On the PIX side you could follow the config on:
Then turn on the debugs, i.e.:
debug crypto isakmp
debug crypto ipsec
And see what is not matching on the Linksys side. Also, is the Linksys doing some form of NAT? You have to bypass NAT for the IPsec traffic.
I have successfully implemented a VPN tunnel between the Linksys BEFVP41 device and a PIX 515. I have also been able to get the Linksys to talk to the VPN 3000 concentrator. I used pre-shared keys and static IPs for both. I am now going to try to implement both configurations using a dynamic IP on the Linksys (as if the Linksys is on a cable modem or DSL). I will post my results.
I have a client who has implemented a VPN between a Linksys router and a VPN 3000. However, at least once a day the tunnel drops and requires a reboot of the Linksys router to make it work. Any idea what could be the reason?
I had a very similar issue that I solved by increasing the SA time to 31 days. This was 2678400 seconds. It must be a firmware issue.
BTW: Linksys posted the new firmware on 4/11/02, version 1.40.2.
I have received several emails asking how I got the Linksys to connect. I figured that replying to this thread was the logical way to answer all.
Let me first state that I have static IPs on both ends. I am still working on getting it to work with a dynamic IP on the Linksys side. I have configured the devices to use pre-shared keys. On the PIX I have:
crypto map newmap 70 ipsec-isakmp
crypto map newmap 70 match address 170
crypto map newmap 70 set peer xxx.xxx.xxx.xxx
crypto map newmap 70 set transform-set myset
where the 170 is the access-list that tells the PIX what subnet to route to that tunnel.
access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
(for the pre-shared key)
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
I chose des instead of 3des for performance reasons.
On the Linksys side I have specified the following on the VPN tab:
Tunnel 1, and gave it a name
local secure group - subnet
remote secure group - subnet and specified the 192.168.1.0 network
remote security gateway - IP addr of the PIX
selected des and md5 (as seen in the PIX config)
Key Management - Auto (IKE)
specified the pre-shared key and 1000 key timeout
As I mentioned earlier, I have not gotten the dynamic IP Linksys to work with the static PIX. But I am sure I will (given free time).
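As an added example (not part of the original posts, and not Cisco or Linksys tooling), this Python script parses the PIX lines posted above and reports every setting where the Linksys side would not match, including a remote group that does not mirror the access-list. The dictionary field names are hypothetical, and the Linksys local subnet and both masks are assumed from the PIX access-list because the post does not state them.

```python
import re

# PIX lines as posted above (peer address and key were already masked there).
PIX_CONFIG = """\
access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""

# Linksys VPN-tab values from the post. Field names are hypothetical; the local
# subnet and both masks are assumed from the PIX access-list, not stated there.
LINKSYS = {
    "authentication": "pre-share", "encryption": "des", "hash": "md5",
    "lifetime": "1000",
    "local_subnet": "192.168.70.0/255.255.255.0",
    "remote_subnet": "192.168.1.0/255.255.255.0",
}

def parse_pix(config):
    """Return (phase 1 policy dict, list of (source, destination) ACL pairs)."""
    policy, acl = {}, []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"isakmp policy \d+ (\S+) (\S+)$", line)
        if m:  # a single policy is assumed; later numbers would overwrite
            policy[m[1]] = m[2]
        m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            acl.append((f"{m[1]}/{m[2]}", f"{m[3]}/{m[4]}"))
    return policy, acl

def mismatches(config, peer):
    """List each setting where the peer's values differ from the PIX side."""
    policy, acl = parse_pix(config)
    found = []
    for key in ("authentication", "encryption", "hash", "lifetime"):
        if policy.get(key) != peer.get(key):
            found.append(f"{key}: PIX={policy.get(key)} peer={peer.get(key)}")
    # The peer's remote/local subnets must mirror the ACL's source/destination.
    mirrored = (peer.get("remote_subnet"), peer.get("local_subnet"))
    if mirrored not in acl:
        found.append(f"subnets: peer {mirrored} mirrors no access-list entry")
    return found

if __name__ == "__main__":
    print(mismatches(PIX_CONFIG, LINKSYS) or "no mismatches")
    print(mismatches(PIX_CONFIG, {**LINKSYS, "remote_subnet": "ANY"}))
```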
Do you also have a working config between the Linksys and the 3005? I've been trying to figure out how to make these two boxes work, but no luck. I don't know what I'm missing; I have the latest firmware for the Linksys too. Thanks!
You mentioned in an earlier email that you were able to get a tunnel created between a Cisco 30xx Concentrator and the Linksys VPN router. What config did you use to accomplish this?
Follow the Cisco instructions for setting up a Cisco 1.1 client to PIX VPN when the client has a dynamic IP address. Don't bother with peer statements. Then, on the Linksys, make SURE that you define the subnet on the PIX secure interface as the Remote Network. If you choose "ANY", the tunnel will fail.
If you use this configuration, the Linksys can connect with a dynamic IP address.