01-04-2007 08:28 AM - edited 02-21-2020 02:47 PM
I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Router on two other
sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.
I believe the Linksys VPN routers can only connect via IPSec VPN, so I am looking for help on configuring the PIX 501 to allow the Linksys to connect with the following parameters, if possible.
Key Exchange Method: Auto (IKE)
Encryption: Auto, 3DES, AES128, AES192, AES256
Authentication: MD5
Pre-Shared Key: xxx
PFS: Enabled/Disabled
ISAKMP Key Lifetime: 28800
IPSec Key Lifetime: 3600
On the PIX I have the PDM installed and I have tried using the VPN Wizard to no avail.
I chose the following settings when doing the VPN Wizard:
Type of VPN: Remote Access VPN
Interface: Outside
Type of VPN Client Device used: Cisco VPN Client
(can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)
VPN Client Group
Group Name: RabyEstates
Pre Shared Key: rabytest
Extended Client Authentication: Disabled
Address Pool
Pool Name: VPN-LAN
Range Start: 192.168.2.200
Range End: 192.168.2.250
DNS/WINS/Default Domain: None
IKE Policy
Encryption: 3DES
Authentication: MD5
DH Group: Group 2 (1024-bit)
Transform Set
Encryption: 3DES
Authentication: MD5
I have attached the VPN log from the Linksys VPN Router.
This is the first time I've ever worked with a PIX so I'm still trying to figure the thing out, but I'm confident with CCNA-level networking.
Thanks for your help!
01-04-2007 11:15 AM
You chose Remote Access VPN but you actually want a site-to-site VPN. Try again with the site-to-site wizard.
On both machines you need to specify the other's IP address as the VPN peer and the crypto domain (the source and destination networks of the protected traffic).
Check the link below:
Please rate if this helped.
Regards,
Daniel
01-08-2007 02:46 AM
Thanks for your help Daniel.
I have tried using the VPN Wizard with Site-to-Site options to no avail.
Then I followed the instructions in the link you provided, and I think it is the closest I have got.
I now have the following errors from the Linksys VPN Router.
000 [Sun 11:40:21] added connection description "TunnelA"
001 [Sun 11:40:26] "TunnelA" #1: initiating Main Mode
002 [Sun 11:40:26] "TunnelA" #1: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
003 [Sun 11:41:36] "TunnelA" #1: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.
004 [Sun 11:41:36] "TunnelA" #1: [WRV200 Response:] Please check your Remote Secure Gateway setting.
005 [Sun 11:41:36] "TunnelA" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
006 [Sun 11:41:36] "TunnelA" #1: starting keying attempt 2 of at most 5
... Retries 5 times and then ...
023 [Sun 11:46:16] "TunnelA" #5: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.
024 [Sun 11:46:16] "TunnelA" #5: [WRV200 Response:] Please check your Remote Secure Gateway setting.
025 [Sun 11:46:16] "TunnelA" #5: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
I have attached my current PIX config as well; if you would be so kind as to take a look, I'd much appreciate it.
The "public" IP for the PIX, in my test environment, is 10.0.0.1.
Similarly, the "public" IP for the Linksys is 10.0.0.2.
Is there anything you can spot that immediately looks wrong to you?
Many thanks once again,
David
01-08-2007 03:31 AM
Hi David,
I see the following problems:
1. You should have used 3DES as DES is not in your Linksys list:
crypto ipsec transform-set raby esp-3des esp-md5-hmac
isakmp policy 1 encryption 3des
If your firewall doesn't have a 3DES licence you can get it free from the cisco site => Products => Security and VPN => Cisco 500 PIX Series => Downloads
The alternative is to enable DES on Linksys.
2. The lifetime must be identical:
isakmp policy 1 lifetime 28800
3. There is no route for the VPN traffic. Keep in mind that the VPN map is applied on the outside interface.
If the traffic on the inside interface doesn't have a route, it will not reach the crypto map (outside interface) to be encapsulated.
route outside 192.168.101.0 255.255.255.0 10.0.0.2
Now it should work.
Please rate if this helped.
Regards,
Daniel
01-08-2007 07:35 AM
Thanks again Daniel,
I've made the suggested changes but am now getting the following in my Linksys VPN log.
026 [Wed 11:40:55] "TunnelA": deleting connection
027 [Wed 11:41:02] added connection description "TunnelA"
028 [Wed 11:41:02] "TunnelA" #6: initiating Main Mode
029 [Wed 11:41:02] "TunnelA" #6: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
030 [Wed 11:42:12] "TunnelA" #6: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.
031 [Wed 11:42:12] "TunnelA" #6: [WRV200 Response:] Please check your Remote Secure Gateway setting.
032 [Wed 11:42:12] "TunnelA" #6: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
033 [Wed 11:42:12] "TunnelA" #6: starting keying attempt 2 of at most 5, but releasing whack
Is this because I've not got a 3DES licence? Is there any way I can check via PDM or CLI to see if I have a license?
Also, could you suggest any debug commands that might help me troubleshoot my problem? I feel like I would get better debug information from the PIX itself rather than looking in the Linksys VPN log.
I believe I have requested a 3DES license fine, but that hasn't come through by email yet. Will there be instructions on how to set that up in the email from Cisco?
Thanks again!
01-08-2007 11:27 PM
Hi,
You can check if you have a 3DES licence with the command:
sh ver
To troubleshoot/debug IPSEC:
debug crypto isakmp
debug crypto ipsec
logging on
logging enable
terminal monitor
sh crypto isakmp sa
sh crypto ipsec sa
You can get the 3DES licence from here: https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet
Please rate if this helped.
Regards,
Daniel
01-09-2007 01:48 AM
Hi again,
I believe the PIX has a 3DES license because of the following parts of the "show version":
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
.....
This PIX has a Restricted (R) license.
I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt"
As for the other show commands they give:
pixfirewall# show crypto isakmp sa
Total : 0
Embryonic : 0
dst src state pending created
pixfirewall# show crypto ipsec sa
interface: outside
Crypto map tag: transam, local addr. 10.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
pixfirewall#
Thanks again Daniel, i really appreciate your help on this matter.
01-09-2007 02:04 AM
Hi,
Yes, you have 3DES activated.
Please make sure you add the following commands:
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash md5
isakmp policy 3 group 1
isakmp policy 3 lifetime 28800
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 2
isakmp policy 4 lifetime 28800
Now it should work.
For the Linksys, download the manual from: http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=page%3D2%26cid%3D1115416835852%26c%3DL_Content_C1&pagename=Linksys%2FCommon%2FVisitorWrapper&SubmittedElement=Linksys%2FFormSubmit%2FProductDownloadSearch&sp_prodsku=114718...
Please rate if this helped.
Regards,
Daniel
01-09-2007 03:27 AM
It must be getting closer because it appears to go a lot further than it did earlier, but it still isn't quite getting there.
I have again attached the debug logs from the PIX.
"show crypto isakmp sa" gives the following immediately after trying to reconnect:
Total : 1
Embryonic : 0
dst src state pending created
10.0.0.1 10.0.0.2 QM_IDLE 0 0
Now more interestingly the Linksys VPN log (attached) is giving me this error:
Main mode peer ID is ID_FQDN: '@pixfirewall.ciscopix.com'
we require peer to have ID '10.0.0.1', but peer declares '@pixfirewall.ciscopix.com'
How can I alter the PIX so that its ID will be its outside interface IP address and not the FQDN?
Edit: the command "isakmp identity address" has fixed what this post was enquiring about. I'll continue to have a play with it as I still don't think it's quite working.
Many thanks once again!
01-09-2007 04:11 AM
Ok, try this:
isakmp identity address
no isakmp key ******** address 10.0.0.2 netmask 255.255.255.0
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255 no-xauth no-config-mode
Please rate if this helped.
Regards,
Daniel
01-09-2007 05:37 AM
Thanks a lot for your help Daniel, that has got the VPN tunnel to connect. At least, it says connected in the Linksys VPN summary viewer, and the VPN Tunnel light on the PIX is green.
Now I'm only having problems routing traffic between the two local networks.
I have 192.168.101.0 on the Linksys and 192.168.1.0 on the PIX.
I expected to just be able to create a static route on both of the devices to use the VPN, but as I have a look around I can't see how that would work, as there is no "next hop" IP to specify on the VPN connection at either end.
I hope I'm making sense.
Thanks again.
01-09-2007 06:59 AM
Hi,
On each device put the other as the next hop; the trick is that when the traffic reaches the outside interface, the crypto map will encapsulate the traffic and send it to the right destination.
On PIX:
route outside 192.168.101.0 255.255.255.0 10.0.0.2
On Linksys:
route 192.168.1/24 to 10.0.0.1
Please rate if this helped.
Regards,
Daniel
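The pieces Daniel gives across the replies above (3DES transform set, matching ISAKMP lifetime, `isakmp identity address`, a /32 pre-shared-key entry with `no-xauth no-config-mode`, and the route toward the outside interface), collected into one site-to-site configuration for PIX 6.x. This is an added example by the editor, not a configuration posted in the thread; the poster's real config was an attachment that is not on the page. Names and addresses are the thread's own where it shows them (crypto map `transam`, transform set `raby`, test "public" addresses 10.0.0.1/10.0.0.2, LANs 192.168.1.0/24 and 192.168.101.0/24). The access-list name `raby-vpn`, the policy number 10, the PFS line and the `nat (inside) 0` exemption are assumptions; the NAT exemption in particular is not something the thread confirms, but it is the usual reason a tunnel shows as connected while no traffic crosses it. 3DES, MD5 and DH group 2 are what the WRV200 offers and are weak by current standards; use them only because the peer cannot negotiate anything stronger.

```cisco
! Crypto ACL: the traffic that must be encrypted (PIX LAN <-> Linksys LAN).
! Name raby-vpn is assumed; networks are the ones given in the thread.
access-list raby-vpn permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0

! NAT exemption (assumed, not shown in the thread): tunnel traffic must keep its
! real source address, otherwise the crypto ACL never matches the translated packet.
nat (inside) 0 access-list raby-vpn

! Let decrypted IPsec traffic bypass the outside interface access-list.
sysopt connection permit-ipsec

! Phase 1 (ISAKMP). Identity must be the address: with the default FQDN identity
! the Linksys rejects the peer, as its log above shows ('@pixfirewall.ciscopix.com').
isakmp enable outside
isakmp identity address
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800

! Phase 2 (IPsec): 3DES/MD5 to match the WRV200 proposal, IPsec key lifetime 3600.
crypto ipsec transform-set raby esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map transam 10 ipsec-isakmp
crypto map transam 10 match address raby-vpn
crypto map transam 10 set peer 10.0.0.2
crypto map transam 10 set transform-set raby
! Only if PFS is enabled on the Linksys side; both ends must agree (assumed here).
crypto map transam 10 set pfs group2
crypto map transam interface outside

! Route: packets for the remote LAN must reach the outside interface, where the
! crypto map encapsulates them; the next hop is simply the peer's public address.
route outside 192.168.101.0 255.255.255.0 10.0.0.2
```

To check it, send pings from a host on 192.168.1.0/24 to a host on 192.168.101.0/24 and read the same two commands the thread uses: `show crypto isakmp sa` should show the peer pair in state QM_IDLE, and `show crypto ipsec sa` should show the `#pkts encaps`/`#pkts decaps` counters climbing. The all-zero counters in the output posted earlier mean the tunnel was negotiated but nothing ever matched the crypto ACL, which is exactly the symptom a missing route or a missing NAT exemption produces.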
01-09-2007 09:07 AM
Thanks once again Daniel.
I've done that but I can't ping across to the local network from the other network. I am thinking maybe my access lists / NAT or something not related to the VPN is causing this.
From the Linksys network I can ping 10.0.0.2 (Linksys WAN) and 10.0.0.1 (PIX WAN); from the PIX network I can only ping 10.0.0.2, not the WAN of the directly connected PIX. From the CLI of the PIX I can ping both.
Can you take a quick look at my PIX config and see if everything seems in order? If it is only an access-list / routing problem, at least then I know where to look rather than keep on thinking it's a VPN problem.
I forgot to attach the config to this post, please see below.
Many thanks once again matey.
David.
01-09-2007 09:17 AM
01-09-2007 10:37 AM
Hi,
All seems fine to me, try having one computer in each network and ping each other. Check the logs/debug and attach them.
Let me know.
Cheers,
Daniel