PIX 501 and Linksys VPN Router (WRV200)

d.bigerstaff
Level 1

I have inherited a job where we have a Cisco PIX 501 firewall at one site, and Linksys WRV200 VPN Routers on two other sites. I have been asked to connect these Linksys routers to the PIX firewall via VPN.

I believe the Linksys VPN routers can only connect via IPSec VPN, so I am looking for help on configuring the PIX 501 to allow the Linksys to connect with the following parameters, if possible.

Key Exchange Method: Auto (IKE)

Encryption: Auto, 3DES, AES128, AES192, AES256

Authentication: MD5

Pre-Shared Key: xxx

PFS: Enabled/Disabled

ISAKMP Key Lifetime: 28800

IPSec Key Lifetime: 3600

On the PIX I have the PDM installed and I have tried using the VPN Wizard to no avail.

I chose the following settings when doing the VPN Wizard:

Type of VPN: Remote Access VPN

Interface: Outside

Type of VPN Client Device used: Cisco VPN Client

(can choose Cisco VPN 3000 Client, MS Windows Client using PPTP, MS Windows client using L2TP)

VPN Client Group

Group Name: RabyEstates

Pre Shared Key: rabytest

Extended Client Authentication: Disabled

Address Pool

Pool Name: VPN-LAN

Range Start: 192.168.2.200

Range End: 192.168.2.250

DNS/WINS/Default Domain: None

IKE Policy

Encryption: 3DES

Authentication: MD5

DH Group: Group 2 (1024-bit)

Transform Set

Encryption: 3DES

Authentication: MD5

I have attached the VPN log from the Linksys VPN Router.

This is the first time I've ever worked with a PIX, so I'm still trying to figure the thing out, but I'm confident with CCNA-level networking.

Thanks for your help!

1 Accepted Solution


Hi,

All seems fine to me, try having one computer in each network and ping each other. Check the logs/debug and attach them.

Let me know.

Cheers,

Daniel



5220
Level 4

You chose Remote Access VPN, but you actually want a site-to-site VPN. Try again with the site-to-site wizard.

On both machines you need to specify the other's IP address as a VPN peer and the crypto domain (the source and destination networks of the protected traffic).

Check the link below:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

Please rate if this helped.

Regards,

Daniel

Thanks for your help Daniel.

I have tried using the VPN Wizard with Site-to-Site options to no avail.

Then I followed through the instructions in the link you provided, and I think it is the closest I have got.

I now have the following errors from the Linksys VPN Router.

000 [Sun 11:40:21] added connection description "TunnelA"

001 [Sun 11:40:26] "TunnelA" #1: initiating Main Mode

002 [Sun 11:40:26] "TunnelA" #1: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation

003 [Sun 11:41:36] "TunnelA" #1: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.

004 [Sun 11:41:36] "TunnelA" #1: [WRV200 Response:] Please check your Remote Secure Gateway setting.

005 [Sun 11:41:36] "TunnelA" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

006 [Sun 11:41:36] "TunnelA" #1: starting keying attempt 2 of at most 5

... Retries the 5 times and then ...

023 [Sun 11:46:16] "TunnelA" #5: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.

024 [Sun 11:46:16] "TunnelA" #5: [WRV200 Response:] Please check your Remote Secure Gateway setting.

025 [Sun 11:46:16] "TunnelA" #5: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

I have attached my current PIX config as well; if you would be so kind as to take a look, I'd much appreciate it.

The "public" IP for the PIX, in my test environment, is 10.0.0.1.

Similarly, the "public" IP for the Linksys is 10.0.0.2.

Is there anything you can spot that immediately looks wrong to you?

Many thanks once again,

David

Hi David,

I see the following problems:

1. You should have used 3DES as DES is not in your Linksys list:

crypto ipsec transform-set raby esp-3des esp-md5-hmac

isakmp policy 1 encryption 3des

If your firewall doesn't have a 3DES licence, you can get it free from the Cisco site => Products => Security and VPN => Cisco 500 PIX Series => Downloads.

The alternative is to enable DES on Linksys.

2. The lifetime must be identical:

isakmp policy 1 lifetime 28800

3. There is no route for the VPN traffic. Keep in mind that the VPN map is applied on the outside interface.

If the traffic on the inside interface doesn't have a route, it will not reach the crypto map (outside interface) to be encapsulated.

route (outside) 192.168.101.0 255.255.255.0 10.0.0.2

Now it should work.

Please rate if this helped.

Regards,

Daniel

Thanks again Daniel,

I've made the suggested changes but am now getting the following in my Linksys VPN log.

026 [Wed 11:40:55] "TunnelA": deleting connection

027 [Wed 11:41:02] added connection description "TunnelA"

028 [Wed 11:41:02] "TunnelA" #6: initiating Main Mode

029 [Wed 11:41:02] "TunnelA" #6: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation

030 [Wed 11:42:12] "TunnelA" #6: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.

031 [Wed 11:42:12] "TunnelA" #6: [WRV200 Response:] Please check your Remote Secure Gateway setting.

032 [Wed 11:42:12] "TunnelA" #6: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

033 [Wed 11:42:12] "TunnelA" #6: starting keying attempt 2 of at most 5, but releasing whack

Is this because I've not got a 3DES licence? Is there any way I can check via PDM or CLI to see if I have a license?

Also, could you suggest any debug commands that might help me troubleshoot my problem? I feel like I would get better debug information from the PIX itself rather than looking in the Linksys VPN log.

I believe I have requested a 3DES license fine, but that hasn't come through by email yet. Will there be instructions on how to set that up in the email from Cisco?

Thanks again!

Hi,

You can check if you have a 3DES licence with the command:

sh ver

To troubleshoot/debug IPSEC:

debug crypto isakmp

debug crypto ipsec

logging on

logging enable

terminal monitor

sh crypto isakmp sa

sh crypto ipsec sa

You can get the 3DES licence from here: https://tools.cisco.com/SWIFT/Licensing/RegistrationServlet

Please rate if this helped.

Regards,

Daniel

Hi again,

I believe the PIX has a 3DES license because of the following parts of the "show version" output:

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

.....

This PIX has a Restricted (R) license.

I've tried reconnecting the VPN tunnel with debugging on the PIX and get the output as shown in the attached file "vpndebug.txt".

As for the other show commands they give:

pixfirewall# show crypto isakmp sa

Total : 0

Embryonic : 0

dst src state pending created

pixfirewall# show crypto ipsec sa

interface: outside

Crypto map tag: transam, local addr. 10.0.0.1

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

current_peer: 10.0.0.2:0

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2

path mtu 1500, ipsec overhead 0, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

pixfirewall#

Thanks again Daniel, I really appreciate your help on this matter.

Hi,

Yes, you have 3DES activated.

Please make sure you add the following commands:

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 28800

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash md5

isakmp policy 2 group 2

isakmp policy 2 lifetime 28800

isakmp policy 3 authentication pre-share

isakmp policy 3 encryption 3des

isakmp policy 3 hash md5

isakmp policy 3 group 1

isakmp policy 3 lifetime 28800

isakmp policy 4 authentication pre-share

isakmp policy 4 encryption 3des

isakmp policy 4 hash md5

isakmp policy 4 group 2

isakmp policy 4 lifetime 28800

Now it should work.

For the Linksys, download the manual from: http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=page%3D2%26cid%3D1115416835852%26c%3DL_Content_C1&pagename=Linksys%2FCommon%2FVisitorWrapper&SubmittedElement=Linksys%2FFormSubmit%2FProductDownloadSearch&sp_prodsku=114718...

Please rate if this helped.

Regards,

Daniel
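As an added illustration (not code from the thread), the following Python model shows why a single DES policy with the default lifetime cannot match what the WRV200 offers and why the four policies above can. The WRV200 proposal list and the "before" PIX policy are constructed from the parameters David listed; the Linksys DH group is not stated, so groups 1 and 2 are both assumed.

```python
# Added example, not from the thread: a simplified model of IKE Phase 1 (Main
# Mode) policy matching between the WRV200 (initiator) and the PIX (responder).
from itertools import product

# What the WRV200 can offer, from David's list: Auto = 3DES/AES, MD5, IKE lifetime
# 28800. Its DH group is not stated, so groups 1 and 2 are both assumed. Lifetimes
# are required to be identical here, as Daniel advised.
WRV200_PROPOSALS = [
    {"authentication": "pre-share", "encryption": enc, "hash": "md5",
     "group": grp, "lifetime": 28800}
    for enc, grp in product(["3des", "aes-128", "aes-192", "aes-256"], [1, 2])
]

def parse_isakmp_policies(config_text):
    """Collect 'isakmp policy N <attribute> <value>' lines into per-policy dicts."""
    policies = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:2] == ["isakmp", "policy"]:
            value = parts[4]
            policies.setdefault(int(parts[2]), {})[parts[3]] = int(value) if value.isdigit() else value
    return policies

def negotiate(responder_policies, initiator_proposals):
    """Return (policy number, matched proposal) or None. The responder walks its
    policies in priority order (lowest number first) and takes the first one
    that some initiator proposal satisfies on every attribute."""
    for number in sorted(responder_policies):
        policy = responder_policies[number]
        for proposal in initiator_proposals:
            if all(policy.get(attr) == val for attr, val in proposal.items()):
                return number, proposal
    return None

# Constructed 'before' policy: DES (item 1 in Daniel's earlier reply) and the PIX
# default 86400 s lifetime (item 2), so neither attribute matches the WRV200.
ORIGINAL_PIX = """isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400"""
# Daniel's four policies (DES/3DES x group 1/2, MD5, pre-share, 28800), generated here.
FIXED_PIX = "\n".join(
    f"isakmp policy {n} {attr} {val}"
    for n, (enc, grp) in enumerate([("des", 1), ("des", 2), ("3des", 1), ("3des", 2)], 1)
    for attr, val in [("authentication", "pre-share"), ("encryption", enc),
                      ("hash", "md5"), ("group", grp), ("lifetime", 28800)])

def match_original():
    return negotiate(parse_isakmp_policies(ORIGINAL_PIX), WRV200_PROPOSALS)  # None: nothing matches

def match_fixed():
    return negotiate(parse_isakmp_policies(FIXED_PIX), WRV200_PROPOSALS)  # (3, 3DES/MD5/group 1)
```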

It must be getting closer, because it appears to go a lot further than it did earlier, but it still isn't quite getting there.

I have again attached the debug logs from the PIX.

"show crypto isakmp sa" gives the following immediately after trying to reconnect:

Total : 1

Embryonic : 0

dst src state pending created

10.0.0.1 10.0.0.2 QM_IDLE 0 0

Now more interestingly the Linksys VPN log (attached) is giving me this error:

Main mode peer ID is ID_FQDN: '@pixfirewall.ciscopix.com'

we require peer to have ID '10.0.0.1', but peer declares '@pixfirewall.ciscopix.com'

How can I alter the PIX so that its ID will be its outside interface IP address and not the FQDN?

Edit: the command "isakmp identity address" has fixed what this post was enquiring about. I'll continue to have a play with it, as I still don't think it's quite working.

Many thanks once again!
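Added example, not from the thread: a small triage script for WRV200 VPN log lines of the kind posted above, mapping each message to the IKE stage it concerns and the check the thread arrived at. The patterns come from the log excerpts in this thread; the sample log is constructed from them, and its line 040 is invented in the same format.

```python
# Added example, not from the thread: triage of WRV200 VPN log lines like those
# David posted, mapping each message to the IKE stage and check the thread arrived at.
# Patterns come from the excerpts above; SAMPLE_LOG is constructed (line 040 is invented).
import re

RULES = [  # (pattern, tag, what to check)
    (re.compile(r"Remote peer has no tunnel entry|max number of retransmissions .* STATE_MAIN_I1"),
     "phase1-no-response", "No answer to the first Main Mode message: check the remote gateway "
     "address, that UDP/500 reaches the PIX, and that the PIX has an 'isakmp key' for this peer."),
    (re.compile(r"we require peer to have ID '[^']+', but peer declares '[^']+'"),
     "phase1-id-mismatch", "PIX sends its hostname as ID: set 'isakmp identity address'."),
    (re.compile(r"initiating Main Mode|ISAKMP SA \(Main Mode\) Initiation"),
     "phase1-started", "Informational: the WRV200 started IKE Phase 1."),
    (re.compile(r"added connection description|deleting connection"),
     "tunnel-config", "Informational: tunnel definition loaded or removed."),
]
# 'NNN [day hh:mm:ss] "tunnel" #attempt: message'; tunnel and attempt are optional.
LINE_RE = re.compile(r'^(\d{3}) \[([^\]]+)\] (?:"([^"]+)"(?: #(\d+))?: )?(.*)$')

def parse_line(line):
    """Split a log line into fields; a line pasted without its prefix keeps only the message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {"seq": None, "time": None, "tunnel": None, "attempt": None, "msg": line.strip()}
    seq, ts, tunnel, attempt, msg = m.groups()
    return {"seq": int(seq), "time": ts, "tunnel": tunnel, "attempt": attempt, "msg": msg}

def classify(msg):
    """Return (tag, advice) for one message."""
    for pattern, tag, advice in RULES:
        if pattern.search(msg):
            return tag, advice
    return "unclassified", "No rule matched; compare with 'debug crypto isakmp' output on the PIX."

def triage(log_text):
    """Return [(tag, advice)] for the distinct problems seen, in order of first appearance."""
    problems = {}
    for line in filter(str.strip, log_text.splitlines()):
        tag, advice = classify(parse_line(line)["msg"])
        if tag in ("phase1-no-response", "phase1-id-mismatch"):
            problems.setdefault(tag, advice)
    return list(problems.items())

SAMPLE_LOG = """\
001 [Sun 11:40:26] "TunnelA" #1: initiating Main Mode
003 [Sun 11:41:36] "TunnelA" #1: [WRV200 Response:] Remote peer has no tunnel entry to correspond to this tunnel.
005 [Sun 11:41:36] "TunnelA" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
040 [Wed 12:05:10] "TunnelA" #7: we require peer to have ID '10.0.0.1', but peer declares '@pixfirewall.ciscopix.com'
"""
```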

Ok, try this:

isakmp identity address

no isakmp key ******** address 10.0.0.2 netmask 255.255.255.0

isakmp key ******** address 10.0.0.2 netmask 255.255.255.255 no-xauth no-config-mode

Please rate if this helped.

Regards,

Daniel

Thanks a lot for your help Daniel, that has got the VPN tunnel to connect. At least, it says connected in the Linksys VPN summary viewer, and the VPN Tunnel light on the PIX is green.

Now I'm only having problems routing traffic between the two local networks.

I have 192.168.101.0 on the Linksys and 192.168.1.0 on the PIX.

I expected to just be able to create a static route from both of the devices to use the VPN, but as I have a look around I can't see how that would work, as there is no "next hop" IP to specify on the VPN connection at either end.

I hope I'm making sense.

Thanks again.

Hi,

On each device put the other as the next step, and the trick is that when the traffic reaches the outside interface, the crypto map will encapsulate the traffic and send it to the right destination.

On PIX:

route (outside) 192.168.101.0 255.255.255.0 10.0.0.2

On Linksys:

route 192.168.1/24 to 10.0.0.1

Please rate if this helped.

Regards,

Daniel
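Added example, not code from the thread: a small Python model of the forwarding step described above. A packet from the inside LAN is routed first, and only if the route lands it on the interface carrying the crypto map is the crypto ACL consulted and the packet encapsulated. The addresses are the thread's test values; the ACL, both route tables and the absence of a default route in the lab are assumptions.

```python
# Added example, not from the thread: route lookup followed by the crypto map
# check on the egress interface, as Daniel describes for the PIX.
from ipaddress import ip_address, ip_network

def lookup_route(routes, dst):
    """Longest-prefix match over (network, interface, next_hop) entries."""
    dst, best = ip_address(dst), None
    for net, iface, next_hop in routes:
        net = ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best

def forward(routes, crypto_map, src, dst):
    """How the PIX treats a packet: ('dropped', None), ('clear', iface) or ('esp', iface, peer)."""
    route = lookup_route(routes, dst)
    if route is None:
        return ("dropped", None)        # no route, so it never reaches an egress interface
    _net, iface, _next_hop = route
    for acl_src, acl_dst, peer in crypto_map.get(iface, []):   # crypto ACL on this interface only
        if ip_address(src) in ip_network(acl_src) and ip_address(dst) in ip_network(acl_dst):
            return ("esp", iface, peer)  # interesting traffic: encapsulated towards the peer
    return ("clear", iface)

# Crypto map 'transam' on outside: 192.168.1.0/24 <-> 192.168.101.0/24, peer 10.0.0.2.
CRYPTO_MAP = {"outside": [("192.168.1.0/24", "192.168.101.0/24", "10.0.0.2")]}
# Connected routes only (assumed: no default route in the test lab), then with Daniel's route added.
BEFORE = [("192.168.1.0/24", "inside", None), ("10.0.0.0/24", "outside", None)]
AFTER = BEFORE + [("192.168.101.0/24", "outside", "10.0.0.2")]

def ping_before():   # inside host to the Linksys LAN without the outside route
    return forward(BEFORE, CRYPTO_MAP, "192.168.1.10", "192.168.101.10")   # ('dropped', None)

def ping_after():    # same packet once 'route outside 192.168.101.0 255.255.255.0 10.0.0.2' exists
    return forward(AFTER, CRYPTO_MAP, "192.168.1.10", "192.168.101.10")    # ('esp', 'outside', '10.0.0.2')
```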

Thanks once again Daniel.

I've done that, but I can't ping across to the local network from another network. I am thinking maybe my access lists / NAT or something not related to the VPN is causing this.

From the Linksys network I can ping 10.0.0.2 (Linksys WAN) and 10.0.0.1 (PIX WAN); from the PIX network I can only ping 10.0.0.2, not the WAN of the directly connected PIX. From the CLI of the PIX I can ping both.

Can you take a quick spy at my PIX config and see if everything seems in order? If it is only an access-list / routing problem, then at least I know where to look rather than keep on thinking it's a VPN problem.

I forgot to attach the config to this post, please see below.

Many thanks once again matey.

David.

Sorry, forgot to attach the PIX running config to the previous post.
