Cisco Support Community
Community Member

PIX and VPN with Linksys... weird problem!

People:

I am having the weirdest of problems. I have a PIX515E with several Linksys BEFX41 routers with VPNs, and suddenly the VPNs cannot be established. I have Linksys routers distributed in different places, and all of them are unable to connect. I even tried connecting with a Linksys right next to the outside interface, with an IP contiguous to the one assigned to the PIX's outside interface (you'll see that below: the .34 and .44 addresses). No luck either.

So far I have ruled out my ISP and the Linksys routers (if it were only one I would suspect that, but with 3 or 4 failing...), and I don't remember making any change to the firewall in the last weeks; in fact I compared the last known good configuration and it's fine.

Whenever I hit the connect button on the Linksys router I get the following response on the PIX

(and then the Linksys routers hang and I have to reboot them!)

-----------------------------------------------------
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
VPN Peer: ISAKMP: Peer ip:X.X.X.44 Ref cnt incremented to:1 Total VPN Peers:1
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.44, dest X.X.X.34
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
    next-payload : 8
    type         : 2
    protocol     : 17
    port         : 500
    length       : 10
ISAKMP (0): Total payload length: 14
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1

-----------------------------------------------------
As you can see, it looks like the connection starts to be established, but it stops right after sending that NOTIFY message.

Any idea? Or a similar problem in the past? I tried rebooting the firewall, rewriting the configuration, etcetera, and no luck.

I attach my PIX configuration below. Thanks a lot for any help with this!

-----------------------------------------------------
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
hostname PIX01
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
no fixup protocol rtsp 554
no fixup protocol sip 5060
no fixup protocol skinny 2000
names
access-list 100 permit tcp any host X.X.X.37 eq smtp
access-list 100 permit tcp any host X.X.X.37 eq pop3
access-list 100 permit tcp any host X.X.X.37 eq domain
access-list 100 permit udp any host X.X.X.37 eq domain
access-list 100 permit tcp any host X.X.X.35 eq www
access-list 100 permit tcp any host X.X.X.35 eq 443
access-list 100 permit tcp any host X.X.X.36 eq www
access-list 100 permit tcp any host X.X.X.36 eq 443
access-list 100 permit tcp any host X.X.X.36 eq domain
access-list 100 permit udp any host X.X.X.36 eq domain
access-list 100 permit tcp any host X.X.X.38 eq www
access-list 100 permit tcp any host X.X.X.38 eq 443
access-list 100 permit tcp any host X.X.X.37 eq www
access-list 100 deny icmp any any
access-list 100 permit tcp any host X.X.X.42 eq www
access-list 100 permit tcp any host X.X.X.42 eq 443
access-list 100 permit tcp any host X.X.X.43 eq www
access-list 100 permit tcp any host X.X.X.43 eq 443
access-list 100 permit tcp any host X.X.X.39 eq www
access-list 100 permit tcp any host X.X.X.39 eq 443
access-list 100 permit tcp any host X.X.X.41 eq www
access-list 100 permit tcp any host X.X.X.41 eq 443
access-list 100 permit tcp any host X.X.X.46 eq www
access-list 100 permit tcp any host X.X.X.46 eq 443
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list nonat2 permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside X.X.X.34 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit name attack1 attack action alarm drop reset
ip audit interface outside attack1
ip audit info action alarm
ip audit attack action alarm drop reset
pdm history enable
arp timeout 14400
global (outside) 1 X.X.X.50-X.X.X.61 netmask 255.255.255.224
global (outside) 1 X.X.X.62 netmask 255.255.255.224
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (dmz) 0 access-list nonat2
alias (inside) 192.168.1.2 X.X.X.38 255.255.255.255
alias (inside) X.X.X.36 192.168.2.11 255.255.255.255
alias (inside) X.X.X.35 192.168.2.10 255.255.255.255
alias (inside) X.X.X.37 192.168.2.12 255.255.255.255
alias (inside) X.X.X.40 192.168.2.14 255.255.255.255
alias (inside) X.X.X.42 192.168.2.16 255.255.255.255
alias (inside) X.X.X.43 192.168.2.17 255.255.255.255
alias (inside) X.X.X.39 192.168.2.19 255.255.255.255
alias (inside) X.X.X.45 192.168.2.18 255.255.255.255
alias (inside) X.X.X.41 192.168.2.15 255.255.255.255
alias (inside) 192.168.1.14 X.X.X.46 255.255.255.255
alias (dmz) 192.168.2.16 X.X.X.42 255.255.255.255
alias (dmz) 192.168.2.17 X.X.X.43 255.255.255.255
alias (dmz) 192.168.2.19 X.X.X.39 255.255.255.255
alias (dmz) 192.168.2.18 X.X.X.45 255.255.255.255
alias (dmz) 192.168.2.15 X.X.X.41 255.255.255.255
static (dmz,outside) X.X.X.36 192.168.2.11 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.35 192.168.2.10 netmask 255.255.255.255 0
static (inside,outside) X.X.X.38 192.168.1.2 netmask 255.255.255.255
static (dmz,outside) X.X.X.37 192.168.2.12 netmask 255.255.255.255 0
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
static (dmz,outside) X.X.X.40 192.168.2.14 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.42 192.168.2.16 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.43 192.168.2.17 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.39 192.168.2.19 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.45 192.168.2.18 netmask 255.255.255.255 0
static (dmz,outside) X.X.X.41 192.168.2.15 netmask 255.255.255.255 0
static (inside,outside) X.X.X.46 192.168.1.14 netmask 255.255.255.255
access-group 100 in interface outside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 X.X.X.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
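Read against the isakmp policy at the end of the configuration, the Main Mode trace in the post is internally consistent: transform 1 is rejected only because it offers SHA where the policy says MD5, transform 2 matches on every attribute, the lifetime bytes 0x0 0x1 0x51 0x80 decode big-endian to 0x015180 = 86400 seconds (the configured lifetime), Phase 1 authenticates, and the last thing the PIX logs is the INITIAL_CONTACT notify (notify type 24578 is INITIAL-CONTACT in the IPsec DOI, RFC 2407; protocol 1 is ISAKMP). No Quick Mode (OAK_QM) exchange follows, which is the stall the poster describes. The Python below is an added example for this thread, not code from the original post or from Cisco: it parses a trace in this format and the isakmp policy lines, reports per-transform mismatches, and flags an exchange that authenticates but never reaches Quick Mode. The embedded trace and policy text are abridged copies of the post's output, constructed for the example; the lifetime rule in mismatches() follows Cisco's documented matching rule (peer lifetime must not exceed the configured one).

```python
"""Check a PIX 'debug crypto isakmp' Main Mode trace against 'isakmp policy'
lines. Added example for this thread; not Cisco code. Sample inputs are
abridged, constructed copies of the trace and configuration in the post."""
import re

# Constructed sample: the Phase 1 negotiation from the post, abridged.
DEBUG_TRACE = """\
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
"""

# Constructed sample: the isakmp policy block from the posted configuration.
PIX_POLICY = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
POLICY_RE = re.compile(r"isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)")


def decode_vpi_lifetime(vpi_text):
    """Big-endian bytes printed one per token: '0x0 0x1 0x51 0x80' -> 86400."""
    value = 0
    for token in vpi_text.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_transforms(trace):
    """One dict per offered transform, values normalised to 'isakmp policy'
    spelling (DES-CBC -> des, SHA -> sha), plus the PIX's accept/reject verdict."""
    transforms, current = [], None
    for line in trace.splitlines():
        line = line.strip()
        m = TRANSFORM_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": None}
            transforms.append(current)
        elif current is None:
            continue
        elif line.startswith("ISAKMP: "):
            body = line[len("ISAKMP: "):]
            key, _, val = body.partition(" ")
            if key == "encryption":
                current["encryption"] = val.replace("-CBC", "").lower()
            elif key == "hash":
                current["hash"] = val.lower()
            elif key == "auth":
                current["authentication"] = val.lower()
            elif body.startswith("default group "):
                current["group"] = body.rsplit(" ", 1)[1]
            elif body.startswith("life duration (VPI) of "):
                current["lifetime"] = decode_vpi_lifetime(body[len("life duration (VPI) of "):])
        elif "atts are not acceptable" in line:
            current["accepted"] = False
            current = None
        elif "atts are acceptable" in line:
            current["accepted"] = True
            current = None
    return transforms


def parse_policy(config):
    """Collect 'isakmp policy <prio> <attr> <value>' lines, keyed by priority."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).lower()
    return policies


def mismatches(transform, policy):
    """(attribute, offered, configured) triples on which the offer differs.
    Empty list = the PIX should log 'atts are acceptable'. Cisco documents
    that the peer's lifetime must be <= the configured one, so only a longer
    offer is flagged."""
    diffs = [(k, transform.get(k), policy.get(k))
             for k in ("authentication", "encryption", "hash", "group")
             if transform.get(k) != policy.get(k)]
    if "lifetime" in transform and "lifetime" in policy and transform["lifetime"] > int(policy["lifetime"]):
        diffs.append(("lifetime", transform["lifetime"], int(policy["lifetime"])))
    return diffs


def trace_outcome(trace):
    """How far the exchange got. authenticated=True with quick_mode_seen=False
    is exactly the stall in the post: Phase 1 done, Phase 2 never starts."""
    return {
        "accepted_transforms": [t["transform"] for t in parse_transforms(trace) if t["accepted"]],
        "authenticated": "SA has been authenticated" in trace,
        "initial_contact_sent": "sending INITIAL_CONTACT notify" in trace,
        "quick_mode_seen": "OAK_QM" in trace,
    }


if __name__ == "__main__":
    policy = parse_policy(PIX_POLICY)
    for t in parse_transforms(DEBUG_TRACE):
        print(f"transform {t['transform']}: accepted={t['accepted']} "
              f"mismatches={mismatches(t, policy[t['policy']])}")
    print(trace_outcome(DEBUG_TRACE))
```

The script checks agreement, not strength. Independently of the outage, two things in the posted configuration deserve a practitioner's attention: `isakmp key ******** address 0.0.0.0 netmask 0.0.0.0` is one wildcard pre-shared key accepted from any peer address, and DES, MD5, Diffie-Hellman group 1 and `snmp-server community public` are settings that current guidance rejects outright.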

2 REPLIES
Silver

Re: PIX and VPN with Linksys... weird problem!

Not sure how the Linksys routers work. But if there are any Cisco routers apart from the PIX, this looks like a "ships in the night" problem, wherein the routes discovered by one of the routing protocols should be redistributed to the other, else there will be a duplicate discovery.

Community Member

Re: PIX and VPN with Linksys... weird problem!

I can tell you flat out I have never been able to get the Linksys gateways to make a VPN connection to a PIX. Netscreens yes, PIX to PIX yes, software IPsec yes, Linksys never.

I was actually brought in on a job for this very reason. VPN from Linksys to Linksys is about as reliable as the weather. I recommend you check out some of the reports at http://www.dslreports.com; it will shed some light on the Linksys-PIX issues.

James
