PIX501 easy VPN

ccoombs · ‎11-26-2002

Probably a stupid question but it has me stumped.

I am setting up a PIX501 with the basic vpn connection. I am getting all kinds of errors with the SA keys. What default IKE settings does the PIX501 easy vpn setup use? I don't see any option to specify.

Thanks!

d-garnett · ‎11-26-2002

is the 501 at a remote site?

are you connecting to a 3000 concentrator?

if so then on the 3000 concentrator, find the IKE proposals and move the CiscoVPNClient proposal to the top of the list. you will need to modify some of it's settings.

here's two useful links

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800945cf.shtml#c4

http://www.cisco.com/en/US/products/sw/iosswrel/ps4382/products_feature_guide09186a00800a8565.html

ccoombs · ‎11-26-2002

I think my big problem here is that I don't have 3des enabled on this pix501. The 501 is at a remote site and it does terminate at a 3005 concentrator.

I could try adding a new proposal but I don't feel good about putting it in the front of the others. I have a lot of users connecting using the vpn client and using 3des.

Thanks!

d-garnett · ‎11-26-2002

if you are using easy vpn client on the pix , you need to enable mode configuration on the 3005 concentrator. This will push the policies down to the pix.. On the Concentrator, use IKE/ESP-3DES-MD5 as the SA with CiscoVPNClient as the IKE proposal.