Cisco Support Community
Community Member

vpn tunnel between vpn3000 and pix 501

I am trying to connect a VPN tunnel between a VPN3000 (only basegroup with pre-shared key) and a PIX 501. The PIX has a dynamically assigned IP address on the outside interface. I get the error "Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list" when trying to connect. I have checked the basegroup for IPSEC:SA (ESP-DES-MD5) and then Configuration | Policy Management | Traffic Management | Security Associations for ESP-DES-MD5. In this configuration the IKE Proposal was set to IKE-DES-MD5. And when I looked in there, the Authentication Mode is "preshared keys", as it should be. I don't know any other place to look. Here is my PIX config.

access-list inside_access_in permit ip any any

access-list outside_access_in permit icmp any any echo-reply

access-list test permit ip

access-list crypto-acl permit ip

global (outside) 15 interface

nat (inside) 15 0 0

static (inside,outside) access-list test 0 0

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address crypto-acl

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address netmask no-xauth no-config-mode

isakmp identity address

isakmp keepalive 10 10

isakmp log 100

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

I would be very grateful for an answer /Jonny


Re: vpn tunnel between vpn3000 and pix 501

If you are using an old version of the PIX (6.1 and before), you may be encountering the bug CSCdz01450. The workaround is to upgrade the PIX to a version above 6.2.
