03-17-2008 09:54 PM - edited 03-09-2019 08:19 PM
I'm trying to get a VPN tunnel going between these two devices, and no matter what I do, it just won't work...
On the WRVS4400N, under IPsec, the Group field says 768-bit.
On the PIX there are no bits; it just says group #.
Has anyone ever done something similar?
03-20-2008 12:43 PM
Can you post the configuration from the Pix and also "deb cr is" and "deb cr ips" from the pix when you are having issues trying to bring up the tunnel.
Regards,
Arul
03-23-2008 05:04 PM
I used the ASDM wizard to create the VPN tunnel; here is what it proposed that I use:
!PIX
!Single Routed
!23-Mar-08_19.53.50
!Preview CLI Commands
access-list outside_20_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXXXX
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map outside_map 20 set transform-set ESP-3DES-SHA
I replaced the IP with XXX.XXX.XXX.XXX, and I also replaced my shared key.
And this is from the side of my Linksys router:
Local Group Setup
Local Security Gateway Type: IP Only
IP Address: XXX.XXX.XXX.XXX
Local Security Group Type: Subnet
IP Address: 10.10.10.0
Subnet Mask: 255.255.255.240
Remote Group Setup
Remote Security Gateway Type: IP Only
IP Address: XXX.XXX.XXX.XXX
Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
IPSec Setup
Keying Mode: IKE With Preshared key
Phase1
Encryption: 3DES
Authentication: SHA1
Group: 768-bit
Key Life Time: 28800
Phase2:
Encryption: 3DES
Authentication: SHA1
Perfect Forward Secrecy: Enable
Preshared Key: XXXXXXXXXXXX
Group: 768-bit
Key Life Time: 3600sec
03-23-2008 07:14 PM
Diffie-Hellman processes the secret key exchanged between the two IPsec tunnel endpoints. The 768-bit refers to Diffie-Hellman group type 1; there are several types of Diffie-Hellman groups: 1, 2, 5, 7.
In your PIX config you have Group 2, which specifies 1024-bit, while the other side is group 1, 768-bit. These settings must match at both ends, otherwise the tunnel will not come up during IPsec phase 1.
In the PIX, change "crypto map outside_map 20 set pfs group2" to "crypto map outside_map 20 set pfs group1".
HTH
Rgds
Jorge
03-23-2008 08:57 PM
Correction: to change the DH group from 2 to 1 you need to change it in your IKE policy, which is part of IPsec phase 1. So look in your configuration for the statement "isakmp policy xx group Y", where xx is your IKE policy number and Y is the Diffie-Hellman type 1, 2 or 5. You want 1:
isakmp policy xx group 1
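The thread's diagnosis is a Diffie-Hellman group mismatch: the Linksys shows the group as a modulus size (768-bit = group 1), while the PIX names the group number, and phase 1 (isakmp policy ... group N) and phase 2 PFS (set pfs groupN) each have to agree with the peer. The script below is an added example, not code from either poster or from Cisco/Linksys; it parses both configuration styles, converts bit sizes to group numbers, and reports which phase disagrees. The sample configuration text, policy number 10 and the helper names are constructed for the example.

```python
import re

# Diffie-Hellman MODP group number -> modulus size in bits.
# Groups 1, 2 and 5 are the ones named in the thread; 14 is added so the
# table covers the minimum size considered adequate today (group 1 is weak).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
BITS_TO_GROUP = {bits: grp for grp, bits in DH_GROUP_BITS.items()}


def parse_pix(config: str) -> dict:
    """Extract the phase-1 and phase-2 (PFS) DH groups from PIX/ASA CLI text.

    Matches both 'isakmp policy 10 group 2' and 'crypto isakmp policy 10 group 2'
    for phase 1, and 'crypto map <name> <seq> set pfs group2' for phase 2.
    """
    result = {"phase1": None, "phase2": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"(?:crypto )?isakmp policy \d+ group (\d+)$", line)
        if m:
            result["phase1"] = int(m.group(1))
            continue
        m = re.match(r"crypto map \S+ \d+ set pfs group(\d+)$", line)
        if m:
            result["phase2"] = int(m.group(1))
    return result


def parse_linksys(text: str) -> dict:
    """Parse the WRVS4400N-style listing ('Phase1', 'Phase2:', 'Group: 768-bit').

    The router expresses the group as a modulus size, so it is mapped back to
    the group number; an unknown size yields None (which then reads as a mismatch).
    """
    result = {"phase1": None, "phase2": None}
    phase = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"Phase\s*1:?$", line, re.I):
            phase = "phase1"
        elif re.match(r"Phase\s*2:?$", line, re.I):
            phase = "phase2"
        m = re.match(r"Group:\s*(\d+)\s*-?\s*bit", line, re.I)
        if m and phase:
            result[phase] = BITS_TO_GROUP.get(int(m.group(1)))
    return result


def compare_dh(pix: dict, linksys: dict) -> list:
    """Return [(phase, pix_group, linksys_group), ...] for every phase that differs."""
    return [
        (phase, pix.get(phase), linksys.get(phase))
        for phase in ("phase1", "phase2")
        if pix.get(phase) != linksys.get(phase)
    ]


# Constructed sample: the PIX as the ASDM wizard left it (group 2 in both phases).
PIX_AS_PROPOSED = """
isakmp policy 10 group 2
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""

# Constructed sample: the same PIX after applying the thread's correction.
PIX_CORRECTED = PIX_AS_PROPOSED.replace("group 2", "group 1").replace("group2", "group1")

# Constructed sample: the Linksys side, 768-bit (group 1) in both phases.
LINKSYS_SIDE = """
Phase1
Encryption: 3DES
Group: 768-bit
Phase2:
Encryption: 3DES
Perfect Forward Secrecy: Enable
Group: 768-bit
"""


def check_tunnel(pix_cfg: str, linksys_cfg: str) -> list:
    """Convenience wrapper: parse both sides and return the DH mismatches."""
    return compare_dh(parse_pix(pix_cfg), parse_linksys(linksys_cfg))


if __name__ == "__main__":
    for label, cfg in (("as proposed", PIX_AS_PROPOSED), ("corrected", PIX_CORRECTED)):
        problems = check_tunnel(cfg, LINKSYS_SIDE)
        if problems:
            for phase, pix_grp, lk_grp in problems:
                print(f"{label}: {phase} DH mismatch, PIX group {pix_grp} vs Linksys group {lk_grp}")
        else:
            print(f"{label}: DH groups agree in both phases")
```

Running it prints two mismatches for the wizard's output (group 2 vs group 1 in phase 1 and in PFS) and none after the correction. Either side could equally be moved to a stronger common group; the point is that both the IKE policy and the PFS setting are compared separately, because the crypto map PFS line alone does not fix phase 1.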