New Member

WRVS4400N Vs PIX515E

I'm trying to get a VPN tunnel going between these two devices, and no matter what I do, it just won't work...

On the WRVS4400N, under IPSEC, in Group it says 768-bit.

On the PIX there are no bits; it just says group#.

Has anyone ever done something similar?

4 REPLIES
Cisco Employee

Re: WRVS4400N Vs PIX515E

Can you post the configuration from the PIX, and also "deb cr is" and "deb cr ips" from the PIX when you are having issues trying to bring up the tunnel?

Regards,

Arul

New Member

Re: WRVS4400N Vs PIX515E

I used the ASDM wizard to create the VPN tunnel; here is what it proposed that I use:

!PIX

!Single Routed

!23-Mar-08_19.53.50

!Preview CLI Commands

access-list outside_20_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240

access-list inside_nat0_outbound line 2 extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.240

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l

tunnel-group XXX.XXX.XXX.XXX ipsec-attributes

pre-shared-key XXXXXXXXXXXX

isakmp keepalive threshold 10 retry 2

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set pfs group2

crypto map outside_map 20 set peer XXX.XXX.XXX.XXX

crypto map outside_map 20 set transform-set ESP-3DES-SHA

I replaced the IP with XXX.XXX.XXX.XXX, and I also replaced my shared key.

And this is from the side of my Linksys router:

Local Group Setup

Local Security Gateway Type: IP Only

IP Address: XXX.XXX.XXX.XXX

Local Security Group Type: Subnet

IP Address: 10.10.10.0

Subnet Mask: 255.255.255.240

Remote Group Setup

Remote Security Gateway Type: IP Only

IP Address: XXX.XXX.XXX.XXX

Remote Security Group Type: Subnet

IP Address: 192.168.1.0

Subnet Mask: 255.255.255.0

IPSec Setup

Keying Mode: IKE With Preshared key

Phase1

Encryption: 3DES

Authentication: SHA1

Group: 768-bit

Key Life Time: 28800

Phase2:

Encryption: 3DES

Authentication: SHA1

Perfect Forward Secrecy: Enable

Preshared Key: XXXXXXXXXXXX

Group: 768-bit

Key Life Time: 3600sec

Re: WRVS4400N Vs PIX515E

Diffie-Hellman processes the secret key exchanged between the two IPsec tunnel points. The 768-bit refers to Diffie-Hellman group type 1; there are several types of Diffie-Hellman groups: 1, 2, 5, 7.

In your PIX config you have group 2, which specifies 1024-bit; on the other side is group 1, 768-bit. These settings must match at both ends, otherwise the tunnel will not come up during IPsec phase-1.

On the PIX, change from crypto map outside_map 20 set pfs group2 to crypto map outside_map 20 set pfs group1

HTH

Rgds

Jorge

Re: WRVS4400N Vs PIX515E

Correction: to change the DF group from 2 to 1 you need to change it in your IKE policy, which is part of IPsec phase-1, so look in your configuration for the statement isakmp policy xx group Y, where xx is your IKE policy number and Y is the Diffie-Hellman type 1, 2 or 5. You want 1.

isakmp policy xx group 1
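The group comparison discussed in the replies above, as an added Python example (not part of the thread and not Cisco tooling). It maps the PIX group numbers to the bit sizes the WRVS4400N displays and reports where phase 1 and PFS disagree. The `isakmp policy 10 group 2` line, the `LINKSYS` dictionary layout and the function names are assumptions made for illustration.

```python
import re

# Bit sizes of the MODP Diffie-Hellman groups discussed in the thread.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}

# Constructed sample: the crypto map lines are from the posted PIX config; the
# phase-1 line is an assumed policy in the "isakmp policy xx group Y" form.
PIX_CONFIG = """\
isakmp policy 10 group 2
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""

# Values read off the posted WRVS4400N "IPSec Setup" page (layout is assumed).
LINKSYS = {"phase1_bits": 768, "pfs": True, "phase2_bits": 768}

P1_RE = re.compile(r"isakmp policy (\d+) group (\d+)")
PFS_RE = re.compile(r"crypto map (\S+) (\d+) set pfs group(\d+)")


def parse_pix(config):
    """Return ({policy: group}, {(map, seq): group}) found in PIX config text."""
    phase1, pfs = {}, {}
    for line in config.splitlines():
        if m := P1_RE.fullmatch(line.strip()):
            phase1[int(m[1])] = int(m[2])
        elif m := PFS_RE.fullmatch(line.strip()):
            pfs[(m[1], int(m[2]))] = int(m[3])
    return phase1, pfs


def find_mismatches(config, peer):
    """List (setting, pix_bits, peer_bits) for every DH setting that disagrees."""
    phase1, pfs = parse_pix(config)
    peer_p2 = peer["phase2_bits"] if peer["pfs"] else None
    problems = []
    # Phase 1: at least one PIX IKE policy has to offer the peer's group.
    offered = sorted(DH_GROUP_BITS[g] for g in phase1.values() if g in DH_GROUP_BITS)
    if peer["phase1_bits"] not in offered:
        problems.append(("phase1", offered, peer["phase1_bits"]))
    # Phase 2: each crypto map entry's PFS group has to equal the peer's.
    for (name, seq), group in sorted(pfs.items()):
        bits = DH_GROUP_BITS.get(group)
        if bits != peer_p2:
            problems.append((f"pfs {name} {seq}", bits, peer_p2))
    if peer_p2 is not None and not pfs:
        problems.append(("pfs", None, peer_p2))
    return problems
```

Calling `find_mismatches(PIX_CONFIG, LINKSYS)` reports both the phase-1 policy and the PFS setting, since each side names the group differently (number on the PIX, bit size on the WRVS4400N). Which side to change is a separate decision: 768-bit group 1 is the weakest of the groups listed, so where both devices offer a larger common group, matching on that one is preferable.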
