Cisco Support Community
New Member

PIX 501 6.3 - how to enable aggressive mode? lifetime gets ignored

Dear Forum-Users,

How can I enable aggressive mode for a site-to-site connection with PSK on my PIX 501 6.3? There is an option like phase1-mode aggressive for ASAs, but not for the "old" PIX. Ideas?

Second question: even though I set isakmp policy 5 lifetime 600, the PIX is still using 28800 for the VPN connection. Ideas? Policy number 5 is the only policy on my PIX.

Thanks in advance.

Stefan

11 REPLIES
Super Bronze

1) For site-to-site VPN tunnel on PIX version 6.3, you can't enable aggressive mode. That feature is only available from version 7.x.

2) Can you please advise how you determine the lifetime is negotiated to be 28800?

New Member

Thank you for your answer.

2) The other side is complaining about the lifetime:

Apr 22 09:37:58 black racoon: ERROR: long lifetime proposed: my:600 peer:28800
Apr 22 09:37:58 black racoon: ERROR: not matched
Apr 22 09:37:58 black racoon: ERROR: no suitable policy found.

Peer is in this case the pix 501.

Thanks in advance.

Stefan

Super Bronze

Can you please share the isakmp policy on both ends? Also which version of 6.3 are you running? And what device is this end?

New Member

isakmp enable outside
isakmp key mykey address 80.82.223.63 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp log 99
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 600

Cisco PIX Firewall Version 6.3(5)

The other side is ipsec-tools/racoon 0.7.3 (the old KAME stuff).

Thanks

stefan

Super Bronze

Thanks. Can you also share the isakmp policy on the racoon server?

You can also run "debug crypto isakmp" on the PIX end, and share the debug output.

Seems like the policy does not match.

New Member

Here is the debug output after I try to establish a connection with the remote side:

(output removed so as not to disclose too much information)

Super Bronze

I am not familiar with racoon; however, based on the racoon configuration, it seems that the lifetime of 600 is set for phase 2, not phase 1 (ISAKMP).

On the PIX, try to change the ISAKMP lifetime back to 28800 for policy 5.

New Member

Damn, now I see the problem. How do I then set the lifetime on the PIX side for phase 2 (rekeying of SAs)?

Stefan

Super Bronze

It would be under the crypto map section.

Command: crypto map <map-name> <seq-num> set security-association lifetime seconds 28800
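The phase 1 versus phase 2 mapping that the two replies above describe, written out side by side as an added example (this is not configuration taken from the original posts): a racoon.conf whose remote {} block carries the phase 1 (ISAKMP SA) lifetime and whose sainfo block carries the phase 2 (IPsec SA) lifetime, beside the PIX 6.3 commands that control each phase. The racoon address 80.82.223.63 and the ISAKMP policy 5 parameters are the ones from the thread; the PIX address 192.0.2.10, the subnets 10.1.0.0/24 and 10.2.0.0/24, the map name vpnmap, the ACL name vpn-acl and the transform-set name strong are assumed. The PIX 6.3 defaults quoted in the comments (86400 s for the ISAKMP SA, 28800 s for the IPsec SA) are the documented ones.

```text
# ---------------- racoon side: /etc/racoon/racoon.conf (ipsec-tools 0.7.x) ----------------
path pre_shared_key "/etc/racoon/psk.txt";

# PHASE 1 (ISAKMP SA). The lifetime here is the one "isakmp policy N lifetime" on the PIX
# must match. 192.0.2.10 is the assumed PIX address (not given in the thread).
remote 192.0.2.10 {
        exchange_mode main;             # PIX 6.3 has no aggressive-mode knob for L2L, so use main mode
        my_identifier address;
        lifetime time 28800 sec;        # phase 1 lifetime <-> PIX "isakmp policy 5 lifetime 28800"
        proposal_check strict;          # strict/claim reject a longer peer lifetime, which is what the
                                        # "long lifetime proposed: my:600 peer:28800" log shows;
                                        # obey (the default) would accept the initiator's value instead
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# PHASE 2 (IPsec SA). This lifetime is NOT compared with "isakmp policy"; it is compared with
# the PIX crypto map (or global "crypto ipsec") security-association lifetime.
sainfo address 10.2.0.0/24 any address 10.1.0.0/24 any {
        pfs_group 2;
        lifetime time 600 sec;          # phase 2 lifetime <-> PIX "set security-association lifetime seconds 600"
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

! ---------------- PIX 501 6.3 side (names vpnmap / vpn-acl / strong are assumed) ----------------
! PHASE 1 (ISAKMP SA): "isakmp policy" is the ONLY place this lifetime is set.
! If it is omitted, PIX 6.3 proposes its default of 86400 s.
isakmp enable outside
isakmp key ******** address 80.82.223.63 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
! matches racoon remote { lifetime time 28800 sec; }

! PHASE 2 (IPsec SA): set per crypto map entry, or for every map with
!   crypto ipsec security-association lifetime seconds 600
! If neither is set, PIX 6.3 proposes its default of 28800 s. That default is the
! "peer:28800" racoon logged against its own 600 s sainfo lifetime, even though the
! PIX ISAKMP policy said 600, because the two values belong to different phases.
access-list vpn-acl permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-acl
crypto map vpnmap 10 set peer 80.82.223.63
crypto map vpnmap 10 set pfs group2
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap 10 set security-association lifetime seconds 600
! matches racoon sainfo { lifetime time 600 sec; }
crypto map vpnmap interface outside
```

Either side can be changed to match the other; what matters is that the phase 1 values are compared with each other and the phase 2 values with each other. On the PIX, show crypto isakmp sa and show crypto ipsec sa (the latter prints the remaining key lifetime in kilobytes and seconds per SA) confirm which lifetimes were actually negotiated after the change.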

New Member

Awesome! That's it! Thank you very much. I owe you a beer.

Super Bronze

Cheers.
