Cisco Support Community

PIX 506 to Linksys BEFVPN41 VPN connection issue

I am trying to set up a VPN between a Cisco PIX 506 w/ IOS 6.3(5) and a Linksys BEFVPN41. Below is the config from the PIX and the resulting log from the Linksys. I am using the Linksys BEFVPN as I believe this is supposed to be operable with a PIX. I saw from many threads that Linksys BEFSX41s are problematic to say the least with a PIX.

Here is the config on my Cisco PIX:

ip address outside 6x.xxx.xxx.xx 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set Cisco esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map cisco 1 set peer 2x.xxx.xxx.xx

crypto dynamic-map cisco 1 set transform-set Cisco ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 2x.xxx.xxx.xx netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local VPN

vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 192.168.1.4

vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2 192.168.1.4

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username adminvpn password *********

vpdn enable outside

vpdn enable inside

Here is the log output on the Linksys BEFVPN41:

2005-10-10 22:01:07

2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID

2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH

2005-10-10 22:01:07 IKE[1] ISAKMP SA CKI=[861417a7 8c843633] CKR=[b0b3d1ec 9f7df067]

2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768

2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH

2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID

One problem is I have changed the config on both so many times I believe somewhere I might have screwed up. I have re-read the Cisco config over and over and cannot seem to see what I might have done wrong. Any ideas? Also, in the past we found we could not use a PPTP and Cisco dial-in VPN as they would conflict with each other. But as far as I know a PPTP should not conflict with this IPsec tunnel, correct?


Re: PIX 506 to Linksys BEFVPN41 VPN connection issue

Your config on the PIX looks good to me. I would suggest you verify whether the policies match at both ends of the tunnel. Also, as per my understanding, configuring PPTP and dial-in VPDN must not conflict, because they use different ports.
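
One way to carry out the policy check suggested in the reply, as an added example that is not part of the original thread: the script compares the Phase 1 parameters the Linksys log reports as agreed against the PIX isakmp policies quoted in the question, and notes whether the log shows any Quick Mode reply. The function names are hypothetical, the inputs are copied from the post, and treating reply lines as named QM_* is an assumption based on the AG_R1 line in the log.

```python
import re
# Constructed input: isakmp policy lines and Linksys log lines copied from the post.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
LINKSYS_LOG = """\
2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH
2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID
"""
# Map PIX keywords to the vocabulary the Linksys log prints (DH groups per RFC 2409).
DH_GROUPS = {"1": "MODP_768", "2": "MODP_1024", "5": "MODP_1536"}
AUTH = {"pre-share": "PRESHARED"}

def parse_policies(config):
    """Return {priority: (encryption, hash, auth, dh_group)} in log vocabulary."""
    raw = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        raw.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return {prio: (p.get("encryption", "?").upper(), p.get("hash", "?").upper(),
                   AUTH.get(p.get("authentication"), "?"), DH_GROUPS.get(p.get("group"), "?"))
            for prio, p in raw.items()}

def negotiated_phase1(log):
    """Extract the ISAKMP SA parameters the Linksys reports as agreed."""
    m = re.search(r"ISAKMP SA (\w+) / (\w+) / (\w+) / (\w+)", log)
    return tuple(f.upper() for f in m.groups()) if m else None

def matching_policies(config, log):
    """PIX policy priorities whose parameters equal the negotiated Phase 1 SA."""
    agreed = negotiated_phase1(log)
    return [n for n, p in sorted(parse_policies(config).items()) if p == agreed]

def quick_mode_state(log):
    """(sent, answered): assumes reply lines are named QM_* like the AG_R1 line."""
    events = re.findall(r"(Tx >>|Rx <<) (QM_\w+)", log)
    return (any(d == "Tx >>" for d, _ in events), any(d == "Rx <<" for d, _ in events))

if __name__ == "__main__":
    print("Phase 1:", negotiated_phase1(LINKSYS_LOG), "-> policy", matching_policies(PIX_CONFIG, LINKSYS_LOG))
    print("Quick Mode (sent, answered):", quick_mode_state(LINKSYS_LOG))
```

On the lines quoted in the post, the agreed Phase 1 set (DES / MD5 / PreShared / MODP_768) equals isakmp policy 20, and the log excerpt ends with QM_I1 sent and no Quick Mode reply shown.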
