Linksys BEFVP41 - Cisco 525 7.2(3) VPN Problem

Status
Not open for further replies.

cmorriso

IS-IT--Management
Oct 3, 2007
2
US
Hello,

I recently upgraded my Cisco 525 PIX from v6.3 to v7.2(3). Although everything worked fine (after some minor adjustments etc.), I am unable to connect from my Linksys BEFVP41 through LAN-2-LAN VPN from home to the PIX. I have tried various different suggestions but am still left with the same result. Just out of curiosity I connected the same Linksys box via VPN to another PIX running v6.3 and it worked fine.

The connection passes Phase1 and Phase2 without any difficulty (even with the Dynamic mapping) but after about 30 seconds I get the following error from the debug crypto isakmp 200 command:

Oct 03 11:32:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.xxx, Active unit receives a centry expired event for remote peer xxx.xxx.xxx.xxx.
Oct 03 11:32:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = xxx.xxx.xxx.xxx, IKE Deleting SA: Remote Proxy 192.168.208.0, Local Proxy 10.0.0.0

Does anybody have any ideas how I can get these two devices to talk to each other as I really do not want to roll back to 6.3?

Thanks in advance
 
:
PIX Version 7.2(3)
!
hostname --------------
domain-name ------------------
enable password -------------- encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.180 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
passwd --------------- encrypted
boot system flash:/image.bin
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name --------------------
object-group service ---- omitted -----
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.0.0
access-list client_vpn extended permit ip 10.0.0.0 255.255.255.0 192.168.188.0 255.255.255.0
access-list vpn-l2l extended permit ip 10.0.0.0 255.0.0.0 192.168.208.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnclient 192.168.188.10-192.168.188.100
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xxx.xxx.xxx.10-xxx.xxx.xxx.159 netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0

---- omitted ----

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.190 1
route inside 10.0.0.0 255.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout uauth 0:05:00 absolute

--- omitted ----

crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
crypto dynamic-map ciscoclient 30 set transform-set vpn1
crypto dynamic-map VPN-DYNAMIC-MAP 400 set transform-set vpn1
crypto map mymap 20 ipsec-isakmp dynamic ciscoclient
crypto map mymap 400 ipsec-isakmp dynamic VPN-DYNAMIC-MAP
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000

---- omitted -----

telnet timeout 5
ssh timeout 5
ssh version 1
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default

---- omitted ----
!
service-policy global_policy global

group-policy vpn_l2l internal
group-policy vpn_l2l attributes
pfs disable

tunnel-group DefaultL2Lgroup type ipsec-ra
tunnel-group DefaultL2Lgroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold infinite
prompt hostname context
Cryptochecksum:
: end
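
Added example, not part of the original post and not Cisco tooling: a small Python check that parses the `crypto isakmp policy` blocks of a config like the one posted above and lists the Phase 1 proposals that offer DES, MD5 or DH group 2, plus `ssh version 1`. The function names and the flag list are this example's own assumptions, and the sample input is abridged from the posted config.

```python
import re

# Constructed input: IKE and SSH lines abridged from the PIX 7.2(3) config in the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
crypto isakmp policy 30
encryption 3des
hash md5
group 2
crypto isakmp policy 65535
encryption 3des
hash sha
group 2
ssh version 1
"""

# Flag list chosen for this example (an assumption, not a Cisco-defined list).
WEAK = {("encryption", "des"): "single DES, 56-bit key",
        ("hash", "md5"): "MD5 integrity hash",
        ("group", "2"): "1024-bit MODP Diffie-Hellman group"}

def parse_isakmp_policies(config):
    """Return {priority: {setting: value}} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        words = line.split()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", " ".join(words))
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and len(words) == 2 and words[0] in (
                "authentication", "encryption", "hash", "group", "lifetime"):
            current[words[0]] = words[1]
        else:
            current = None  # any other line closes the policy block
    return policies

def audit(config):
    """Return (location, setting, reason) findings, lowest policy number first."""
    findings = []
    for prio, settings in sorted(parse_isakmp_policies(config).items()):
        findings += [(f"isakmp policy {prio}", " ".join(i), WEAK[i])
                     for i in settings.items() if i in WEAK]
    if re.search(r"^\s*ssh version 1\s*$", config, re.M):
        findings.append(("management", "ssh version 1", "SSH protocol 1 enabled"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns seven findings, starting with policy 1 (the lowest priority number in the config), which offers single DES with MD5.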
 