SBNservices
IS-IT--Management
I am trying to set up a VPN between a Cisco PIX 506 w/ IOS 6.3(5) and a Linksys BEFVPN41. Below is the config from the PIX and the resulting log from the Linksys. I am using the Linksys BEFVPN as I believe this is supposed to be operable with a PIX. I saw from many threads that Linksys BEFSX41s are problematic to say the least with a PIX.
Here is the config on my Cisco PIX:
ip address outside 6x.xxx.xxx.xx 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set Cisco esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map cisco 1 set peer 2x.xxx.xxx.xx
crypto dynamic-map cisco 1 set transform-set Cisco ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 2x.xxx.xxx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required
vpdn group PPTP-VPDN-GROUP client configuration address local VPN
vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 192.168.1.4
vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2 192.168.1.4
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username adminvpn password *********
vpdn enable outside
vpdn enable inside
Here is the log output on the Linksys BEFVPN41:
2005-10-10 22:01:07
2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID
2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-10-10 22:01:07 IKE[1] ISAKMP SA CKI=[861417a7 8c843633] CKR=[b0b3d1ec 9f7df067]
2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH
2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID
One problem is I have changed the config on both so many times I believe somewhere I might have screwed up. I have re-read the Cisco config over and over and cannot seem to see what I might have done wrong. Any ideas? Also, in the past we found we could not use a PPTP and Cisco dial-in VPN as they would conflict with each other. But as far as I know a PPTP should not conflict with this IPsec tunnel, correct?
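An added example, not part of the original post: a Python sketch that maps the Phase 1 proposal recorded in the Linksys log back onto the PIX isakmp policy entries and reports the last IKE message logged. The config and log strings are excerpts copied from the post; the function names and the token mapping (MODP_768 as DH group 1, MODP_1024 as group 2) are this example's own.

```python
import re
# Excerpts from the post: PIX isakmp policies (lifetime lines omitted) and the Linksys IKE log.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
LINKSYS_LOG = """\
2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID
2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH
2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768
2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH
2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID
"""
# Assumed mapping from Linksys log tokens to PIX keywords (DH group 1 = 768-bit MODP).
LOG_TO_PIX = {"DES": "des", "3DES": "3des", "MD5": "md5", "SHA": "sha",
              "PreShared": "pre-share", "MODP_768": "1", "MODP_1024": "2"}

def parse_policies(config):  # group "isakmp policy N <key> <value>" lines by N
    policies = {}
    for num, key, value in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(num), {})[key] = value
    return policies

def negotiated_phase1(log):  # read the "ISAKMP SA enc / hash / auth / group" log line
    m = re.search(r"ISAKMP SA (\S+) / (\S+) / (\S+) / (\S+)", log)
    if not m:
        return None
    enc, hsh, auth, grp = (LOG_TO_PIX.get(t, t) for t in m.groups())
    return {"encryption": enc, "hash": hsh, "authentication": auth, "group": grp}

def matching_policy(policies, sa):  # lowest-numbered policy equal on all four fields
    for num in sorted(policies):
        if all(policies[num].get(k) == v for k, v in sa.items()):
            return num
    return None

def last_exchange(log):  # direction and name of the final IKE message in the log
    direction, name = re.findall(r"IKE\[\d+\] (Tx|Rx) \S+ (\w+) :", log)[-1]
    return ("sent" if direction == "Tx" else "received", name)

if __name__ == "__main__":
    sa = negotiated_phase1(LINKSYS_LOG)
    print(sa, matching_policy(parse_policies(PIX_CONFIG), sa), last_exchange(LINKSYS_LOG))
```

On the posted data this reports policy 20 (DES / MD5 / group 1) as the Phase 1 match and QM_I1 as the last message, sent with no reply logged after it.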