PIX 515 and 3Com OfficeConnect Secure Router

gotee
Level 1

Hey everybody,

I'm trying to establish a site-to-site VPN connection between a PIX 515 and a 3Com 3CR860-95 OfficeConnect Secure Router using IPsec. The router fails to make the VPN connection when it gets to assigning the Diffie-Hellman group. The router supports both groups 1 & 2 and I've tried both of these on the PIX side, but it still fails. Below is the part of the PIX config that pertains to this VPN connection. Have I typed something wrong? Is this version of 3Com router incompatible with a PIX 515? Thanx in advance for your help!

(IPs changed for obvious reasons)

access-list home-acl permit ip 1.1.1.1 255.255.0.0 1.1.1.1 255.255.0.0
access-list home-acl permit ip any 1.1.1.1 255.255.0.0
crypto map TUNNEL 18 ipsec-isakmp
crypto map TUNNEL 18 match address home-acl
crypto map TUNNEL 18 set peer 2.2.2.2
crypto map TUNNEL 18 set transform-set des
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption des
isakmp policy 18 hash md5
isakmp policy 18 group 1
isakmp policy 18 lifetime 1000

The above is all I entered into the PIX to establish the VPN, and these changes show on a "sh run", so I know that they have been applied. It shouldn't be as simple as rebooting the PIX, should it? I've never had to reboot for changes to apply before. Thanx again for your help.

Thomas Tetter

Baptist Children's Homes of NC, Inc.

1 Reply

ehirsel
Level 6

The PIX is using the MD5 hash; can the router support it, or is it expecting to use SHA (also known as SHA-1)?

Also ensure that isakmp enable interface-name has been entered, where interface-name is outside or whatever the name of the interface that the IPsec tunnel terminates on is. And check that the crypto map TUNNEL is applied to that interface as well.

Try running the debug crypto isakmp and debug crypto ipsec commands on the PIX and have the router reconnect. Then post what the PIX logs state, as they will be useful in troubleshooting.

Note that DH can be used in phase 2 (IPsec) as well as phase 1 (IKE), and I am assuming that the failure occurs at phase 1. The log messages from the debug commands will show where the failure is.
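As an added example (not from this thread, and not Cisco or 3Com code), a small Python checker that applies the reply's checks to the posted fragment: it flags a crypto map that is never bound with crypto map NAME interface IFNAME, a bound interface that lacks isakmp enable, and a phase-1 hash or DH group the peer does not support. The peer_hash and peer_groups values are assumptions you would fill in from the router's own IPsec settings.

```python
import re

# Constructed sample: the poster's PIX fragment from the question above (IPs were
# already sanitized by the poster); it lacks the two lines the reply asks about.
PIX_CONFIG = """\
access-list home-acl permit ip 1.1.1.1 255.255.0.0 1.1.1.1 255.255.0.0
access-list home-acl permit ip any 1.1.1.1 255.255.0.0
crypto map TUNNEL 18 ipsec-isakmp
crypto map TUNNEL 18 match address home-acl
crypto map TUNNEL 18 set peer 2.2.2.2
crypto map TUNNEL 18 set transform-set des
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp policy 18 authentication pre-share
isakmp policy 18 encryption des
isakmp policy 18 hash md5
isakmp policy 18 group 1
isakmp policy 18 lifetime 1000
"""

def _matches(lines, pattern):
    """Yield the regex match for every config line that matches pattern."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            yield m

def check_pix_vpn(config, peer_hash=None, peer_groups=()):
    """Return a list of findings; empty means the three checks passed.
    peer_hash ("md5"/"sha") and peer_groups (e.g. ("1", "2")) are what the remote
    gateway supports (assumed read off the router); leave unset to skip those."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    maps = {m.group(1) for m in _matches(lines, r"crypto map (\S+) \d+ ipsec-isakmp$")}
    applied = {m.group(1): m.group(2) for m in _matches(lines, r"crypto map (\S+) interface (\S+)$")}
    enabled = {m.group(1) for m in _matches(lines, r"isakmp enable (\S+)$")}
    for name in sorted(maps):  # every crypto map must be bound to an interface that runs IKE
        if name not in applied:
            findings.append(f"crypto map {name} not bound: add 'crypto map {name} interface <ifname>'")
        elif applied[name] not in enabled:
            findings.append(f"IKE not enabled on {applied[name]}: add 'isakmp enable {applied[name]}'")
    policies = {}  # phase-1 attributes (hash, group, ...) keyed by policy number
    for m in _matches(lines, r"isakmp policy (\d+) (\S+) (\S+)$"):
        policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    for num, attrs in sorted(policies.items()):
        if peer_hash and attrs.get("hash") != peer_hash:
            findings.append(f"isakmp policy {num} uses hash {attrs.get('hash')}; peer expects {peer_hash}")
        if peer_groups and attrs.get("group") not in peer_groups:
            findings.append(f"isakmp policy {num} uses DH group {attrs.get('group')}; peer offers {list(peer_groups)}")
    return findings
```

Run it on the fragment as posted and it reports the unbound crypto map first; once the binding and isakmp enable lines are added, only a hash or group mismatch against the peer remains to be reported.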
