
Linksys BEFVP41 VPN router and PIX 515

okretzer
Level 1

I can't seem to get the Linksys VPN router to work with the PIX 515. Can anyone tell me what commands I need to put into the PIX to get these two to talk to each other?

thanks


cjacinto
Cisco Employee

On the PIX side you could follow the config on:

http://www.cisco.com/warp/customer/110/38.html

Then turn on the debugs, i.e.:

debug crypto isakmp

debug crypto ipsec

And see what is not matching on the Linksys side. Also, is the Linksys doing some form of NAT? You have to bypass NAT for the IPsec traffic.

Can you email the sample config? steve_p@tekki.com

Thanks

fred
Level 1

I have successfully implemented a VPN tunnel between the Linksys BEFVP41 device and a PIX 515. I have also been able to get the Linksys to talk to the VPN 3000 concentrator. I used pre-shared keys and static IPs for both. I am now going to try to implement both configurations using a dynamic IP on the Linksys (as if the Linksys is on a cable modem or DSL). I will post my results.

I have a client who has implemented a VPN between a Linksys router and a VPN 3000. However, at least once a day the tunnel drops and requires a reboot of the Linksys router to make it work. Any idea what could be the reason?

I had a very similar issue that I solved by increasing the SA time to 31 days. This was 2678400 seconds. It must be a firmware issue.

BTW: Linksys posted the new firmware on 4/11/02, version 1.40.2.

fred
Level 1

I have received several emails asking how I got the Linksys to connect. I figured that replying to this thread was the logical way to answer all.

Let me first state that I have static IPs on both ends. I am still working on getting it to work with a dynamic IP on the Linksys side. I have configured the devices to use pre-shared keys. On the PIX I have:

crypto map newmap 70 ipsec-isakmp

crypto map newmap 70 match address 170

crypto map newmap 70 set peer xxx.xxx.xxx.xxx

crypto map newmap 70 set transform-set myset

where 170 is the access-list that tells the PIX what subnet to route to that tunnel.

access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0

isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255

(for the pre-shared key)

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

I chose des instead of 3des for performance reasons.

On the Linksys side I have specified the following on the VPN tab:

Tunnel 1, and gave it a name

local secure group - subnet

remote secure group - subnet and specified the 192.168.1.0 network

remote security gateway - IP addr of the pix

selected des and md5 (as seen in the pix config)

Key Management - Auto (IKE)

specified the pre-share key and 1000 key timeout

As I mentioned earlier, I have not gotten the dynamic IP Linksys to work with the static PIX. But I am sure I will (given free time).

Hi,

Do you also have a working config between Linksys and 3005? I've been trying to figure out how to make these two boxes work, but no luck. I don't know what I'm missing; I have the latest firmware for the Linksys too. Thanks!

You mention in an earlier email that you were able to get a tunnel created between a Cisco 30xx Concentrator and the Linksys VPN router. What config did you use to accomplish this?

ccolumbus
Level 1

Follow the Cisco instructions for setting up a Cisco 1.1 client to PIX VPN when the client has a dynamic IP address. Don't bother with peer statements. Then, on the Linksys, make SURE that you define the subnet on the PIX secure interface as the Remote Network. If you choose "ANY", the tunnel will fail.

If you use this configuration, the Linksys can connect with a dynamic IP address.
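
The matching that fred and ccolumbus describe above (the same DES, MD5 and key-timeout values on both ends, and Linksys secure groups that mirror the PIX access-list rather than "ANY"), as an added example that is not part of any post in this thread: a Python check over the posted PIX lines. The `LINKSYS` dictionary and its key names are constructed stand-ins for the values entered on the Linksys VPN tab.

```python
import ipaddress
import re

# PIX lines as posted in the thread (pre-shared key and peer lines left out).
PIX_CONFIG = """\
access-list 170 permit ip 192.168.1.0 255.255.255.0 192.168.70.0 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
"""
# Constructed stand-in for the Linksys VPN tab; the key names are hypothetical.
LINKSYS = {"local_group": "192.168.70.0/255.255.255.0",
           "remote_group": "192.168.1.0/255.255.255.0",
           "encryption": "des", "hash": "md5", "lifetime": "1000"}


def parse_pix(text):
    """Return (isakmp policy dict, (local_net, remote_net)) from PIX config text."""
    policy, selector = {}, None
    for line in text.splitlines():
        m = re.match(r"isakmp policy \d+ (\S+) (\S+)", line)
        if m:
            policy[m.group(1)] = m.group(2)
        m = re.match(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            selector = tuple(ipaddress.ip_network("/".join(p)) for p in (m.group(1, 2), m.group(3, 4)))
    return policy, selector


def find_mismatches(pix_text, linksys):
    """List the settings that differ between the PIX and the Linksys side."""
    policy, (pix_local, pix_remote) = parse_pix(pix_text)
    problems = []
    for key in ("encryption", "hash", "lifetime"):
        if policy.get(key) != linksys[key]:
            problems.append(f"{key}: PIX {policy.get(key)} vs Linksys {linksys[key]}")
    # The Linksys groups must be the mirror image of the PIX access-list.
    for side, expected in (("remote_group", pix_local), ("local_group", pix_remote)):
        value = linksys[side]
        if value.upper() == "ANY":
            problems.append(f"{side}: ANY instead of subnet {expected}")
        elif ipaddress.ip_network(value) != expected:
            problems.append(f"{side}: {value} does not mirror {expected}")
    return problems


if __name__ == "__main__":
    print(find_mismatches(PIX_CONFIG, LINKSYS) or "settings mirror each other")
```

DES, MD5 and Diffie-Hellman group 1 in the posted policy are obsolete; the check works unchanged when both ends are set to stronger values.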