
PIX 506 to Linksys BEFVPN41 VPN connection issue

twaite
Level 1

I am trying to set up a VPN between a Cisco PIX 506 w/ IOS 6.3(5) and a Linksys BEFVPN41. Below is the config from the PIX and the resulting log from the Linksys. I am using the Linksys BEFVPN as I believe this is supposed to be operable with a PIX. I saw from many threads that Linksys BEFSX41s are problematic to say the least with a PIX.

Here is the config on my Cisco PIX:

ip address outside 6x.xxx.xxx.xx 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

sysopt connection permit-ipsec

sysopt connection permit-pptp

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set Cisco esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map cisco 1 set peer 2x.xxx.xxx.xx

crypto dynamic-map cisco 1 set transform-set Cisco ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp enable outside

isakmp key ******** address 2x.xxx.xxx.xx netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local VPN

vpdn group PPTP-VPDN-GROUP client configuration dns 192.168.1.2 192.168.1.4

vpdn group PPTP-VPDN-GROUP client configuration wins 192.168.1.2 192.168.1.4

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn username adminvpn password *********

vpdn enable outside

vpdn enable inside

Here is the log output on the Linksys BEFVPN41:

2005-10-10 22:01:07

2005-10-10 22:01:07 IKE[1] Tx >> AG_I1 : 6x.xxx.xxx.xx SA, KE, Nonce, ID

2005-10-10 22:01:07 IKE[1] Rx << AG_R1 : 6x.xxx.xxx.xx SA, VID, VID, VID, VID, KE, ID, NONCE, HASH

2005-10-10 22:01:07 IKE[1] ISAKMP SA CKI=[861417a7 8c843633] CKR=[b0b3d1ec 9f7df067]

2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768

2005-10-10 22:01:07 IKE[1] Tx >> AG_I2 : 6x.xxx.xxx.xx HASH

2005-10-10 22:01:07 IKE[1] Tx >> QM_I1 : 6x.xxx.xxx.xx HASH, SA, NONCE, ID, ID

One problem is I have changed the config on both so many times I believe somewhere I might have screwed up. I have re-read the Cisco config over and over and cannot seem to see what I might have done wrong. Any ideas? Also, in the past we found we could not use a PPTP and Cisco dial-in VPN as they would conflict with each other. But as far as I know a PPTP should not conflict with this IPsec tunnel, correct?

1 Reply

ebreniz
Level 6

Your configs on the PIX look good to me. I would suggest you verify if the policies match at both ends of the tunnel. Also, as per my understanding, configuring PPTP and dial-in VPDN must not conflict, because they use different ports.
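The policy comparison suggested in the reply can be done mechanically from what was posted. The following is an added example, not part of the original thread: it parses the `isakmp policy` lines from the PIX config, reads the Phase 1 parameters the Linksys logged, and reports which PIX policy they correspond to and which of them are weak. The function names and the `WEAK` table are assumptions of this example; the config and log lines are copied from the post.

```python
import re

# Copied from the PIX config and the Linksys log posted in this thread.
PIX_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""
LINKSYS_LOG = "2005-10-10 22:01:07 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_768"
# IKE Diffie-Hellman group number -> name as printed in the Linksys log.
DH_GROUPS = {"1": "MODP_768", "2": "MODP_1024", "5": "MODP_1536"}
# Assumption of this example: values generally considered too weak for new tunnels.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"MODP_768"}}

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for prio, attr, value in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(prio), {})[attr] = value
    return policies

def parse_negotiated_sa(log):
    """Extract the Phase 1 parameters from the 'ISAKMP SA a / b / c / d' log line."""
    m = re.search(r"ISAKMP SA (\S+) / (\S+) / (\S+) / (\S+)", log)
    if m is None:
        return None  # Phase 1 never completed, so there is nothing to compare
    enc, digest, auth, group = m.groups()
    auth = "pre-share" if auth == "PreShared" else auth.lower()
    return {"encryption": enc.lower(), "hash": digest.lower(), "authentication": auth, "group": group}

def matching_policies(policies, sa):
    """PIX policy priorities whose attributes equal the SA the peer logged."""
    keys = ("encryption", "hash", "authentication")
    return [prio for prio, p in sorted(policies.items())
            if all(p.get(k) == sa[k] for k in keys) and DH_GROUPS.get(p.get("group")) == sa["group"]]

def weak_parameters(sa):
    """Negotiated attributes that fall in the WEAK sets above."""
    return sorted(k for k, bad in WEAK.items() if sa[k] in bad)

if __name__ == "__main__":
    sa = parse_negotiated_sa(LINKSYS_LOG)
    print("matched PIX policy:", matching_policies(parse_isakmp_policies(PIX_CONFIG), sa))
    print("weak negotiated parameters:", weak_parameters(sa))
```

On the posted data this shows the logged Phase 1 parameters line up with PIX policy 20 rather than the 3DES/SHA/group 2 policy 10, so tightening the Linksys proposal is what would move the tunnel onto the stronger policy.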