PIX to Linksys LAN 2 LAN VPN Problems

bbeal
Level 1

I have a customer that is replacing an existing Linksys router with a PIX. The Linksys is set up today with a LAN 2 LAN VPN connection to another Linksys. I am attaching the Linksys config, but I cannot get the PIX to successfully encrypt packets to send to the Linksys site, or vice versa. I know this subject has been beat to death, but I still need help. Can someone look at the Linksys config and tell me what this requires on the PIX side? Thanks for any help!

5 Replies

jzsides
Level 1

Can you post the PIX Config?

ehirsel
Level 6

On the pix you would code an acl as follows:

access-list acl_linksys permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

This is the inverse of the linksys remote and local subnets/secure groups.

You will need to define a preshare key to match what is contained on the linksys:

cry isakmp key xxxx address remote-linksys-address

Next you will need to setup the ipsec transform set and isakmp policies to match how the linksys is configured:

isakmp policy 10 authen pre-share

isakmp policy 10 encry des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 3600

crypto ipsec transform-set ts01 esp-des esp-md5-hmac

On the pix crypto map you will need to set it up like so:

cry map map01 10 match-address acl_linksys

cry map map01 10 set peer remote-linksys-address

cry map map01 10 set transform-set ts01

cry map map01 10 set pfs group1

cry map map01 10 set security-association lifetime seconds 3600

Then you will need to enable isakmp and the crypto map on the pix outside interface - run these commands:

isakmp enable outside

crypto map map01 interface outside

I assume that you will not nat traffic destined for the other side of the vpn connection. To accomplish nat bypass create this acl and use this command:

access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list vpn_acl

Let me know if this helps. If you run into any issues with the pix, here are some handy debug commands:

debug cry isakmp

debug cry ipsec

Just run the isakmp debug first until you are sure that the phase 1 SAs are established. Then run the other command to help find out why the phase 2 SAs are not getting initialized.

Ensure that the preshare key is the same on both ends before you start troubleshooting - case does matter.
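As an added example, not code from the thread or from Cisco, here is a small Python lint for the consistency points the post above walks through: the crypto ACL being the inverse of the Linksys local/remote groups, the nat 0 ACL covering the same traffic, the pre-shared key bound to the same address as the crypto map peer, the referenced transform set being defined, and ISAKMP enabled on the interface the crypto map is applied to. The embedded PIX fragment is constructed from the commands above with a placeholder peer address and key, and the patterns cover only the command forms used in this thread.

```python
import ipaddress
import re

# Constructed PIX fragment modelled on the commands in the thread; the peer
# address (203.0.113.10, a documentation range) and the key are placeholders.
PIX_CONFIG = """
access-list acl_linksys permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_acl permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list vpn_acl
isakmp key PLACEHOLDER_PSK address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp enable outside
crypto ipsec transform-set ts01 esp-des esp-md5-hmac
crypto map map01 10 match-address acl_linksys
crypto map map01 10 set peer 203.0.113.10
crypto map map01 10 set transform-set ts01
crypto map map01 interface outside
"""

def parse_acls(cfg):
    """Map ACL name -> list of (source, destination) networks from permit-ip lines."""
    acls = {}
    for name, sa, sm, da, dm in re.findall(
            r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", cfg):
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{sa}/{sm}"), ipaddress.ip_network(f"{da}/{dm}")))
    return acls
def first(cfg, pattern):  # first capture group of pattern, or None if the command is absent
    m = re.search(pattern, cfg)
    return m.group(1) if m else None
def lint_lan2lan(cfg, linksys_local, linksys_remote):
    """Return findings for the consistency problems raised in the thread; [] means OK."""
    acls, findings = parse_acls(cfg), []
    crypto_acl = first(cfg, r"crypto map \S+ \d+ match-address (\S+)")
    # 1. The PIX crypto ACL must be the inverse of the Linksys local/remote groups.
    want = [(ipaddress.ip_network(linksys_remote), ipaddress.ip_network(linksys_local))]
    if acls.get(crypto_acl) != want:
        findings.append(f"crypto ACL {crypto_acl} is not the inverse of the Linksys subnets")
    # 2. nat 0 must exempt exactly the traffic the crypto ACL selects for encryption.
    if acls.get(first(cfg, r"nat \(inside\) 0 access-list (\S+)")) != acls.get(crypto_acl):
        findings.append("nat 0 ACL does not cover the same traffic as the crypto ACL")
    peer, key_addr = first(cfg, r"set peer (\S+)"), first(cfg, r"isakmp key \S+ address (\S+)")
    if peer != key_addr:  # 3. the pre-shared key must be bound to the crypto map peer address
        findings.append(f"isakmp key address {key_addr} differs from crypto map peer {peer}")
    ts_used = first(cfg, r"set transform-set (\S+)")  # 4. the map's transform set must exist
    if ts_used not in re.findall(r"crypto ipsec transform-set (\S+)", cfg):
        findings.append(f"transform-set {ts_used} is referenced but not defined")
    # 5. ISAKMP must be enabled on the interface the crypto map is applied to.
    if first(cfg, r"crypto map \S+ interface (\S+)") != first(cfg, r"isakmp enable (\S+)"):
        findings.append("crypto map interface and isakmp enable interface differ")
    return findings
```

Calling lint_lan2lan(PIX_CONFIG, "192.168.1.0/24", "172.16.1.0/24") with the Linksys local and remote groups returns an empty list for the fragment above, and a swapped subnet pair, a mistyped transform-set name or a peer that differs from the isakmp key address each produces one finding.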

ehirsel
Level 6

Just following up to see if my prior post was of any help, and that you were able to get your issue resolved. Let me know if you need more help.

Thanks for the awesome help! I did need one more thing to get this to work:

isakmp key ******** address XXX.XX.XX.XXX netmask 255.255.255.255 no-xauth no-config-mode

I have no idea what that does, but it did make the difference.

The isakmp key command that you entered does two things:

1. It identifies what pre-share key to use with the remote peer (as both ends need to use the same value), and the no-xauth and no-config-mode tell the pix that the ipsec vpn is a lan-to-lan (aka site-to-site) config and not to expect to do RAS vpn user authentication. This is because the pix code can terminate both types of vpn connections on the same interface, so it needs to be able to determine when and when not to perform additional user authentication for ras vpn users.

Glad your issue was resolved.