Re: Problem with vpn tunnel when upgrading pix os

cisco7889 · ‎09-26-2005

I´am trying to connect Vpn tunnel between VPN3000 (only basegroup with pre-shared key) and Pix 501. It´s working fine with Pix OS 6.2.2. But when i upgrade to 6.3.5 i get this error "Xauth required but selected Proposal does not support xauth,

Check priorities of ike xauth proposals in ike proposal list". I have checked the basegroup for IKE Proposal and it is correct. Here is my Pix config.

access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.0.0.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.0.0.0 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 192.168.21.25

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 192.168.21.25 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp keepalive 10 10

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

I would be very grateful for an answer. /Jonny

umedryk · ‎10-03-2005

Change to IKE proposal to preshare and see if that works.

jackko · ‎10-04-2005

it may help if you change both isakmp policy and ipsec transform set from des to 3des/aes.

3des is free now. to register with cisco,

http://www.cisco.com/kobayashi/sw-center/ciscosecure/pix.shtml

and select *FREE* Register for PIX DES or 3DES/AES IPSec software feature keys

if your login can't get access, then open a tac case.

jackko · ‎10-15-2005

just wondering how you go.