Site to Site VPN between PIX and Linksys RV042

Gary Jackson
Level 1

I am trying to create a vpn tunnel between a PIX 506E and a Linksys RV042.  I have configured Phase 1 and Phase 2 as well as the transform set and interested traffic and tied it to the outside interface but it will not create the tunnel.  The configurations are as follows:

PIX 506E running IOS 6.3

isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp key ******** address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map Columbia_to_Office 10 ipsec-isakmp
crypto map Columbia_to_Office 10 match address 101
crypto map Columbia_to_Office 10 set peer 96.10.xxx.xxx
crypto map Columbia_to_Office 10 set transform-set ESP-3DES-SHA
crypto map Columbia_to_Office interface outside

Linksys RV042

Local Group Setup
     IP Only
     IP Address: 96.10.xxx.xxx
     Local Security Group Type: Subnet
     IP Address: 192.168.1.0
     Subnet Mask: 255.255.255.0

Remote Group Setup
     IP Only
     IP Address: 66.192.xxx.xxx
     Remote Security Group Type: Subnet
     IP Address:  192.168.21.0
     Subnet Mask: 255.255.255.0

IPSec Setup
     Keying Mode: IKE with Preshared key
     Phase1 DH Group: Group2
     Phase1 Encryption: 3DES
     Phase1 Authentication: SHA1
     Phase1 SA Lifetime: 86400
   
     Phase2 Encryption: 3DES
     Phase2 Authentication: SHA1
     Phase2 SA Lifetime: 3600 seconds
     Preshared Key ********

I am a bit of a novice on VPN. Thank you in advance for your expertise.

Jennifer Halim
Cisco Employee

The VPN configuration seems to be correct.

However, I don't see that you include the NAT exemption. Can you please advise if NAT exemption between 192.168.21.0/24 and 192.168.1.0/24 has been configured?

cadet alain
VIP Alumni

Hi,

Have you authorized isakmp (udp 500) as well as esp on your Pix? :

sysopt connection permit-ipsec command

Is isakmp enabled? :  show run crypto isakmp

Are you exempting VPN traffic from NAT ?  sh run nat and sh run global

Can you then post sh crypto isa sa and sh crypto ipsec sa?

Regards.

Alain.

Don't forget to rate helpful posts.

Sorry for the ignorant questions but I am new to VPN.  How do I authorize isakmp (udp 500) as well as esp on the Pix?

I ran show run crypto isakmp but the pix just returned the show run.

I also ran sh run nat with the same return of the total config.

How do I verify that I have authorized isakmp (udp 500) as well as esp on the Pix?

Thank you for your help.

Yes, PIX version 6.3 does not support sh run nat or sh run crypto.

Please kindly post the full config if you don't mind.


Please also try to send traffic between the 2 subnets and obtain the output of:

show cry isa sa

show cry ipsec sa

Running the sh crypto ipsec sa command led me to the answer.  The endpoint on the PIX side showed the incorrect local crypto endpoint.  I changed that to my WAN IP and voilà!  Thank you both for your time and I really appreciate your help and expertise.

Have a great day.
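
The check that resolved this thread can be scripted. The following is an added example, not part of any post above: it parses a constructed `show crypto ipsec sa` listing and compares the crypto endpoints and proxy identities against what the far-end gateway is configured to expect. The field layout is assumed to follow the PIX listing, and all public addresses are documentation-range placeholders.

```python
import re

# Constructed sample; layout assumed to match PIX `show crypto ipsec sa`.
# Public addresses are placeholders, not the masked IPs from the thread.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: Columbia_to_Office, local addr. 192.0.2.77

   local  ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 203.0.113.10:500
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
     local crypto endpt.: 192.0.2.77, remote crypto endpt.: 203.0.113.10
"""

# Far-end view (the RV042's Local/Remote Group Setup); key names are hypothetical.
REMOTE_VIEW = {
    "its_own_wan": "203.0.113.10",      # RV042 Local Group IP
    "expected_peer": "198.51.100.20",   # RV042 Remote Group IP (PIX WAN address)
    "its_local_net": "192.168.1.0/255.255.255.0",
    "its_remote_net": "192.168.21.0/255.255.255.0",
}

def parse_sa(text):
    """Extract crypto endpoints and proxy identities from the SA listing."""
    ep = re.search(r"local crypto endpt\.:\s*([\d.]+),\s*"
                   r"remote crypto endpt\.:\s*([\d.]+)", text)
    ident = dict(re.findall(r"(local|remote)\s+ident[^:]*:\s*\(([\d.]+/[\d.]+)/", text))
    if not ep or set(ident) != {"local", "remote"}:
        raise ValueError("unrecognised SA output")
    return {"local_ep": ep.group(1), "remote_ep": ep.group(2),
            "local_net": ident["local"], "remote_net": ident["remote"]}

def check_tunnel(sa_text, remote):
    """Return a list of mismatches between this side's SA and the far-end config."""
    sa = parse_sa(sa_text)
    pairs = [  # (label, value seen locally, value the far end expects)
        ("local crypto endpoint", sa["local_ep"], remote["expected_peer"]),
        ("remote crypto endpoint", sa["remote_ep"], remote["its_own_wan"]),
        ("local ident", sa["local_net"], remote["its_remote_net"]),
        ("remote ident", sa["remote_net"], remote["its_local_net"]),
    ]
    return [f"{label}: have {seen}, far end expects {want}"
            for label, seen, want in pairs if seen != want]

if __name__ == "__main__":
    for problem in check_tunnel(SAMPLE_SA, REMOTE_VIEW):
        print(problem)
```

With the constructed sample, only the local crypto endpoint is reported, which is the same symptom described in the final post.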