12-23-2010 03:22 AM
I am trying to create a vpn tunnel between a PIX 506E and a Linksys RV042. I have configured Phase 1 and Phase 2 as well as the transform set and interested traffic and tied it to the outside interface but it will not create the tunnel. The configurations are as follows:
PIX 506E running IOS 6.3
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp key ******** address 96.10.xxx.xxx netmask 255.255.255.255
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map Columbia_to_Office 10 ipsec-isakmp
crypto map Columbia_to_Office 10 match address 101
crypto map Columbia_to_Office 10 set peer 96.10.xxx.xxx
crypto map Columbia_to_Office 10 set transform-set ESP-3DES-SHA
crypto map Columbia_to_Office interface outside
Linksys RV042
Local Group Setup
IP Only
IP Address: 96.10.xxx.xxx
Local Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
Remote Group Setup
IP Only
IP Address: 66.192.xxx.xxx
Remote Security Group Type: Subnet
IP Address: 192.168.21.0
Subnet Mask: 255.255.255.0
IPSec Setup
Keying Mode: IKE with Preshared key
Phase1 DH Group: Group2
Phase1 Encryption: 3DES
Phase1 Authentication: SHA1
Phase1 SA Lifetime: 86400
Phase2 Encryption: 3DES
Phase2 Authentication: SHA1
Phase2 SA Lifetime: 3600 seconds
Preshared Key ********
I am a bit of a novice on VPN. Thank you in advance for your expertise.
12-23-2010 03:58 AM
The VPN configuration seems to be correct.
However, I don't see that you include the NAT exemption. Can you please advise if NAT exemption between 192.168.21.0/24 and 192.168.1.0/24 has been configured?
12-23-2010 04:00 AM
Hi,
Have you authorized isakmp (udp 500) as well as esp on your Pix? :
sysopt connection permit-ipsec command
Is isakmp enabled? : show run crypto isakmp
Are you exempting VPN traffic from NAT ? sh run nat and sh run global
can you then post sh crypto isa sa and sh crypto ipsec sa
Regards.
Alain.
12-23-2010 04:06 AM
Sorry for the ignorant questions but I am new to VPN. How do I authorize isakmp (udp 500) as well as esp on the Pix?
I ran show run crypto isakmp but the pix just returned the show run
I also ran sh run nat with same return of total config
12-23-2010 04:09 AM
How do I verify that I have authorized isakmp (udp 500) as well as esp on the Pix?
Thank you for your help.
12-23-2010 04:19 AM
Yes, PIX version 6.3 does not support sh run nat or sh run crypto.
Please kindly post the full config if you don't mind.
Please also try to send traffic between the 2 subnets and obtain the output of:
show cry isa sa
show cry ipsec sa
12-23-2010 04:33 AM
Running the sh crypto ipsec sa command led me to the answer. The endpoint on the PIX side showed the incorrect local crypto endpoint. I changed that to my WAN IP and voila! Thank you both for your time and I really appreciate your help and expertise.
Have a great day.
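Added example (not from this thread, Cisco or Linksys): a small Python checker that walks the items the replies above raise, namely the crypto ACL mirroring the RV042 security groups, the peer address matching the RV042 WAN address, a NAT exemption for the same subnets, and sysopt connection permit-ipsec, against a constructed PIX 6.3 config; the 203.0.113.10 address and the ACL name nonat are assumptions.

```python
"""Cross-check a PIX 6.3 site-to-site config against the RV042 side (added example)."""
import re

# Constructed sample PIX config, not the poster's actual config.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 192.168.21.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
crypto map Columbia_to_Office 10 ipsec-isakmp
crypto map Columbia_to_Office 10 match address 101
crypto map Columbia_to_Office 10 set peer 203.0.113.10
crypto map Columbia_to_Office interface outside
"""

# Constructed RV042 side: its WAN address and the two security groups.
RV042 = {"wan": "203.0.113.10",
         "local": ("192.168.1.0", "255.255.255.0"),
         "remote": ("192.168.21.0", "255.255.255.0")}

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")

def acl_entries(config, name):
    """Return (src, smask, dst, dmask) tuples for the named access-list."""
    return [m.groups()[1:] for m in ACL_RE.finditer(config) if m.group(1) == name]

def check_pix_against_rv042(config, rv):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    # Crypto map peer and isakmp key address must both be the RV042 WAN address.
    if rv["wan"] not in re.findall(r"crypto map \S+ \d+ set peer (\S+)", config):
        problems.append(f"crypto map peer is not the RV042 WAN address {rv['wan']}")
    if not re.search(rf"isakmp key \S+ address {re.escape(rv['wan'])} ", config):
        problems.append("no isakmp key bound to the RV042 WAN address")
    # Crypto ACL must be the mirror image of the RV042 local/remote groups.
    expected = rv["remote"] + rv["local"]   # PIX source = RV042 remote group
    acl_names = re.findall(r"crypto map \S+ \d+ match address (\S+)", config)
    if not any(expected in acl_entries(config, n) for n in acl_names):
        problems.append("crypto ACL does not mirror the RV042 security groups")
    # NAT exemption: nat (inside) 0 access-list <acl> must cover the same subnets.
    m = re.search(r"nat \(inside\) 0 access-list (\S+)", config)
    if not m or expected not in acl_entries(config, m.group(1)):
        problems.append("no NAT exemption for the VPN subnets")
    if "sysopt connection permit-ipsec" not in config:
        problems.append("sysopt connection permit-ipsec is missing")
    return problems
```

Run it against a pasted running config and an empty list back means the four items are consistent; anything else is the place to look before pulling sh crypto isa sa and sh crypto ipsec sa.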