From: jcharth on 3 Oct 2005 09:47

Hello, I am unable to set up a tunnel between a PIX and a Linksys VPN router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication and pfs settings".

My settings are: the local secure group is the subnet behind NAT in both routers, the PIX and the Linksys. The remote secure group is the subnet behind the PIX on the Linksys and the subnet behind the Linksys on the PIX. The remote secure gateway is the external address of the PIX in the Linksys and the external address of the Linksys in the PIX. Encryption DES, auth MD5, AutoIKE. No PFS enabled in the PIX or the Linksys. Pre-shared key 123456 in both. Key lifetime 86400 in both. Under advanced settings I tried 768-bit and group 1 in the PIX. I also tried 1024-bit and group 2 in the PIX.

The tunnel seems to be working on the PIX, but on the Linksys it won't connect. Any ideas?
From: Walter Roberson on 3 Oct 2005 10:14

In article <1128347260.702330.219290(a)f14g2000cwb.googlegroups.com>, <jcharth(a)hotmail.com> wrote:
:Hello I am unable to setup a tunnel between a pix and a linksys vpn
:router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication
:and pfs settings"

Which Linksys? I have two here beside me that work without difficulty.

Do you have the 3DES key for your PIX 501?
From: jcharth on 3 Oct 2005 13:55

Looks like I do, right?

Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

I am trying with DES and I get the following output:

OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:10.1.1.101/500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 99618033
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS

Seems like it works but then it does not.
From: jcharth on 3 Oct 2005 16:55

Thanks for the reply. In case anyone has this problem: I had named my transform-set my-set, and I don't think the Linksys liked the dash. I called the transform-set myset instead and it worked.
From: AM on 3 Oct 2005 17:24

jcharth(a)hotmail.com wrote:
> Looks like I do, right?
>
> Failover: Disabled
> VPN-DES: Enabled
> VPN-3DES-AES: Enabled
> Maximum Physical Interfaces: 2
> Maximum Interfaces: 2
> Cut-through Proxy: Enabled
> Guards: Enabled
> URL-filtering: Enabled
> Inside Hosts: 10
> Throughput: Unlimited
> IKE peers: 10
>
> I am trying with DES and I get the following output
>
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
> ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
> ISAKMP:      encryption DES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      auth pre-share
> ISAKMP:      default group 1
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
> ISAKMP:      encryption DES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      auth pre-share
> ISAKMP:      default group 1
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x0 0xe 0x10
> ISAKMP (0): atts are acceptable. Next payload is 3
> ISAKMP (0): SA is doing pre-shared key authentication using id type
> ID_IPV4_ADDR
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500
> dpt:500
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
> ISAKMP (0): processing NONCE payload. message ID = 0
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500
> dpt:500
> OAK_MM exchange
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR
> ISAKMP (0): sending INITIAL_CONTACT notify
> ISAKMP (0): sending NOTIFY message 24578 protocol 1
> ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
> ISAKMP (0): sending NOTIFY message 24576 protocol 1
> VPN Peer: ISAKMP: Peer ip:10.1.1.101/500 Ref cnt incremented to:2 Total
> VPN Peers:1
> crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500
> dpt:500
> OAK_QM exchange
> oakley_process_quick_mode:
> OAK_QM_IDLE
> ISAKMP (0): processing SA payload. message ID = 99618033
> ISAKMP : Checking IPSec proposal 1
> ISAKMP: transform 1, ESP_DES
> ISAKMP:   attributes in transform:
> ISAKMP:      SA life type in seconds
> ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
> ISAKMP:      encaps is 1
> ISAKMP:      authenticator is HMAC-MD5
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> ISAKMP (0): sending NOTIFY message 14 protocol 0
> return status is IKMP_ERR_NO_RETRANS
>
> Seems like it works but then it does not.

Check Phase II parameters. Have you chosen the right ones both on the PIX and the Linksys? It seems that the PIX has only one proposal. Perhaps the DH group... How have you set up the Linksys for phase II?

Alex.