Question

Site to Site VPN between Cisco ASA 5510 and Firebox X750e

Asked by: CLoz

I'm having trouble creating a VPN tunnel between a Cisco ASA 5510 v 7.0(6) and a Firebox X750e v8.3. I've successfully connected another office using a Cisco PIX 515 to this Firebox using the same configuration, but I can't seem to get it to work with the ASA. I've tried creating the tunnel using the configuration below, which is the same as the PIX, but it won't connect.

This is the error in the log:

4|Jun 26 2007 21:18:04|713903: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
3|Jun 26 2007 21:18:04|713902: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!

Here is the config:

ASA Version 7.0(6)
!
hostname afw
domain-name mydomain.com
enable password p@ssw0rd encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd p@ssw0rd encrypted
ftp mode passive
access-list 102 extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 102 extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm warnings
logging host inside 172.16.1.2
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 102
nat (inside) 10 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password p@ssw0rd  encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myipsec esp-3des esp-sha-hmac
crypto map testmap 10 match address 102
crypto map testmap 10 set pfs
crypto map testmap 10 set peer 2.2.2.2
crypto map testmap 10 set transform-set myipsec
crypto map testmap 10 set security-association lifetime seconds 360
crypto map testmap 10 set security-association lifetime kilobytes 8192
crypto map testmap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 15
dhcpd address 172.16.1.100-172.16.1.199 inside
dhcpd dns 172.16.1.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain mydomain.com
dhcpd enable inside
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command vpn-sessiondb
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server

Thanks,

Asked on: 2007-06-26 at 21:51:03 (ID 22660359)
Tags: asa, cisco, vpn, site
Topics: IPSec Security Protocol, Cisco PIX Firewall, Virtual Private Networking (VPN)
Participating experts: 2; Points: 500; Comments: 8

Answers

 

by: PeteLong, posted on 2007-06-27 at 00:51:44, ID: 19370411

try
no crypto map testmap 10 set pfs
crypto map testmap 10 set pfs group2

any difference? if not simply do the following

no crypto map testmap 10 set pfs group2
crypto map testmap 10 set pfs

 

by: CLoz, posted on 2007-06-27 at 04:29:38, ID: 19371242

No change:
 The default value for pfs is group2 so:
crypto map testmap 10 set pfs == crypto map testmap 10 set pfs group2

Thanks anyway.

 

by: calvinetter, posted on 2007-06-27 at 05:36:46, ID: 19371619

>Ive tried creating the tunnel... but it wont connect.
   Won't even complete Phase 1?

You need a separate but identical ACL for matching the traffic in addition to the "nat 0" ACL, ACL 102's line #2 is incorrect/not needed... see below.  Also suggest you upgrade the ASA - it's running early 7.0 code, which should be considered "semi-beta".

>crypto map testmap 10 set security-association lifetime seconds 360
  I hope that's a typo??  Is that perhaps 3600 seconds?  I seriously doubt you want your boxes having to re-key every 6 min since 'pfs' is enabled!  Regardless, the exact # of sec must match on both boxes, & does the Firebox actually support "lifetime kilobytes 8192"?  If you're not sure, don't use the 'kilobytes' option on the ASA.

  *Run this:
no access-list 102 extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map testmap 10 set security-association lifetime seconds <#>   <- # must match what's set on Firebox
crypto map testmap 10 set security-association lifetime kilobytes 8192  <- either remove entirely or actual kilobytes must match Firebox setting
isakmp nat-traversal
clear xlate
crypto map testmap interface outside  <- always re-apply last to ensure changes take effect

cheers

 

by: CLoz, posted on 2007-06-27 at 18:06:57, ID: 19377520

Made the suggested changes and cleaned up the config but still unable to get past phase 1. This is the error I'm getting now:

Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, processing ke payload
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, processing ISA_KE payload
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, processing nonce payload
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, processing NAT-Discovery payload
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, computing NAT Discovery hash
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, processing NAT-Discovery payload
Jun 27 17:52:45 [IKEv1 DEBUG]: IP =2.2.2.2, computing NAT Discovery hash
Jun 27 17:52:45 [IKEv1]: Group =2.2.2.2, IP =2.2.2.2, Can't find a valid tunnel group, aborting...!
Jun 27 17:52:45 [IKEv1 DEBUG]: Group =2.2.2.2, IP =2.2.2.2, IKE MM Initiator FSM error history (struct &0x3a192c0)  <state>, <event>:  MM_DONE,EV_ERROR-->MM_BLD_MSG5, EV_GROUP_LOOKUP-->MM_BLD_MSG5, EV_TEST_CERT-->MM_BLD_MSG5, EV_SECRET_KEY_OK-->MM_BLD_MSG5, NullEvent-->MM_BLD_MSG5, EV_GEN_SECRET_KEY-->MM_WAIT_MSG4, EV_PROCESS_MSG-->MM_WAIT_MSG4, EV_RCV_MSG
Jun 27 17:52:45 [IKEv1 DEBUG]: Group =2.2.2.2, IP =2.2.2.2, IKESA MM:9b9554b1 terminating:  flags 0x01008022, refcnt 0, tuncnt 0
Jun 27 17:52:45 [IKEv1 DEBUG]: Group =2.2.2.2, IP =2.2.2.2, sending delete/delete with reason message
Jun 27 17:52:45 [IKEv1]: Group =2.2.2.2, IP =2.2.2.2, Removing peer from peer table failed, no match!
Jun 27 17:52:45 [IKEv1]: Group =2.2.2.2, IP =2.2.2.2, Error: Unable to remove PeerTblEntry
Jun 27 17:52:45 [IKEv1]: IP =2.2.2.2, Header invalid, missing SA payload! (next payload = 4)
Jun 27 17:52:45 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 27 17:52:47 [IKEv1]: IP =2.2.2.2, Header invalid, missing SA payload! (next payload = 4)
Jun 27 17:52:47 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 27 17:52:48 [IKEv1]: IP =2.2.2.2, Header invalid, missing SA payload! (next payload = 4)
Jun 27 17:52:48 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 27 17:52:50 [IKEv1]: IP =2.2.2.2, Header invalid, missing SA payload! (next payload = 4)
Jun 27 17:52:50 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Jun 27 17:52:54 [IKEv1]: IP =2.2.2.2, Header invalid, missing SA payload! (next payload = 4)
Jun 27 17:52:54 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68




 

by: CLoz, posted on 2007-06-27 at 18:10:51, ID: 19377533

Here is the new configuration:

asdm image disk0:/asdm506.bin
no asdm history enable
: Saved
:
ASA Version 7.0(6)
!
hostname pfw
domain-name europecraft.com
enable password LGZSc6Pp.GjiI9wc encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 101 extended permit ip 172.16.1.0 255.255.255.0 host 2.2.2.2
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any echo
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered warnings
logging trap informational
logging asdm warnings
logging host inside 172.16.1.2
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username dlhcadmin password nyhJQ2GxczW3nWkG encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 172.16.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ciscotowatchguard esp-3des esp-sha-hmac
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 2.2.2.2
crypto map vpnmap 1 set transform-set ciscotowatchguard
crypto map vpnmap interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 28800
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal  20
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 172.16.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 15
dhcpd address 172.16.1.100-172.16.1.199 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 172.16.1.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain europecraft.com
dhcpd enable inside
dhcpd enable management

 

by: CLoz, posted on 2007-06-27 at 18:29:49, ID: 19377608

Oops, added:
crypto map vpnmap 1 set pfs
crypto map vpnmap 1 set security-association lifetime seconds 28800 <-- match Firebox 8 hours

Getting further but still not connecting and getting:
Jun 27 18:23:43 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Received non-routine Notify message: No proposal chosen (14)

Thanks for the help so far.

 

by: CLoz, posted on 2007-06-27 at 19:43:42, ID: 19377847

I finally got it working: the WatchGuard had Group 1 on Phase 2. Changed it to match the Cisco and the tunnel is up.

 

by: calvinetter, posted on 2007-06-27 at 19:46:20, ID: 19377856

Ah, great!  Glad you got it going.

cheers
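The checks this thread converges on (a Phase 1 policy that matches the peer's proposal, Phase 2 transform set / PFS group / SA lifetime agreeing on both ends, and a crypto ACL kept separate from the "nat 0" ACL as calvinetter's first answer advises) can be run offline against the posted ASA lines. The Python script below is an added example, not code from the thread, Cisco or WatchGuard: it parses the crypto-relevant lines quoted in the thread, and because Firebox configuration syntax does not appear on the page, the Firebox-side values are constructed from what the thread states (the "Group 1" PFS setting CLoz found, and the 8-hour lifetime he matched).

```python
"""Offline checker for the IKEv1 mismatches this thread works through: Phase 1
policy matching, Phase 2 alignment (transform set, PFS group, SA lifetime) and
the crypto-ACL versus 'nat 0' ACL lint from calvinetter's first answer.
Added example, not code from the thread; the Firebox side is constructed."""
import re
from collections import defaultdict

# Crypto-relevant lines of the final ASA 7.0(6) config posted in the thread,
# plus the two lines CLoz added afterwards ('set pfs' and the 28800 s lifetime).
ASA_CONFIG = """\
access-list 101 extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ciscotowatchguard esp-3des esp-sha-hmac
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set transform-set ciscotowatchguard
crypto map vpnmap 1 set pfs
crypto map vpnmap 1 set security-association lifetime seconds 28800
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
"""

# The original config, where ACL 102 served both 'nat 0' and the crypto map
# and carried a reversed entry: the two problems the first answer points out.
ORIGINAL_ASA_CONFIG = """\
access-list 102 extended permit ip 172.16.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list 102 extended permit ip 192.168.99.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 102
crypto map testmap 10 match address 102
"""

# Constructed Firebox side (Firebox syntax is not on the page): the Phase 1
# proposal that matched, and Phase 2 with the 'Group 1' PFS setting CLoz found.
FIREBOX_PHASE1 = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
FIREBOX_PHASE2_BEFORE = {"transform": ("esp-3des", "esp-sha-hmac"), "pfs": "group1", "lifetime_seconds": 28800}
FIREBOX_PHASE2_FIXED = dict(FIREBOX_PHASE2_BEFORE, pfs="group2")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line.strip())
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)


def parse_crypto_map(config, name, seq):
    """Collect one crypto map entry and resolve its transform-set to (esp-enc, esp-auth)."""
    sets, entry = {}, {"pfs": None, "transform": None}
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[words[3]] = tuple(words[4:6])
        elif words[:4] == ["crypto", "map", name, str(seq)]:
            rest = words[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                entry["transform"] = rest[2]
            elif rest[:2] == ["set", "pfs"]:
                # A bare 'set pfs' means group2 on the ASA, as CLoz points out.
                entry["pfs"] = rest[2] if len(rest) > 2 else "group2"
            elif rest[:3] == ["set", "security-association", "lifetime"]:
                entry["lifetime_" + rest[3]] = int(rest[4])
    entry["transform"] = sets.get(entry["transform"])
    return entry


def phase1_match(asa_policies, peer_proposal):
    """Walk the ASA policies in priority order; return the first whose auth/encryption/
    hash/group all equal the peer's proposal, or None ('No proposal chosen')."""
    keys = ("authentication", "encryption", "hash", "group")
    for prio in sorted(asa_policies):
        if all(asa_policies[prio].get(k) == peer_proposal[k] for k in keys):
            return prio
    return None


def phase2_check(entry, peer):
    """List each Phase 2 parameter the thread says must agree on both ends."""
    problems = []
    if entry["transform"] != peer["transform"]:
        problems.append(f"transform mismatch: ASA {entry['transform']} vs peer {peer['transform']}")
    if entry["pfs"] != peer["pfs"]:
        problems.append(f"PFS group mismatch: ASA {entry['pfs']} vs peer {peer['pfs']}")
    if entry.get("lifetime_seconds") != peer["lifetime_seconds"]:
        problems.append(f"SA lifetime mismatch: ASA {entry.get('lifetime_seconds')} vs peer {peer['lifetime_seconds']}")
    return problems


def acl_lint(config, entry):
    """Apply the first answer's two rules to the crypto map's match ACL."""
    issues, lines = [], [ln.split() for ln in config.splitlines()]
    nat0 = [w[4] for w in lines if w[:4] == ["nat", "(inside)", "0", "access-list"]]
    if entry["acl"] in nat0:
        issues.append(f"ACL {entry['acl']} is shared between 'nat 0' and the crypto map; use a separate identical ACL")
    flows = [(w[5], w[7]) for w in lines
             if w[:2] == ["access-list", entry["acl"]] and w[2:5] == ["extended", "permit", "ip"]]
    for src, dst in flows:
        if (dst, src) in flows:
            issues.append(f"ACL {entry['acl']} lists both directions ({src} <-> {dst}); keep only local -> remote")
            break
    return issues


if __name__ == "__main__":
    policies, entry = parse_isakmp_policies(ASA_CONFIG), parse_crypto_map(ASA_CONFIG, "vpnmap", 1)
    print("Phase 1 match:", phase1_match(policies, FIREBOX_PHASE1))
    print("Phase 2 before/after:", phase2_check(entry, FIREBOX_PHASE2_BEFORE), phase2_check(entry, FIREBOX_PHASE2_FIXED))
    print("Original ACL lint:", acl_lint(ORIGINAL_ASA_CONFIG, parse_crypto_map(ORIGINAL_ASA_CONFIG, "testmap", 10)))
```

Run as a script it reports policy 2 as the Phase 1 match, a single PFS mismatch for the pre-fix Firebox values and none once PFS is group2 on both sides, and two ACL findings for the original config. The Phase 1 walk is deliberately the responder's view: policies are tried lowest priority number first, so an extra permissive policy (such as the DES/MD5 policy 1 in the final config) never hides a mismatch, it only widens what the peer can negotiate.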
