mnswhit

Linksys to PIX VPN connection

I just purchased this Linksys router and am trying to configure it for one of our remote offices to connect to my main office, but regardless of how I configure it, I seem to consistently get this NO_PROPOSAL_CHOSEN error. I'm using a Linksys WRVS4400 for the remote office and a PIX 515 for the main office.

Here's my Linksys Config

     IPSec VPN Tunnel: Enable
     Tunnel Name: eacvpns2

     Local Security Gateway type: IP Only
     IP address: x.x.x.x
     Local Security Group Type: Subnet
     IP Address: 192.168.5.1
     Subnet Mask: 255.255.255.0

     Remote Security Gateway: IP Only
     IP address: x.x.x.x (pix external IP address)
     Remote Security Group Type: Subnet
     IP Address: 192.168.10.0
     Subnet Mask: 255.255.255.0

     Keying Mode: IKE with Preshared Key
     phase 1
     Encryption: 3DES
     Authentication: MD5
     Group: 1024-bit
     key life time: 86400

     phase 2
     Encryption: 3DES
     Authentication: MD5
     Perfect Forward Secrecy: Disabled
     Preshared Key: testing
     Group: 1024-bit
     key life time: 86400

     Aggressive mode: off
     Netbios Broadcast: off

My PIX config looks like this.

     crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
     crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
     crypto map transam 1 ipsec-isakmp
     crypto map transam 1 match address 101
     crypto map transam 1 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 1 set transform-set eacvpns
     crypto map transam 3 ipsec-isakmp
     crypto map transam 3 match address 103
     crypto map transam 3 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 3 set transform-set eacvpns
     crypto map transam 5 ipsec-isakmp
     crypto map transam 5 match address 105
     crypto map transam 5 set peer x.x.x.x (remote office w/ Linksys WRVS4400N)
     crypto map transam 5 set transform-set eacvpns2
     crypto map transam interface outside
     isakmp enable outside
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 no-xauth no-config-mode (remote office w/ Linksys WRVS4400N)
     isakmp identity address
     isakmp policy 10 authentication pre-share
     isakmp policy 10 encryption des
     isakmp policy 10 hash md5
     isakmp policy 10 group 2
     isakmp policy 10 lifetime 86400
     isakmp policy 20 authentication pre-share
     isakmp policy 20 encryption 3des
     isakmp policy 20 hash md5
     isakmp policy 20 group 2
     isakmp policy 20 lifetime 86400

Here's a copy of my Linksys Logs

Jun 19 15:03:57 - Configuration changed!
Jun 19 15:03:59 - [VPN Log]: shutting down
Jun 19 15:03:59 - [VPN Log]: forgetting secrets
Jun 19 15:03:59 - [VPN Log]: "eacvpns2": deleting connection
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #2: deleting state (STATE_QUICK_I1)
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #1: deleting state (STATE_AGGR_I2)
Jun 19 15:03:59 - [VPN Log]: ERROR: "eacvpns2": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Jun 19 15:04:00 - [VPN Log]: "eacvpns2": unroute-client output: 0
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:00 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Jun 19 15:04:03 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Jun 19 15:04:03 - [VPN Log]: @(#) built on Sep 3 2007:16:44:42:
Jun 19 15:04:03 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Jun 19 15:04:03 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Jun 19 15:04:03 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Jun 19 15:04:03 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 19 15:04:03 - [VPN Log]: starting up 1 cryptographic helpers
Jun 19 15:04:03 - [VPN Log]: started helper pid=2589 (fd:5)
Jun 19 15:04:03 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Jun 19 15:04:03 - [VPN Log]: Warning: empty directory
Jun 19 15:04:03 - [VPN Log]: added connection description "eacvpns2"
Jun 19 15:04:03 - [VPN Log]: listening for IKE messages
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:03 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Jun 19 15:04:05 - [VPN Log]: "eacvpns2": route-client output: 0
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [XAUTH]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Cisco-Unity]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring unknown Vendor ID payload [16df04afde729f9719c0a5dfe0d66fb5]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: I did not send a certificate because I do not have one.
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:12 - ipsec0: no IPv6 routers present
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

I just recently added 3DES to my PIX, so I know that's not an issue. I've tried running with aggressive mode on and off, and many other things that I've found on the web. I'm at a loss as to what to try next.
SOLUTION
Les Moore

This solution is only available to members.

mnswhit

ASKER

I made the changes, but it didn't seem to change the log entries at all. Still can't connect.

Can you post the PIX config?
mnswhit

ASKER

Here it is.
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password NQzjhlBXd7zn61Ax encrypted
passwd NQzjhlBXd7zn61Ax encrypted
hostname Firewall
domain-name evertsair.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.26 Srv02X
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
no pager
logging on
logging timestamp
logging trap debugging
logging history warnings
logging facility 16
logging host inside 192.168.10.45
icmp permit any outside
icmp permit any inside
mtu outside 1460
mtu inside 1460
mtu intf2 1460
ip address outside x.x.62.66 255.255.255.240
ip address inside 192.168.10.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.250.1-192.168.250.20
pdm location 192.168.10.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.10.108 255.255.255.255 inside
pdm location 192.168.250.0 255.255.255.0 outside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.15 255.255.255.255 inside
pdm location Srv02X 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.10.28 255.255.255.255 inside
pdm location 192.168.10.137 255.255.255.255 inside
pdm location 192.168.10.143 255.255.255.255 inside
pdm location 192.168.10.168 255.255.255.255 inside
pdm location 192.168.10.195 255.255.255.255 inside
pdm location 192.168.10.217 255.255.255.255 inside
pdm location 192.168.10.233 255.255.255.255 inside
pdm location 192.168.10.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 104
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0 
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.62.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
http server enable
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set eacvpns esp-des esp-md5-hmac 
crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.192.218
crypto map transam 1 set transform-set eacvpns
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer x.x.104.125
crypto map transam 3 set transform-set eacvpns
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer x.x.190.73
crypto map transam 5 set transform-set eacvpns2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.104.125 netmask 255.255.255.248 
isakmp key ******** address x.x.192.218 netmask 255.255.255.248 
isakmp key ******** address x.x.190.73 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 35
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:7c030a18368b08a051a41d74203e43dc

SOLUTION

This solution is only available to members.

mnswhit

ASKER

Didn't notice that error; however, that didn't seem to fix my issue. I'm still getting the same error logs.
ASKER CERTIFIED SOLUTION

This solution is only available to members.

mnswhit

ASKER

This is what it looks like when I try to connect:
     Firewall# sh cry is sa
     Total     : 3
     Embryonic : 1
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x.192.218    QM_IDLE         0           1
        x.x.62.66  x.x.114.115    AG_NO_STATE   0           0

But it ends up going back to this:

     Firewall# sh cry is sa
     Total     : 2
     Embryonic : 0
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x.192.218    QM_IDLE         0           1


Just in case it catches your eye that the IP is different than the one I listed in my config earlier: I moved the Linksys to a different ISP for troubleshooting. I'm reposting my Cisco config.
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname Firewall
domain-name evertsair.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.26 Srv02X
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
no pager
logging on
logging timestamp
logging trap debugging
logging history warnings
logging facility 16
logging host inside 192.168.10.45
icmp permit any outside
icmp permit any inside
mtu outside 1460
mtu inside 1460
mtu intf2 1460
ip address outside x.x.62.66 255.255.255.240
ip address inside 192.168.10.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.250.1-192.168.250.20
pdm location 192.168.10.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.10.108 255.255.255.255 inside
pdm location 192.168.250.0 255.255.255.0 outside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.15 255.255.255.255 inside
pdm location Srv02X 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.10.28 255.255.255.255 inside
pdm location 192.168.10.137 255.255.255.255 inside
pdm location 192.168.10.143 255.255.255.255 inside
pdm location 192.168.10.168 255.255.255.255 inside
pdm location 192.168.10.195 255.255.255.255 inside
pdm location 192.168.10.217 255.255.255.255 inside
pdm location 192.168.10.233 255.255.255.255 inside
pdm location 192.168.10.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 104
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0 
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.192.62.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
http server enable
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set eacvpns esp-des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.192.218
crypto map transam 1 set transform-set eacvpns
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer x.x.104.125
crypto map transam 3 set transform-set eacvpns
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer x.x.114.115
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.104.125 netmask 255.255.255.248 
isakmp key ******** address x.x.192.218 netmask 255.255.255.248 
isakmp key ******** address x.x.114.115 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 35
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:108940d419f11498305c354ada97fd02

mnswhit

ASKER

OK, a little Google search made me realize that I forgot to save my config on reboot, so some of that last config list didn't have enough info to work anyway... I got it online, but not in the location that I need it online. I'll make another post in about an hour, once I test this connection out at the actual location.

mnswhit

ASKER

It worked. Thank you for your help. Debug mode really helped me track down the errors, and Google gave this link, which, it turns out, was you as well. Helped me get the final touches on my config.

https://www.experts-exchange.com/questions/21638685/PIX-to-PIX-VPN-Tunnel-Phase-2-Problem.html

mnswhit

ASKER

Each of your suggestions fixed an issue. The end result answer that got me up and running wasn't on this page, but it was your post and your suggestion.
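
Added example (not part of the thread and not vendor tooling): the Linksys log above shows the ISAKMP SA established and NO_PROPOSAL_CHOSEN arriving during Quick Mode, so this Python script compares the Phase 2 settings for crypto map entry 5 in the two posted PIX configs with the Linksys settings from the question. The function names, the `REMOTE` dictionary, the trimmed config excerpts and the mapping of the Linksys 3DES/MD5 choice to PIX keywords are assumptions made for the example.

```python
import ipaddress

# Constructed excerpts: Phase 2 lines for crypto map entry 5, copied from the
# two PIX configs posted in this thread (peer and unrelated lines omitted).
FIRST_POST = """\
access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set transform-set eacvpns2
"""
SECOND_POST = """\
access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
"""
# Linksys Phase 2 settings from the question (assumed keyword mapping:
# 3DES -> esp-3des, MD5 -> esp-md5-hmac).
REMOTE = {"local": ("192.168.5.1", "255.255.255.0"),
          "remote": ("192.168.10.0", "255.255.255.0"),
          "transforms": {"esp-3des", "esp-md5-hmac"}}

def net(addr, mask):
    # strict=False masks host bits, so 192.168.5.1/24 compares as 192.168.5.0/24.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pix(text):
    """Collect permit-ip ACL entries, transform sets and crypto map settings."""
    acls, tsets, maps = {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"] and len(t) == 8:
            acls.setdefault(t[1], []).append((net(t[4], t[5]), net(t[6], t[7])))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = set(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) >= 7:
            entry = maps.setdefault(t[3], {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["tset"] = t[6]
    return acls, tsets, maps

def check_phase2(pix_text, seq, remote):
    """Return Phase 2 mismatches between one PIX crypto map entry and the peer."""
    acls, tsets, maps = parse_pix(pix_text)
    entry, problems = maps.get(seq, {}), []
    # The PIX crypto ACL must be the mirror image of the peer's selectors.
    want = (net(*remote["remote"]), net(*remote["local"]))
    if want not in acls.get(entry.get("acl"), []):
        problems.append(f"acl {entry.get('acl')}: expected {want[0]} -> {want[1]}")
    tset = entry.get("tset")
    if tset is None:
        problems.append(f"crypto map {seq}: no transform-set configured")
    elif tsets.get(tset) != remote["transforms"]:
        problems.append(f"transform-set {tset}: {sorted(tsets.get(tset, []))} "
                        f"!= peer {sorted(remote['transforms'])}")
    return problems

if __name__ == "__main__":
    for name, cfg in (("first post", FIRST_POST), ("second post", SECOND_POST)):
        print(name, check_phase2(cfg, "5", REMOTE))
```

Each posted config yields one finding: the first has access-list 105 with 192.168.5.0 on both sides, and the second has no transform-set on crypto map entry 5.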