I just purchased this Linksys router and am trying to configure it for one of our remote offices to connect to my main office, but regardless of how I configure it, I seem to consistently get this NO_PROPOSAL_CHOSEN error. I'm using a Linksys WRVS4400 for the remote office and a PIX 515 for the main office.
Here's my Linksys Config
IPSec VPN Tunnel: Enable
Tunnel Name: eacvpns2
Local Security Gateway type: IP Only
IP address: x.x.x.x
Local Security Group Type: Subnet
IP Address: 192.168.5.1
Subnet Mask: 255.255.255.0
Remote Security Gateway: IP Only
IP address: x.x.x.x (pix external IP address)
Remote Security Group Type: Subnet
IP Address: 192.168.10.0
Subnet Mask: 255.255.255.0
Keying Mode: IKE with Preshared Key
phase 1
Encryption: 3DES
Authentication: MD5
Group: 1024-bit
key life time: 86400
phase 2
Encryption: 3DES
Authentication: MD5
Perfect Forward Secrecy: Disabled
Preshared Key: testing
Group: 1024-bit
key life time: 86400
Aggressive mode: off
Netbios Broadcast: off
My PIX config looks like this:
crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.x.x (remote office w/ pix)
crypto map transam 1 set transform-set eacvpns
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer x.x.x.x (remote office w/ pix)
crypto map transam 3 set transform-set eacvpns
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer x.x.x.x (remote office w/ Linksys WRVS4400N)
crypto map transam 5 set transform-set eacvpns2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
isakmp key ******** address x.x.x.x netmask 255.255.255.248 no-xauth no-config-mode (remote office w/ Linksys WRVS4400N)
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Here's a copy of my Linksys Logs
Jun 19 15:03:57 - Configuration changed!
Jun 19 15:03:59 - [VPN Log]: shutting down
Jun 19 15:03:59 - [VPN Log]: forgetting secrets
Jun 19 15:03:59 - [VPN Log]: "eacvpns2": deleting connection
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #2: deleting state (STATE_QUICK_I1)
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #1: deleting state (STATE_AGGR_I2)
Jun 19 15:03:59 - [VPN Log]: ERROR: "eacvpns2": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Jun 19 15:04:00 - [VPN Log]: "eacvpns2": unroute-client output: 0
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:00 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Jun 19 15:04:03 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Jun 19 15:04:03 - [VPN Log]: @(#) built on Sep 3 2007:16:44:42:
Jun 19 15:04:03 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Jun 19 15:04:03 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Jun 19 15:04:03 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Jun 19 15:04:03 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 19 15:04:03 - [VPN Log]: starting up 1 cryptographic helpers
Jun 19 15:04:03 - [VPN Log]: started helper pid=2589 (fd:5)
Jun 19 15:04:03 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Jun 19 15:04:03 - [VPN Log]: Warning: empty directory
Jun 19 15:04:03 - [VPN Log]: added connection description "eacvpns2"
Jun 19 15:04:03 - [VPN Log]: listening for IKE messages
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:03 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Jun 19 15:04:05 - [VPN Log]: "eacvpns2": route-client output: 0
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [XAUTH]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Cisco-Unity]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring unknown Vendor ID payload [16df04afde729f9719c0a5dfe0d66fb5]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: I did not send a certificate because I do not have one.
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:12 - ipsec0: no IPv6 routers present
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
I just recently added 3des to my PIX, so I know that's not an issue. I've tried running with aggressive mode on and off, and many other things that I've found on the web. I'm at a loss as to what to try next.
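
The Linksys (Openswan Pluto) log above can be triaged mechanically to see which IKEv1 phase the failure belongs to. The following is an added example, not part of the original post: the function name `triage` is this example's own, the sample is five lines taken from the log above with wrapped lines rejoined, and the "IPsec SA established" success string is Openswan's usual wording, which does not appear in the post.

```python
import re

# Constructed sample: five lines copied from the Pluto log in the post above.
SAMPLE_LOG = '''\
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
'''

LINE = re.compile(r'\[VPN Log\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
NOTIFY = re.compile(r'informational payload, type (\w+)')
TIMEOUT = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')


def triage(log_text):
    """Summarise, per connection, how far the IKEv1 negotiation got."""
    result = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-connection Pluto line
        c = result.setdefault(m['conn'], {
            'phase1_established': False, 'phase1_params': {},
            'quick_mode_started': False, 'phase2_established': False,
            'notifies': [], 'failed_in': None})
        msg = m['msg']
        if 'ISAKMP SA established' in msg:
            c['phase1_established'] = True
            # key=value pairs inside the braces: auth, cipher, prf, group
            c['phase1_params'] = dict(re.findall(r'(\w+)=(\w+)', msg))
        elif 'initiating Quick Mode' in msg:
            c['quick_mode_started'] = True
        elif 'IPsec SA established' in msg:  # assumed Openswan success wording
            c['phase2_established'] = True
        elif (n := NOTIFY.search(msg)):
            c['notifies'].append(n.group(1))
        elif (t := TIMEOUT.search(msg)):
            # STATE_MAIN_*/STATE_AGGR_* are phase 1, STATE_QUICK_* is phase 2
            c['failed_in'] = 'phase2' if 'QUICK' in t.group(1) else 'phase1'
    return result


if __name__ == '__main__':
    for conn, summary in triage(SAMPLE_LOG).items():
        print(conn, summary)
```

On the posted log this reports the ISAKMP SA established with 3DES, MD5 and modp1024 and the failure in Quick Mode, so the settings to compare between the two devices are the phase 2 ones.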