linksys to Pix501 (again)

Posted on 2006-07-02
Last Modified: 2008-02-01
i asked for help a month ago but couldn't provide enough information for  a solution that wordked.
this time i think i have better information. the linksys vpn log provided me with this information
any help will be appreciated. i'm trying to understand what's going on behind the scenes i have read quite
a few chapters from various books on PIX501 configurations and the posts available but i'm still not able to

any help is appreciated

11:58:50 IKE[71] Rx << MM_I1 : SA
11:58:50 IKE[71] Tx >> MM_R1 : SA
11:58:50 IKE[71] ISAKMP SA CKI=[e6ee1f38 9ee91231] CKR=[fcbf351f 89658e30]
11:58:50 IKE[71] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)
11:58:51 IKE[71] Rx << MM_I2 : KE, NONCE, VID, VID, VID, VID
11:58:51 IKE[71] Tx >> MM_R2 : KE, NONCE
11:58:52 This connection request matches tunnel 3 setting !
11:58:52 IKE[3] Rx << MM_I3 : ID, HASH
11:58:52 IKE[3] Tx >> MM_R3 : ID, HASH
11:58:52 IKE[3] Rx << Notify :
11:58:52 IKE[3] Rx << QM_I1 : HASH, SA, NONCE, ID, ID
11:58:52 IKE[3] **Check your Encryption and Authentication method settings !
11:58:52 IKE[3] Tx >> Notify : NO-PROPOSAL-CHOSEN

on the linksys side it is configure with no PFS
and a key lifetime of 3600 seconds
under advanced i have
main mode

proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit
                  key lifetime 28800

phase 2:
proposal      enc   DES
                  auth  MD5
                  pfs   off
                 group 768-bit
                 key lifetime 3600

no other options selected

 on the pix side this is the configuration

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TueRgJiuiSI6TX6o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname muirlandpix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name a
name pix
name b
name c
name d
name e
name remoteserver
access-list outside_access_in remark vnc
access-list outside_access_in permit tcp any interface outside eq 5917
access-list inside_outbound_nat0_acl permit ip remoteserver
access-list outside_cryptomap_20 permit ip remoteserver
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
logging host inside mseed_xp1
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside pix
ip audit info action alarm
ip audit attack action alarm
pdm location a inside
pdm location b inside
pdm location c inside
pdm location d inside
pdm location e inside
pdm location remoteserver outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp interface 5917 a 5917 netmask 0 0
static (inside,outside) tcp interface pop3 a pop3 netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp identity address
isakmp log 2000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname
vpdn group pppoe_group ppp authentication pap
vpdn username password *********
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
Question by:mseedii
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
LVL 79

Accepted Solution

lrmoore earned 350 total points
ID: 17027362
proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit <== make this group 1024
                  key lifetime 28800

phase 2:
proposal      enc   DES <== make this 3DES to match the proposal and the PIX transform set
                  auth  MD5
                  pfs   off
                 group 768-bit <== make this group 1024-bit to match "group 2" on PIX
                 key lifetime 3600

On the PIX
>isakmp policy 20 encryption des

Change that to 3des:
  isakmp policy 20 encryption 3des


Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
*STABLE* and free Linux Firewall distribution 6 107
Cisco ASA 1 72
Watchguard XTM 2 94
Palo Alto Networks Global Protect 2 162
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below.…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question