Solved

linksys to Pix501 (again)

Posted on 2006-07-02
Last Modified: 2008-02-01
I asked for help a month ago but couldn't provide enough information for a solution that worked.
This time I think I have better information; the Linksys VPN log provided me with the following.
Any help will be appreciated. I'm trying to understand what's going on behind the scenes. I have read quite
a few chapters from various books on PIX501 configuration and the posts available, but I'm still not able to
connect.

Any help is appreciated.

11:58:50 IKE[71] Rx << MM_I1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] Tx >> MM_R1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] ISAKMP SA CKI=[e6ee1f38 9ee91231] CKR=[fcbf351f 89658e30]
11:58:50 IKE[71] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)
11:58:51 IKE[71] Rx << MM_I2 : xxx.xxx.xxx.xxx KE, NONCE, VID, VID, VID, VID
11:58:51 IKE[71] Tx >> MM_R2 : xxx.xxx.xxx.xxx KE, NONCE
11:58:52 This connection request matches tunnel 3 setting !
11:58:52 IKE[3] Rx << MM_I3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Tx >> MM_R3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Rx << Notify :
11:58:52 IKE[3] Rx << QM_I1 : xxx.xxx.xxx.xxx HASH, SA, NONCE, ID, ID
11:58:52 IKE[3] **Check your Encryption and Authentication method settings !
11:58:52 IKE[3] Tx >> Notify : NO-PROPOSAL-CHOSEN
11:58:52

On the Linksys side it is configured with no PFS
and a key lifetime of 3600 seconds.
Under Advanced I have:
main mode

proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit
                  key lifetime 28800


phase 2:
proposal      enc   DES
                  auth  MD5
                  pfs   off
                 group 768-bit
                 key lifetime 3600

No other options selected.

On the PIX side this is the configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TueRgJiuiSI6TX6o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname muirlandpix
domain-name mseedii.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.203.1 a
name 192.168.203.253 pix
name 192.168.203.185 b
name 192.168.203.12 c
name 192.168.203.11 d
name 192.168.203.2 e
name 192.168.107.0 remoteserver
access-list outside_access_in remark vnc
access-list outside_access_in permit tcp any interface outside eq 5917
access-list inside_outbound_nat0_acl permit ip 192.168.203.0 255.255.255.0 remoteserver 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.203.0 255.255.255.0 remoteserver 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
logging host inside mseed_xp1
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside pix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location a 255.255.255.255 inside
pdm location b 255.255.255.255 inside
pdm location c 255.255.255.255 inside
pdm location d 255.255.255.255 inside
pdm location e 255.255.255.255 inside
pdm location remoteserver 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5917 a 5917 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 a pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.48.44.178
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp log 2000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxx@xxx.xxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxx@xxx.xxx password *********
dhcpd address 192.168.xxx.xxx-192.168.xxx.xxx inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:767affa272e69facbfb81c0c5edd93a4
: end
Question by: mseedii
Accepted Solution by: lrmoore
proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit <== make this group 1024
                  key lifetime 28800

phase 2:
proposal      enc   DES <== make this 3DES to match the proposal and the PIX transform set
                  auth  MD5
                  pfs   off
                 group 768-bit <== make this group 1024-bit to match "group 2" on PIX
                 key lifetime 3600

On the PIX
>isakmp policy 20 encryption des

Change that to 3des:
  isakmp policy 20 encryption 3des

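As an added example that is not part of the original post or of either vendor's software, the following Python replays the proposal comparison behind the log in the question, using the Linksys settings and PIX isakmp policies quoted there, and then applies the three changes from the accepted answer. The dict layout and function names are this example's own; the 768-bit/1024-bit to group 1/group 2 mapping is the standard IKE MODP group numbering.

```python
# Added example, not from the original post or from Cisco/Linksys: replays the
# proposal comparison behind the log in the question with the settings quoted
# there. DH groups are named by key size on the Linksys and by IKE group
# number on the PIX; the dict layout and function names are this example's own.
DH_GROUP = {"768-bit": 1, "1024-bit": 2}

# Transcribed from the PIX "isakmp policy" lines in the question.
PIX_ISAKMP_POLICIES = {
    20: {"enc": "des", "hash": "md5", "group": 2},
    30: {"enc": "des", "hash": "md5", "group": 1},
    40: {"enc": "3des", "hash": "md5", "group": 1},
    50: {"enc": "3des", "hash": "md5", "group": 1},
}
# crypto map outside_map 20 uses transform-set ESP-3DES-MD5 (esp-3des esp-md5-hmac);
# the crypto map has no "set pfs" line, so PFS is off on the PIX side too.
PIX_PHASE2 = {"enc": "3des", "hash": "md5", "pfs": False}

# Linksys "advanced" settings as described in the question.
LINKSYS_PHASE1 = {"enc": "3des", "hash": "md5", "group": DH_GROUP["768-bit"]}
LINKSYS_PHASE2 = {"enc": "des", "hash": "md5", "pfs": False}


def phase1_candidates(proposal, policies):
    """PIX policy numbers whose enc/hash/group all equal the peer's proposal.
    Lifetime is left out of the comparison. Note the log shows the SA that was
    actually agreed as DES/MD5/MODP_1024, i.e. policy 20's parameters, which
    is why the answer aligns policy 20 and the Linksys group with each other."""
    return sorted(n for n, p in policies.items() if p == proposal)


def phase2_mismatches(proposal, transform):
    """Attribute-by-attribute differences that make quick mode end in
    NO-PROPOSAL-CHOSEN; an empty list means the proposal is acceptable."""
    return [f"{k}: peer offers {proposal[k]!r}, PIX requires {transform[k]!r}"
            for k in ("enc", "hash", "pfs") if proposal[k] != transform[k]]


def apply_accepted_answer():
    """Return (linksys_phase1, linksys_phase2, pix_policies) after the three
    changes in the accepted answer: group 1024-bit, phase 2 3DES, policy 20 3des."""
    lk1 = dict(LINKSYS_PHASE1, group=DH_GROUP["1024-bit"])
    lk2 = dict(LINKSYS_PHASE2, enc="3des")
    pix = {n: dict(p) for n, p in PIX_ISAKMP_POLICIES.items()}
    pix[20]["enc"] = "3des"
    return lk1, lk2, pix


if __name__ == "__main__":
    print("phase 1 matches:", phase1_candidates(LINKSYS_PHASE1, PIX_ISAKMP_POLICIES))
    print("phase 2 problems:", phase2_mismatches(LINKSYS_PHASE2, PIX_PHASE2))
    lk1, lk2, pix = apply_accepted_answer()
    print("after fix:", phase1_candidates(lk1, pix), phase2_mismatches(lk2, PIX_PHASE2))
```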
