• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 560

linksys to Pix501 (again)

I asked for help a month ago but couldn't provide enough information for a solution that worked.
This time I think I have better information. The Linksys VPN log provided me with this information.
Any help will be appreciated. I'm trying to understand what's going on behind the scenes. I have read quite
a few chapters from various books on PIX501 configurations and the posts available but I'm still not able to

Any help is appreciated.

11:58:50 IKE[71] Rx << MM_I1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] Tx >> MM_R1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] ISAKMP SA CKI=[e6ee1f38 9ee91231] CKR=[fcbf351f 89658e30]
11:58:50 IKE[71] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)
11:58:51 IKE[71] Rx << MM_I2 : xxx.xxx.xxx.xxx KE, NONCE, VID, VID, VID, VID
11:58:51 IKE[71] Tx >> MM_R2 : xxx.xxx.xxx.xxx KE, NONCE
11:58:52 This connection request matches tunnel 3 setting !
11:58:52 IKE[3] Rx << MM_I3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Tx >> MM_R3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Rx << Notify :
11:58:52 IKE[3] Rx << QM_I1 : xxx.xxx.xxx.xxx HASH, SA, NONCE, ID, ID
11:58:52 IKE[3] **Check your Encryption and Authentication method settings !
11:58:52 IKE[3] Tx >> Notify : NO-PROPOSAL-CHOSEN

On the Linksys side it is configured with no PFS
and a key lifetime of 3600 seconds.
Under Advanced I have:
Main mode

proposal 1:   enc   3DES
              auth  MD5
              group 768-bit
              key lifetime 28800

phase 2:
proposal      enc   DES
              auth  MD5
              pfs   off
              group 768-bit
              key lifetime 3600

No other options selected.

On the PIX side this is the configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TueRgJiuiSI6TX6o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname muirlandpix
domain-name mseedii.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name a
name pix
name b
name c
name d
name e
name remoteserver
access-list outside_access_in remark vnc
access-list outside_access_in permit tcp any interface outside eq 5917
access-list inside_outbound_nat0_acl permit ip remoteserver
access-list outside_cryptomap_20 permit ip remoteserver
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
logging host inside mseed_xp1
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside pix
ip audit info action alarm
ip audit attack action alarm
pdm location a inside
pdm location b inside
pdm location c inside
pdm location d inside
pdm location e inside
pdm location remoteserver outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0 0
static (inside,outside) tcp interface 5917 a 5917 netmask 0 0
static (inside,outside) tcp interface pop3 a pop3 netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask
isakmp identity address
isakmp log 2000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxx@xxx.xxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxx@xxx.xxx password *********
dhcpd address 192.168.xxx.xxx-192.168.xxx.xxx inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
: end
1 Solution
proposal 1:   enc   3DES
              auth  MD5
              group 768-bit <== make this group 1024
              key lifetime 28800

phase 2:
proposal      enc   DES <== make this 3DES to match the proposal and the PIX transform set
              auth  MD5
              pfs   off
              group 768-bit <== make this group 1024-bit to match "group 2" on PIX
              key lifetime 3600

On the PIX
>isakmp policy 20 encryption des

Change that to 3des:
  isakmp policy 20 encryption 3des
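A small checker, added here as an example and not part of the thread (nor Cisco or Linksys code), that parses the isakmp policy and transform-set lines of a PIX config and evaluates them against the Linksys proposals the way the responder does, so the NO-PROPOSAL-CHOSEN in the log can be reproduced from the two configurations. PIX_SNIPPET is a constructed subset of the config posted in the question (policies 20 and 40, the transform set and the crypto map line); LINKSYS_P1/LINKSYS_P2 are the settings from the question; the function names are my own.

```python
import re

# Constructed subset of the PIX config posted above: isakmp policies 20 and 40 (all
# policies there use pre-share, so authentication is not modelled), the transform
# set and the crypto map entry that offers it.
PIX_SNIPPET = """\
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 set transform-set ESP-3DES-MD5
"""
# Linksys settings as posted in the question, lowercased to match PIX keywords.
LINKSYS_P1 = {"enc": "3des", "hash": "md5", "group_bits": 768}
LINKSYS_P2 = {"enc": "des", "auth": "md5"}
GROUP_BITS = {1: 768, 2: 1024, 5: 1536}  # PIX DH group number -> modulus size

def parse_isakmp_policies(config):
    """{priority: {attribute: value}} for every 'isakmp policy N attr value' line."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def parse_offered_transforms(config):
    """{name: (esp_enc, esp_auth)} for the transform sets the crypto map entries offer."""
    sets = {n: (e, a) for n, e, a in re.findall(
        r"^crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac$", config, re.M)}
    offered = re.findall(r"^crypto map \S+ \d+ set transform-set (.+)$", config, re.M)
    return {n: sets[n] for line in offered for n in line.split()}

def phase1_match(policies, peer):
    """Lowest-numbered policy whose enc/hash/DH group equal the peer's main mode
    proposal, else None. Lifetime is not compared: IKE settles on the shorter one."""
    for prio in sorted(policies):
        p = policies[prio]
        if (p["encryption"], p["hash"], GROUP_BITS[int(p["group"])]) == \
                (peer["enc"], peer["hash"], peer["group_bits"]):
            return prio
    return None

def phase2_match(offered, peer):
    """Offered transform set equal to the peer's ESP enc/auth, else None: the case in
    which the responder answers QM_I1 with NO-PROPOSAL-CHOSEN, as in the log above."""
    return next((n for n, t in offered.items() if t == (peer["enc"], peer["auth"])), None)
```

Against the posted settings phase1_match returns 40 and phase2_match returns None (DES/MD5 against ESP-3DES-MD5); with the Linksys phase 2 encryption set to 3DES it returns ESP-3DES-MD5. It also shows why the answer changes both sides: a Linksys phase 1 of 3DES/MD5/1024-bit matches no PIX policy until policy 20 is changed to 3des.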
