Solved

linksys to Pix501 (again)

Posted on 2006-07-02
Last Modified: 2008-02-01
I asked for help a month ago but couldn't provide enough information for a solution that worked.
This time I think I have better information. The Linksys VPN log provided me with this information.
Any help will be appreciated. I'm trying to understand what's going on behind the scenes. I have read quite
a few chapters from various books on PIX501 configurations and the posts available, but I'm still not able to
connect.

Any help is appreciated.

11:58:50 IKE[71] Rx << MM_I1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] Tx >> MM_R1 : xxx.xxx.xxx.xxx SA
11:58:50 IKE[71] ISAKMP SA CKI=[e6ee1f38 9ee91231] CKR=[fcbf351f 89658e30]
11:58:50 IKE[71] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)
11:58:51 IKE[71] Rx << MM_I2 : xxx.xxx.xxx.xxx KE, NONCE, VID, VID, VID, VID
11:58:51 IKE[71] Tx >> MM_R2 : xxx.xxx.xxx.xxx KE, NONCE
11:58:52 This connection request matches tunnel 3 setting !
11:58:52 IKE[3] Rx << MM_I3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Tx >> MM_R3 : xxx.xxx.xxx.xxx ID, HASH
11:58:52 IKE[3] Rx << Notify :
11:58:52 IKE[3] Rx << QM_I1 : xxx.xxx.xxx.xxx HASH, SA, NONCE, ID, ID
11:58:52 IKE[3] **Check your Encryption and Authentication method settings !
11:58:52 IKE[3] Tx >> Notify : NO-PROPOSAL-CHOSEN
11:58:52

On the Linksys side it is configured with no PFS
and a key lifetime of 3600 seconds.
Under Advanced I have:
Main mode

proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit
                  key lifetime 28800


phase 2:
proposal      enc   DES
                  auth  MD5
                  pfs   off
                 group 768-bit
                 key lifetime 3600

no other options selected

On the PIX side this is the configuration:

PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password TueRgJiuiSI6TX6o encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname muirlandpix
domain-name mseedii.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.203.1 a
name 192.168.203.253 pix
name 192.168.203.185 b
name 192.168.203.12 c
name 192.168.203.11 d
name 192.168.203.2 e
name 192.168.107.0 remoteserver
access-list outside_access_in remark vnc
access-list outside_access_in permit tcp any interface outside eq 5917
access-list inside_outbound_nat0_acl permit ip 192.168.203.0 255.255.255.0 remoteserver 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.203.0 255.255.255.0 remoteserver 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging buffered warnings
logging host inside mseed_xp1
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside pix 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location a 255.255.255.255 inside
pdm location b 255.255.255.255 inside
pdm location c 255.255.255.255 inside
pdm location d 255.255.255.255 inside
pdm location e 255.255.255.255 inside
pdm location remoteserver 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 5917 a 5917 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 a pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 65.48.44.178
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp log 2000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 3600
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxx@xxx.xxx
vpdn group pppoe_group ppp authentication pap
vpdn username xxx@xxx.xxx password *********
dhcpd address 192.168.xxx.xxx-192.168.xxx.xxx inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:767affa272e69facbfb81c0c5edd93a4
: end
Question by: mseedii
Accepted Solution
by: lrmoore (earned 350 total points)
ID: 17027362
proposal 1: enc 3DES
                  auth  MD5
                  group 768-bit <== make this group 1024
                  key lifetime 28800

phase 2:
proposal      enc   DES <== make this 3DES to match the proposal and the PIX transform set
                  auth  MD5
                  pfs   off
                 group 768-bit <== make this group 1024-bit to match "group 2" on PIX
                 key lifetime 3600

On the PIX
>isakmp policy 20 encryption des

Change that to 3des:
  isakmp policy 20 encryption 3des

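As an added illustration (not code from the thread, Linksys or Cisco), the following Python models the proposal matching behind the log above: the phase 1 SA the Linksys logged (DES / MD5 / PreShared / MODP_1024) matches PIX policy 20, while the phase 2 DES/MD5 proposal matches no transform set on the PIX crypto map, which is what NO-PROPOSAL-CHOSEN reports; the same functions show that the changes in the accepted answer make both phases agree. The policy and transform-set dictionaries are transcribed from the posted configs; the mapping of the Linksys "768-bit"/"1024-bit" labels to DH groups 1 and 2 is the standard one.

```python
# PIX "isakmp policy" lines 20..50 from the posted config, in priority order.
PIX_ISAKMP_POLICIES = [
    {"prio": 20, "enc": "des",  "hash": "md5", "group": 2, "auth": "pre-share"},
    {"prio": 30, "enc": "des",  "hash": "md5", "group": 1, "auth": "pre-share"},
    {"prio": 40, "enc": "3des", "hash": "md5", "group": 1, "auth": "pre-share"},
    {"prio": 50, "enc": "3des", "hash": "md5", "group": 1, "auth": "pre-share"},
]
# The only transform set bound to "crypto map outside_map 20" in the posted config.
PIX_TRANSFORM_SETS = [{"name": "ESP-3DES-MD5", "enc": "3des", "hash": "md5"}]
# Linksys labels DH groups by modulus size: 768-bit is group 1, 1024-bit is group 2.
DH_GROUP_BY_BITS = {768: 1, 1024: 2}

def linksys_proposal(enc, auth, group_bits):
    """Express a Linksys proposal in the PIX vocabulary (pre-shared-key auth)."""
    return {"enc": enc.lower(), "hash": auth.lower(),
            "group": DH_GROUP_BY_BITS[group_bits], "auth": "pre-share"}

def parse_linksys_sa_line(line):
    """Parse the negotiated phase 1 SA from a Linksys log line such as
    '... ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)'."""
    enc, hsh, auth, modp = [f.strip() for f in line.split("ISAKMP SA", 1)[1].split("/")][:4]
    return {"enc": enc.lower(), "hash": hsh.lower(),
            "auth": "pre-share" if auth == "PreShared" else auth.lower(),
            "group": DH_GROUP_BY_BITS[int(modp.split("_", 1)[1])]}

def match_phase1(proposal, policies):
    """First PIX policy agreeing on cipher, hash, DH group and auth, else None."""
    for pol in policies:
        if all(pol[k] == proposal[k] for k in ("enc", "hash", "group", "auth")):
            return pol
    return None  # the responder would reply NO-PROPOSAL-CHOSEN

def match_phase2(proposal, transform_sets):
    """Name of the first transform set with the same ESP cipher and HMAC (PFS is off, so no DH group)."""
    for ts in transform_sets:
        if ts["enc"] == proposal["enc"] and ts["hash"] == proposal["hash"]:
            return ts["name"]
    return None

def with_policy_20_3des(policies):
    """Apply the answer's PIX change: 'isakmp policy 20 encryption 3des'."""
    return [dict(p, enc="3des") if p["prio"] == 20 else p for p in policies]

if __name__ == "__main__":
    logged = parse_linksys_sa_line(
        "11:58:50 IKE[71] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 3600 sec (*0 sec)")
    print("phase 1 as logged -> PIX policy", match_phase1(logged, PIX_ISAKMP_POLICIES)["prio"])
    print("phase 2 as posted ->", match_phase2(linksys_proposal("DES", "MD5", 768), PIX_TRANSFORM_SETS))
    print("phase 1 after fix -> PIX policy", match_phase1(linksys_proposal("3DES", "MD5", 1024), with_policy_20_3des(PIX_ISAKMP_POLICIES))["prio"])
    print("phase 2 after fix ->", match_phase2(linksys_proposal("3DES", "MD5", 1024), PIX_TRANSFORM_SETS))
```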