Site to Site VPN: Pix 515e to Linksys WRV200

Posted on 2008-02-12
Last Modified: 2010-05-18
Howdy,
 
I am trying to get a site to site VPN setup between a Linksys WRV200 (1.0.32.2) and a Cisco Pix 515E (v7.2.3).  Both have public static IPs and the Pix was already setup with remote VPN connections.
 
On the Linksys I have the tunnel enabled, named test, Nat-t off, the local ip subnet (192.168.2.0), remote subnet (192.168.1.0), the public ip of the remote peer, Auto/Main/3des/md5/Group 2/28800/PFS enabled/3des/md5/3600/ sharedk_key.  Dead Peer is turned off.
 
On the Pix I currently have:
PIX Version 7.2(3)
!
hostname PIX515
domain-name mydomain.com
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address PUBLIC_IP 255.255.255.128
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.240 255.255.255.240
access-list Support_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list Pix-to-WRV200 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_crypto_map_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging list vpn level informational class vpn
logging history vpn
logging asdm informational
logging class vpn history errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.1.240-192.168.1.250
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 206.229.106.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:10:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:10:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map VPN_MULTIPURPOSE 40 match address Pix-to-WRV200
crypto map VPN_MULTIPURPOSE 40 set pfs
crypto map VPN_MULTIPURPOSE 40 set peer 208.180.21.3
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 15
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy Support internal
group-policy Support attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Support_splitTunnelAcl
 default-domain value mydomain.com
tunnel-group Support type ipsec-ra
tunnel-group Support general-attributes
 address-pool VPNPool
 default-group-policy Support
tunnel-group Support ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group LINKSYS_PUBLIC_IP type ipsec-l2l
tunnel-group LINKSYS_PUBLIC_IP general-attributes
tunnel-group LINKSYS_PUBLIC_IP ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:cba0691b425573f21a392e778cf4ceb7
: end

 
The Linksys VPN Log shows this:
 
000   [Tue 07:50:39]  "TunnelA": deleting connection
001   [Tue 07:50:39]  "TunnelA" #16: deleting state (STATE_MAIN_I3)
002   [Tue 07:50:43]  added connection description "TunnelA"
003   [Tue 07:50:43]  "TunnelA" #17: initiating Main Mode
004   [Tue 07:50:43]  "TunnelA" #17: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
005   [Tue 07:50:43]  "TunnelA" #17: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
006   [Tue 07:50:43]  "TunnelA" #17: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
007   [Tue 07:50:43]  "TunnelA" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
008   [Tue 07:50:43]  "TunnelA" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
009   [Tue 07:50:43]  "TunnelA" #17: STATE_MAIN_I2: sent MI2, expecting MR2
010   [Tue 07:50:43]  "TunnelA" #17: received Vendor ID payload [Cisco-Unity]
011   [Tue 07:50:44]  "TunnelA" #17: received Vendor ID payload [XAUTH]
012   [Tue 07:50:44]  "TunnelA" #17: ignoring unknown Vendor ID payload [b149454febc313841080ed0d497f8295]
013   [Tue 07:50:44]  "TunnelA" #17: ignoring Vendor ID payload [Cisco VPN 3000 Series]
014   [Tue 07:50:44]  "TunnelA" #17: I did not send a certificate because I do not have one.
015   [Tue 07:50:44]  "TunnelA" #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
016   [Tue 07:50:44]  "TunnelA" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
017   [Tue 07:50:44]  "TunnelA" #17: STATE_MAIN_I3: sent MI3, expecting MR3
018   [Tue 07:50:44]  "TunnelA" #17: received Vendor ID payload [Dead Peer Detection]
019   [Tue 07:50:44]  "TunnelA" #17: Main mode peer ID is ID_FQDN: '@PIX515.mydomain.com'
020   [Tue 07:50:44]  "TunnelA" #17: we require peer to have ID 'PIX_PUBLIC_IP', but peer declares '@PIX515.mydomain.com'
021   [Tue 07:50:44]  "TunnelA" #17: sending encrypted notification INVALID_ID_INFORMATION to PIX_PUBLIC_IP:500
022   [Tue 07:50:54]  "TunnelA" #17: byte 2 of ISAKMP Hash Payload must be zero, but is not
023   [Tue 07:50:54]  "TunnelA" #17: malformed payload in packet
024   [Tue 07:50:54]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
025   [Tue 07:50:56]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 254
026   [Tue 07:50:56]  "TunnelA" #17: malformed payload in packet
027   [Tue 07:50:56]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
028   [Tue 07:50:58]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 133
029   [Tue 07:50:58]  "TunnelA" #17: malformed payload in packet
030   [Tue 07:50:58]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
031   [Tue 07:51:00]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 151
032   [Tue 07:51:00]  "TunnelA" #17: malformed payload in packet
033   [Tue 07:51:00]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
 
Notes:
Policy 40 is for the site to site vpn.
When I try to ping an internal IP on the Pix side from behind the Linksys, I get a reply from some bogus public IP that is not in my scheme, and it also says TTL expired in transit.
When I perform a 'sh crypto isakmp sa' on the Pix I do not see the peer of the  Linksys at all.
 
Any ideas?
Thanks!
Question by: aiscom
 
Accepted Solution by: batry_boy
Try this on the PIX and then try to bring up the tunnel by sending interesting traffic:

no crypto isakmp identity hostname
crypto isakmp identity address
crypto map VPN_MULTIPURPOSE 40 set transform-set ESP-3DES-MD5

If that doesn't do it, you may want to try disabling PFS on both the PIX and the Linksys.  Don't know how on the Linksys, but do this on the PIX:

no crypto map VPN_MULTIPURPOSE 40 set pfs

If that doesn't do it, then turn on debug for the IPSEC traffic and post the output:

debug crypto isakmp
debug crypto ipsec
Assisted Solution by: batry_boy
You'll also want to exempt the VPN traffic from NAT by adding the following command to the PIX:

access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
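Taken together, the two replies above change three things in the posted config: the ISAKMP identity (the Linksys log shows it rejecting the ID '@PIX515.mydomain.com' because it expects the PIX's public IP address), the missing transform-set on crypto map VPN_MULTIPURPOSE 40, and the NAT exemption for 192.168.1.0/24 to 192.168.2.0/24. What follows is an added example, not part of the thread and not Cisco tooling: a small Python linter that parses a PIX 7.x config excerpt (constructed here from the lines quoted in the question, placeholders kept as posted) together with the quoted Linksys log line, reports those three problems, and is then re-run with the replies' commands appended. It also checks that every static crypto map is bound to an interface; in the posted config only outside_map is ("crypto map outside_map interface outside"), which the thread never discusses, so treat that finding as something to verify on the box rather than a confirmed cause.

```python
"""Lint a PIX 7.x config for the site-to-site IPsec defects discussed in this thread.

Added example, not Cisco tooling. PIX_CONFIG is a constructed excerpt of the config
quoted in the question (placeholders kept as posted); FIX_COMMANDS are the replies' commands.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

PIX_CONFIG = """\
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.240 255.255.255.240
access-list Pix-to-WRV200 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map VPN_MULTIPURPOSE 40 match address Pix-to-WRV200
crypto map VPN_MULTIPURPOSE 40 set peer 208.180.21.3
crypto isakmp identity hostname
"""

# The commands from the accepted and assisted solutions, applied on top of the excerpt.
FIX_COMMANDS = """\
no crypto isakmp identity hostname
crypto isakmp identity address
crypto map VPN_MULTIPURPOSE 40 set transform-set ESP-3DES-MD5
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# One line of the Linksys (Openswan-style pluto) log quoted in the question.
LINKSYS_LOG = ("\"TunnelA\" #17: we require peer to have ID 'PIX_PUBLIC_IP', "
               "but peer declares '@PIX515.mydomain.com'")
ID_MISMATCH_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")


def _net(tok, i):
    """Consume one ACL address spec at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


@dataclass
class PixCrypto:
    acls: dict = field(default_factory=lambda: defaultdict(list))  # acl name -> [(src, dst)]
    maps: dict = field(default_factory=dict)                       # (map, seq) -> attributes
    applied: dict = field(default_factory=dict)                    # map name -> interface
    nat0_acl: str = ""
    identity: str = ""


def parse_pix(config):
    """Pull the ACL, NAT-exemption, crypto map and ISAKMP identity lines out of a PIX config."""
    cfg = PixCrypto()
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _net(tok, 5)
            cfg.acls[tok[1]].append((src, _net(tok, i)[0]))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            cfg.nat0_acl = tok[4]
        elif tok[:3] == ["crypto", "isakmp", "identity"]:
            cfg.identity = tok[3]
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["interface"]:
            cfg.applied[tok[2]] = tok[4]
        elif tok[:2] == ["crypto", "map"]:
            e = cfg.maps.setdefault((tok[2], int(tok[3])), {"dynamic": False})
            if tok[4:6] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = True
            elif tok[4:6] == ["match", "address"]:
                e["acl"] = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                e["transform"] = tok[6:]
    return cfg


def lint(cfg, peer_log=""):
    """Return the findings worth fixing before reaching for 'debug crypto isakmp'."""
    findings = []
    if cfg.identity == "hostname":
        findings.append("isakmp identity is 'hostname': a pre-shared-key peer that matches on the "
                        "IP address will reject our ID (use 'crypto isakmp identity address')")
    m = ID_MISMATCH_RE.search(peer_log)
    if m:
        findings.append(f"peer log confirms the ID mismatch: it expects {m.group(1)!r}, we sent {m.group(2)!r}")
    exempt = cfg.acls.get(cfg.nat0_acl, [])
    for (name, seq), e in sorted(cfg.maps.items()):
        if e["dynamic"]:
            continue  # dynamic entries take their settings from the crypto dynamic-map, not checked here
        if "transform" not in e:
            findings.append(f"crypto map {name} {seq} has no transform-set, so no IPsec SA can be proposed")
        if name not in cfg.applied:
            findings.append(f"crypto map {name} is not bound to an interface (only "
                            f"{', '.join(cfg.applied) or 'none'} is), so entry {seq} is never consulted")
        for src, dst in cfg.acls.get(e.get("acl"), []):
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt):
                findings.append(f"crypto map {name} {seq}: {src} -> {dst} is not exempted from NAT "
                                f"by {cfg.nat0_acl or '(no nat 0 ACL)'}")
    return findings
```

lint(parse_pix(PIX_CONFIG), LINKSYS_LOG) returns five findings for the config as posted (identity, the log-confirmed ID mismatch, the missing transform-set, the unbound VPN_MULTIPURPOSE map, and the missing NAT exemption). With FIX_COMMANDS appended, the only finding left is the unbound crypto map, which is exactly the item the thread does not address.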
Author Comment by: aiscom
Thanks!
Both of those posts helped me get the tunnel up and passing traffic.