Site to Site VPN: Pix 515e to Linksys WRV200

Howdy,
 
I am trying to get a site to site VPN setup between a Linksys WRV200 (1.0.32.2) and a Cisco Pix 515E (v7.2.3).  Both have public static IPs and the Pix was already setup with remote VPN connections.
 
On the Linksys I have the tunnel enabled, named test, Nat-t off, the local ip subnet (192.168.2.0), remote subnet (192.168.1.0), the public ip of the remote peer, Auto/Main/3des/md5/Group 2/28800/PFS enabled/3des/md5/3600/ sharedk_key.  Dead Peer is turned off.
 
On the Pix I current have:
PIX Version 7.2(3)
!
hostname PIX515
domain-name mydomain.com
names
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address PUBLIC_IP 255.255.255.128
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name mydomain.com
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.240 255.255.255.240
access-list Support_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list Pix-to-WRV200 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_crypto_map_40 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging list vpn level informational class vpn
logging history vpn
logging asdm informational
logging class vpn history errors
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPool 192.168.1.240-192.168.1.250
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 206.229.106.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:10:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:10:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map VPN_MULTIPURPOSE 40 match address Pix-to-WRV200
crypto map VPN_MULTIPURPOSE 40 set pfs
crypto map VPN_MULTIPURPOSE 40 set peer 208.180.21.3
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 15
ssh version 1
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy Support internal
group-policy Support attributes
 wins-server value 192.168.1.10
 dns-server value 192.168.1.10
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Support_splitTunnelAcl
 default-domain value mydomain.com
tunnel-group Support type ipsec-ra
tunnel-group Support general-attributes
 address-pool VPNPool
 default-group-policy Support
tunnel-group Support ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group LINKSYS_PUBLIC_IP type ipsec-l2l
tunnel-group LINKSYS_PUBLIC_IP general-attributes
tunnel-group LINKSYS_PUBLIC_IP ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:cba0691b425573f21a392e778cf4ceb7
: end

 
The Linksys VPN Log shows this:
 
000   [Tue 07:50:39]  "TunnelA": deleting connection
001   [Tue 07:50:39]  "TunnelA" #16: deleting state (STATE_MAIN_I3)
002   [Tue 07:50:43]  added connection description "TunnelA"
003   [Tue 07:50:43]  "TunnelA" #17: initiating Main Mode
004   [Tue 07:50:43]  "TunnelA" #17: [WRV200 Response:] ISAKMP SA (Main Mode) Initiation
005   [Tue 07:50:43]  "TunnelA" #17: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
006   [Tue 07:50:43]  "TunnelA" #17: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
007   [Tue 07:50:43]  "TunnelA" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
008   [Tue 07:50:43]  "TunnelA" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
009   [Tue 07:50:43]  "TunnelA" #17: STATE_MAIN_I2: sent MI2, expecting MR2
010   [Tue 07:50:43]  "TunnelA" #17: received Vendor ID payload [Cisco-Unity]
011   [Tue 07:50:44]  "TunnelA" #17: received Vendor ID payload [XAUTH]
012   [Tue 07:50:44]  "TunnelA" #17: ignoring unknown Vendor ID payload [b149454febc313841080ed0d497f8295]
013   [Tue 07:50:44]  "TunnelA" #17: ignoring Vendor ID payload [Cisco VPN 3000 Series]
014   [Tue 07:50:44]  "TunnelA" #17: I did not send a certificate because I do not have one.
015   [Tue 07:50:44]  "TunnelA" #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
016   [Tue 07:50:44]  "TunnelA" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
017   [Tue 07:50:44]  "TunnelA" #17: STATE_MAIN_I3: sent MI3, expecting MR3
018   [Tue 07:50:44]  "TunnelA" #17: received Vendor ID payload [Dead Peer Detection]
019   [Tue 07:50:44]  "TunnelA" #17: Main mode peer ID is ID_FQDN: '@PIX515.mydomain.com'
020   [Tue 07:50:44]  "TunnelA" #17: we require peer to have ID 'PIX_PUBLIC_IP', but peer declares '@PIX515.mydomain.com'
021   [Tue 07:50:44]  "TunnelA" #17: sending encrypted notification INVALID_ID_INFORMATION to PIX_PUBLIC_IP:500
022   [Tue 07:50:54]  "TunnelA" #17: byte 2 of ISAKMP Hash Payload must be zero, but is not
023   [Tue 07:50:54]  "TunnelA" #17: malformed payload in packet
024   [Tue 07:50:54]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
025   [Tue 07:50:56]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 254
026   [Tue 07:50:56]  "TunnelA" #17: malformed payload in packet
027   [Tue 07:50:56]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
028   [Tue 07:50:58]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 133
029   [Tue 07:50:58]  "TunnelA" #17: malformed payload in packet
030   [Tue 07:50:58]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
031   [Tue 07:51:00]  "TunnelA" #17: next payload type of ISAKMP Hash Payload has an unknown value: 151
032   [Tue 07:51:00]  "TunnelA" #17: malformed payload in packet
033   [Tue 07:51:00]  "TunnelA" #17: sending notification PAYLOAD_MALFORMED to PIX_PUBLIC_IP:500
 
Notes:
Policy 40 is for the site to site vpn.
When I try to ping an internal ip on the pix side from behind the linksys I get a reply from some bogus public IP that is not in my scheme that also says TTL expired in transit.
When I perform a 'sh crypto isakmp sa' on the Pix I do not see the peer of the  Linksys at all.
 
Any ideas?
Thanks!
aiscomAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

batry_boyCommented:
Try this on the PIX and then try to bring up the tunnel by sending interesting traffic:

no crypto isakmp identity hostname
crypto isakmp identity address
crypto map VPN_MULTIPURPOSE 40 set transform-set ESP-3DES-MD5

If that doesn't do it, you may want to try disabling PFS on both the PIX and the Linksys.  Don't know how on the Linksys, but do this on the PIX:

no crypto map VPN_MULTIPURPOSE 40 set pfs

If that doesn't do it, then turn on debug for the IPSEC traffic and post the output:

debug crypto isakmp
debug crypto ipsec
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
batry_boyCommented:
You'll also want to exempt the VPN traffic from NAT by adding the following command to the PIX:

access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
0
aiscomAuthor Commented:
Thanks!
Both of those posts help me get the tunnel up and passing traffic.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.