Solved

Linksys to PIX VPN connection

Posted on 2008-06-19
Last Modified: 2010-04-21
I just purchased this Linksys router and am trying to configure it for one of our remote offices to connect to my main office, but regardless of how I configure it, I seem to consistently get this NO_PROPOSAL_CHOSEN error. I'm using a Linksys WRVS4400 for the remote office and a PIX 515 for the main office.

Here's my Linksys Config

     IPSec VPN Tunnel: Enable
     Tunnel Name: eacvpns2

     Local Security Gateway type: IP Only
     IP address: x.x.x.x
     Local Security Group Type: Subnet
     IP Address: 192.168.5.1
     Subnet Mask: 255.255.255.0

     Remote Security Gateway: IP Only
     IP address: x.x.x.x (pix external IP address)
     Remote Security Group Type: Subnet
     IP Address: 192.168.10.0
     Subnet Mask: 255.255.255.0

     Keying Mode: IKE with Preshared Key
     phase 1
     Encryption: 3DES
     Authentication: MD5
     Group: 1024-bit
     key life time: 86400

     phase 2
     Encryption: 3DES
     Authentication: MD5
     Perfect Forward Secrecy: Disabled
     Preshared Key: testing
     Group: 1024-bit
     key life time: 86400

     Aggressive mode: off
     Netbios Broadcast: off

my PIX config looks like this.

     crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
     crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
     crypto map transam 1 ipsec-isakmp
     crypto map transam 1 match address 101
     crypto map transam 1 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 1 set transform-set eacvpns
     crypto map transam 3 ipsec-isakmp
     crypto map transam 3 match address 103
     crypto map transam 3 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 3 set transform-set eacvpns
     crypto map transam 5 ipsec-isakmp
     crypto map transam 5 match address 105
     crypto map transam 5 set peer x.x.x.x (remote office w/ Linksys WRVS4400N)
     crypto map transam 5 set transform-set eacvpns2
     crypto map transam interface outside
     isakmp enable outside
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 no-xauth no-config-mode (remote office w/ Linksys WRVS4400N)
     isakmp identity address
     isakmp policy 10 authentication pre-share
     isakmp policy 10 encryption des
     isakmp policy 10 hash md5
     isakmp policy 10 group 2
     isakmp policy 10 lifetime 86400
     isakmp policy 20 authentication pre-share
     isakmp policy 20 encryption 3des
     isakmp policy 20 hash md5
     isakmp policy 20 group 2
     isakmp policy 20 lifetime 86400

Here's a copy of my Linksys Logs

Jun 19 15:03:57 - Configuration changed!
Jun 19 15:03:59 - [VPN Log]: shutting down
Jun 19 15:03:59 - [VPN Log]: forgetting secrets
Jun 19 15:03:59 - [VPN Log]: "eacvpns2": deleting connection
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #2: deleting state (STATE_QUICK_I1)
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #1: deleting state (STATE_AGGR_I2)
Jun 19 15:03:59 - [VPN Log]: ERROR: "eacvpns2": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Jun 19 15:04:00 - [VPN Log]: "eacvpns2": unroute-client output: 0
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:00 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Jun 19 15:04:03 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Jun 19 15:04:03 - [VPN Log]: @(#) built on Sep 3 2007:16:44:42:
Jun 19 15:04:03 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Jun 19 15:04:03 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Jun 19 15:04:03 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Jun 19 15:04:03 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 19 15:04:03 - [VPN Log]: starting up 1 cryptographic helpers
Jun 19 15:04:03 - [VPN Log]: started helper pid=2589 (fd:5)
Jun 19 15:04:03 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Jun 19 15:04:03 - [VPN Log]: Warning: empty directory
Jun 19 15:04:03 - [VPN Log]: added connection description "eacvpns2"
Jun 19 15:04:03 - [VPN Log]: listening for IKE messages
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:03 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Jun 19 15:04:05 - [VPN Log]: "eacvpns2": route-client output: 0
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [XAUTH]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Cisco-Unity]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring unknown Vendor ID payload [16df04afde729f9719c0a5dfe0d66fb5]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: I did not send a certificate because I do not have one.
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:12 - ipsec0: no IPv6 routers present
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

I just recently added 3DES to my PIX, so I know that's not an issue. I've tried running with aggressive mode on and off, and many other things that I've found on the web. I'm at a loss as to what to try next.
Question by:mnswhit
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21836114
>isakmp key ******** address x.x.x.x netmask 255.255.255.248
Netmask should be 255.255.255.255 - host specific

 Local Security Group Type: Subnet
     IP Address: 192.168.5.1  <== this must be 192.168.5.0
     Subnet Mask: 255.255.255.0
LVL 2

Author Comment

by:mnswhit
ID: 21849389
I made the changes, but didn't seem to change the log entries at all. still can't connect
LVL 79

Expert Comment

by:lrmoore
ID: 21849589
Can you post the PIX config?
LVL 2

Author Comment

by:mnswhit
ID: 21851039
Here it is.
     : Saved
     :
     PIX Version 6.3(3)
     interface ethernet0 auto
     interface ethernet1 auto
     interface ethernet2 auto shutdown
     nameif ethernet0 outside security0
     nameif ethernet1 inside security100
     nameif ethernet2 intf2 security10
     enable password NQzjhlBXd7zn61Ax encrypted
     passwd NQzjhlBXd7zn61Ax encrypted
     hostname Firewall
     domain-name evertsair.biz
     fixup protocol dns maximum-length 512
     fixup protocol ftp 21
     fixup protocol h323 h225 1720
     fixup protocol h323 ras 1718-1719
     fixup protocol http 80
     fixup protocol ils 389
     fixup protocol pptp 1723
     fixup protocol rsh 514
     fixup protocol rtsp 554
     fixup protocol sip 5060
     fixup protocol sip udp 5060
     fixup protocol skinny 2000
     no fixup protocol smtp 25
     fixup protocol sqlnet 1521
     fixup protocol tftp 69
     names
     name 192.168.10.26 Srv02X
     access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
     access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
     access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
     access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
     access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
     access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
     no pager
     logging on
     logging timestamp
     logging trap debugging
     logging history warnings
     logging facility 16
     logging host inside 192.168.10.45
     icmp permit any outside
     icmp permit any inside
     mtu outside 1460
     mtu inside 1460
     mtu intf2 1460
     ip address outside x.x.62.66 255.255.255.240
     ip address inside 192.168.10.2 255.255.255.0
     ip address intf2 127.0.0.1 255.255.255.255
     ip verify reverse-path interface outside
     ip audit info action alarm
     ip audit attack action alarm
     ip local pool ippool 192.168.250.1-192.168.250.20
     pdm location 192.168.10.20 255.255.255.255 inside
     pdm location 192.168.0.0 255.255.0.0 inside
     pdm location 192.168.10.108 255.255.255.255 inside
     pdm location 192.168.250.0 255.255.255.0 outside
     pdm location 192.168.10.21 255.255.255.255 inside
     pdm location 192.168.10.15 255.255.255.255 inside
     pdm location Srv02X 255.255.255.255 inside
     pdm location 192.168.1.0 255.255.255.0 inside
     pdm location 192.168.1.0 255.255.255.0 outside
     pdm location 192.168.3.0 255.255.255.0 outside
     pdm location 192.168.10.28 255.255.255.255 inside
     pdm location 192.168.10.137 255.255.255.255 inside
     pdm location 192.168.10.143 255.255.255.255 inside
     pdm location 192.168.10.168 255.255.255.255 inside
     pdm location 192.168.10.195 255.255.255.255 inside
     pdm location 192.168.10.217 255.255.255.255 inside
     pdm location 192.168.10.233 255.255.255.255 inside
     pdm location 192.168.10.240 255.255.255.255 inside
     pdm logging informational 100
     pdm history enable
     arp timeout 14400
     global (outside) 1 interface
     nat (inside) 0 access-list 104
     nat (inside) 1 0.0.0.0 0.0.0.0 0 0
     static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0
     access-group acl_in in interface outside
     route outside 0.0.0.0 0.0.0.0 x.x.62.65 1
     timeout xlate 0:05:00
     timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
     timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
     timeout uauth 0:05:00 absolute
     aaa-server TACACS+ protocol tacacs+
     aaa-server RADIUS protocol radius
     aaa-server LOCAL protocol local
     aaa-server partnerauth protocol radius
     aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
     http server enable
     http 192.168.0.0 255.255.0.0 inside
     http 192.168.1.0 255.255.255.0 inside
     no snmp-server location
     no snmp-server contact
     snmp-server community public
     no snmp-server enable traps
     floodguard enable
     sysopt connection permit-ipsec
     crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
     crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
     crypto map transam 1 ipsec-isakmp
     crypto map transam 1 match address 101
     crypto map transam 1 set peer x.x.192.218
     crypto map transam 1 set transform-set eacvpns
     crypto map transam 3 ipsec-isakmp
     crypto map transam 3 match address 103
     crypto map transam 3 set peer x.x.104.125
     crypto map transam 3 set transform-set eacvpns
     crypto map transam 5 ipsec-isakmp
     crypto map transam 5 match address 105
     crypto map transam 5 set peer x.x.190.73
     crypto map transam 5 set transform-set eacvpns2
     crypto map transam interface outside
     isakmp enable outside
     isakmp key ******** address x.x.104.125 netmask 255.255.255.248
     isakmp key ******** address x.x.192.218 netmask 255.255.255.248
     isakmp key ******** address x.x.190.73 netmask 255.255.255.255
     isakmp identity address
     isakmp policy 10 authentication pre-share
     isakmp policy 10 encryption des
     isakmp policy 10 hash md5
     isakmp policy 10 group 2
     isakmp policy 10 lifetime 86400
     isakmp policy 20 authentication pre-share
     isakmp policy 20 encryption 3des
     isakmp policy 20 hash md5
     isakmp policy 20 group 2
     isakmp policy 20 lifetime 86400
     telnet 192.168.0.0 255.255.0.0 inside
     telnet timeout 35
     ssh 0.0.0.0 0.0.0.0 outside
     ssh timeout 5
     management-access inside
     console timeout 0
     dhcpd lease 3600
     dhcpd ping_timeout 750
     terminal width 80
     Cryptochecksum:7c030a18368b08a051a41d74203e43dc

LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21851337
>crypto map transam 5 match address 105
>access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
                                                       ^^
ACL 105 makes no sense. It should be:
access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
                                                     ^^
LVL 2

Author Comment

by:mnswhit
ID: 21852453
Didn't notice that error, however that didn't seem to fix my issue, I'm still getting the same error logs.
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21854771
You have the same error on acl 104 applied to NAT 0
>access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

should be
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0

Can you post result of "show cry is sa" from the PIX?
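The three corrections in this thread (a host mask on the isakmp key, a network rather than host address for the Linksys local group, and crypto and nat 0 ACLs that mirror the Linksys groups) are all proxy-ID or peer-binding mismatches, which is what makes a PIX answer NO_PROPOSAL_CHOSEN in Quick Mode even though Main Mode completed, as the Linksys log above shows. The Python below is an added example that is not part of the thread: it parses the relevant PIX lines and the Linksys group settings and reports each mismatch, using constructed input modelled on the quoted snippets, with 198.51.100.73 as a placeholder for the masked peer address and function names of my own.

```python
import ipaddress
import re

# Constructed sample input, modelled on the PIX lines lrmoore quoted and on the
# Linksys settings from the question. 198.51.100.73 is a documentation-range
# placeholder for the masked peer address x.x.190.73.
PIX_BROKEN = """
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list 104
crypto map transam 5 match address 105
crypto map transam 5 set peer 198.51.100.73
isakmp key ******** address 198.51.100.73 netmask 255.255.255.248
"""
LINKSYS_BROKEN = {"local": ("192.168.5.1", "255.255.255.0"), "remote": ("192.168.10.0", "255.255.255.0")}

# The same input with the corrections from the thread applied.
PIX_FIXED = (PIX_BROKEN
             .replace("access-list 104 permit ip 192.168.5.0", "access-list 104 permit ip 192.168.10.0")
             .replace("access-list 105 permit ip 192.168.5.0", "access-list 105 permit ip 192.168.10.0")
             .replace("netmask 255.255.255.248", "netmask 255.255.255.255"))
LINKSYS_FIXED = {"local": ("192.168.5.0", "255.255.255.0"), "remote": ("192.168.10.0", "255.255.255.0")}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")


def net(addr, mask):
    """Network for addr/mask; strict=False so a host address like 192.168.5.1 parses."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Pull ACL pairs, isakmp key netmasks, nat 0 ACL names and crypto map entries."""
    acls, keys, nat0, maps = {}, {}, [], {}
    for line in map(str.strip, text.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := KEY_RE.match(line):
            keys[m[1]] = m[2]
        elif m := NAT0_RE.match(line):
            nat0.append(m[1])
        elif m := MAP_RE.match(line):
            maps.setdefault(m[1], {})["acl" if m[2] == "match address" else "peer"] = m[3]
    return acls, keys, nat0, maps


def check_tunnel(pix_text, linksys, seq):
    """Return findings for crypto map sequence `seq` checked against the Linksys side."""
    acls, keys, nat0, maps = parse_pix(pix_text)
    entry, findings = maps[seq], []
    l_addr, l_mask = linksys["local"]
    # Linksys local group must be a network address, not a host (192.168.5.1 vs .0).
    if ipaddress.ip_address(l_addr) != net(l_addr, l_mask).network_address:
        findings.append(f"linksys local group {l_addr} is a host address, not a network")
    # The PIX crypto ACL is the mirror image of the Linksys groups: its source is the
    # Linksys remote group and its destination is the Linksys local group.
    want = (net(*linksys["remote"]), net(l_addr, l_mask))
    pairs = acls.get(entry["acl"], [])
    for src, dst in pairs:
        if src == dst:
            findings.append(f"acl {entry['acl']}: source and destination are both {src}")
    if want not in pairs:
        findings.append(f"acl {entry['acl']} has no entry {want[0]} -> {want[1]}")
    # Tunnel traffic must also be exempted from NAT by the nat 0 ACL.
    if want not in [p for name in nat0 for p in acls.get(name, [])]:
        findings.append("nat 0 acl does not exempt the tunnel traffic")
    # A pre-shared key bound to one peer should use a host mask.
    mask = keys.get(entry["peer"])
    if mask != "255.255.255.255":
        findings.append(f"isakmp key for {entry['peer']} uses netmask {mask}, expected 255.255.255.255")
    return findings
```

Running `check_tunnel(PIX_BROKEN, LINKSYS_BROKEN, "5")` reports all five problems lrmoore pointed out; the fixed pair returns an empty list.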
LVL 2

Author Comment

by:mnswhit
ID: 21859294
This is what it looks like when I try to connect:
     Firewall# sh cry is sa
     Total     : 3
     Embryonic : 1
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x192.218    QM_IDLE         0           1
        x.x.62.66  x.x.114.115    AG_NO_STATE   0           0

But it ends up going back to this:

     Firewall# sh cry is sa
     Total     : 2
     Embryonic : 0
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x.192.218    QM_IDLE         0           1


Just in case it catches your eye that the IP is different from the one I listed in my config earlier: I moved the Linksys to a different ISP for troubleshooting. I'm reposting my Cisco config.
     : Saved
     :
     PIX Version 6.3(3)
     interface ethernet0 auto
     interface ethernet1 auto
     interface ethernet2 auto shutdown
     nameif ethernet0 outside security0
     nameif ethernet1 inside security100
     nameif ethernet2 intf2 security10
     hostname Firewall
     domain-name evertsair.biz
     fixup protocol dns maximum-length 512
     fixup protocol ftp 21
     fixup protocol h323 h225 1720
     fixup protocol h323 ras 1718-1719
     fixup protocol http 80
     fixup protocol ils 389
     fixup protocol pptp 1723
     fixup protocol rsh 514
     fixup protocol rtsp 554
     fixup protocol sip 5060
     fixup protocol sip udp 5060
     fixup protocol skinny 2000
     no fixup protocol smtp 25
     fixup protocol sqlnet 1521
     fixup protocol tftp 69
     names
     name 192.168.10.26 Srv02X
     access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
     access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
     access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
     access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
     access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
     access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
     no pager
     logging on
     logging timestamp
     logging trap debugging
     logging history warnings
     logging facility 16
     logging host inside 192.168.10.45
     icmp permit any outside
     icmp permit any inside
     mtu outside 1460
     mtu inside 1460
     mtu intf2 1460
     ip address outside x.x.62.66 255.255.255.240
     ip address inside 192.168.10.2 255.255.255.0
     ip address intf2 127.0.0.1 255.255.255.255
     ip verify reverse-path interface outside
     ip audit info action alarm
     ip audit attack action alarm
     ip local pool ippool 192.168.250.1-192.168.250.20
     pdm location 192.168.10.20 255.255.255.255 inside
     pdm location 192.168.0.0 255.255.0.0 inside
     pdm location 192.168.10.108 255.255.255.255 inside
     pdm location 192.168.250.0 255.255.255.0 outside
     pdm location 192.168.10.21 255.255.255.255 inside
     pdm location 192.168.10.15 255.255.255.255 inside
     pdm location Srv02X 255.255.255.255 inside
     pdm location 192.168.1.0 255.255.255.0 inside
     pdm location 192.168.1.0 255.255.255.0 outside
     pdm location 192.168.3.0 255.255.255.0 outside
     pdm location 192.168.10.28 255.255.255.255 inside
     pdm location 192.168.10.137 255.255.255.255 inside
     pdm location 192.168.10.143 255.255.255.255 inside
     pdm location 192.168.10.168 255.255.255.255 inside
     pdm location 192.168.10.195 255.255.255.255 inside
     pdm location 192.168.10.217 255.255.255.255 inside
     pdm location 192.168.10.233 255.255.255.255 inside
     pdm location 192.168.10.240 255.255.255.255 inside
     pdm logging informational 100
     pdm history enable
     arp timeout 14400
     global (outside) 1 interface
     nat (inside) 0 access-list 104
     nat (inside) 1 0.0.0.0 0.0.0.0 0 0
     static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0
     static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0
     access-group acl_in in interface outside
     route outside 0.0.0.0 0.0.0.0 209.192.62.65 1
     timeout xlate 0:05:00
     timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
     timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
     timeout uauth 0:05:00 absolute
     aaa-server TACACS+ protocol tacacs+
     aaa-server RADIUS protocol radius
     aaa-server LOCAL protocol local
     aaa-server partnerauth protocol radius
     aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
     http server enable
     http 192.168.0.0 255.255.0.0 inside
     http 192.168.1.0 255.255.255.0 inside
     no snmp-server location
     no snmp-server contact
     snmp-server community public
     no snmp-server enable traps
     floodguard enable
     sysopt connection permit-ipsec
     crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
     crypto map transam 1 ipsec-isakmp
     crypto map transam 1 match address 101
     crypto map transam 1 set peer x.x.192.218
     crypto map transam 1 set transform-set eacvpns
     crypto map transam 3 ipsec-isakmp
     crypto map transam 3 match address 103
     crypto map transam 3 set peer x.x.104.125
     crypto map transam 3 set transform-set eacvpns
     crypto map transam 5 ipsec-isakmp
     crypto map transam 5 match address 105
     crypto map transam 5 set peer x.x.114.115
     crypto map transam interface outside
     isakmp enable outside
     isakmp key ******** address x.x.104.125 netmask 255.255.255.248
     isakmp key ******** address x.x.192.218 netmask 255.255.255.248
     isakmp key ******** address x.x.114.115 netmask 255.255.255.255
     isakmp identity address
     isakmp policy 10 authentication pre-share
     isakmp policy 10 encryption des
     isakmp policy 10 hash md5
     isakmp policy 10 group 2
     isakmp policy 10 lifetime 86400
     telnet 192.168.0.0 255.255.0.0 inside
     telnet timeout 35
     ssh 0.0.0.0 0.0.0.0 outside
     ssh timeout 5
     management-access inside
     console timeout 0
     dhcpd lease 3600
     dhcpd ping_timeout 750
     terminal width 80
     Cryptochecksum:108940d419f11498305c354ada97fd02

LVL 2

Author Comment

by:mnswhit
ID: 21860052
OK, a little Google search made me realize that I forgot to save my config on reboot, so some of that last config listing didn't have enough info to work anyway. I got it online, but not in the location where I need it online. I'll make another post in about an hour, once I test this connection out at the actual location.
LVL 2

Author Comment

by:mnswhit
ID: 21861566
It worked. Thank you for your help. Debug mode really helped me track down the errors, and Google gave me this link, which turns out was you as well. It helped me get the final touches on my config.

http://www.experts-exchange.com/Security/Software_Firewalls/Q_21638685.html

LVL 2

Author Closing Comment

by:mnswhit
ID: 31469014
Each of your suggestions fixed an issue. The end result answer that got me up and running wasn't on this page, but it was your post and your suggestion.