Solved

Linksys to PIX VPN connection

Posted on 2008-06-19
11
3,098 Views
Last Modified: 2010-04-21
I just purchased this Linksys router and am trying to configure it for one of our remote offices to connect to my main office, but regardless of how I configure it, I seem to consistently get this NO_PROPOSAL_CHOSEN error. I'm using a Linksys WRVS4400 for the remote office and a PIX 515 for the main office.

Here's my Linksys Config

     IPSec VPN Tunnel: Enable
     Tunnel Name: eacvpns2

     Local Security Gateway type: IP Only
     IP address: x.x.x.x
     Local Security Group Type: Subnet
     IP Address: 192.168.5.1
     Subnet Mask: 255.255.255.0

     Remote Security Gateway: IP Only
     IP address: x.x.x.x (pix external IP address)
     Remote Security Group Type: Subnet
     IP Address: 192.168.10.0
     Subnet Mask: 255.255.255.0

     Keying Mode: IKE with Preshared Key
     phase 1
     Encryption: 3DES
     Authentication: MD5
     Group: 1024-bit
     key life time: 86400

     phase 2
     Encryption: 3DES
     Authentication: MD5
     Perfect Forward Secrecy: Disabled
     Preshared Key: testing
     Group: 1024-bit
     key life time: 86400

     Aggressive mode: off
     Netbios Broadcast: off

my PIX config looks like this.

     crypto ipsec transform-set eacvpns esp-des esp-md5-hmac
     crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
     crypto map transam 1 ipsec-isakmp
     crypto map transam 1 match address 101
     crypto map transam 1 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 1 set transform-set eacvpns
     crypto map transam 3 ipsec-isakmp
     crypto map transam 3 match address 103
     crypto map transam 3 set peer x.x.x.x (remote office w/ pix)
     crypto map transam 3 set transform-set eacvpns
     crypto map transam 5 ipsec-isakmp
     crypto map transam 5 match address 105
     crypto map transam 5 set peer x.x.x.x (remote office w/ Linksys WRVS4400N)
     crypto map transam 5 set transform-set eacvpns2
     crypto map transam interface outside
     isakmp enable outside
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 (remote office w/ pix)
     isakmp key ******** address x.x.x.x netmask 255.255.255.248 no-xauth no-config-mode (remote office w/ Linksys WRVS4400N)
     isakmp identity address
     isakmp policy 10 authentication pre-share
     isakmp policy 10 encryption des
     isakmp policy 10 hash md5
     isakmp policy 10 group 2
     isakmp policy 10 lifetime 86400
     isakmp policy 20 authentication pre-share
     isakmp policy 20 encryption 3des
     isakmp policy 20 hash md5
     isakmp policy 20 group 2
     isakmp policy 20 lifetime 86400

Here's a copy of my Linksys Logs

Jun 19 15:03:57 - Configuration changed!
Jun 19 15:03:59 - [VPN Log]: shutting down
Jun 19 15:03:59 - [VPN Log]: forgetting secrets
Jun 19 15:03:59 - [VPN Log]: "eacvpns2": deleting connection
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #2: deleting state (STATE_QUICK_I1)
Jun 19 15:03:59 - [VPN Log]: "eacvpns2" #1: deleting state (STATE_AGGR_I2)
Jun 19 15:03:59 - [VPN Log]: ERROR: "eacvpns2": pfkey write() of SADB_X_DELFLOW message 6 for flow int.0@0.0.0.0 failed. Errno 14: Bad address
Jun 19 15:04:00 - [VPN Log]: "eacvpns2": unroute-client output: 0
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:00 - [VPN Log]: shutting down interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:00 - IPSEC EVENT: KLIPS device ipsec0 shut down.
Jun 19 15:04:03 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
Jun 19 15:04:03 - [VPN Log]: @(#) built on Sep 3 2007:16:44:42:
Jun 19 15:04:03 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
Jun 19 15:04:03 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
Jun 19 15:04:03 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
Jun 19 15:04:03 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 19 15:04:03 - [VPN Log]: starting up 1 cryptographic helpers
Jun 19 15:04:03 - [VPN Log]: started helper pid=2589 (fd:5)
Jun 19 15:04:03 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 19 15:04:03 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
Jun 19 15:04:03 - [VPN Log]: Warning: empty directory
Jun 19 15:04:03 - [VPN Log]: added connection description "eacvpns2"
Jun 19 15:04:03 - [VPN Log]: listening for IKE messages
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:500
Jun 19 15:04:03 - [VPN Log]: adding interface ipsec0/eth1 172.16.77.112:4500
Jun 19 15:04:03 - [VPN Log]: loading secrets from "/etc/ipsec.secrets"
Jun 19 15:04:05 - [VPN Log]: "eacvpns2": route-client output: 0
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [XAUTH]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received Vendor ID payload [Cisco-Unity]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring unknown Vendor ID payload [16df04afde729f9719c0a5dfe0d66fb5]
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: I did not send a certificate because I do not have one.
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: received and ignored informational message
Jun 19 15:04:12 - ipsec0: no IPv6 routers present
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

I just recently added 3DES to my PIX, so I know that's not an issue. I've tried running with aggressive mode on and off, and many other things that I've found on the web. I'm at a loss as to what to try next.
Question by:mnswhit
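The Linksys log in the question is an Openswan (Pluto) log, and the key detail is where the NO_PROPOSAL_CHOSEN notify arrives relative to the state machine: here the ISAKMP SA (phase 1) reaches STATE_MAIN_I4 and is established, Quick Mode (phase 2) is initiated, and only then does the notify come back, so it is the IPsec proposal (transform-set, proxy IDs/crypto ACL, PFS), not the ISAKMP policy, that the PIX rejected. The parser below is an added example, not code from the post or from Openswan: it replays log lines of that shape per connection name and attributes the rejection to the right phase. The sample lines are constructed in the format of the post's log (same connection name, same message texts); the verdict wording is this example's own.

```python
import re
from typing import Dict

# Constructed sample in the shape of the Linksys/Openswan "[VPN Log]" lines
# (trimmed to the lines that drive the diagnosis; not a real capture).
SAMPLE_LOG = """\
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: initiating Main Mode
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+DONTREKEY+UP {using isakmp#1}
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jun 19 15:04:05 - [VPN Log]: "eacvpns2" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 19 15:05:15 - [VPN Log]: "eacvpns2" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'\[VPN Log\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r"\{([^}]*)\}")


def new_state() -> Dict[str, object]:
    return {"phase1": False, "phase1_params": {}, "phase2_started": False,
            "notifies": [], "verdict": "no failure seen"}


def diagnose(log_text: str) -> Dict[str, Dict[str, object]]:
    """Replay the log in order, per connection name, and say which IKE phase failed.

    A NO_PROPOSAL_CHOSEN notify is logged against the ISAKMP SA (#1) because that is
    the SA it travels over; whether it refers to phase 1 or phase 2 depends on how far
    the negotiation had got when it arrived.
    """
    states: Dict[str, Dict[str, object]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        st = states.setdefault(m.group("conn"), new_state())
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            st["phase1"] = True
            pm = PARAMS_RE.search(msg)
            if pm:
                # "{auth=... cipher=... prf=... group=...}" -> dict of the agreed phase 1 parameters
                st["phase1_params"] = dict(kv.split("=", 1) for kv in pm.group(1).split())
        elif msg.startswith("initiating Quick Mode"):
            st["phase2_started"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg:
            st["notifies"].append("NO_PROPOSAL_CHOSEN")
            if st["phase1"] and st["phase2_started"]:
                st["verdict"] = ("phase 2 rejected: ISAKMP SA is up, so the peer found no "
                                 "matching IPsec proposal (transform-set, proxy IDs/crypto ACL, PFS)")
            else:
                st["verdict"] = ("phase 1 rejected: no ISAKMP policy matched "
                                 "(encryption, hash, DH group, lifetime, auth method)")
        elif "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            st["notifies"].append("QUICK_MODE_TIMEOUT")
    return states


if __name__ == "__main__":
    for conn, st in diagnose(SAMPLE_LOG).items():
        p = st["phase1_params"]
        print(conn, "phase1:", p.get("cipher"), p.get("prf"), p.get("group"))
        print("  verdict:", st["verdict"])
```

Run it on a saved copy of the router's log page; if the verdict says phase 2, compare the PIX transform-set and crypto ACL against the Linksys phase 2 settings and security groups rather than touching the ISAKMP policy again.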
11 Comments
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21836114
>isakmp key ******** address x.x.x.x netmask 255.255.255.248
Netmask should be 255.255.255.255 - host specific

 Local Security Group Type: Subnet
     IP Address: 192.168.5.1  <== this must be 192.168.5.0
     Subnet Mask: 255.255.255.0
LVL 2

Author Comment

by:mnswhit
ID: 21849389
I made the changes, but it didn't seem to change the log entries at all. I still can't connect.
LVL 79

Expert Comment

by:lrmoore
ID: 21849589
Can you post the PIX config?
LVL 2

Author Comment

by:mnswhit
ID: 21851039
Here it is.
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password NQzjhlBXd7zn61Ax encrypted
passwd NQzjhlBXd7zn61Ax encrypted
hostname Firewall
domain-name evertsair.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.26 Srv02X
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0 
no pager
logging on
logging timestamp
logging trap debugging
logging history warnings
logging facility 16
logging host inside 192.168.10.45
icmp permit any outside
icmp permit any inside
mtu outside 1460
mtu inside 1460
mtu intf2 1460
ip address outside x.x.62.66 255.255.255.240
ip address inside 192.168.10.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.250.1-192.168.250.20
pdm location 192.168.10.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.10.108 255.255.255.255 inside
pdm location 192.168.250.0 255.255.255.0 outside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.15 255.255.255.255 inside
pdm location Srv02X 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.10.28 255.255.255.255 inside
pdm location 192.168.10.137 255.255.255.255 inside
pdm location 192.168.10.143 255.255.255.255 inside
pdm location 192.168.10.168 255.255.255.255 inside
pdm location 192.168.10.195 255.255.255.255 inside
pdm location 192.168.10.217 255.255.255.255 inside
pdm location 192.168.10.233 255.255.255.255 inside
pdm location 192.168.10.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 104
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0 
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.62.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
http server enable
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set eacvpns esp-des esp-md5-hmac 
crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.192.218
crypto map transam 1 set transform-set eacvpns
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer x.x.104.125
crypto map transam 3 set transform-set eacvpns
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer x.x.190.73
crypto map transam 5 set transform-set eacvpns2
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.104.125 netmask 255.255.255.248 
isakmp key ******** address x.x.192.218 netmask 255.255.255.248 
isakmp key ******** address x.x.190.73 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 35
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:7c030a18368b08a051a41d74203e43dc

LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21851337
>crypto map transam 5 match address 105
>access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
                                                       ^^
ACL 105 makes no sense. It should be:
access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
                                                     ^^
LVL 2

Author Comment

by:mnswhit
ID: 21852453
Didn't notice that error; however, that didn't seem to fix my issue. I'm still getting the same error logs.
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 21854771
You have the same error on acl 104 applied to NAT 0
>access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0

should be
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0

Can you post result of "show cry is sa" from the PIX?
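The three corrections in this thread (host-specific netmask on the `isakmp key`, a crypto ACL that names the local and remote subnets rather than the same subnet twice, and the NAT-exempt ACL on `nat (inside) 0` carrying the same entry) are all things a script can check before the tunnel is brought up, together with the two omissions that the later reposted config shows (a crypto-map entry without `set transform-set`, and no `isakmp policy` matching the peer's phase 1). The audit below is an added example, not code from the post or from Cisco: it parses a constructed PIX 6.3-style fragment with a documentation peer address (198.51.100.73, not the poster's) and reports each problem. The Linksys phase 1 of 3DES, MD5 and "1024-bit" corresponds to PIX `encryption 3des`, `hash md5`, `group 2` (DH group 2 is the 1024-bit MODP group, which is also what the log's `group=modp1024` shows).

```python
import re
from typing import Dict, List, Tuple

# Constructed PIX 6.3-style fragment (documentation peer address, not the poster's):
# the state of the thread before any fix was applied.
SAMPLE_CONFIG = """\
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 104 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 105 permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list 104
crypto ipsec transform-set eacvpns2 esp-3des esp-md5-hmac
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer 198.51.100.73
crypto map transam 5 set transform-set eacvpns2
isakmp key ******** address 198.51.100.73 netmask 255.255.255.248
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

# The Linksys phase 1 settings (3DES, MD5, "1024-bit" = DH group 2) in PIX terms.
LINKSYS_PHASE1 = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)")
POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)")


def ip_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def covers(addr: str, mask: str, host: str) -> bool:
    """True if host is inside addr/mask (an isakmp key with a /29 mask is a wildcard key)."""
    return ip_int(host) & ip_int(mask) == ip_int(addr) & ip_int(mask)


def parse(cfg: str) -> Dict[str, object]:
    acls: Dict[str, List[Tuple[str, ...]]] = {}
    maps: Dict[Tuple[str, int], Dict[str, str]] = {}
    tsets, nat0, keys, policies = set(), [], [], {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(m.groups()[1:])   # (src, smask, dst, dmask)
        elif m := MAP_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := TS_RE.match(line):
            tsets.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0.append(m[1])
        elif m := KEY_RE.match(line):
            keys.append((m[1], m[2]))
        elif m := POLICY_RE.match(line):
            policies.setdefault(int(m[1]), {})[m[2]] = m[3]
    return {"acls": acls, "maps": maps, "tsets": tsets, "nat0": nat0, "keys": keys, "policies": policies}


def audit(cfg: str, peer_phase1: Dict[str, str] = None) -> List[str]:
    """One finding per problem that would stop a crypto-map entry from negotiating."""
    c = parse(cfg)
    findings: List[str] = []
    nat0_entries = {e for name in c["nat0"] for e in c["acls"].get(name, [])}
    for (name, seq), entry in sorted(c["maps"].items()):
        tag = f"crypto map {name} {seq}"
        acl, peer, ts = entry.get("match address"), entry.get("set peer"), entry.get("set transform-set")
        if ts is None:
            findings.append(f"{tag}: no 'set transform-set', so phase 2 has nothing to offer")
        elif ts not in c["tsets"]:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        if not c["acls"].get(acl):
            findings.append(f"{tag}: crypto ACL {acl} is missing or empty")
        for src, smask, dst, dmask in c["acls"].get(acl, []):
            if (src, smask) == (dst, dmask):
                findings.append(f"acl {acl}: {src} to itself never describes site-to-site traffic")
            if (src, smask, dst, dmask) not in nat0_entries:
                findings.append(f"acl {acl}: {src} -> {dst} is not exempted from NAT (nat 0 ACL)")
        if peer is None:
            findings.append(f"{tag}: no 'set peer'")
        else:
            matching = [(a, m) for a, m in c["keys"] if covers(a, m, peer)]
            if not matching:
                findings.append(f"{tag}: no isakmp key covers peer {peer}")
            for a, m in matching:
                if m != "255.255.255.255":
                    findings.append(f"isakmp key {a} netmask {m}: use 255.255.255.255 for a single peer")
    if peer_phase1 and not any(all(p.get(k) == v for k, v in peer_phase1.items())
                               for p in c["policies"].values()):
        findings.append(f"no isakmp policy matches the peer's phase 1 proposal {peer_phase1}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, LINKSYS_PHASE1):
        print(f)
```

Paste the output of `show running-config` (or `write terminal`) into the string and pass the remote side's phase 1 settings; fixing only the crypto ACL, as happened in the thread, moves the finding from "to itself" to "not exempted from NAT" until the `nat 0` ACL is corrected as well.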
LVL 2

Author Comment

by:mnswhit
ID: 21859294
This is what it looks like when I try to connect:
     Firewall# sh cry is sa
     Total     : 3
     Embryonic : 1
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x.192.218    QM_IDLE         0           1
        x.x.62.66  x.x.114.115    AG_NO_STATE   0           0

But it ends up going back to this:

     Firewall# sh cry is sa
     Total     : 2
     Embryonic : 0
             dst               src        state     pending     created
        x.x.62.66   x.x.104.125    QM_IDLE         0           1
        x.x.62.66   x.x.192.218    QM_IDLE         0           1


Just in case it catches your eye that the IP is different from the one I listed in my config earlier: I moved the Linksys to a different ISP for troubleshooting. I'm reposting my Cisco config.
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
hostname Firewall
domain-name evertsair.biz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.10.26 Srv02X
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 103 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list 104 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list 105 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0 
no pager
logging on
logging timestamp
logging trap debugging
logging history warnings
logging facility 16
logging host inside 192.168.10.45
icmp permit any outside
icmp permit any inside
mtu outside 1460
mtu inside 1460
mtu intf2 1460
ip address outside x.x.62.66 255.255.255.240
ip address inside 192.168.10.2 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.250.1-192.168.250.20
pdm location 192.168.10.20 255.255.255.255 inside
pdm location 192.168.0.0 255.255.0.0 inside
pdm location 192.168.10.108 255.255.255.255 inside
pdm location 192.168.250.0 255.255.255.0 outside
pdm location 192.168.10.21 255.255.255.255 inside
pdm location 192.168.10.15 255.255.255.255 inside
pdm location Srv02X 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.10.28 255.255.255.255 inside
pdm location 192.168.10.137 255.255.255.255 inside
pdm location 192.168.10.143 255.255.255.255 inside
pdm location 192.168.10.168 255.255.255.255 inside
pdm location 192.168.10.195 255.255.255.255 inside
pdm location 192.168.10.217 255.255.255.255 inside
pdm location 192.168.10.233 255.255.255.255 inside
pdm location 192.168.10.240 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 104
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.62.67 192.168.10.20 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.78 192.168.10.233 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.70 192.168.10.240 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.71 192.168.10.195 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.77 192.168.10.217 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.74 192.168.10.168 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.69 192.168.10.18 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.73 192.168.10.115 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.75 192.168.10.143 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.76 192.168.10.29 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.68 192.168.10.206 netmask 255.255.255.255 0 0 
static (inside,outside) x.x.62.72 192.168.10.89 netmask 255.255.255.255 0 0 
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.192.62.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server partnerauth protocol radius 
aaa-server partnerauth (inside) host 192.168.10.20 7auth7 timeout 5
http server enable
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set eacvpns esp-des esp-md5-hmac 
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer x.x.192.218
crypto map transam 1 set transform-set eacvpns
crypto map transam 3 ipsec-isakmp
crypto map transam 3 match address 103
crypto map transam 3 set peer x.x.104.125
crypto map transam 3 set transform-set eacvpns
crypto map transam 5 ipsec-isakmp
crypto map transam 5 match address 105
crypto map transam 5 set peer x.x.114.115
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address x.x.104.125 netmask 255.255.255.248 
isakmp key ******** address x.x.192.218 netmask 255.255.255.248 
isakmp key ******** address x.x.114.115 netmask 255.255.255.255 
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 35
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:108940d419f11498305c354ada97fd02
LVL 2

Author Comment

by:mnswhit
ID: 21860052
OK, a little Google search made me realize that I forgot to save my config on reboot, so some of that last config list didn't have enough info to work anyway. I got it online, but not in the location where I need it online. I'll make another post in about an hour, once I test this connection out at the actual location.
LVL 2

Author Comment

by:mnswhit
ID: 21861566
It worked. Thank you for your help. Debug mode really helped me track down the errors, and Google gave this link, which turned out to be you as well. It helped me get the final touches on my config.

http://www.experts-exchange.com/Security/Software_Firewalls/Q_21638685.html

LVL 2

Author Closing Comment

by:mnswhit
ID: 31469014
Each of your suggestions fixed an issue. The end result answer that got me up and running wasn't on this page, but it was your post and your suggestion.