mjeet
asked on
VPN Tunnel between Linksys WRV210 and Cisco PIX
Trying to establish a VPN tunnel between a Linksys WRV210 (public IP: a.a.a.a; private IP subnet: 192.168.150.0) and a Cisco PIX (public IP: b.b.b.b; private IP subnet: 192.168.1.0).
First of all, if I initiate the connection from the Linksys to the Cisco using the public IP address b.b.b.b, the Linksys tries to compare the PEER_ID to the IP and fails. The logs are below:
003 [MON 16:22:06] "TunnelA" #11: initiating Main Mode
004 [MON 16:22:06] "TunnelA" #11: [WRV210 Response:] ISAKMP SA (Main Mode) Initiation
005 [MON 16:22:06] "TunnelA" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
006 [MON 16:22:06] "TunnelA" #11: STATE_MAIN_I2: sent MI2, expecting MR2
007 [MON 16:22:06] "TunnelA" #11: received Vendor ID payload [XAUTH]
008 [MON 16:22:06] "TunnelA" #11: received Vendor ID payload [Dead Peer Detection]
009 [MON 16:22:06] "TunnelA" #11: received Vendor ID payload [Cisco-Unity]
010 [MON 16:22:06] "TunnelA" #11: ignoring unknown Vendor ID payload [8d7d9cca51c5ba5979642c409 1e56146]
011 [MON 16:22:06] "TunnelA" #11: I did not send a certificate because I do not have one.
012 [MON 16:22:07] "TunnelA" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
013 [MON 16:22:07] "TunnelA" #11: STATE_MAIN_I3: sent MI3, expecting MR3
014 [MON 16:22:07] "TunnelA" #11: Main mode peer ID is ID_FQDN: '@aaaa.aaa.aaa'
015 [MON 16:22:07] "TunnelA" #11: we require peer to have ID 'b.b.b.b'', but peer declares '@aaaa.aaa.aaa'
016 [MON 16:22:07] "TunnelA" #11: sending encrypted notification INVALID_ID_INFORMATION to b.b.b.b:500
017 [MON 16:27:12] "TunnelA" #11: next payload type of ISAKMP Hash Payload has an unknown value: 209
018 [MON 16:27:12] "TunnelA" #11: malformed payload in packet
019 [MON 16:27:12] "TunnelA" #11: sending notification PAYLOAD_MALFORMED to b.b.b.b:500
NOTE: The PIX Peer ID FQDN is a dummy FQDN that does not/cannot resolve and cannot be changed since there are a lot of previously connected VPN Tunnels on it.
--------------------------
Then if I remove the remote IP and have the PIX initiate the connection I get the following error:
The IPSec SA could not be found for 192.168.150.0/24 === a.a.a.a ... b.b.b.b === 192.168.1.0/24
Has anyone ever successfully created a VPN tunnel between a Cisco PIX and Linksys Router?
ASKER
The screenshot is attached.
I have tried enabling and disabling PFS. Also I have tried setting the encryption/authentication to Auto but still no luck.
The PIX is managed by another company but I'll try to get the config.
linksys-VPN.jpg
Your end looks OK. Let's wait and see what the PIX end looks like.
FYI, the ISAKMP key lifetime and the IPSEC key lifetime must match whatever is configured on the PIX.
The policy on the PIX must match 3DES/MD5/DH group 2
Did they provide you any information on the setup?
ASKER
They provided me with their IP and said the encryption/authentication is set to 3DES/MD5. We also made sure the pix had DH Group2 set. The only thing we didn't do was check the lifetimes for ISAKMP and IPSEC keys.
ASKER
But the error I am receiving on my end is
015 [MON 16:22:07] "TunnelA" #11: we require peer to have ID 'b.b.b.b'', but peer declares '@aaaa.aaa.aaa'
Is there a way to configure the linksys to ignore the FQDN setup on the PIX and just go with the IP?
You have the remote secure gateway set to IP address.
Try changing it to FQDN and see what happens.
ASKER
But the FQDN configured on the PIX is invalid. It does not resolve to the PIX's IP address, so the Linksys won't reach the right IP.
ASKER CERTIFIED SOLUTION
ASKER
Changing the peer ID on the Cisco helped resolve the issue.
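The identity mismatch in the question's log, worked through as an added example (this is not code from the thread, from Linksys or from Cisco): a small Python diagnostic that parses pluto-style lines like the ones above, classifies each side's IKE identity by type, applies the Phase 1 rule that both the ID type and the value must agree, and explains the INVALID_ID_INFORMATION notification. The sample log lines, the address 203.0.113.10 standing in for b.b.b.b, and the function names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the pluto-style format the WRV210 logs use.
# 203.0.113.10 stands in for the PIX public IP (b.b.b.b in the question);
# '@aaaa.aaa.aaa' is the dummy FQDN identity the PIX declares.
SAMPLE_LOG = """\
014 [MON 16:22:07] "TunnelA" #11: Main mode peer ID is ID_FQDN: '@aaaa.aaa.aaa'
015 [MON 16:22:07] "TunnelA" #11: we require peer to have ID '203.0.113.10', but peer declares '@aaaa.aaa.aaa'
016 [MON 16:22:07] "TunnelA" #11: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:500
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# The quote after the expected ID is doubled in the original log ('b.b.b.b''), so allow '+.
REQUIRE_RE = re.compile(r"we require peer to have ID '([^']*)'+, but peer declares '([^']*)'")
NOTIFY_RE = re.compile(r"sending (?:encrypted )?notification (\w+) to")


@dataclass(frozen=True)
class IkeId:
    kind: str   # ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN or UNKNOWN
    value: str  # normalised value used for comparison


def classify_id(raw: str) -> IkeId:
    """Map a textual identity to its IKE ID type, following pluto's notation.

    A leading '@' marks an FQDN identity that is compared as a literal
    string and never resolved; user@host is a user-FQDN; dotted quads
    are address identities.
    """
    s = raw.strip()
    if s.startswith("@"):
        return IkeId("ID_FQDN", s[1:].lower())
    if IPV4_RE.match(s) and all(0 <= int(o) <= 255 for o in s.split(".")):
        return IkeId("ID_IPV4_ADDR", s)
    if "@" in s:
        return IkeId("ID_USER_FQDN", s.lower())
    return IkeId("UNKNOWN", s)


def ike_id_matches(expected: IkeId, declared: IkeId) -> bool:
    """Phase 1 identity check: type and value must both agree.
    No DNS lookup is involved; an FQDN identity is compared as a string."""
    return expected.kind == declared.kind and expected.value == declared.value


def diagnose(log_text: str) -> Optional[dict]:
    """Scan pluto-style log lines for an identity mismatch and explain it."""
    notification = None
    for line in log_text.splitlines():
        n = NOTIFY_RE.search(line)
        if n:
            notification = n.group(1)
        m = REQUIRE_RE.search(line)
        if not m:
            continue
        expected = classify_id(m.group(1))
        declared = classify_id(m.group(2))
        if ike_id_matches(expected, declared):
            continue
        return {
            "expected": expected,
            "declared": declared,
            "notification": notification,
            "advice": (
                f"local policy expects {expected.kind} '{expected.value}' but the peer "
                f"identifies as {declared.kind} '{declared.value}'; either configure the "
                f"expected peer identity as {declared.kind} '{declared.value}' (the identity, "
                f"not the gateway address packets are sent to) or change the ID the peer sends"
            ),
        }
    return None


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["advice"] if result else "no identity mismatch found")
```

What the script makes explicit is that the peer identity is checked as an ID payload, not by DNS: an FQDN identity never has to resolve, so a configuration that expects an address-type identity fails even when the packets already reach the right gateway. The thread's fix was the mirror image of the first suggestion in the advice string: making the PIX send an identity the Linksys expects.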
Did you try to enable or disable NAT traversal?
Can you post the PIX config?
On the Linksys, do you have PFS enabled? It is not enabled by default on the PIX.
Can you post screenshots of the Linksys vpn configuration?