AmericanBridge
asked on
Linksys WRV210 to Cisco ASA 5510
I am attempting to connect a Linksys WRV210 to a Cisco ASA 5510 via an IPsec VPN tunnel. I see the initial Phase 1 come across, but it is saying there is a mismatch in the configuration. I know it's usually that one or more parameters are off, but both sides cannot be configured 'exactly' the same because of their difference in operating system builds.
Does anyone know of a walkthrough or configuration list to connect the Linksys WRV210 to a Cisco ASA 5510 via IPsec VPN site-to-site tunnel?
Thanks in advance.
ASKER
ASA 5510 configuration
object-group network NYTEST
 description NYTEST
 network-object 172.28.128.0 255.255.255.0
access-list nonat extended permit ip object-group Headquarters object-group NYTEST
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 71.236.76.13
crypto map outside_map 40 set transform-set 3DES ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
tunnel-group 71.236.76.13 type ipsec-l2l
tunnel-group 71.236.76.13 general-attributes
tunnel-group 71.236.76.13 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
Linksys WRV210 configuration
(See attached file)
ASKER
Attached file
1.JPG
ASKER
Well, I messed around with the encryption and DH groups and came out on top. The Linksys is very picky about the remote LAN IP address and subnet, whereas the ASA will accept a more open subnet that includes the remote LAN IP address and subnet.
The IP subnet listed under the Remote Server Group on the Linksys needs to match what you have under the crypto map <...> match address on the ASA or the Linksys will not complete phase 2 of the tunnel.
Excluding public IPs and the passphrase, post the VPN policy you have on each one:
i.e.
ASA
LOCAL LAN:ASA_LAN
Remote LAN:WRV_LAN
Phase1:
Normal Mode
3des md5
group 1
PFS on
3600
Phase2:
3des MD5
Group1
28800
WRV:
LOCAL LAN: WRV_LAN
REMOTE LAN: ASA_LAN
Phase1
Main Mode
3des md5
group1
PFS on
3600
Phase 2:
3des md5
group1
28800
etc.
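Added example, not part of the thread: a side-by-side check of the two policies in the layout suggested above, including the Phase 2 selector rule the asker found (the Linksys needs the subnets to be identical, not merely covered by a wider ASA entry). The dictionary layout, the 10.0.0.0/24 ASA LAN and the 172.28.0.0/16 wide entry are constructed assumptions; only 172.28.128.0/24 comes from the posted configuration.

```python
import ipaddress

# Constructed sample policies, not the asker's real values.
# "local"/"remote" are the Phase 2 selectors: on the ASA the crypto map
# "match address" ACL, on the WRV the local group / Remote Server Group.
ASA = {"local": "10.0.0.0/24", "remote": "172.28.0.0/16",   # wide remote entry
       "p1": ("3des", "md5", 1, 3600), "p2": ("3des", "md5", 1, 28800),
       "pfs": True}
WRV = {"local": "172.28.128.0/24", "remote": "10.0.0.0/24",
       "p1": ("3des", "md5", 1, 3600), "p2": ("3des", "md5", 1, 28800),
       "pfs": True}

FIELDS = ("encryption", "hash", "DH group", "lifetime")


def selector_issue(asa, a_key, wrv, w_key):
    """Compare an ASA selector with the mirrored selector on the WRV."""
    a = ipaddress.ip_network(asa[a_key])
    w = ipaddress.ip_network(wrv[w_key])
    if a == w:
        return None
    if a.overlaps(w):
        # The case from the thread: covered by the ASA entry, but not equal.
        return f"ASA {a_key} {a} overlaps WRV {w_key} {w} but is not identical"
    return f"ASA {a_key} {a} and WRV {w_key} {w} do not overlap"


def compare(asa, wrv):
    """Return the list of differences to review between the two policies."""
    problems = []
    for key, label in (("p1", "Phase 1"), ("p2", "Phase 2")):
        for field, a, w in zip(FIELDS, asa[key], wrv[key]):
            if a != w:
                problems.append(f"{label} {field}: ASA={a} WRV={w}")
    if asa["pfs"] != wrv["pfs"]:
        problems.append(f"PFS: ASA={asa['pfs']} WRV={wrv['pfs']}")
    # Each side's local selector must mirror the peer's remote selector.
    for a_key, w_key in (("local", "remote"), ("remote", "local")):
        issue = selector_issue(asa, a_key, wrv, w_key)
        if issue:
            problems.append("Phase 2 selector: " + issue)
    return problems


if __name__ == "__main__":
    for line in compare(ASA, WRV) or ["no differences found"]:
        print(line)
```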