
Pix 506 VPN -> Linksys WRV54G

Status
Not open for further replies.

freeb26

Technical User
Apr 14, 2003
22
CA
Hi,

Any help would be appreciated. I am having no joy setting up a VPN tunnel between a PIX 506 and a Linksys WRV54G.

On the Linksys side I have encryption set to DES with MD5 authentication. The local network is 192.168.1.0/24 and the remote PIX network is 192.168.0.0/24.

Basically it looks pretty simple on the Linksys side.

My PIX config (done through the PDM) looks like this. If you can see my obvious mistake please let me know.

thanks,

PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ciscopix.com
access-list outside_cryptomap_20 permit ip Chicago 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_40 permit ip any 192.168.0.192 255.255.255.192
ip address outside 66.222.222.22 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 66.222.222.21 1
route inside 192.168.1.0 255.255.255.0 192.168.0.200 1
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map_1 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map_1 40 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.222.2.222
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 64.222.2.222 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup CAB address-pool CAB
vpngroup CAB split-tunnel CAB_splitTunnelAcl
vpngroup CAB idle-time 600
vpngroup CAB password ********
telnet timeout 5
ssh Chicago 255.255.255.0 inside
 
if you run debug crypto ipsec and ping the linksys side what is coming back?
 
I tried running the debug crypto ipsec command and get nothing. I do see it running though. I also see through the PDM that an IKE tunnel comes up.

If I monitor the IPSEC VPN through the PDM I get the following.

Details for Chicago/255.255.255.0/1/0 192.168.1.0/255.255.255.0/1/0 at Fri Feb 24 09:56:27 EST 2006

local ident (addr/mask/prot/port): (Chicago/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/1/0)
current_peer: 64....:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 66...., remote crypto endpt.: 64....
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
 
The PDM is not great for debugging!
If you get a ping running then enter the following command on the pix:

show isakmp sa

Is it showing as being created?
 
Where is this ACL?

nat (inside) 0 access-list inside_outbound_nat0_acl

access-list inside_outbound_nat0_ac

I didn't see it established in the config. This is important if you want traffic to go through the tunnel.

Make this:
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

Personally I dislike PDM. Post back and let us know the status.
 
I do have the following line (Chicago = 192.168.0.0/24):

access-list inside_outbound_nat0_acl permit ip Chicago 255.255.255.0 192.168.1.0 255.255.255.0

This is what I get when I run show isakmp sa.

pixfirewall(config)# show isakmp sa
Total : 1
Embryonic : 1
dst src state pending created
66.222.222.22 64.222.2.222 MM_NO_STATE 0 0

and then it becomes

Total : 3
Embryonic : 0
dst src state pending created
66.222.222.22 64.222.2.222 QM_IDLE



Thanks for all the help so far.

 
Do a ping from your internal network to the remote network then do a debug ICMP Trace on the pix. Post the results.
 
13: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=37889 length=40
14: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=38145 length=40
15: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=38401 length=40
16: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=38657 length=40
17: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=38913 length=40
 
OK, do that again but this time also do:

debug crypto isakmp
term mon

To turn off terminal monitoring do:

term no mon
 
This may be more than you need.

-----
pixfirewall# debug crypto isakmp
pixfirewall# 120: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=21507 length=40
pixfirewall# 121: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=21763 length=40
122: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=22019 length=40

crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for 64.222.2.222, peer port 62465
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:64.222.2.222/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:64.222.2.222/500 Ref cnt incremented to:1 Total VPN Peers:1127: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=23299 length=40
128: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=23555 length=40

crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload129: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=23811 length=40
130: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=24067 length=40

crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload133: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=24835 length=40
134: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=25091 length=40

pixfirewall# 138: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=26115 length=40
debug ICMP Trace139: ICMP echo-request from inside:192.168.0.189 to 192.168.1.121 ID=512 seq=26371 length=40
no debug ICMP Trace
ICMP trace off

crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:64.222.2.222, dest:66.222.222.22 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 28
ISAKMP (0): Total payload length: 32
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Peer ip:64.222.2.222/500 Ref cnt incremented to:2 Total VPN Peers:1
pixfirewall# no debug crypto isakmp
pixfirewall#
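The debug output above and the earlier PDM counters together show the classic split: Phase 1 completes (SA has been authenticated, QM_IDLE) but Phase 2 never produces an IPsec SA (malformed payload, outbound SPI 0, zero encaps/decaps). As an added example that is not part of this thread, the following Python triage script reads PIX 6.3-style `debug crypto isakmp` lines and `show crypto ipsec sa` counters and reports which stage the negotiation stalls at; the sample inputs are constructed in the shape of the thread's output, not copied from it.

```python
import re

# Constructed samples in the shape of the PIX 6.3 output seen in this thread (not verbatim).
DEBUG_SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 20 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
"""
IPSEC_SA_SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 0
"""

def counter(text, name):
    """Pull one '#pkts <name>: N' counter out of 'show crypto ipsec sa' output (0 if absent)."""
    m = re.search(r"#pkts %s:?\s*(\d+)" % re.escape(name), text)
    return int(m.group(1)) if m else 0

def triage(debug_text, ipsec_sa_text):
    """Return (stage, finding) for where the tunnel negotiation stalls.
    Checks run in protocol order, because a Phase 1 failure masks everything after it."""
    if "atts are not acceptable" in debug_text:
        return ("phase1", "ISAKMP policy mismatch: align encryption, hash, DH group, lifetime and auth method")
    if "SA has been authenticated" not in debug_text:
        return ("phase1", "no authenticated ISAKMP SA: check pre-shared key and peer address")
    # Phase 1 is up; look for a rejected Quick Mode payload from the peer.
    bad = [l for l in debug_text.splitlines() if "malformed payload" in l or "reserved not zero" in l]
    if bad:
        return ("phase2", "Phase 1 is up but Phase 2 payload rejected (%s): compare proxy IDs, transform set and PFS" % bad[0].strip())
    spi = re.search(r"current outbound spi:\s*([0-9A-Fa-f]+)", ipsec_sa_text)
    encaps, decaps = counter(ipsec_sa_text, "encaps"), counter(ipsec_sa_text, "decaps")
    if not spi or int(spi.group(1), 16) == 0:
        return ("phase2", "no IPsec SA installed: check crypto ACL matches interesting traffic on both sides")
    if encaps and not decaps:
        return ("traffic", "encrypting but nothing returns: check remote side's route and NAT exemption")
    if not encaps:
        return ("traffic", "IPsec SA up but nothing sent: check nat 0 ACL and inside route to the remote subnet")
    return ("ok", "tunnel passing traffic in both directions")

if __name__ == "__main__":
    print(triage(DEBUG_SAMPLE, IPSEC_SA_SAMPLE))
```

On the thread's own output the script lands on the Phase 2 branch, which is where the two peers' Quick Mode settings (proxy IDs, transform set, PFS) need to be compared line by line.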
 
Can you verify the settings on the Linksys?

Every setting for VPN that is: PFS, networks, encryption type, etc.
 
Can you do a ping from the remote network (Linksys) side to your internal network, see what comes up in the Linksys firewall log, and advise?
 
The Linksys is a piece of crap. It all looks good on the Linksys side. Everything is simple but I cannot get it to work.

I have ordered a PIX 501. I have never had this kind of issue when setting up a VPN between two PIX devices. I should have done this from the start and not wasted my time on a cheap Linksys solution. I have subsequently read a lot of very negative reviews about the WRV54G.

Thanks for all the help.
 