After upgrading PIX 506E don't resolve VPN connection

A few days ago I posted the same message incorrectly. What I really wanted to say was "Once upgraded I can NOT connect with VPN." but I missed the word NOT.

Before upgrading the firewall version and PDM, I was using the VPN perfectly. Once upgraded, I can NOT connect with VPN.

Show ver before upgrade:

Cisco PIX Firewall Version 6.1(2)
Cisco PIX Device Manager Version 1.1(2)
Compiled on Fri 16-Nov-01 14:28 by morlee
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 299 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0009.b718.b578, irq 10
1: ethernet1: address is 0009.b718.b579, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited

Show ver after upgrade:

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Fri 02-Jul-04 00:07 by morlee
pixfirewall up 1 day 23 hours
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0009.b718.b578, irq 10
1: ethernet1: address is 0009.b718.b579, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Disabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

After the upgrade I have not changed the configuration.

How can I resolve it?

THANKS!

jaisol

In article , jaisol wrote:
:Few days ago I posted same message incorrectly.
:Really I want to say "Once upgraded I can NOT connect with VPN." but I
:missed NOT word.

You didn't respond to my DES + SHA shot in the dark?

Walter Roberson

Sorry, I forgot to answer.

You are referring to:

I'll take a shot in the dark: The OP does not have the 3DES license, so s/he must be using DES encryption for the VPN. Somewhere between 6.1 and 6.3, support was dropped for the combination of DES and SHA, so the OP may need to change transform sets to esp-des esp-md5-hmac

I'm a newbie PIX user and I didn't understand what I have to do.

I would appreciate it if you could be more specific when you mention "so the OP may need to change transform sets to esp-des esp-md5-hmac"

Thanks again.

jaisol

Check your configuration. There are two places where you can define encrypting and hashing algorithms. The lines you are looking for probably look like these:

  1. Crypto map settings

a) crypto ipsec transform-set [keyword] esp-des esp-sha-hmac
b) crypto ipsec transform-set [keyword] esp-des esp-md5-hmac
crypto map [name] [number] set transform-set [keyword]

  2. Isakmp settings

isakmp policy [number] encryption des
a) isakmp policy [number] hash sha
b) isakmp policy [number] hash md5

As you can see it is possible to use two different hashing algorithms: sha and md5. If your current combination is des and sha (a), then you might want to change to des/md5 (b). Note that the changes must be done at both ends.

Jyri Korhonen
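
One way to locate the lines described in the answer above in a saved configuration, as an added example that is not part of the original thread: it reports every transform set (with the crypto map entries that reference it) and every ISAKMP policy that pairs DES with SHA. The sample configuration and the names `SAMPLE_CONFIG` and `find_des_sha` are constructed for illustration, and the handling of omitted policy lines assumes the PIX defaults of DES and SHA.

```python
import re

# Constructed sample in PIX 6.x syntax; names and numbers are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpnset esp-des esp-sha-hmac
crypto ipsec transform-set altset esp-des esp-md5-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 set transform-set vpnset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 20 encryption des
isakmp policy 20 hash md5
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set transform-set (.+)$")
IKE_RE = re.compile(r"^isakmp policy (\d+) (encryption|hash) (\S+)$")


def find_des_sha(config):
    """Return findings for transform sets and ISAKMP policies pairing DES with SHA."""
    transforms, map_refs, policies = {}, {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := TS_RE.match(line):
            transforms[m.group(1)] = set(m.group(2).split())
        elif m := MAP_RE.match(line):
            # Remember which crypto map entries point at each transform set.
            for name in m.group(3).split():
                map_refs.setdefault(name, []).append(f"{m.group(1)} {m.group(2)}")
        elif m := IKE_RE.match(line):
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)

    findings = []
    for name, parts in transforms.items():
        if {"esp-des", "esp-sha-hmac"} <= parts:
            used_by = ", ".join(map_refs.get(name, [])) or "no crypto map"
            findings.append(("transform-set", name, used_by))
    for number, p in sorted(policies.items(), key=lambda kv: int(kv[0])):
        # Assumption: a missing encryption or hash line means the default (des / sha).
        if p.get("encryption", "des") == "des" and p.get("hash", "sha") == "sha":
            findings.append(("isakmp policy", number, "encryption des, hash sha"))
    return findings


if __name__ == "__main__":
    for kind, ident, detail in find_des_sha(SAMPLE_CONFIG):
        print(f"{kind} {ident}: DES with SHA ({detail})")
```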
