Help with understanding Transform Sets and Crypto Maps... (PIX/ASA)

Over the years, with my lack of true understanding, I've added stuff to the PIX that I'm real unclear about. Now I need to add more, and before I just throw in the kitchen sink I'd like to understand more of what these things really are.

In a nutshell, I have 6 types of clients that I want to support:

L2L VPN, Preshare keys, PIX 515 to PIX 515 (Static IP on both ends)
VPN, Preshare keys, PIX 515 (Static IP) to PIX 506 (Dynamic IP)
VPN, Preshare keys, PIX 515 (Static IP) to 1700 series router (Dynamic IP)
VPN, Certificate Auth, Cisco VPN Client v4.x & v5.x
VPN, Preshared Keys/User Auth, L2TP, Vista x64 Client
VPN, Preshared Keys/User Auth, L2TP, iPhone Client

So the first 4 are working, the last 2 are not. I'm getting the "All IPSec SA proposals found unacceptable" error, which all points to the Transforms and Maps.

I'm not sure why you just can't enable everything in one set, or in many sets, and then apply the many sets to one Map. I really do not understand the Maps and how they relate to groups and tunnel policies.

For what it's worth, here is a list of the Transforms and Maps.

crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set scooter133_set esp-des esp-md5-hmac
crypto ipsec transform-set scooter133_set2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map olivet 1 set transform-set olivet-set
crypto dynamic-map olivet 1 set security-association lifetime seconds 3600
crypto dynamic-map olivet 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
crypto dynamic-map vpn-des 2 set security-association lifetime seconds 3600
crypto dynamic-map vpn-des 2 set security-association lifetime kilobytes 4608000
crypto dynamic-map scooter133 11 set transform-set scooter133_set scooter133_set2
crypto dynamic-map scooter133 11 set security-association lifetime seconds 28800
crypto dynamic-map scooter133 11 set security-association lifetime kilobytes 4608000
crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20
crypto map olivet-dyn-map 20 set peer
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 20 set security-association lifetime seconds 28800
crypto map olivet-dyn-map 20 set security-association lifetime kilobytes 4608000
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside-HBG

Any insight would be appreciated.

Thanks!

scooter133
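Added example, not part of the original post: a short Python script that resolves the reference chain in the listing above (transform set, dynamic map, crypto map entry, interface binding) and reports which transform sets a bound crypto map can actually use. The function name `audit` is hypothetical, and the result covers only the commands shown in the post, which may not be the complete configuration.

```python
from collections import defaultdict

# Crypto commands copied from the listing in the post above (lifetimes, ACL and peer lines omitted).
CONFIG = """\
crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set scooter133_set esp-des esp-md5-hmac
crypto ipsec transform-set scooter133_set2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
crypto dynamic-map olivet 1 set transform-set olivet-set
crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
crypto dynamic-map scooter133 11 set transform-set scooter133_set scooter133_set2
crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside-HBG
"""

def audit(config):
    """Return ({interface: {set name: transforms}}, sorted set names no bound map reaches)."""
    sets, dyn, maps, bound = {}, defaultdict(list), defaultdict(list), {}
    for w in map(str.split, config.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[w[3]] = w[4:]                      # set name -> its transforms
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            dyn[w[2]] += w[6:]                      # dynamic map -> transform-set names
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            bound[w[4]] = w[2]                      # interface -> crypto map name
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "transform-set"]:
            maps[w[2]] += [("set", n) for n in w[6:]]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["ipsec-isakmp", "dynamic"]:
            maps[w[2]].append(("dyn", w[6]))        # entry defers to a dynamic map
    offered = {}
    for ifc, name in bound.items():
        names = [n for kind, ref in maps[name]
                 for n in ([ref] if kind == "set" else dyn[ref])]
        offered[ifc] = {n: sets.get(n, []) for n in names}
    reached = {n for o in offered.values() for n in o}
    return offered, sorted(set(sets) - reached)

if __name__ == "__main__":
    offered, unreached = audit(CONFIG)
    print(offered)
    print("not reachable from a bound crypto map:", unreached)
```

For the commands as posted, only `olivet-dyn-map` is bound to an interface, so the sets attached to `dynmap`, `vpn-des` and `scooter133` are not reachable through it.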