linksys ipsec with pix 501 6.3 anyone?

Hello, I am unable to set up a tunnel between a pix and a linksys vpn router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication and pfs settings"

My settings are: The local secure group is the subnet behind nat in both routers, the pix and the linksys. The remote secure group is the subnet behind the pix on the linksys and the subnet behind the linksys in the pix. The remote secure gateway is the external address of the pix in the linksys and the external address of the linksys in the pix. Encryption DES, auth MD5. AutoIKE. No PFS enabled in the pix or the linksys. Pre-shared key 123456 in both. Key life time 86400 in both. Under advanced settings I tried 768-bit and group 1 in the pix. I also tried 1024-bit and group 2 in the pix. The tunnel seems to be working on the pix, but on the linksys it won't connect.

Any ideas?

jcharth

In article , wrote:
:Hello I am unable to setup a tunnel between a pix and a linksys vpn
:router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication
:and pfs settings"

Which Linksys? I have two here beside me that work without difficulty.

Do you have the 3DES key for your PIX 501?

Walter Roberson

Looks like I do, right?

Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: 10
Throughput: Unlimited
IKE peers: 10

I am trying with DES and I get the following output

OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:10.1.1.101/500 Ref cnt incremented to:2 Total VPN Peers:1
crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 99618033

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS

Seems like it works but then it does not.

jcharth
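Added example, not part of any post in this thread: a small Python reader for PIX ISAKMP debug text like the output above, which records each offered transform with its verdict, decodes the VPI lifetime bytes, and reports which phase had every offer refused when NO-PROPOSAL-CHOSEN (notify 14) was sent. The function names and the sample constant are hypothetical; the notify names come from RFC 2408 and RFC 2407, and the parser assumes one debug message per line.

```python
import re

# Notify types: 14 is from RFC 2408; 24576 and 24578 are from the IPsec DOI (RFC 2407)
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 24576: "RESPONDER-LIFETIME", 24578: "INITIAL-CONTACT"}
NEW = re.compile(r"Checking ISAKMP transform \d+|transform \d+, ((?:ESP|AH)_\w+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|authenticator is) (\S+)")

SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: hash SHA
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: hash MD5
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP: transform 1, ESP_DES
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""  # constructed sample: a subset of the debug lines posted in this thread

def vpi_seconds(text):
    """Decode a VPI byte list such as '0x0 0x1 0x51 0x80' (big-endian) to seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in text.split()), "big")

def parse(log):
    """Return (offers, notifies); each offer records phase, attributes and verdict."""
    offers, notifies = [], []
    for line in map(str.strip, log.splitlines()):
        if m := NEW.search(line):  # phase 2 transform when m[1] is set, else phase 1
            attrs = {"protocol": m[1]} if m[1] else {}
            offers.append({"phase": 2 if m[1] else 1, "attrs": attrs, "accepted": None})
        elif m := re.search(r"sending NOTIFY message (\d+)", line):
            notifies.append(NOTIFY.get(int(m[1]), m[1]))
        elif offers and (m := re.search(r"\(VPI\) of ([0-9a-fx ]+)", line)):
            offers[-1]["attrs"]["lifetime_s"] = vpi_seconds(m[1])
        elif offers and (m := re.search(r"atts (?:are )?(not )?acceptable", line)):
            offers[-1]["accepted"] = m[1] is None
        elif offers and (m := ATTR.match(line)):
            offers[-1]["attrs"][m[1]] = m[2]
    return offers, notifies

def rejected_phase(log):
    """Phase whose every offer was refused when NO-PROPOSAL-CHOSEN was sent, else None."""
    offers, notifies = parse(log)
    for phase in (1, 2) if "NO-PROPOSAL-CHOSEN" in notifies else ():
        verdicts = [o["accepted"] for o in offers if o["phase"] == phase]
        if verdicts and not any(verdicts):
            return phase
    return None
```

On the sample, phase 1 has one accepted transform, so the refusal is attributed to the phase 2 (IPsec) offer, whose decoded lifetime is 86400 seconds.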

Thanks for the reply. In case anyone has this problem, I named my transform-set my-set, and I don't think the linksys liked the dash. I called the transform-set myset and it worked.

jcharth

Check Phase II parameters. Have you chosen the right ones both on the PIX and the Linksys? Seems that PIX has only one proposal. Perhaps DF group... How have you set up the Linksys for phase II?

Alex.

AM
