PIX 501 -> Linksys BEFSX41 via IPSec

I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to connect to with an IPSec tunnel originating from a PIX 501 (also behind an ADSL modem but with a dynamic IP address).

The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase 2.

I've tried various isakmp policy encryption/hash combinations but cannot seem to get past Phase 1 negotiations.

Can one of you sharp individuals give me an idea of what is needed for configuration on the PIX to get this working?

   local  ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
   current_peer: Remote_Site:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 32, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: Remote_Site
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Reply to
MyndPhlyp

In article , MyndPhlyp wrote:
:I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to
:connect to with an IPSec tunnel originating from a PIX 501 (also behind an
:ADSL modem but with a dynamic IP address).

:The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase
:2.

:I've tried various isakmp policy encryption/hash combinations but cannot
:seem to get past Phase 1 negotiations.

DES SHA is not supported on the PIX, only DES MD5. Try 3DES SHA for your phase 1.

I have the reverse configuration working without [much] difficulty. I still get issues sometimes when the ISP changes the IP address underneath me, and I still get the occasional oddity where the most active TCP session hangs but all the other sessions are fine [this is the fault of the BEFSX41, and happens sometimes when the keys are rolling over.]

Reply to
Walter Roberson

Odd that DES/SHA is not supported on the PIX 501. It appears to be one of the standard "crypto ipsec transform-set" configurations. (I can't tell right now 'cus the PIX VPN configuration has the PDM all confused with something about access lists. A little clean-up is in order before proceeding.) 3DES/SHA seems to be out of the question for Phase 1. The so-called Advanced settings for the tunnel won't let me kick it up from DES to 3DES; it keeps reverting back down. Hmm ... lowest common denominator ... DES/MD5. Oh I am _SO_ glad I spent money on 3DES.

Looks like my problem was a little more basic though (and it will be a couple of weeks before I can return to the task at hand). The ADSL modem was getting in the way. Changing it over to bridge mode and letting the BEFSX41 do the PPPoE at least got me to the gate. Then I got sidetracked playing around with WinXP, an Air Card, the BEFSX41, and Microsoft's poor implementation of L2TP/IPSec. Just as I threw in the towel for the day I stumbled across some information that /*seems*/ promising for that mix.

I appreciate your response though. I'll see about avoiding DES/SHA for Phase 1.
Reply to
MyndPhlyp

I had a similar problem. I don't think it made much sense, but my crypto map name had a dash, and when I changed my crypto map name to one without the dash the IPSec tunnel worked. I set up MD5 3DES, and group 1 is for 768, group 2 is for 1024. I did not check PFS.
Reply to
jcharth
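For reference, here is what the settings jcharth describes (3DES/MD5 for Phase 1, DH group 2, no PFS) look like as a PIX 6.x configuration. This is an added example written for this page, not the configuration of anyone in the thread. The LAN ranges, the Linksys WAN address 203.0.113.10, the names linksys_vpn, linksys_map and ESP_3DES_MD5, and the pre-shared key are placeholders; the names use underscores rather than dashes because of the problem reported above.

```cisco
! Added example (not from the thread): PIX 6.x site-to-site IPSec to a static-IP peer.
! Placeholders: 192.168.1.0/24 = PIX inside LAN, 192.168.2.0/24 = Linksys LAN,
! 203.0.113.10 = Linksys static WAN address, PRESHARED_KEY_PLACEHOLDER = your key.

! Interesting traffic: LAN-to-LAN, and exempt that traffic from NAT
access-list linksys_vpn permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list linksys_vpn

! Let decrypted IPSec traffic bypass the interface access lists
sysopt connection permit-ipsec

! Phase 2 proposal: ESP with 3DES and MD5 HMAC
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac

! Crypto map: the Linksys end has the static address, so it is the peer here
crypto map linksys_map 10 ipsec-isakmp
crypto map linksys_map 10 match address linksys_vpn
crypto map linksys_map 10 set peer 203.0.113.10
crypto map linksys_map 10 set transform-set ESP_3DES_MD5
crypto map linksys_map interface outside

! Phase 1 (ISAKMP): pre-shared key, 3DES, MD5, DH group 2 (1024-bit)
isakmp enable outside
isakmp identity address
isakmp key PRESHARED_KEY_PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Checking the result after sending traffic that matches linksys_vpn:
! show isakmp sa          - the SA should reach QM_IDLE once Phase 1 completes
! show crypto ipsec sa    - #pkts encaps/decaps should climb; a rising
!                           "#pkts no sa (send)" counter with empty SA lists,
!                           as in the first post, means no SA was ever built
! debug crypto isakmp     - shows which proposal attribute the peer rejects
```

Both ends must agree on every Phase 1 attribute (encryption, hash, DH group, authentication method, lifetime) or the negotiation stops exactly where the first post describes; a mismatch shows up in debug crypto isakmp as a rejected proposal rather than as a counter. If PFS is wanted, as a later post in this thread requires, add crypto map linksys_map 10 set pfs group2 and select the same group on the Linksys side.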

I've found the PIX 501 complains when placing a dash in a name (access-list names, object-group names, host/network names) and got into the habit of using the underscore. I'm surprised (only because I haven't tried it) the PIX allowed you to create a crypto map name with a dash. The hard-coded transform-set names all have dashes in them though (i.e., ESP-3DES-MD5) so why not?

I think my limiting factors are going to be WinXP (on the notebook with the Air Card) and the Linksys BEFSX41.

The BEFSX41 will not let me tweak up Phase 1 to 3DES on the Advanced Settings even though that is what I'm setting back on the main VPN page. Every time I tried it, saved the configuration, and reinspected, it reverted back to DES with no warnings or errors. It could be a firmware bug. After all it has been probably a year since the BEFSX41 has seen an upgrade (and it's not like Linksys hasn't had its share of bugs in that HTTP interface). I'll have to look into that ... if I remember.

But I digress. Using the information earlier in this thread (from Walter Roberson) the PIX apparently doesn't like DES/SHA. Since I cannot tweak Phase 1 up to 3DES on the BEFSX41, that leaves me with just DES/MD5. Or maybe I'm just misunderstanding.

PFS is definitely needed in this situation. The remote end is a traveling notebook, which means I cannot lock down the tunnel to a static IP address. It also doesn't help that my PIX's WAN address is dynamically assigned.

Whether or not I can use Group 2 is yet to be seen. WinXP will definitely be the limiting factor there. Lots of trial and error ahead of me yet. Fortunately I have a week or two to Google around to see what else I can uncover for configuration notes.

Reply to
MyndPhlyp

Set up a Linux router with two NICs, enable routing, use the Redwall live CD and test it out. Just put it on the table.

Reply to
jcharth
