VPN Issue - losing more of my grey hair

PIX 515e v7.2(2) to Linksys BEFSX41 VPN Endpoint

Error

713904 - IP = {my.home.ip}, Received encrypted packet with no matching SA, dropping

113019 - Group = DefaultRAGroup, Username = , IP = {my.home.ip}, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

713902 - Group = DefaultRAGroup, IP = {my.home.ip}, Removing peer from correlator table failed, no match!

713902 - Group = DefaultRAGroup, IP = {my.home.ip}, QM FSM error (P2 struct &0x2872030, mess id 0xbaa20a88)!

713119 - Group = DefaultRAGroup, IP = {my.home.ip}, PHASE 1 COMPLETED

713903 - Group = DefaultRAGroup, IP = {my.home.ip}, Freeing previously allocated memory for authorization-dn-attributes

On the PIX:

access-list vpnsite123 permit ip 10.0.0.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list no_nat permit ip 10.0.0.0 255.255.255.0 192.168.123.0 255.255.255.0
nat (inside) 0 access-list no_nat
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address vpnsite123
crypto map outside_map 30 set peer {my.home.ip}
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp key {supersecret} address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
isakmp enable outside
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable

On the Linksys:

Tunnel1 (*) Enabled
Tunnel Name [TO_PIX]
Local Secure Group Subnet | 192.168.123.0 | 255.255.255.0
Remote Secure Group Subnet | 10.0.0.0 | 255.255.255.0
remote Security Gateway = {pix.public.ip}
Encryption 3DES | Authentication MD5
Auto (IKE)
PFS (*)Disabled
Pre-shared Key {supersecret}
Key Lifetime [3600] sec

[Advanced Setting]
(*) Main Mode
Proposal1 3DES | MD5 | 1024 | 3600
Phase 2 Proposal: 3DES | MD5 PFS:OFF | 1024-bit | 3600

Please help me before I go bald(er)

Thanks

'topher

-- Christopher Mattogno Northampton, MA US

Reply to
topher

You need a tunnel group for the L2L. Be sure to name it the IP address of the Linksys.

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *

Reply to
Shawn Westerhoff

Your "isakmp policy 30" (which is using DES) does not match the Linksys's (which is using 3DES).

Thanks,
Roman Nakhmanson

Reply to
nakhmanson

Hi Chris,

Your P2 proposal is not matching. By default the PIX places 28800 sec for IPsec; your Linksys is configured for 3600. Please check that one...

Reply to
gopi
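Added example, not part of the original thread or any poster's code: a small Python check that parses the `isakmp policy` and `transform-set` lines from the PIX config posted above and compares them with the Linksys proposal, so a Phase 1 or Phase 2 mismatch shows up before the tunnel is tested. The `LINKSYS` dictionary is a constructed re-typing of the settings screen from the post (1024-bit taken as DH group 2), and the function names are hypothetical.

```python
import re

# PIX lines copied from the original post; LINKSYS is a constructed structure
# re-typing the Linksys screen (assumption: "1024" means DH group 2).
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 30 set transform-set ESP-3DES-MD5
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 3600
"""
LINKSYS = {
    "phase1": {"authentication": "pre-share", "encryption": "3des",
               "hash": "md5", "group": "2", "lifetime": "3600"},
    "phase2": {"encryption": "3des", "hash": "md5"},
}

def parse_pix(config):
    """Return ({policy_number: {attr: value}}, {transform_set: {attr: value}})."""
    policies, transforms = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) esp-(\S+) esp-(\S+)-hmac$", line)
        if m:
            transforms[m.group(1)] = {"encryption": m.group(2), "hash": m.group(3)}
    return policies, transforms

def mismatches(local, peer):
    """List (attribute, local_value, peer_value) for each attribute that differs."""
    return [(k, local.get(k), v) for k, v in sorted(peer.items()) if local.get(k) != v]

def audit(config, peer):
    """Compare every IKE policy and transform set in config with the peer proposal."""
    policies, transforms = parse_pix(config)
    return {
        "phase1": {n: mismatches(p, peer["phase1"]) for n, p in policies.items()},
        "phase2": {n: mismatches(t, peer["phase2"]) for n, t in transforms.items()},
    }

if __name__ == "__main__":
    print(audit(PIX_CONFIG, LINKSYS))
```
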
