ng01
Posts: 3
Registered: ‎09-19-2008

BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

I have setup a VPN from the Cisco VPN client v5 to my PIX, but when I try to setup a VPN from my Linksys, the PIX reports "reserved not zero on payload 5", which according to Cisco documentation means that the key doesn't match.  I've tried a single digit key, but get the same results. 
 
Has anyone else done what I'm trying to do, and if so, could you offer me suggestions or configuration examples, including the Advanced button on the Linksys?
 
Thanks for any help.
 
Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

Why don't you post the exact configuration you have at the moment on the Linksys and the Cisco?
helm
Posts: 3,650
Registered: ‎09-07-2006

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

Try updating the firmware on the linksys router.
ng01
Posts: 3
Registered: ‎09-19-2008

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

Thanks for the responses.  I believe that the Linksys is already at the most current level, 1.52.15.  As for the configurations, here ya go:
 
pixfirewall# sh conf
: Saved
: Written by enable_15 at 09:57:51.381 UTC Mon Sep 22 2008
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name abc.com
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip any any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 208.173.246.248 255.255.255.255
ip address inside 192.168.27.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.27.100-192.168.27.254
pdm logging informational 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 208.173.246.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set gvnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set gvnset
crypto map gvnmap 10 ipsec-isakmp dynamic dynmap
crypto map gvnmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup gvnclient address-pool ippool
vpngroup gvnclient dns-server 192.168.27.1
vpngroup gvnclient wins-server 192.168.27.1
vpngroup gvnclient default-domain abc.com
vpngroup gvnclient split-tunnel 101
vpngroup gvnclient idle-time 1800
vpngroup gvnclient password ********
telnet 192.168.27.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 60
console timeout 0
terminal width 80
pixfirewall#
 
 
 
As for the Linksys config,
 
local secure group: 192.168.3.0 255.255.255.0
remote secure group: 192.168.27.0 255.255.255.0
remote security gateway: 208.173.246.248
encryption: des
authentication: md5
auto ike
pfs:disabled
pre-shared key: same, even tried just a one character key
lifetime: 28000
 
advanced:
main mode
username checked: gvnclient
 
phase 1 & 2 are both:
encryption: des
authentication: md5
group: 1024
key lifetime: 28800
 
Like I said, the Cisco software client works fine, I just can't get my Linksys to do the same.
 
Thanks again.
 
 
Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

That is a VPN group configuration on the PIX. This is not supported on the BEF. The BEF uses a simple plain IPSec tunnel without the Cisco additions like the groups or XAUTH. You have to set up the PIX like this with a simple IPSec tunnel using a shared key for ISAKMP.

What you have set up is the VPN client connection for the Cisco VPN client. That works differently.
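The plain LAN-to-LAN tunnel described in the reply above, written out as a PIX 6.3 configuration fragment (an added example, not the poster's or the Cisco article's configuration). It assumes the Linksys WAN address and pre-shared key shown as placeholders; the subnets, transform set and ISAKMP policy are the ones already in the thread, and the crypto ACL mirrors the Linksys local/remote secure groups (PIX inside 192.168.27.0/24 to Linksys LAN 192.168.3.0/24).

```text
: Added example: static LAN-to-LAN IPsec on PIX 6.3(4) for a peer that
: speaks plain IKE/IPsec (no vpngroup, no XAUTH, no mode-config).
: LINKSYS_WAN_IP and LINKSYS_PSK are placeholders, not values from the thread.

: Traffic that must be protected, as seen from the PIX inside network.
: This must be the exact mirror of the Linksys "local secure group" /
: "remote secure group"; a "permit ip any any" ACL will not negotiate.
access-list l2l permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0

: The same flows must be exempt from NAT, or the tunnel comes up but the
: encrypted packets carry a translated source and nothing answers.
access-list nonat permit ip 192.168.27.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list nonat

: Let decrypted traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

: Phase 2 proposal matching the Linksys (DES / MD5, PFS disabled).
crypto ipsec transform-set gvnset esp-des esp-md5-hmac

: Static crypto map entry for the Linksys peer. It uses a lower sequence
: number than the existing dynamic entry (10) so the static peer is
: matched first and the dynamic entry stays the catch-all.
crypto map gvnmap 5 ipsec-isakmp
crypto map gvnmap 5 match address l2l
crypto map gvnmap 5 set peer LINKSYS_WAN_IP
crypto map gvnmap 5 set transform-set gvnset
crypto map gvnmap interface outside

: Phase 1: pre-shared key bound to the peer address. The Linksys
: "group 1024" is 1024-bit MODP, i.e. DH group 2 on the PIX.
isakmp enable outside
isakmp identity address
isakmp key LINKSYS_PSK address LINKSYS_WAN_IP netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
```

With this in place, "show crypto isakmp sa" should list the Linksys peer in state QM_IDLE and "show crypto ipsec sa" should show non-zero encaps/decaps counters once a ping crosses the tunnel; if phase 1 is up but the ipsec SA never forms, the two secure-group definitions do not mirror each other.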
ng01
Posts: 3
Registered: ‎09-19-2008

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

Those darn guys at Cisco.  Anyway, I set up the PIX according to that article you pointed me to (thanks), and now the Linksys says that the VPN is "Connected", but I can't pass any traffic (ping, map a drive, etc.).  Any suggestions as to what I should look at?
 
Thanks again.
 
Expert
Expert
Posts: 12,649
Registered: ‎07-16-2006

Re: BEFSX41 1.52.15 to PIX 6.3(4) VPN setup

Check the logs. Does the BEF have a VPN log somewhere? It may show how far it gets. The PIX should have some debug logs for ipsec and isakmp. On IOS I would do a "debug crypto ipsec" and a "debug crypto isakmp". Then you see how far you get there, in particular whether the IPSec SA gets established or not. Once the IPSec SA is established the IPSec tunnel is up and running. If the IPSec SA is up then it is probably more a problem of some ACL/access list, NAT (i.e. the tunneled traffic is NATed although it should not be), or some firewall (remember that the source and destination IP addresses of the tunneled traffic are not rewritten, i.e. your computers must now accept incoming packets from the other LAN subnet).

The PIX should also have some "show" commands showing the status of the IPSec connection. You should find a lot more information on how to troubleshoot IPSec connections on the Cisco website. The PIX is probably the easier side to do the debugging...