linksys ipsec with pix 501 6.3 anyone?

Discussion in 'Cisco' started by jcharth, Oct 3, 2005.

  1. jcharth

    jcharth Guest

    Hello, I am unable to set up a tunnel between a pix and a linksys vpn
    router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication
    and pfs settings"

    My settings are: The local secure group is the subnet behind nat in
    both routers, the pix and the linksys. The remote secure group is the
    subnet behind the pix on the linksys and the subnet behind the linksys
    in the pix. The remote secure gateway is the external address of the
    pix in the linksys and the external address of the linksys in the pix.
    Encryption DES, auth MD5. AutoIKE. No PFS enabled in the pix or the
    linksys. Pre-shared key 123456 in both. Key lifetime 86400 in both.
    Under advanced settings I tried 768-bit and group 1 in the pix. I also
    tried 1024-bit and group 2 in the pix. The tunnel seems to be working on
    the pix, but on the linksys it won't connect.

    Any Ideas?
     
    jcharth, Oct 3, 2005
    #1

  2. :Hello I am unable to setup a tunnel between a pix and a linksys vpn
    :router. I get NO-PROPOSAL-CHOSEN "check your encryption, authentication
    :and pfs settings"

    Which Linksys? I have two here beside me that work without difficulty.

    Do you have the 3DES key for your PIX 501?
     
    Walter Roberson, Oct 3, 2005
    #2

  3. jcharth

    jcharth Guest

    Looks like I do, right?

    Failover: Disabled
    VPN-DES: Enabled
    VPN-3DES-AES: Enabled
    Maximum Physical Interfaces: 2
    Maximum Interfaces: 2
    Cut-through Proxy: Enabled
    Guards: Enabled
    URL-filtering: Enabled
    Inside Hosts: 10
    Throughput: Unlimited
    IKE peers: 10


    I am trying with DES and I get the following output

    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 1
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 1
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP (0): atts are acceptable. Next payload is 3
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Peer ip:10.1.1.101/500 Ref cnt incremented to:2 Total VPN Peers:1
    crypto_isakmp_process_block:src:10.1.1.101, dest:10.1.2.21 spt:500 dpt:500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 99618033

    ISAKMP : Checking IPSec proposal 1

    ISAKMP: transform 1, ESP_DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
    ISAKMP: encaps is 1
    ISAKMP: authenticator is HMAC-MD5
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): SA not acceptable!
    ISAKMP (0): sending NOTIFY message 14 protocol 0
    return status is IKMP_ERR_NO_RETRANS


    Seems like it works but then it does not.
     
    jcharth, Oct 3, 2005
    #3
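
    Added example, not part of the original thread: a small Python parser for the PIX ISAKMP debug output quoted in the post above. It reports which offered transform or proposal was accepted or rejected in each phase, decodes the VPI lifetime bytes to seconds, and names the NOTIFY code. The function names are hypothetical; the notify names are the standard ISAKMP/IPsec DOI values (RFC 2408, RFC 2407).

```python
import re

# Constructed sample: lines copied from the PIX debug output quoted in the thread.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: hash SHA
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: hash MD5
ISAKMP: life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): sending NOTIFY message 14 protocol 0
"""
# ISAKMP notify types (RFC 2408 and the IPsec DOI, RFC 2407) seen in the log.
NOTIFY = {14: "NO-PROPOSAL-CHOSEN", 24576: "RESPONDER-LIFETIME",
          24578: "INITIAL-CONTACT"}
ATTR = re.compile(r"ISAKMP: (?:SA )?(encryption|hash|auth|default group|"
                  r"life duration \(VPI\) of|transform \d+,|encaps is|"
                  r"authenticator is) (.+)")

def vpi_seconds(text):
    """Decode '0x0 0x0 0xe 0x10' (one byte per token, big-endian) to an int."""
    return int.from_bytes(bytes(int(t, 16) for t in text.split()), "big")

def summarize(log):
    """Return (offers, notifies); each offer has phase, id, attrs and verdict."""
    offers, notifies = [], []
    for line in map(str.strip, log.splitlines()):
        if m := re.search(r"Checking (ISAKMP transform|IPSec proposal) (\d+)", line):
            phase = 1 if m.group(1).startswith("ISAKMP") else 2
            offers.append({"phase": phase, "id": int(m.group(2)),
                           "attrs": {}, "accepted": None})
        elif (m := ATTR.match(line)) and offers:
            key = m.group(1).split(" (")[0].rstrip(",").split(" is")[0]
            offers[-1]["attrs"][key] = vpi_seconds(m.group(2)) if "life" in key else m.group(2)
        elif (m := re.search(r"atts (are )?(not )?acceptable", line)) and offers:
            offers[-1]["accepted"] = m.group(2) is None
        elif m := re.search(r"sending NOTIFY message (\d+)", line):
            notifies.append(NOTIFY.get(int(m.group(1)), m.group(1)))
    return offers, notifies
```

    Run over the quoted log, this shows phase 1 accepted on transform 2 (MD5, lifetime 3600 seconds) and the only phase 2 proposal (ESP_DES, HMAC-MD5, lifetime 86400 seconds) rejected with NO-PROPOSAL-CHOSEN.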
  4. jcharth

    jcharth Guest

    Thanks for the reply. In case anyone has this problem, I named my
    transform-set my-set; I don't think the linksys liked the dash. I took i
    called the transform-set myset and it worked.
     
    jcharth, Oct 3, 2005
    #4
  5. jcharth

    AM Guest

    Check Phase II parameters. Have you chosen the right ones both on the PIX and the Linksys?
    Seems that PIX has only one proposal. Perhaps DF group...
    How have you set up the Linksys for phase II?

    Alex.
     
    AM, Oct 3, 2005
    #5
