PIX 501 -> Linksys BEFSX41 via IPSec

Discussion in 'Cisco' started by MyndPhlyp, Oct 11, 2005.

  1. MyndPhlyp

    MyndPhlyp Guest

    I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to
    connect to with an IPSec tunnel originating from a PIX 501 (also behind an
    ADSL modem but with a dynamic IP address).

    The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase
    2.

    I've tried various isakmp policy encryption/hash combinations but cannot
    seem to get past Phase 1 negotiations.

    Can one of you sharp individuals give me an idea of what is needed for
    configuration on the PIX to get this working?

    local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
    current_peer: Remote_Site:0
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
    failed: 0
    #pkts no sa (send) 32, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0
    local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: Remote_Site
    path mtu 1500, ipsec overhead 0, media mtu 1500
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
     
    MyndPhlyp, Oct 11, 2005
    #1

  2. :I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to
    :connect to with an IPSec tunnel originating from a PIX 501 (also behind an
    :ADSL modem but with a dynamic IP address).

    :The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase
    :2.

    :I've tried various isakmp policy encryption/hash combinations but cannot
    :seem to get past Phase 1 negotiations.

    DES SHA is not supported on the PIX, only DES MD5. Try 3DES SHA for
    your phase 1.

    I have the reverse configuration working without [much] difficulty. I
    still get issues sometimes when the ISP changes the IP address
    underneath me, and I still get the occasional oddity where the most
    active TCP session hangs but all the other sessions are fine [this is
    the fault of the BEFSX41, and happens sometimes when the keys are
    rolling over.]
     
    Walter Roberson, Oct 11, 2005
    #2

  3. MyndPhlyp

    MyndPhlyp Guest

    Odd that DES/SHA is not supported on the PIX 501. It appears to be one of
    the standard "crypto ipsec transform-set" configurations. (I can't tell
    right now because the PIX VPN configuration has the PDM all confused with
    something about access lists. A little clean-up is in order before
    proceeding.) 3DES/SHA seems to be out of the question for Phase 1. The
    so-called Advanced settings for the tunnel won't let me kick it up from DES
    to 3DES; it keeps reverting back down. Hmm ... lowest common denominator ...
    DES/MD5. Oh, I am _SO_ glad I spent money on 3DES.

    Looks like my problem was a little more basic though (and it will be a
    couple of weeks before I can return to the task at hand). The ADSL modem was
    getting in the way. Changing it over to bridge mode and letting the BEFSX41
    do the PPPoE at least got me to the gate. Then I got sidetracked playing
    around with WinXP, an Air Card, the BEFSX41, and Microsoft's poor
    implementation of L2TP/IPSec. Just as I threw in the towel for the day I
    stumbled across some information that /*seems*/ promising for that mix.

    I appreciate your response though. I'll see about avoiding DES/SHA for Phase
    1.
     
    MyndPhlyp, Oct 11, 2005
    #3
  4. jcharth

    jcharth Guest

    I had a similar problem. I don't think it made much sense, but my crypto
    map name had a dash, and when I changed my crypto map name to one without
    the dash the IPSec tunnel worked. I set up MD5/3DES; group 1 is for
    768-bit and group 2 is for 1024-bit. I did not check PFS.
     
    jcharth, Oct 11, 2005
    #4
  5. MyndPhlyp

    MyndPhlyp Guest

    I've found the PIX 501 complains when placing a dash in a name (access-list
    names, object-group names, host/network names) and got into the habit of
    using the underscore. I'm surprised (only because I haven't tried it) the
    PIX allowed you to create a crypto map name with a dash. The hard-coded
    transform-set names all have dashes in them though (i.e., ESP-3DES-MD5) so
    why not?

    I think my limiting factors are going to be WinXP (on the notebook with the
    Air Card) and the Linksys BEFSX41.

    The BEFSX41 will not let me tweak up Phase 1 to 3DES on the Advanced
    Settings even though that is what I'm setting back on the main VPN page.
    Every time I tried it, saved the configuration, and reinspected, it reverted
    back to DES with no warnings or errors. It could be a firmware bug. After
    all it has been probably a year since the BEFSX41 has seen an upgrade (and
    it's not like Linksys hasn't had its share of bugs in that HTTP interface).
    I'll have to look into that ... if I remember.

    But I digress. Using the information earlier in this thread (from Walter
    Roberson) the PIX apparently doesn't like DES/SHA. Since I cannot tweak Phase
    1 up to 3DES on the BEFSX41, that leaves me with just DES/MD5. Or maybe I'm
    just misunderstanding.

    PFS is definitely needed in this situation. The remote end is a traveling
    notebook, which means I cannot lock down the tunnel to a static IP address.
    It also doesn't help that my PIX's WAN address is dynamically assigned.

    Whether or not I can use Group 2 is yet to be seen. WinXP will definitely be
    the limiting factor there. Lots of trial and error ahead of me yet.
    Fortunately I have a week or two to Google around to see what else I can
    uncover for configuration notes.
     
    MyndPhlyp, Oct 12, 2005
    #5
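    The PIX side of the tunnel the thread is working toward, written out as an
    added example. This is not configuration from the original posts, from
    Linksys or from Cisco documentation; it is what a PIX 501 running 6.3
    software would need to initiate to a BEFSX41 at a fixed address. Every
    address (203.0.113.10 for the Linksys, 192.168.1.0/24 behind the PIX,
    192.168.2.0/24 behind the Linksys), the pre-shared key and the
    object names are assumptions chosen for illustration. It carries both the
    3DES/SHA/group 2 Phase 1 proposal suggested earlier in the thread and the
    DES/MD5 fallback the BEFSX41 seems to force, so the peer can take whichever
    it accepts.

```text
! Added example, not from the thread. Assumes PIX 501 with 6.3 software,
! dynamic outside address, initiating to a Linksys BEFSX41 at 203.0.113.10.
! All addresses, names and the key are placeholders.
!
! --- Phase 1 (ISAKMP) -------------------------------------------------------
! Policy 10: preferred proposal (3DES/SHA/group 2).
! Policy 20: DES/MD5/group 1 fallback, only because the BEFSX41 will not go
! higher for Phase 1. Do not offer it to a peer that can do better.
isakmp enable outside
isakmp identity address
isakmp key CHANGE_THIS_PRESHARED_KEY address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
!
! --- Traffic selection ------------------------------------------------------
! Same ACL drives the crypto map and exempts the traffic from NAT, so the
! inside addresses reach the tunnel unchanged.
access-list VPN_TRAFFIC permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list VPN_TRAFFIC
!
! --- Phase 2 (IPSec) --------------------------------------------------------
! 3DES/SHA, matching what the Linksys is set to for Phase 2. Names use
! underscores rather than dashes, following the thread.
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map REMOTE_SITE 10 ipsec-isakmp
crypto map REMOTE_SITE 10 match address VPN_TRAFFIC
crypto map REMOTE_SITE 10 set peer 203.0.113.10
crypto map REMOTE_SITE 10 set transform-set ESP_3DES_SHA
crypto map REMOTE_SITE 10 set pfs group2
crypto map REMOTE_SITE interface outside
!
! Let decrypted tunnel traffic bypass the outside interface access list.
sysopt connection permit-ipsec
```

    Two checks worth making once this is in place. First, `show isakmp sa`
    should list the Linksys peer in state QM_IDLE; if it does not, run
    `debug crypto isakmp` while generating traffic and look for which
    attribute (encryption, hash, group, lifetime, PFS) the peer rejects. Second,
    read `show crypto ipsec sa` the way the output posted at the top of this
    thread should be read: `#pkts no sa (send) 32` together with zero encaps and
    empty inbound/outbound ESP SA lists means the crypto ACL is matching
    traffic and the PIX is trying to bring the tunnel up, but no SA was ever
    negotiated, so the fault is in Phase 1, not in the ACL or routing. Since
    the PIX's outside address is dynamic, the Linksys must also be willing to
    accept a peer whose address it does not know in advance; the thread does
    not cover how the BEFSX41 exposes that, and PFS must be enabled on both
    ends or not at all.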
  6. jcharth

    jcharth Guest

    Set up a Linux router with two NICs, enable routing, use the Redwall
    live CD and test it out. Just put it on the table.
     
    jcharth, Oct 14, 2005
    #6
