PIX 501 -> Linksys BEFSX41 via IPSec

I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to
connect to with an IPSec tunnel originating from a PIX 501 (also behind an
ADSL modem but with a dynamic IP address).

The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase
2.

I've tried various isakmp policy encryption/hash combinations but cannot
seem to get past Phase 1 negotiations.

Can one of you sharp individuals give me an idea of what is needed for
configuration on the PIX to get this working?

local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
current_peer: Remote_Site:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
#pkts no sa (send) 32, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: Remote_Site
path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

 

:I have a Linksys BEFSX41 behind an ADSL modem (static IP address) I want to
:connect to with an IPSec tunnel originating from a PIX 501 (also behind an
:ADSL modem but with a dynamic IP address).

:The Linksys is configured to use DES/SHA for Phase 1 and 3DES/SHA for Phase
:2.

:I've tried various isakmp policy encryption/hash combinations but cannot
:seem to get past Phase 1 negotiations.

DES SHA is not supported on the PIX, only DES MD5. Try 3DES SHA for
your phase 1.

I have the reverse configuration working without [much] difficulty. I
still get issues sometimes when the ISP changes the IP address
underneath me, and I still get the occasional oddity where the most
active TCP sessios hangs but all the other sessions are fine [this is
the fault of the BEFSX41, and happens sometimes when the keys are
rolling over.]

 

Odd that DES/SHA is not supported on the PIX 501. It appears to be one of
the standard "crypto ipsec transform-set" configurations. (I can't tell
right now 'cus the PIX VPN configuration has the PDM all confused with
something about access lists. A little clean-up is in order before
proceeding.) 3DES/SHA seems to be out of the question for Phase 1. The
so-called Advanced settings for the tunnel won't let me kick it up from DES
to 3DES; it keeps reverting back down. Hmm ... lowest common denominator ...
DES/MD5. Oh I am _SO_ glad I spent money on 3DES.

Looks like my problem was a little more basic though (and it will be a
couple of weeks before I can return to the task at hand). The ADSL modem was
getting in the way. Changing it over to bridge mode and letting the BEFSX41
do the PPPoE at least got me to the gate. Then I got sidetracked playing
around with WinXP, an Air Card, the BEFSX41, and Microsoft's poor
implementation of L2TP/IPSec. Just as I threw in the towel for the day I
stumbled across some information that /*seems*/ promising for that mix.

I appreciate your response though. I'll see about avoiding DES/SHA for Phase
1.

 

I had a similar problem, i dont think it made much sense put my crypto
map name had a dash and when i changed my crypto map name without the
dash the ipsec tunnel worked. I set up md5 3des and the group 1 is for
768 group 2 is for 1024. i did not check pfs.

 

I've found the PIX 501 complains when placing a dash in a name (access-list
names, object-group names, host/network names) and got into the habit of
using the underscore. I'm surprised (only because I haven't tried it) the
PIX allowed you to create a crypto map name with a dash. The hard-coded
transform-set names all have dashes in them though (i.e., ESP-3DES-MD5) so
why not?

I think my limiting factors are going to be WinXP (on the notebook with the
Air Card) and the Linksys BEFSX41.

The BEFSX41 will not let me tweak up Phase 1 to 3DES on the Advanced
Settings even though that is what I'm setting back on the main VPN page.
Every time I tried it, saved the configuration, and reinspected, it reverted
back to DES with no warnings or errors. It could be a firmware bug. After
all it has been probably a year since the BEFSX41 has seen an upgrade (and
it's not like Linksys hasn't had its share of bugs in that HTTP interface).
I'll have to look into that ... if I remember.

But I degress. Using the information earlier in this thread (from Walter
Roberson) the PIX aparently doesn't like DES/SHA. Since I cannot tweak Phase
1 up to 3DES on the BEFSX41, that leaves me with just DES/MD5. Or maybe I'm
just misunderstanding.

PFS is definitely needed in this situation. The remote end is a traveling
notebook, which means I cannot lock down the tunnel to a static IP address.
It also doesn't help that my PIX's WAN address is dynamicly assigned.

Whether or not I can use Group 2 is yet to be seen. WinXP will definitely be
the limiting factor there. Lots of trial and error ahead of me yet.
Fortunately I have a week or two to Google around to see what else I can
uncover for configuration notes.

 

setup a linux router with two nicks, enable routing, use the redwall
live cd and test it out. just put it on the table.