FYI, changing the address on the astlinux side definitely helped. However, even after doing that and adding double-quotes to the pre-shared key (on the PIX side only) we are still not connecting. The final error is "phase1 negotiation failed due to time up"; phase 2 is also failing (due to timeout on phase 1). We will try to analyze the logging on the PIX side next, but because the device is EOL, we won't get any support from Cisco.
We are using "Group 2" for phase 1 in the PIX; should we be using something else? I'm also checking if the PIX is configured for main mode. Any other ideas?

-----Original Message-----
From: Lonnie Abelbeck [mailto:li...@lonnie.abelbeck.com]
Sent: Tuesday, September 15, 2009 10:52 AM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] VPN with Cisco PIX

On Sep 15, 2009, at 8:33 AM, David Kerr wrote:

> On Tue, Sep 15, 2009 at 9:10 AM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> On Sep 14, 2009, at 10:17 PM, Tom Mazzotta wrote:
>
> > 3. Regarding the addressing, astlinux led me to believe that it
> > supported a dynamic end-point because the default value in the
> > local-host ip field is $EXTIP. Is this a legit value, or should I
> > change it to the actual IP used by the WAN i/f, even if it might
> > change in the future? Is it possible that a future version might
> > support at least one dynamic endpoint?
>
> If you are using DHCP for the external interface, then you can't use
> $EXTIP as the local-host value, instead use the actual IP address. (or
> 0.0.0.0 wildcard)
>
> Would it be possible to use a URL and DNS lookup? For example
> xxxx.dyndns.org that is registered and kept up-to-date with inadyn?
>
> David

No, not with IPsec using 'main' mode, the actual IP address is a part of the security policy.

Using certificates is a solution, but trunk/0.7 does not support that.

Also a FQDN 'could' be used as an identity, but that requires the use of 'aggressive' mode which has security issues, so we chose not to support that.

Lonnie

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
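
The point in the quoted reply that main mode ties a pre-shared key to the peer's IP address, as an added example that is not part of the original thread or of AstLinux: in IKEv1 main mode the identity payload travels inside the encrypted message 5, and with pre-shared keys the encryption key is itself derived from the key (RFC 2409, section 5), so the responder can only select the key by source address. HMAC-SHA1 as the prf, the function names, the addresses and all key material are assumptions constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf; HMAC-SHA1 is assumed here (the hash is negotiated in phase 1)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def skeyid_e(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: keying material protecting main mode messages 5 and 6."""
    skeyid = prf(psk, ni + nr)          # PSK auth: SKEYID = prf(psk, Ni_b | Nr_b)
    tail = gxy + cky_i + cky_r
    skeyid_d = prf(skeyid, tail + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + tail + b"\x01")
    return prf(skeyid, skeyid_a + tail + b"\x02")

# Constructed sample values (documentation addresses, made-up key material).
RESPONDER_PSKS = {"198.51.100.10": b"constructed-example-psk"}
NI, NR = b"\x11" * 16, b"\x22" * 16     # nonces from messages 3 and 4
GXY = b"\x33" * 128                     # stand-in for the group 2 shared secret
CKY_I, CKY_R = b"\x44" * 8, b"\x55" * 8 # ISAKMP cookies

def phase1(src_ip: str, initiator_psk: bytes) -> str:
    """Outcome of main mode message 5 as seen by the responder."""
    # The identity payload is inside the encrypted message 5, so the only
    # selector available for the PSK lookup is the packet's source address.
    psk = RESPONDER_PSKS.get(src_ip)
    if psk is None:
        return "no PSK for peer address"
    k_init = skeyid_e(initiator_psk, NI, NR, GXY, CKY_I, CKY_R)
    k_resp = skeyid_e(psk, NI, NR, GXY, CKY_I, CKY_R)
    if not hmac.compare_digest(k_init, k_resp):
        return "message 5 undecryptable"
    return "identity decrypted"

if __name__ == "__main__":
    print(phase1("198.51.100.10", b"constructed-example-psk"))    # configured peer
    print(phase1("198.51.100.77", b"constructed-example-psk"))    # address changed
    print(phase1("198.51.100.10", b'"constructed-example-psk"'))  # PSK bytes differ
```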