For anyone who cares, I found the solution to the problem.  Linksys 3rd 
level support is still working on it and I'm slightly amused that they 
haven't found the answer yet.

As it turns out, there's a configuration option on the Linksys for the 
Remote Secure Group.  One of the options is to set this group to "ANY" to 
allow any remote host to establish a tunnel.  The "ANY" setting does not 
work with the PIX...you have to set the remote network manually on the 
Linksys.  So, after manually setting the remote network, everything popped 
up and is working smoothly.

Thanks to everyone who responded.

Craig



At 10:38 AM 4/18/2002 -0400, you wrote:
>Here's the deal:
>I've got a PIX that serves as a security gateway for a Cisco VPN Client
>3.1.  Settings are basically DES/MD5/ESP with pre-shared key.  Part of the
>VPN3.1 client requires vpngroup name, as defined in the configuration on
>the PIX.
>I just bought one of the Linksys BEFVP41 VPN routers to test connectivity
>to the PIX.  The Linksys doesn't understand vpngroup associations, so I
>need to configure the PIX to also allow the connection based solely on
>pre-shared key.
>I think I've got it configured properly, and VPN Client-to-PIX connections
>work fine, but negotiations break down at phase 2 when connecting with the
>Linksys.  It's probably something simple that I'm missing because I've been
>staring at it too long.  Anyone have any ideas?
>
>PIX relevant config (sanitized):
>
>access-list bypassingnat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
>ip local pool mypool 192.168.100.1-192.168.100.254
>nat (inside) 0 access-list bypassingnat
>sysopt connection permit-ipsec
>no sysopt route dnat
>crypto ipsec transform-set strong esp-des esp-md5-hmac
>crypto dynamic-map users 11 set transform-set strong
>crypto map remote 11 ipsec-isakmp dynamic users
>crypto map remote client configuration address initiate
>crypto map remote client configuration address respond
>crypto map remote interface outside
>isakmp enable outside
>isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
>isakmp identity address
>isakmp client configuration address-pool local mypool outside
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 1
>isakmp policy 10 lifetime 86400
>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400
>vpngroup vpn3000 address-pool mypool
>vpngroup vpn3000 dns-server 10.x.x.x
>vpngroup vpn3000 default-domain xxxxxxxx
>vpngroup vpn3000 idle-time 1800
>vpngroup vpn3000 password ********
>
>Debug from PIX (sanitized... y.y.69.129 is the Linksys, x.x.67.2 is the
>public interface of the PIX):
>
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>OAK_MM exchange
>ISAKMP (0): processing SA payload. message ID = 0
>
>ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
>ISAKMP:      encryption DES-CBC
>ISAKMP:      hash SHA
>ISAKMP:      auth pre-share
>ISAKMP:      default group 1
>ISAKMP:      life type in seconds
>ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
>ISAKMP (0): atts are not acceptable. Next payload is 3
>ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
>ISAKMP:      encryption DES-CBC
>ISAKMP:      hash MD5
>ISAKMP:      auth pre-share
>ISAKMP:      default group 1
>ISAKMP:      life type in seconds
>ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
>ISAKMP (0): atts are acceptable. Next payload is 3
>ISAKMP (0): SA is doing pre-shared key authentication using id type
>ID_IPV4_ADDR
>return status is IKMP_NO_ERROR
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>OAK_MM exchange
>ISAKMP (0): processing KE payload. message ID = 0
>
>ISAKMP (0): processing NONCE payload. message ID = 0
>
>return status is IKMP_NO_ERROR
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>OAK_MM exchange
>ISAKMP (0): processing ID payload. message ID = 0
>ISAKMP (0): processing HASH payload. message ID = 0
>ISAKMP (0): SA has been authenticated
>
>ISAKMP (0): ID payload
>          next-payload : 8
>          type         : 1
>          protocol     : 17
>          port         : 500
>          length       : 8
>ISAKMP (0): Total payload length: 12
>return status is IKMP_NO_ERROR
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>OAK_QM exchange
>ISAKMP (0:0): Need config/address
>ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
>return status is IKMP_NO_ERROR
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>ISAKMP (0): retransmitting phase 2...
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>ISAKMP (0): retransmitting phase 2...
>crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
>
>Finally it just times out trying to retransmit phase 2.
>
>Thanks in advance!
>
>Craig
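Reading the debug above line by line is tedious, so here is an added example (mine, not code from Craig's post or from Cisco) that replays the posted trace against the posted isakmp policies in Python. It decodes the VPI lifetime bytes (0x0 0x1 0x51 0x80 is 0x15180, i.e. 86400 seconds, the same value as `isakmp policy 10 lifetime 86400`), re-applies Cisco's documented phase 1 policy-match rule (encryption, hash, authentication and DH group identical, peer lifetime no longer than the local one) to show why transform 1 fails on hash SHA and transform 2 is accepted, and then summarizes the phase 2 stall: the SA authenticates, the PIX starts mode config toward the peer (`initiating peer config`), and all that follows is phase 2 retransmits. It also flags the `isakmp key ... address 0.0.0.0 netmask 0.0.0.0` line, which binds the pre-shared key to any peer address. The config and debug strings are constructed from the sanitized text in the post (abridged); the mapping of debug keywords to policy keywords (DES-CBC to des, SHA to sha) is my assumption for these two lines only.

```python
"""Replay the 'debug crypto isakmp' trace from the post against the posted
isakmp policies.  Added example; not code from the original post or from Cisco."""
import re

# Constructed from the sanitized PIX config in the post (policy 20 kept to show a miss on group).
PIX_CONFIG = """\
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed from the debug trace in the post, abridged to the decisive lines.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      auth pre-share
ISAKMP:      default group 1
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
OAK_QM exchange
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

# Debug attribute line -> the keyword 'isakmp policy' uses for the same attribute.
ATTR_RE = {"encryption": r"ISAKMP:\s+encryption (\S+)", "hash": r"ISAKMP:\s+hash (\S+)",
           "authentication": r"ISAKMP:\s+auth (\S+)", "group": r"ISAKMP:\s+default group (\d+)",
           "lifetime": r"ISAKMP:\s+life duration \(VPI\) of\s+(.*)"}
TRANSFORM_RE = r"Checking ISAKMP transform (\d+) against priority (\d+)"


def decode_vpi(octets):
    """VPI bytes are a big-endian variable-length integer: '0x0 0x1 0x51 0x80' -> 86400 s."""
    return int("".join("%02x" % int(t, 16) for t in octets.split()), 16)


def parse_policies(config):
    """{priority: {attribute: value}} from the 'isakmp policy N attr value' lines."""
    policies = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(prio), {})[attr] = val
    return policies


def parse_transforms(debug):
    """Each proposed transform, attributes normalized to policy keywords (assumed: DES-CBC -> des)."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = re.search(TRANSFORM_RE, line)
        if m:
            cur = {"number": int(m.group(1)), "checked_against": int(m.group(2))}
            transforms.append(cur)
        elif cur is not None and "atts are" in line:
            cur["pix_verdict"] = "not acceptable" not in line   # what the PIX itself decided
        elif cur is not None:
            for key, rx in ATTR_RE.items():
                m = re.search(rx, line)
                if m:
                    raw = m.group(1)
                    cur[key] = decode_vpi(raw) if key == "lifetime" else raw.lower().replace("-cbc", "")
    return transforms


def matches(transform, policy):
    """Cisco's documented IKE policy match: encryption, hash, authentication and DH group
    identical, peer lifetime <= local lifetime.  Returns (matched, first_mismatch)."""
    for key in ("encryption", "hash", "authentication", "group"):
        if transform.get(key) != policy.get(key):
            return False, key
    if transform["lifetime"] > int(policy["lifetime"]):
        return False, "lifetime"
    return True, None


def diagnose(config=PIX_CONFIG, debug=PIX_DEBUG):
    """Replay each transform, check the replay agrees with the PIX, summarize the phase 2 stall."""
    policies = parse_policies(config)
    # A PSK bound to 0.0.0.0/0 is accepted from any source; any host holding it can do phase 1.
    report = {"transforms": [], "replay_agrees": True,
              "wildcard_psk": re.search(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0",
                                        config, re.M) is not None}
    for t in parse_transforms(debug):
        ok, why = matches(t, policies[t["checked_against"]])
        report["replay_agrees"] &= (ok == t["pix_verdict"])
        report["transforms"].append((t["number"], ok, why))
    report["phase1_authenticated"] = "SA has been authenticated" in debug
    report["mode_config_initiated"] = "initiating peer config" in debug
    report["phase2_retransmits"] = debug.count("retransmitting phase 2")
    return report
```

`diagnose()` on the embedded strings reports transform 1 rejected on `hash`, transform 2 accepted, phase 1 authenticated, mode config initiated, and two phase 2 retransmits; pass it the `show run` isakmp lines and `debug crypto isakmp` output from another PIX 6.x box to run the same comparison there.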




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41855&t=41821
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html