It fails because PIX is trying to do config mode when Linksys connects over VPN (trying to assign ip address and so on as it would for a VPN client).
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

I believe the above statement is used for the Linksys only. If so, then add "no-xauth" at the end:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/commands.htm#xtocid185911

Clear the tunnel and it should work like a charm :-).

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Columbus
Sent: Thursday, April 18, 2002 8:39 AM
To: [EMAIL PROTECTED]
Subject: PIX VPN Connection to Linksys Router [7:41821]

Here's the deal:

I've got a PIX that serves as a security gateway for a Cisco VPN Client 3.1. Settings are basically DES/MD5/ESP with pre-shared key. Part of the VPN3.1 client requires vpngroup name, as defined in the configuration on the PIX.

I just bought one of the Linksys BEFVP41 VPN routers to test connectivity to the PIX. The Linksys doesn't understand vpngroup associations, so I need to configure the PIX to also allow the connection based solely on pre-shared key. I think I've got it configured properly, and VPN Client-to-PIX connections work fine, but negotiations break down at phase 2 when connecting with the Linksys. It's probably something simple that I'm missing because I've been staring at it too long. Anyone have any ideas?
PIX relevant config (sanitized):

access-list bypassingnat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
ip local pool mypool 192.168.100.1-192.168.100.254
nat (inside) 0 access-list bypassingnat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map users 11 set transform-set strong
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool mypool
vpngroup vpn3000 dns-server 10.x.x.x
vpngroup vpn3000 default-domain xxxxxxxx
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

Debug from PIX (sanitized....y.y.69.129 is the Linksys, x.x.67.2 is the public interface of the PIX):

crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2

Finally it just times out trying to retransmit phase 2.

Thanks in advance!
Craig

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41885&t=41821