Can you share the pre-shared key with "#$" characters in it? I want to see if I can replicate it in my lab environment.

czar <[EMAIL PROTECTED]> wrote:

Hi All,

First, the pix version was downgraded to v6.3 (from v7.2 - note: cisco informed the telco engineer there's a problem with this version as regards vpn). Still no success (albeit using pix config similar to the one suggested below and "key exchange for subnet" un-ticked at the CP side).

Finally, got it to work by changing the pre-shared secret code. The problem was in the pre-shared secret code. It had in sequence the "#$$" characters. Changed it to something else and it worked. Either SPLAT or pix or both cannot handle these chars in sequence (maybe a reserved char).

Thanks for all your help and replies.

czar

czar wrote:
> Thanks. I'll give it a try.
>
> BTW, the pix side is a telco.
>
> Cezar
>
> cisco4ng wrote:
>
>> Supernetting is not an issue in this case because both sides are
>> using /24 network.
>> So I don't think this is an issue. You didn't say what version
>> of 7.x is running on the Pix? 7.0, 7.1 or 7.2(1) or 7.2(2).
>> Do you also have remote access vpn configured on the Pix as well?
>> It is likely that the answer will be on the pix side. Generally the
>> configuration on the pix will be like this:
>>
>> access-list nonat permit ip Pix_side/24 CP_side/24
>> access-list 101 permit ip Pix_side/24 CP_side/24
>> nat (inside) 0 access-list nonat
>> isakmp identity address
>> isakmp enable outside
>> isakmp key your-key address CP_external_IP no-xauth no-config (this is L2L VPN)
>> isakmp policy 1 authe pre-share
>> isakmp policy 1 encr 3des
>> isakmp policy 1 hash md5
>> isakmp policy 1 group 2
>> isakmp policy 1 lifetime 86400
>> crypto ipsec trans 3des esp-3des esp-md5-hmac
>> crypto map cmap 10 ipsec-isakmp
>> crypto map cmap 10 set peer CP_external_IP
>> crypto map cmap 10 set trans 3des
>> crypto map cmap 10 set security-association lifetime seconds 3600
>> crypto map cmap 10 match address 101
>> crypto map cmap interface outside
>>
>> Remember these commands work for both Pix 6.x and 7.x. However,
>> when you do a show run on 7.x, you will see the output a little
>> differently due to new code in 7.x.
>> Enter this into the Pix configuration and try again. On the CP
>> side, run "vpn debug iketrunc" and initiate traffic from either side.
>> After that, transfer the file $FWDIR/log/ike.elg and view it in
>> IKEView.exe that I sent you to see what's wrong. You can also do
>> "debug crypto isakmp 7" and "debug crypto ipsec 7" and see what's
>> wrong on the Cisco pix side.
>> Good luck
>>
>> czar wrote:
>> Hi All,
>>
>> I'm falling into the same trap/experience as what others (and someone
>> more recent) have/are experiencing in establishing a successful vpn
>> setup between r55 (hfa18) and pix (latest version 7).
>>
>> I already have a working vpn between r55 and freeswan on debian
>> (sarge). But with pix, no success - No valid SA issue.
>>
>> I've followed the suggestions (researching as well the archive of this
>> mailing list) except changing "supernetting via dbedit".
>>
>> Anyway, here's the current setup.
>>
>> Working: vpn r55 to freeswan (our internal net address xxx/24 -
>> external (freeswan side internal network - 192.168.177.0/24). Using
>> 3des/md5.
>>
>> New (not working): vpn r55 to pix (our internal net address is same -
>> external (not owned by us) pix side internal network is
>> 192.168.88.0/24). Using 3des/md5. Time settings are the same. Could
>> not get past "No valid SA".
>>
>> Looks like I have to change the supernetting? Any ideas?
>>
>> Also can anyone please provide me a copy of ikeview.exe (CP is not
>> making it publicly available except if you're CSP).
>>
>> Any ideas how to resolve/troubleshoot this?
>>
>> Many thanks.
>> Cezar
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to [EMAIL PROTECTED]
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> [EMAIL PROTECTED]
>> =================================================
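
Added example, not part of the original thread or of any vendor tooling: a pre-shared key check for the situation czar describes, where a key containing "#$$" would not negotiate. The thread does not establish which device or which character was at fault, so the letters-and-digits "portable" set below is an assumption, as are all function names; the generator lengthens the key to offset the smaller alphabet.

```python
import math
import secrets
import string

# Assumption: letters and digits are the only characters treated as safe on
# every device; the thread does not say which characters PIX or SPLAT mishandle.
PORTABLE = string.ascii_letters + string.digits


def risky_chars(psk):
    """Return (index, char) for every character outside the portable set."""
    return [(i, c) for i, c in enumerate(psk) if c not in PORTABLE]


def min_length(bits, alphabet=PORTABLE):
    """Shortest length at which a uniformly random key carries `bits` bits."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate_psk(bits=128, alphabet=PORTABLE):
    """Random key from the portable set, sized by min_length()."""
    n = min_length(bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def audit(psk, bits=128):
    """List reasons a candidate key may fail to interoperate or be too short."""
    findings = [f"position {i}: {c!r} is outside [A-Za-z0-9]"
                for i, c in risky_chars(psk)]
    if len(psk) < min_length(bits):
        findings.append(
            f"length {len(psk)} is below the {min_length(bits)} characters "
            f"a random portable key needs for {bits} bits")
    return findings


if __name__ == "__main__":
    sample = "Vpn#$$2007"  # constructed sample, not the key from the thread
    for line in audit(sample):
        print(line)
    print("replacement:", generate_psk())
```

Enter the generated key identically on both peers; keys built from this set need no quoting or escaping in either product's CLI.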
