Firewall Wizards mailing list archives
RE: Pix501 - Concentrator
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 9 Feb 2004 09:09:09 -0500
First off, I'd upgrade your 501 to 3DES (it's free now). It may require a CCO login, but it's worth the time to get your PIX registered and get the free license.

https://www.cisco.com/pcgi-bin/Software/Crypto/crypto_main.pl?prod_refer=pix3des

Changing your transform-set on the PIX to use 3DES with the new license might actually solve your problem all by itself, though I wouldn't necessarily count on that. The error message you're getting indicates that the two devices can't agree on an IPSec SA, and crypto/hashing aren't the only issues there. Check the access-list on the PIX including subnet masks - it should be a perfect mirror image of the source and destination of the LAN-to-LAN tunnel on the Concentrator - no more, no less. Look closely at timeouts as they must match as well. Also check to make sure that PFS is either enabled or disabled for that tunnel on both devices.

If all else fails, refer to the Cisco PIX 6.3 VPN implementation guide here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm

Good luck!

PaulM
-----Original Message-----

Hello,

I thought I'd give this group a try and see if there is (there must be..) an expert on compatibility with Pix501 and Concentrator 3005. I am trying desperately not to pull my remaining hair out, so you folks are my last hope :-)

Setup: Concentrator 3005 (4.0.4) and Pix501 DES license only (6.3/PDM 3.0.1)
Goal: setup a VPN (what else)
Problem: Concentrator not accepting SA/IKE proposal

The setup couldn't be any simpler, but the concentrator complains "All IPSec SA proposals found unacceptable!" and then next log: "QM FSM error (P2 struct &0x1e5c120, mess id 0xe9af52c5)!"

Pix501 side: uses 2 standard transform sets (esp-des esp-md5/sha-hmac), crypto map applied to outside interface. ACLs are checked. IKE: des md5/sha, DH 1, key: pre-share

Concentrator: Auth: ESP/MD5/HMAC-128 Encryp: DES-56. IKE Proposal: pre-shared keys Auth Alg: MD5/HMAC-128, Enc Alg: DES-56, DH group: 1 (all matching the settings on the Pix).

I must be missing something and any help is very much appreciated.
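Added example, not part of the original messages and not Cisco tooling: a small Python check of the items the reply lists for a LAN-to-LAN tunnel (mirrored networks including masks, matching crypto/hash, lifetime and PFS). The Phase2 model, its field names and all sample networks and values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One device's view of the tunnel (hypothetical model, not a Cisco format)."""
    local_net: str            # network/mask protected on this side
    remote_net: str           # network/mask expected on the far side
    encryption: str
    auth: str
    lifetime_s: int
    pfs_group: Optional[int]  # None means PFS is disabled


def _net(text):
    # strict=True raises ValueError if host bits are set (e.g. 10.0.0.1/16),
    # which is itself a common cause of selectors that do not mirror.
    return ipaddress.ip_network(text, strict=True)


def mismatches(a, b):
    """Return the names of every setting on which sides a and b disagree."""
    found = []
    # Selectors must mirror exactly: a's local is b's remote, and vice versa.
    if _net(a.local_net) != _net(b.remote_net):
        found.append("a.local/b.remote")
    if _net(a.remote_net) != _net(b.local_net):
        found.append("a.remote/b.local")
    for field in ("encryption", "auth", "lifetime_s", "pfs_group"):
        if getattr(a, field) != getattr(b, field):
            found.append(field)
    return found


# Constructed sample values: the far side uses a narrower mask and has PFS on.
PIX = Phase2("192.168.10.0/255.255.255.0", "10.0.0.0/255.255.0.0",
             "des", "md5", 28800, None)
CONC = Phase2("10.0.0.0/255.255.0.0", "192.168.10.0/255.255.255.128",
              "des", "md5", 28800, 1)

if __name__ == "__main__":
    for name in mismatches(PIX, CONC):
        print("mismatch:", name)
```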
Current thread:
- Pix501 - Concentrator Frank Delle (Feb 07)
- <Possible follow-ups>
- RE: Pix501 - Concentrator Melson, Paul (Feb 09)
- RE: Pix501 - Concentrator Frank Dellé (Feb 09)
- RE: Pix501 - Concentrator Luc Billot (lbillot) (Feb 09)