Firewall Wizards mailing list archives

RE: Pix501 - Concentrator


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 9 Feb 2004 09:09:09 -0500

First off, I'd upgrade your 501 to 3DES (it's free now).  It may require
a CCO login, but it's worth the time to get your PIX registered and get
the free license.
https://www.cisco.com/pcgi-bin/Software/Crypto/crypto_main.pl?prod_refer=pix3des

Changing your transform-set on the PIX to use 3DES with the new license
might actually solve your problem all by itself, though I wouldn't
necessarily count on that.  

The error message you're getting indicates that the two devices can't
agree on an IPSec SA, and crypto/hashing aren't the only issues there.
Check the access-list on the PIX including subnet masks - it should be a
perfect mirror image of the source and destination of the LAN-to-LAN
tunnel on the Concentrator - no more, no less.  Look closely at timeouts
as they must match as well.  Also check to make sure that PFS is either
enabled or disabled for that tunnel on both devices.  

If all else fails, refer to the Cisco PIX 6.3 VPN implementation guide
here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/index.htm

Good luck!

PaulM


-----Original Message-----
Hello, 

I thought I'd give this group a try and see if there is (there must
be...) an expert on compatibility between the Pix501 and Concentrator
3005. I am trying desperately not to pull my remaining hair out, so you
folks are my last hope :-) 

Setup: Concentrator 3005 (4.0.4) and Pix501 DES license only (6.3/PDM
3.0.1) 
Goal: setup a VPN (what else) 
Problem: Concentrator not accepting SA/IKE proposal 

The setup couldn't be any simpler, but the concentrator complains "All
IPSec SA proposals found unacceptable!" and then in the next log entry:
"QM FSM error (P2 struct &0x1e5c120, mess id 0xe9af52c5)!" 


Pix501 side: uses 2 standard transform sets (esp-des esp-md5/sha-hmac),
crypto map applied to outside interface. ACLs are checked. IKE: des
md5/sha, DH 1, key: pre-share 

Concentrator: Auth: ESP/MD5/HMAC-128 Encryp: DES-56. IKE Proposal:
pre-shared keys Auth Alg: MD5/HMAC-128, Enc Alg: DES-56, DH group: 1
(all matching the settings on the Pix). 

I must be missing something and any help is very much appreciated. 
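Paul's checklist above (a common transform set, a crypto ACL that is an exact mirror image of the Concentrator's LAN-to-LAN networks, matching SA lifetimes, and PFS either on or off on both ends) is the kind of thing worth scripting before staring at "All IPSec SA proposals found unacceptable!" again. The following is an added example, not code from the thread or from Cisco: it models the phase-2 parameters of both peers in plain Python and reports every mismatch. The data class, the function names and all sample networks, lifetimes and PFS settings are constructed assumptions; only the DES/MD5 and DES/SHA transform sets are taken from the original post.

```python
"""Phase-2 (quick mode) proposal comparison for a LAN-to-LAN tunnel.

Added example modelled on the checklist in the thread; not Cisco code.
All networks, lifetimes and PFS values are constructed sample data.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple

# (encryption, integrity) as a PIX transform set or a Concentrator SA would offer it
Transform = Tuple[str, str]


@dataclass(frozen=True)
class Phase2Side:
    name: str
    transforms: Tuple[Transform, ...]  # the PIX may offer several transform sets
    local_net: str                     # LAN this peer protects (its side of the crypto ACL)
    remote_net: str                    # LAN it expects behind the peer
    lifetime_seconds: int              # IPsec SA lifetime
    pfs_group: Optional[int]           # None means PFS disabled for this tunnel


def _net(cidr: str):
    # strict=False tolerates host bits set in a typo'd ACL entry
    return ip_network(cidr, strict=False)


def check_phase2(a: Phase2Side, b: Phase2Side) -> List[str]:
    """Return a list of human-readable reasons why a and b cannot agree on an IPsec SA."""
    problems: List[str] = []

    # 1. At least one transform set must be acceptable to both peers.
    if not set(a.transforms) & set(b.transforms):
        problems.append(
            f"no common transform set: {a.name} offers {sorted(a.transforms)}, "
            f"{b.name} accepts {sorted(b.transforms)}"
        )

    # 2. Crypto ACL must be the exact mirror image of the peer's LAN-to-LAN definition,
    #    subnet masks included: a.local == b.remote and a.remote == b.local.
    if _net(a.local_net) != _net(b.remote_net) or _net(a.remote_net) != _net(b.local_net):
        problems.append(
            f"traffic selectors are not mirror images: {a.name} {a.local_net}->{a.remote_net} "
            f"vs {b.name} {b.local_net}->{b.remote_net}"
        )

    # 3. SA lifetimes must match.
    if a.lifetime_seconds != b.lifetime_seconds:
        problems.append(
            f"lifetime mismatch: {a.name}={a.lifetime_seconds}s {b.name}={b.lifetime_seconds}s"
        )

    # 4. PFS must be enabled with the same DH group on both, or disabled on both.
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {a.name}={a.pfs_group} {b.name}={b.pfs_group}")

    return problems


# Constructed sample data: the PIX side mirrors the two transform sets in the post,
# the Concentrator side deliberately carries a wrong mask, a different lifetime and PFS off.
PIX = Phase2Side(
    name="pix501",
    transforms=(("des", "md5"), ("des", "sha")),
    local_net="10.1.1.0/24",
    remote_net="192.168.5.0/24",
    lifetime_seconds=28800,
    pfs_group=2,
)
CONCENTRATOR = Phase2Side(
    name="vpn3005",
    transforms=(("des", "md5"),),
    local_net="192.168.5.0/24",
    remote_net="10.1.1.0/25",   # constructed mismatch: /25 instead of /24
    lifetime_seconds=3600,
    pfs_group=None,
)


def fixed_concentrator() -> Phase2Side:
    """The same Concentrator entry with the three constructed mismatches corrected."""
    return replace(CONCENTRATOR, remote_net="10.1.1.0/24",
                   lifetime_seconds=28800, pfs_group=2)


if __name__ == "__main__":
    for side in (CONCENTRATOR, fixed_concentrator()):
        issues = check_phase2(PIX, side)
        print(f"{PIX.name} <-> {side.name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Run it as-is and the first comparison lists the three mismatches (selector mask, lifetime, PFS) while the corrected entry reports OK; drop DES from the PIX transforms after a 3DES upgrade and the "no common transform set" line appears until the Concentrator side is changed to match.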

