Hi
Is there anyone with experience setting up PIX - ASL who can help me?
I have ASL 4 to set up against a remote PIX which I do not have access to. The log on the ASL and the config received from the remote PIX administrator are attached. The ASL is normally easy to set up and I use the following settings.
ISAKMP
Lifetime 7800
MD5
3DES
DH Group 1
IPSEC
Lifetime 3600
3DES
MD5
No PFS
Both ASL and PIX are set up with several existing VPN connections to other VPN endpoints.
The *PSK* is identical on both sides.
PIX
access-list 110 permit ip 192.168.1.1 255.255.255.255 10.1.1.1 255.255.255.255
access-list 110 permit ip 192.168.1.2 255.255.255.255 10.1.1.2 255.255.255.255
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set pixvpn esp-3des esp-md5-hmac
crypto map vpn 100 ipsec-isakmp
crypto map vpn 100 match address 110
crypto map vpn 100 set peer a.b.c.d
crypto map vpn 100 set transform-set pixvpn
crypto map vpn interface outside
isakmp enable outside
isakmp key *PSK* address a.b.c.d netmask 255.255.255.255
isakmp identity address
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 1
isakmp policy 100 lifetime 7800
ASL LOG
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #579: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #579: starting keying attempt 54 of an unlimited number
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #581: initiating Main Mode to replace #579
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #581: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #581: ignoring Vendor ID payload [Dead Peer Detection]
Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #581: ignoring Vendor ID payload [556b0bc936425f58...]
Aug 4 10:42:30 (none) pluto[12119]: "connection_10" #581: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Aug 4 10:42:30 (none) pluto[12119]: "connection_10" #581: starting keying attempt 55 of an unlimited number
Aug 4 10:42:30 (none) pluto[12119]: "connection_10" #583: initiating Main Mode to replace #581
Aug 4 10:42:31 (none) pluto[12119]: "connection_10" #583: ignoring Vendor ID payload [Cisco-Unity]
Aug 4 10:42:31 (none) pluto[12119]: "connection_10" #583: ignoring Vendor ID payload [Dead Peer Detection]
Aug 4 10:42:31 (none) pluto[12119]: "connection_10" #583: ignoring Vendor ID payload [556b0bc920e1305e...]
Aug 4 10:43:41 (none) pluto[12119]: "connection_10" #583: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Thanks
Rune
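As an added triage aid (not part of the post or of either vendor's tooling): a small Python script that reads the pluto log above, reports which Main Mode state the initiator keeps timing out in, and checks the ASL phase 1 / phase 2 settings against the PIX isakmp policy and transform-set from the posted config. The mapping of pluto states to IKEv1 Main Mode messages (STATE_MAIN_I3 = MM5 sent, MM6 never came back) is standard pluto behaviour; the "likely cause" strings are the assumed interpretation a practitioner would start from, and the ASL_PHASE1/ASL_PHASE2 dicts are the settings from the post transcribed by hand.

```python
"""Triage an IKEv1 Main Mode failure between a pluto-based initiator (ASL)
and a Cisco PIX responder: find the state the initiator is stuck in, and
check both sides' phase 1 / phase 2 proposals against each other."""
import re
from collections import Counter

# pluto initiator states in IKEv1 Main Mode and what each one waits for.
# MM5, the first encrypted message, carries our identity and the
# authentication hash; no reply at STATE_MAIN_I3 means the responder could
# not verify it (the proposals were already accepted in MM2/MM4).
# The cause strings are an assumed checklist, not pluto output.
STATE_INFO = {
    "STATE_MAIN_I1": ("MM2: SA accepted",
                      "peer unreachable, UDP/500 blocked, or no ISAKMP policy matches"),
    "STATE_MAIN_I2": ("MM4: KE + nonce",
                      "peer did not complete the Diffie-Hellman exchange"),
    "STATE_MAIN_I3": ("MM6: encrypted ID + HASH",
                      "peer could not authenticate MM5: PSK mismatch, wrong identity "
                      "type, or PSK bound to a different peer address"),
}

LOG_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)")


def diagnose_pluto(lines):
    """Map each connection name to the state it keeps timing out in."""
    stuck = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        r = RETRANS_RE.search(m.group("msg"))
        if r:
            stuck[(m.group("conn"), r.group(1))] += 1
    out = {}
    for (conn, state), n in stuck.items():
        waiting, cause = STATE_INFO.get(state, ("unknown", "unrecognised state"))
        out[conn] = {"stuck_state": state, "waiting_for": waiting,
                     "likely_cause": cause, "attempts": n}
    return out


PIX_POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")
PFS_RE = re.compile(r"^crypto map \S+ \d+ set pfs")


def parse_pix(config):
    """Extract ISAKMP policies, IPsec transform sets and PFS from a PIX config."""
    policies, transforms, pfs = {}, {}, False
    for line in config.splitlines():
        line = line.strip()
        if m := PIX_POLICY_RE.match(line):
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := TRANSFORM_RE.match(line):
            transforms[m.group(1)] = {"encryption": m.group(2), "integrity": m.group(3)}
        elif PFS_RE.match(line):
            pfs = True
    return policies, transforms, pfs


def compare_proposals(asl_p1, asl_p2, policies, transforms, pfs):
    """Return a list of mismatches; an empty list means both phases line up."""
    problems = []
    if not any(all(p.get(k) == v for k, v in asl_p1.items()) for p in policies.values()):
        problems.append(f"no PIX isakmp policy matches ASL phase 1 {asl_p1}")
    wanted = {"encryption": asl_p2["encryption"], "integrity": asl_p2["integrity"]}
    if wanted not in transforms.values():
        problems.append(f"no PIX transform-set matches ASL phase 2 {wanted}")
    if pfs != asl_p2["pfs"]:
        problems.append(f"PFS differs: ASL={asl_p2['pfs']} PIX={pfs}")
    return problems


# Inputs taken from the post: the ASL settings transcribed into dicts, the
# crypto lines of the PIX config, and three of the pluto log lines.
ASL_PHASE1 = {"authentication": "pre-share", "encryption": "3des",
              "hash": "md5", "group": "1", "lifetime": "7800"}
ASL_PHASE2 = {"encryption": "esp-3des", "integrity": "esp-md5-hmac", "pfs": False}
PIX_CONFIG = """
crypto ipsec transform-set pixvpn esp-3des esp-md5-hmac
crypto map vpn 100 ipsec-isakmp
crypto map vpn 100 set transform-set pixvpn
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption 3des
isakmp policy 100 hash md5
isakmp policy 100 group 1
isakmp policy 100 lifetime 7800
"""
PLUTO_LOG = [
    'Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #579: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
    'Aug 4 10:41:20 (none) pluto[12119]: "connection_10" #581: initiating Main Mode to replace #579',
    'Aug 4 10:42:30 (none) pluto[12119]: "connection_10" #581: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
    'Aug 4 10:43:41 (none) pluto[12119]: "connection_10" #583: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
]

if __name__ == "__main__":
    for conn, info in diagnose_pluto(PLUTO_LOG).items():
        print(f"{conn}: stuck in {info['stuck_state']} ({info['attempts']}x), "
              f"waiting for {info['waiting_for']}; likely cause: {info['likely_cause']}")
    mismatches = compare_proposals(ASL_PHASE1, ASL_PHASE2, *parse_pix(PIX_CONFIG))
    print("proposal mismatches:", mismatches or "none")
```

For this thread the script reports no proposal mismatch between the two sides, which is consistent with the tunnel dying at STATE_MAIN_I3 rather than earlier: the PIX accepted the SA and key exchange and only stopped answering once the encrypted identity/hash arrived. That narrows the remaining suspects to the pre-shared key and the identity the ASL presents (the PIX has `isakmp identity address` and binds the key to `a.b.c.d`, so the ASL must reach it from exactly that address and send an IP-address identity).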