- You’re not using Cisco’s EasyVPN on your PIX as a client. If you do so, you cannot also have your PIX be an IPSec VPN server. I don’t know if you can have your PIX as an EasyVPN server and a standard IPSec VPN server, but I doubt it. I’d avoid the EasyVPN technology altogether. YMMV.
- Remote internal IP address range: 192.168.0.0/24
- Remote external IP address: dynamic
- Home office internal IP address range: 10.0.0.0/24
- Home office external IP address: static
Set up your transform set (how traffic will be encrypted and authenticated over the tunnel):
crypto ipsec transform-set (name your transform set here) esp-3des esp-md5-hmac
Associate your transform set with a dynamic map, because you have a dynamic IP on the remote end:
crypto dynamic-map (name your dynamic map here) 1 set transform-set (name of transform set from previous line)
Set up your crypto map to map to your dynamic map:
crypto map (name your crypto map here) 10 ipsec-isakmp dynamic (name of your dynamic map here)
Associate your crypto map with the outside interface, so traffic going to the remote peer will be encrypted:
crypto map (name of crypto map from the previous line) interface outside
Enable IPSec tunnel negotiation on the outside interface:
isakmp enable outside
Set up your shared secret to start the tunnel with any remote address (remember, the remote address is dynamic):
isakmp key (put in a complex shared secret here) address 0.0.0.0 netmask 0.0.0.0
Set up the PIX to send its outside IP as its identifier to the remote router. This is necessary for the tunnel to negotiate with the WRV200:
isakmp identity address
Set up how the security associations are negotiated (encryption and authentication). This must match the VPN configuration on the WRV200:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Under the Setup section, go to the Basic Setup tab and configure the LAN Setup section to use the IP range 192.168.0.0/24.
[Optional – I wanted my remote clients to be able to see my home office computers by name – so I added the home office DNS server as DNS IP Address 1 (i.e. 10.0.0.2), and the Linksys itself as DNS IP Address 2 (i.e. 192.168.0.1)]
On the VPN tab, go to the IPSec VPN tab and configure a Tunnel Entry:
- Select a tunnel (the first tunnel is Tunnel A)
- Set the VPN Tunnel to be Enabled
- Give the tunnel a name (i.e. ToHomeOffice)
- If your home office PIX is NATted on the outside interface, you’ll need to enable NAT-Traversal – provided the device in front of your PIX will allow NAT-Traversal. I didn’t have the problem, so you’ll need more info from elsewhere if you need to do this.
- Set up the Local Secure Group to be your WRV200 router’s subnet (i.e. 192.168.0.0, 255.255.255.0), or the static address of the one remote host you want to traverse the tunnel. If you choose a single host, make sure you assign that IP outside of the router’s DHCP scope!
- Set up the Remote Secure Group to be your home office’s subnet (i.e. 10.0.0.0, 255.255.255.0).
- Set up the Remote Secure Gateway to be the outside IP address of your PIX.
- Set up Key Management to use the same methods as the PIX. For the example above, that would be:
- Key Exchange Method: Auto (IKE)
- Operation Mode: Main
- ISAKMP Encryption Method: 3DES
- ISAKMP Authentication Method: SHA1
- ISAKMP DH Group: Group 2: 1024-bits
- ISAKMP Key Lifetime(s): 86400
- PFS (Perfect Forward Secrecy): Enabled
- IPSec Encryption Method: 3DES
- IPSec Authentication: MD5
- IPSec DH Group: Same as the ISAKMP
- IPSec Key Lifetime(s): 3600
- Pre-Shared Key: (Same as the complex shared secret in the PIX line that starts with isakmp key)
I enabled Dead Peer Detection (“Recover Connection when it drops”), “If IKE failed more than 5 times block this unauthorized IP for 60 seconds”, and Anti-replay.
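Most failed tunnels between two different vendors come down to one phase-1 or phase-2 value that does not match on both ends. The script below is an added example (not from the original post, and not a Cisco or Linksys tool): it parses the PIX lines from the post, with made-up names filled in for the placeholders (wrv-ts, wrv-dyn, outside-map), translates the PIX keywords into the labels the WRV200 Key Management page uses, and reports every setting that differs. The PIX-to-Linksys label tables are an assumption for anything other than the 3DES/SHA1/MD5/Group 2 values the post itself uses. PFS is left out of the comparison because the PIX lines in the post do not configure it explicitly. The parser also flags the `isakmp key ... address 0.0.0.0 netmask 0.0.0.0` line as a wildcard pre-shared key: with a dynamic remote address that is what the post needs, but it means any peer that knows the secret can begin a negotiation, so the strength of that secret is what carries the tunnel’s security.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the PIX lines from the post with the placeholder names filled in.
# wrv-ts, wrv-dyn and outside-map are invented names; the secret is a placeholder.
PIX_CONFIG = """\
crypto ipsec transform-set wrv-ts esp-3des esp-md5-hmac
crypto dynamic-map wrv-dyn 1 set transform-set wrv-ts
crypto map outside-map 10 ipsec-isakmp dynamic wrv-dyn
crypto map outside-map interface outside
isakmp enable outside
isakmp key REPLACE-WITH-SECRET address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# The WRV200 Key Management values exactly as the post lists them
# (ISAKMP = phase 1, IPSec = phase 2).
WRV200_TUNNEL = {
    "isakmp_encryption": "3DES",
    "isakmp_auth": "SHA1",
    "isakmp_dh_group": "Group 2: 1024-bits",
    "isakmp_lifetime": 86400,
    "ipsec_encryption": "3DES",
    "ipsec_auth": "MD5",
}

# PIX keyword -> WRV200 menu label. Only the entries the post uses are confirmed;
# the remaining labels are assumptions about the Linksys menu.
ISAKMP_ENC = {"3des": "3DES", "des": "DES", "aes": "AES"}
ISAKMP_HASH = {"sha": "SHA1", "md5": "MD5"}
DH_GROUP = {"1": "Group 1: 768-bits", "2": "Group 2: 1024-bits", "5": "Group 5: 1536-bits"}
ESP_ENC = {"esp-3des": "3DES", "esp-des": "DES", "esp-aes": "AES"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def parse_pix(config: str) -> Dict[str, object]:
    """Pull the phase-1 policy and the phase-2 transform set that the dynamic map
    actually references out of a PIX configuration fragment."""
    transform_sets: Dict[str, List[str]] = {}
    dyn_ts: Optional[str] = None
    policy: Dict[str, str] = {}
    wildcard_psk = False
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", line)
        if m:
            dyn_ts = m.group(1)
            continue
        m = re.match(r"isakmp policy \d+ (\S+) (\S+)", line)
        if m:
            policy[m.group(1)] = m.group(2)
            continue
        # A key bound to 0.0.0.0/0.0.0.0 is accepted from any peer address.
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", line):
            wildcard_psk = True
    if dyn_ts is None or dyn_ts not in transform_sets:
        raise ValueError("dynamic map does not reference a defined transform set")
    transforms = transform_sets[dyn_ts]
    return {
        "isakmp_encryption": ISAKMP_ENC.get(policy.get("encryption"), policy.get("encryption")),
        "isakmp_auth": ISAKMP_HASH.get(policy.get("hash"), policy.get("hash")),
        "isakmp_dh_group": DH_GROUP.get(policy.get("group"), policy.get("group")),
        "isakmp_lifetime": int(policy["lifetime"]) if "lifetime" in policy else None,
        "ipsec_encryption": next((ESP_ENC[t] for t in transforms if t in ESP_ENC), None),
        "ipsec_auth": next((ESP_AUTH[t] for t in transforms if t in ESP_AUTH), None),
        "wildcard_psk": wildcard_psk,
    }


def compare(pix: Dict[str, object], wrv: Dict[str, object]) -> List[str]:
    """Return one line per WRV200 setting that the PIX side does not match;
    an empty list means the two proposals line up."""
    problems = []
    for key, expected in wrv.items():
        got = pix.get(key)
        if got != expected:
            problems.append(f"{key}: PIX={got!r} WRV200={expected!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_pix(PIX_CONFIG)
    for problem in compare(parsed, WRV200_TUNNEL) or ["no mismatches"]:
        print(problem)
    if parsed["wildcard_psk"]:
        print("note: wildcard pre-shared key (address 0.0.0.0) - any peer with the secret may negotiate")
```

To use it against a real box, paste the output of `show running-config` (or `write terminal` on older PIX software) into PIX_CONFIG and type the Linksys values into WRV200_TUNNEL; a mismatch line tells you which end to change before you start reading debug output.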
That’s it! Now there are two ways to see what’s happening with your tunnel, and both are useful for troubleshooting:
On the PIX, at the console (or an SSH connection), do:
debug crypto ipsec
debug crypto isakmp
and watch the messages scroll by.
On the Linksys, under the VPN section, you can go to the VPN Summary tab and see the status of the tunnel. You can dive deeper into the tunnel there as well, and see the errors in the VPN log.
Also, some commands to check the status of the tunnel on the PIX:
show crypto isakmp sa—View all current IKE security associations (SAs) at a peer.
show crypto ipsec sa—View the settings used by current security associations.
clear crypto isakmp sa—(from configuration mode) Clear all active IKE connections.
clear crypto ipsec sa—(from configuration mode) Delete all IPSec security associations.
Before deploying your remote router, I’d recommend going into the Administration section, under the Management tab, and setting up Remote Management of the router from the home office – i.e. the external IP address of the PIX.
Also, if you use a VOIP phone on this router, you can set the port that the phone is plugged into to have higher priority than the rest of the ports. Go to the QoS section, and to the Port-based QoS tab, and enable QoS. Then set the port to have High Priority.
Hopefully this set of instructions helps at least one other person with the pain of setting up this type of VPN!