Quick VPN through PIX

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by ed001, Aug 1, 2006.

  1. ed001

    ed001 Network Guru Member

    I have a PIX 506e at home and I am trying to connect to one of my clients with the Quick VPN client (WRV54G). It works if I pull a Linksys or D-Link router out of my closet but when I put the PIX back in line it doesn't work. I believe it hangs on verifying network. Any suggestions would be great. I have configured the PIX for IPSEC and PPTP pass and not for L2TP.
    Thanks in advance!!!
  2. Toxic

    Toxic Administrator Staff Member

QuickVPN AFAIK uses ports 443 or 60443 to connect to the VPN router. Is the PIX somehow blocking any of these outgoing ports?
  3. DocLarge

    DocLarge Super Moderator Staff Member Member

I've noticed the exact same problem with my PIX 501. If I use my SMCBR18VPN, Netgear DG834G, or WRV54G, it works, but as soon as I put my PIX online, it's instant death for the packet.

I tried using the PIX pass-through command for UDP 500 (fixup protocol 500 isakmp) and still got nowhere. You know, you could also try this:

    - fixup protocol esp-ike

I got that from eric_stewart and I don't remember whether or not that worked (I've switched back to SOHO routers for a moment).

    I'll put my pix back on line tonight and try it myself also.

  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Yeah...the "fixup" mentioned turns on IPSec VPN pass-thru. It instructs the PIX to inspect the IKE Phase I and IKE Phase II exchanges and thus keeps track of the VPN peers...forwarding the packets to the correct peer as the VPN is built across the PIX.

Only problem is that the PIX expects Phase I to use ISAKMP (i.e. UDP port 500 as both source and destination), whereas QuickVPN uses SSL on port 443 (or port 60443) to exchange credentials/policies and to perform authentication instead of ISAKMP in Phase I. I think this confuses the PIX and it gives up, as it can't track the VPN peers.

    And to think that Linksys is a subsidiary of Cisco...shame shame.

    I think the solution is probably to turn *off* the fixup and hope for the best. Weird, but it might work.
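As an added example (not posted by anyone in the thread), here is a PIX 6.3 configuration fragment that puts the two suggestions above side by side: an outbound access list that explicitly permits the QuickVPN SSL ports plus the IKE/NAT-T/ESP traffic a tunnel needs, and the esp-ike fixup first enabled and then disabled. The interface names, the 192.168.1.0/24 inside network and the access-list name are assumptions; adjust them to the real PIX.

```cisco
! Added example, not from the thread. Assumes PIX 6.3 with interfaces
! named "inside" and "outside", inside network 192.168.1.0/24, and an
! access list called "inside_out". PIX ACLs take ordinary subnet masks,
! not IOS-style wildcard masks.
!
! 1. Outbound permits. Only relevant if an ACL is (or will be) bound on
!    the inside interface; with no ACL applied the PIX already permits
!    traffic from a higher-security to a lower-security interface.
!    QuickVPN negotiates over SSL (TCP 443 or 60443), then IKE/ESP follow.
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 443
access-list inside_out permit tcp 192.168.1.0 255.255.255.0 any eq 60443
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq isakmp
access-list inside_out permit udp 192.168.1.0 255.255.255.0 any eq 4500
access-list inside_out permit esp 192.168.1.0 255.255.255.0 any
access-group inside_out in interface inside
!
! 2. IPsec pass-through fixup. It watches the ISAKMP exchange on UDP/500
!    so it can match the ESP flow that follows to the inside client when
!    PAT is in use. Limits on 6.3: one ESP tunnel at a time, and it is
!    refused while "isakmp enable" is set on any interface. QuickVPN does
!    its own negotiation over SSL, so there may be no ISAKMP exchange for
!    the fixup to track; try it enabled first:
fixup protocol esp-ike
!    ...and if the client still stalls at "Verifying Network", turn it
!    back off (this is the "turn *off* the fixup" suggestion):
no fixup protocol esp-ike
!
! 3. Verify. show fixup lists the current state of esp-ike; the hit
!    counts on the ACL show which ports the client actually used; show
!    conn should show the TCP/443 (or 60443) session to the remote router.
show fixup
show access-list inside_out
show conn
```

Change one thing at a time between tests: bind the ACL first and confirm the SSL session appears in show conn, then toggle the fixup, so a failure can be attributed to one setting.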
