
I've got a site-to-site VPN that was previously between a Cisco 1841 and a Cisco PIX 515. The PIX dropped dead yesterday, and I had to swap in a cheap Netgear firewall to restore basic internet access. I'm hoping to re-establish this tunnel before my replacement Cisco shows up, but the Netgear isn't making it easy.

Let's say the Cisco end is 1.1.1.1 and the Netgear end is 2.2.2.2.

Here's the relevant config from the Cisco end:

crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
crypto isakmp key redactedKey address 2.2.2.2
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
    set peer 2.2.2.2
    set transform-set sharks
    match address 120

IKE settings entered in Netgear

Local
    Local identity type: WAN IP Address
    Local identity data: 2.2.2.2

Remote
    Remote identity type: Remote WAN IP
    Remote identity data: [grayed out]

IKE SA Params
    Encryption algo: 3DES
    Auth algo: SHA-1
    Auth method: PSK: redactedKey
    DH group: group 2
    SA Life time: 28800

VPN policy configuration
    Remote address: 1.1.1.1
    Local IP: any
    Remote IP: range: 192.168.1.1-192.168.1.254 (LAN IP range of remote)

But then there are fields to enter AH and ESP configuration, settings that don't appear to be in the Cisco config. I leave these all blank.

But when I attempt to apply these settings, the NG spits out this unhelpful error: ERROR : AH or ESP condition not support

I don't have any reference to AH or ESP encryption keys in my Cisco config, so I'm not sure what to fill in here.

Any suggestions?

ndespres
  • What are the fields that the NetGear wants that aren't in the Cisco config? One mismatch in your IKE config to correct - Cisco lifetime defaults to 86400, while the Netgear has 28800. – Shane Madden Aug 26 '11 at 18:13
  • Shane: the Netgear wanted to know: SPI - Incoming _______ (hex, 3-8 chars) SPI - Outgoing _______ (hex, 3-8 chars) [ ] Enable Encryption Encryption algorithm: Key - In ________ Key - Out ________ [ ] Enable authentication Auth algo: Key - In: ______ Key - Out: ______ My mistake was not checking the Enable Encryption and Enable Authentication fields. The Netgear GUI lays this out in such a way that you're led to believe that you must enter keys when selecting these fields. The Cisco config indicates esp-des and esp-md5, so I set Encryption to DES and Auth to MD5. It's all good now! – ndespres Aug 26 '11 at 18:46
  • Great! Once the question's 8 hours old, you can add your own answer to it, which will help future googlers with this same issue. :) – Shane Madden Aug 26 '11 at 18:55

2 Answers


Make sure the encryption in this manner is set to DES and the Auth to MD5

Aaron

My mistake was not checking the Enable Encryption and Enable Authentication fields. The Netgear GUI lays this out in such a way that you're led to believe that you must enter keys when selecting these fields. The Cisco config indicates esp-des and esp-md5, so I set Encryption to DES and Auth to MD5. It's all good now!

ndespres
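Added example, not code from the question or either answer: a small Python script that reads the Cisco config posted above, derives the Phase 1 (ISAKMP) and Phase 2 (ESP) settings the Netgear side has to match, and lists what differs from the values entered in the GUI. It reproduces both findings on this page: the transform-set keywords esp-des and esp-md5-hmac are exactly the Encryption (DES) and Authentication (MD5) selectors that were left unchecked, and the IKE lifetime was 28800 against the Cisco default of 86400. The GUI field names and the IOS defaults assumed for hash and lifetime (SHA-1, 86400 s) are my assumptions.

```python
import re

# Cisco configuration pasted in the question, embedded here as sample input.
CISCO_CONFIG = """
crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
    set peer 2.2.2.2
    set transform-set sharks
"""
# IOS keyword -> label used in the Netgear GUI (assumed labels). Phase 1 hash and
# lifetime fall back to the IOS defaults (SHA-1, 86400 s) when the policy omits them.
ISAKMP_ENC = {"des": "DES", "3des": "3DES", "aes": "AES-128"}
ISAKMP_HASH = {"sha": "SHA-1", "md5": "MD5"}
ESP_ENC = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES-128"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1"}

def parse_cisco(config):
    """Return the Phase 1 (ISAKMP) and Phase 2 (ESP) settings a peer must match."""
    p1 = {"ike_auth": "SHA-1", "ike_lifetime": 86400}
    p2 = {"esp_encryption": None, "esp_auth": None}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"encr (\S+)", line):
            p1["ike_encryption"] = ISAKMP_ENC[m.group(1)]
        elif m := re.match(r"hash (\S+)", line):
            p1["ike_auth"] = ISAKMP_HASH[m.group(1)]
        elif m := re.match(r"group (\d+)", line):
            p1["dh_group"] = int(m.group(1))
        elif m := re.match(r"lifetime (\d+)", line):
            p1["ike_lifetime"] = int(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", line):
            for word in m.group(1).split():  # e.g. esp-des esp-md5-hmac
                p2["esp_encryption"] = ESP_ENC.get(word, p2["esp_encryption"])
                p2["esp_auth"] = ESP_AUTH.get(word, p2["esp_auth"])
    return {**p1, **p2}

def mismatches(cisco, netgear):
    """List every field where the Netgear entry differs from what the Cisco side requires."""
    return [f"{k}: Netgear={netgear.get(k)!r}, Cisco needs {v!r}"
            for k, v in cisco.items() if netgear.get(k) != v]

# Constructed from the question: Phase 1 as entered, ESP section left blank.
NETGEAR_AS_ENTERED = {"ike_encryption": "3DES", "ike_auth": "SHA-1", "dh_group": 2,
                      "ike_lifetime": 28800, "esp_encryption": None, "esp_auth": None}

if __name__ == "__main__":
    for problem in mismatches(parse_cisco(CISCO_CONFIG), NETGEAR_AS_ENTERED):
        print(problem)
```

Running it prints three lines: the lifetime mismatch and the two empty ESP selectors; filling the GUI with DES/MD5 and 86400 makes the list empty.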