Cisco 1841 to Netgear FVS318 VPN connection


I've got a site-to-site VPN that was previously between a Cisco 1841 and a Cisco PIX 515. The PIX dropped dead yesterday, and I had to swap in a cheap Netgear firewall to restore basic internet access. I'm hoping to re-establish this tunnel before my replacement Cisco shows up, but the Netgear isn't making it easy.

Let's say the Cisco end is 1.1.1.1 and the Netgear end is 2.2.2.2.

Here's the relevant config from the Cisco end:

crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
crypto isakmp key redactedKey address 2.2.2.2
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
    set peer 2.2.2.2
    set transform-set sharks
    match address 120

IKE settings entered in Netgear
Local
Local identity type: WAN IP Address
Local identity data: 2.2.2.2

Remote
Remote identity type: Remote WAN IP
Remote identity data: [grayed out]

IKE SA Params
encryption algo: 3DES
Auth algo: SHA-1
Auth method: PSK: redactedKey
DH group: group 2
SA Life time: 28800

VPN policy configuration
Remote address: 1.1.1.1
Local IP: any
Remote IP: range: 192.168.1.1-192.168.1.254 (LAN IP range of remote)
But then there are fields to enter AH and ESP configuration, settings that don't appear to be in the Cisco config. I leave these all blank.

But when I attempt to apply these settings, the NG spits out this unhelpful error:
ERROR : AH or ESP condition not support

I don't have any reference to AH or ESP encryption keys in my Cisco config, so I'm not sure what to fill in here.

Any suggestions?

Best Answer

Make sure the encryption in this manner is set to DES and the Auth to MD5.
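
The mapping behind this answer, as an added example that is not part of the original question or answer: this Python reads the Cisco config quoted in the question and lists the phase 1 (IKE) and phase 2 (ESP/AH) values the peer has to match. The function names, the lookup tables and the classic IOS ISAKMP defaults (values IOS leaves out of the displayed config) are assumptions of this example.

```python
import re

# Constructed sample: the crypto lines from the Cisco config in the question.
CISCO_CONFIG = """\
crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
crypto isakmp key redactedKey address 2.2.2.2
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
"""

# Assumption: classic IOS ISAKMP policy defaults, which are not shown in the config.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}

# Transform keyword -> (peer field, algorithm). A subset of IOS transforms.
TRANSFORMS = {
    "esp-des": ("ESP encryption", "DES"), "esp-3des": ("ESP encryption", "3DES"),
    "esp-aes": ("ESP encryption", "AES-128"),
    "esp-md5-hmac": ("ESP authentication", "MD5"),
    "esp-sha-hmac": ("ESP authentication", "SHA-1"),
    "ah-md5-hmac": ("AH authentication", "MD5"),
    "ah-sha-hmac": ("AH authentication", "SHA-1"),
}

def phase1(config):
    """Return {policy_number: IKE settings} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(ISAKMP_DEFAULTS))
        elif current is not None and line.startswith((" ", "\t")):
            words = line.split()  # indented sub-command of the current policy
            key = "encr" if words[0] in ("encr", "encryption") else words[0]
            current[key] = " ".join(words[1:])
        else:
            current = None  # any unindented line ends the policy block
    return policies

def phase2(config):
    """Return {transform_set_name: {peer field: algorithm}}."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = dict(TRANSFORMS.get(t, (t, "unknown"))
                                for t in m.group(2).split())
    return sets
```

For the config in the question, `phase2` returns only ESP fields for the `sharks` transform set, and `phase1` fills in the hash that the policy block does not list.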