[c-nsp] Problem with VPN to PIX

Ted Mittelstaedt tedm at toybox.placo.com
Tue Apr 5 02:57:47 EDT 2005


 Cisco uses that line in their posted config for l2tp:

http://www.cisco.com/warp/public/110/l2tp-ipsec.html


  Could it possibly require a different transform set?
Perhaps:

crypto ipsec transform-set l2tp esp-aes-256 esp-sha-hmac

isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha


Ted

> -----Original Message-----
> From: Marcus Keane [mailto:mkeane at microsoft.com]
> Sent: Monday, April 04, 2005 10:21 PM
> To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Problem with VPN to PIX
>
>
> It's been a while since I played with this, but could this line be your
> problem:
>
> crypto map mymap client authentication LOCAL
>
> I believe this line is for xauth authentication and windows doesn't
> support this. User authentication is done by ppp.
> Marcus
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
> > Sent: Tuesday, 5 April 2005 14:20
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Problem with VPN to PIX
> >
> > Hi All,
> >
> >   OK I am stumped on a problem and I've looked over this config a
> > dozen times and I don't know why it's not working.  I'd greatly
> > appreciate any suggestions other than to run the Cisco VPN client.
> > (I'll shoot any smartass that suggests that, and no, it doesn't work
> > either, I already tried)
> >
> >   Setup is a PIX 506 running PIX 6.3.4.  VPN client is Windows XP SP2,
> > and also I tested with Win98 running Microsoft's IPSec VPN client.  The
> > clients are configured to use IPSec/L2TP with a preshared key.  They
> > don't work, do not authenticate.  I get a log entry on the PIX about
> > isakmp handshaking starting up and that's it.  The clients just hang
> > during the initial connection.
> >
> >   The exact same PIX and same Windows clients work perfectly if I wipe
> > the PIX config and replace it with a PIX config that does PPTP and
> > change the clients to use pptp.
> >
> >   I've also tried "isakmp policy 20 group 2" with no difference.
> >
> > Here's the PIX config:
> >
> > : Written by enable_15 at 15:06:25.973 UTC Mon Apr 4 2005
> > PIX Version 6.3(4)
> > interface ethernet0 auto
> > interface ethernet1 auto
> > nameif ethernet0 outside security0
> > nameif ethernet1 inside security100
> > enable password XXXXXXXXXXX encrypted
> > passwd XXXXXXXXXX encrypted
> > hostname YYYYYYYYY
> > domain-name ZZZZZZZZ.com
> > fixup protocol dns maximum-length 512
> > fixup protocol ftp 21
> > fixup protocol h323 h225 1720
> > fixup protocol h323 ras 1718-1719
> > fixup protocol http 80
> > fixup protocol rsh 514
> > fixup protocol rtsp 554
> > fixup protocol sip 5060
> > fixup protocol sip udp 5060
> > fixup protocol skinny 2000
> > fixup protocol smtp 25
> > fixup protocol sqlnet 1521
> > fixup protocol tftp 69
> > names
> > access-list eatme-incoming permit tcp 65.75.16.0 255.255.255.0 any eq 3389
> > access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
> > access-list l2tp permit udp host 189.17.44.166 any eq 1701
> > pager lines 24
> > logging on
> > logging buffered debugging
> > mtu outside 1500
> > mtu inside 1500
> > ip address outside 189.17.44.166 255.255.255.252
> > ip address inside 192.168.1.1 255.255.255.0
> > ip audit info action alarm
> > ip audit attack action alarm
> > ip local pool l2tp 192.168.254.1-192.168.254.254
> > pdm logging informational 100
> > pdm history enable
> > arp timeout 14400
> > global (outside) 1 interface
> > nat (inside) 0 access-list nonat
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
> > access-group eatme-incoming in interface outside
> > conduit permit icmp any any
> > route outside 0.0.0.0 0.0.0.0 189.17.44.165 1
> > timeout xlate 0:05:00
> > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > timeout uauth 0:05:00 absolute
> > aaa-server TACACS+ protocol tacacs+
> > aaa-server TACACS+ max-failed-attempts 3
> > aaa-server TACACS+ deadtime 10
> > aaa-server RADIUS protocol radius
> > aaa-server RADIUS max-failed-attempts 3
> > aaa-server RADIUS deadtime 10
> > aaa-server LOCAL protocol local
> > no snmp-server location
> > no snmp-server contact
> > snmp-server community public
> > no snmp-server enable traps
> > tftp-server outside 65.75.64.2 XXXXXXXXXXX.txt
> > floodguard enable
> > sysopt connection permit-l2tp
> > crypto ipsec transform-set l2tp esp-des esp-md5-hmac
> > crypto ipsec transform-set l2tp mode transport
> > crypto ipsec security-association lifetime seconds 3600
> > crypto dynamic-map dyna 20 match address l2tp
> > crypto dynamic-map dyna 20 set transform-set l2tp
> > crypto map mymap 10 ipsec-isakmp dynamic dyna
> > crypto map mymap client authentication LOCAL
> > crypto map mymap interface outside
> > isakmp enable outside
> > isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
> > isakmp policy 20 authentication pre-share
> > isakmp policy 20 encryption des
> > isakmp policy 20 hash md5
> > isakmp policy 20 group 1
> > isakmp policy 20 lifetime 86400
> > telnet 192.168.1.0 255.255.255.0 inside
> > telnet timeout 10
> > ssh 65.75.20.0 255.255.255.0 outside
> > ssh timeout 5
> > console timeout 0
> > vpdn group l2tpipsec accept dialin l2tp
> > vpdn group l2tpipsec ppp authentication chap
> > vpdn group l2tpipsec ppp authentication mschap
> > vpdn group l2tpipsec client configuration address local l2tp
> > vpdn group l2tpipsec client configuration dns 192.168.1.2 26.13.2.4
> > vpdn group l2tpipsec client configuration wins 192.168.1.2
> > vpdn group l2tpipsec client accounting RADIUS
> > vpdn group l2tpipsec client authentication local
> > vpdn group l2tpipsec l2tp tunnel hello 60
> > vpdn username testuser password AAAAAAAABBBBCCCC
> > vpdn enable outside
> > dhcpd address 192.168.1.100-192.168.1.149 inside
> > dhcpd dns 192.168.1.2 26.13.2.4
> > dhcpd wins 192.168.1.2
> > dhcpd lease 3600
> > dhcpd ping_timeout 750
> > dhcpd option 46 hex 08
> > dhcpd enable inside
> > terminal width 80
> > : end
> > $
> >
> > Any suggestions?  This is the one config Cisco doesn't seem to have on
> > file for the PIXen.  (no, I do not want to use a 3rd party generated
> > certificate)
> >
> > Ted
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
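As an added example, not part of the thread and not Cisco's tooling: a small Python linter that pulls the crypto statements out of a PIX 6.x config and checks the points the thread turns on. It verifies that the dynamic map's transform-set exists and is in transport mode (which the Windows L2TP/IPsec client requires), flags the legacy DES/MD5/group 1 algorithms, warns when the ISAKMP policy is left weaker than the ESP transform set so both get changed together as Ted proposes, flags the `crypto map ... client authentication` (xauth) line for review as Marcus suggests, and confirms `sysopt connection permit-l2tp` and a udp/1701 access-list are present. The rule names, severities and message wording are my own assumptions; the sample input is constructed from the crypto-related lines of the posted config, and the hardened variant applies Ted's proposed AES-256/SHA lines.

```python
"""Lint the crypto statements of a PIX 6.x config meant for L2TP/IPsec clients.

Added example, not from the thread.  Rule set and messages are this example's
own; the checks mirror the thread's discussion (transport mode, legacy
algorithms, phase 1/phase 2 alignment, xauth on the L2TP map).
"""

# Constructed sample: the crypto-related lines of the config quoted in the thread.
SAMPLE_CONFIG = """\
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
access-list l2tp permit udp host 189.17.44.166 any eq 1701
"""

# Same config with Ted's proposed AES-256/SHA lines, group 2, and the xauth line removed.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("esp-des esp-md5-hmac", "esp-aes-256 esp-sha-hmac")
                   .replace("encryption des", "encryption aes-256")
                   .replace("hash md5", "hash sha")
                   .replace("group 1", "group 2")
                   .replace("crypto map mymap client authentication LOCAL\n", ""))

# Assumption: these algorithm classes are this linter's own policy, not a PIX built-in.
LEGACY_ESP = {"esp-des", "esp-md5-hmac"}
LEGACY_ISAKMP = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
STRONG_ESP_ENC = {"esp-aes-256", "esp-aes-192", "esp-aes", "esp-3des"}
STRONG_ISAKMP_ENC = {"aes-256", "aes-192", "aes", "3des"}


def parse_config(text):
    """Collect the statements relevant to an L2TP/IPsec deployment."""
    cfg = {"transform_sets": {}, "dynmap_refs": [], "xauth_maps": [],
           "isakmp_policies": {}, "l2tp_acl": False, "sysopt_l2tp": False}
    for raw in text.splitlines():
        words = raw.strip().split()
        if not words:
            continue
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 5:
            ts = cfg["transform_sets"].setdefault(words[3], {"transforms": set(), "mode": "tunnel"})
            if words[4] == "mode":
                ts["mode"] = words[5]          # "crypto ipsec transform-set NAME mode transport"
            else:
                ts["transforms"].update(words[4:])
        elif words[:2] == ["crypto", "dynamic-map"] and "transform-set" in words:
            cfg["dynmap_refs"].append((words[2], words[words.index("transform-set") + 1]))
        elif words[:2] == ["crypto", "map"] and words[3:5] == ["client", "authentication"]:
            cfg["xauth_maps"].append(words[2])  # xauth enabled on this crypto map
        elif words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            cfg["isakmp_policies"].setdefault(words[2], {})[words[3]] = words[4]
        elif words[0] == "access-list" and "udp" in words and words[-2:] == ["eq", "1701"]:
            cfg["l2tp_acl"] = True
        elif words == ["sysopt", "connection", "permit-l2tp"]:
            cfg["sysopt_l2tp"] = True
    return cfg


def lint(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    for dynmap, name in cfg["dynmap_refs"]:
        ts = cfg["transform_sets"].get(name)
        if ts is None:
            findings.append(("error", f"dynamic-map {dynmap} references undefined transform-set {name}"))
            continue
        if ts["mode"] != "transport":
            findings.append(("error", f"transform-set {name} lacks 'mode transport', which L2TP/IPsec clients need"))
        legacy = sorted(ts["transforms"] & LEGACY_ESP)
        if legacy:
            findings.append(("warn", f"transform-set {name} uses legacy transforms {' '.join(legacy)}; prefer esp-aes-256 esp-sha-hmac"))
    esp_strong = any(ts["transforms"] & STRONG_ESP_ENC for ts in cfg["transform_sets"].values())
    for num, pol in sorted(cfg["isakmp_policies"].items()):
        for attr, weak in LEGACY_ISAKMP.items():
            if pol.get(attr) in weak:
                findings.append(("warn", f"isakmp policy {num} {attr} {pol[attr]} is legacy"))
        # Phase 1 should not lag behind phase 2: the thread changes both together.
        if esp_strong and pol.get("encryption") not in STRONG_ISAKMP_ENC:
            findings.append(("warn", f"isakmp policy {num} encryption {pol.get('encryption')} is weaker than the ESP transform set"))
    for name in cfg["xauth_maps"]:
        findings.append(("review", f"crypto map {name} has 'client authentication' (xauth); the thread suggests the Windows client expects PPP user authentication instead"))
    if not cfg["sysopt_l2tp"]:
        findings.append(("error", "missing 'sysopt connection permit-l2tp'"))
    if not cfg["l2tp_acl"]:
        findings.append(("error", "no access-list matching udp/1701 for the dynamic map"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, message in lint(text) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run against the posted config it reports no errors but warns on every DES/MD5/group 1 line and asks for a review of the xauth line; the hardened variant comes back clean. Parsing is by whitespace-split keywords rather than a grammar, which is enough for `show run` output on this platform but will need extending for other statement forms.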


