[nsp] Can't get Cisco VPN Client -> PIX to work

Brian signal at shreve.net
Thu Apr 24 14:06:50 EDT 2003


I am having troubles getting a simple VPN up and running on a PIX.  I
have tried PIX 6.1.4 and now am using 6.2.2.  I have tried VPN Client
3.x.

On the VPN client, it is very simple, all I do is give it the outside
interface IP of the PIX to connect to, tell it group "vpn3000" and the
correct password, and that's all I should need to do.

On the PIX, here is the relevant part of the config:

access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
ip address outside 207.254.193.39 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpnpool 10.4.1.1-10.4.1.255
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 207.254.192.2
vpngroup vpn3000 wins-server 207.253.192.23
vpngroup vpn3000 default-domain shreve.net
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********


I have tried the above with and without the "isakmp key" line.  I have
tried almost every basic config I could find at cisco.com, but none are
working for me, I always get the following debug:

crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Added new peer: ip:207.254.222.205 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:1 Total
VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:          attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
ISADB: reaper checking SA 0x80fccf30, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:0 Total
VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN peers:0


Can anyone help me out here?  I honestly am not very familiar with VPN
setup, but I am trying to absorb all I can from cisco.com. 

Brian




-- 
-----------------------------------------------
Brian Feeny, CCIE #8036	   e: signal at shreve.net
Network Engineer	   p: 318.222.2638x109	
ShreveNet Inc.		   f: 318.221.6612 
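
Added example, not part of the original post: a Python script that lines up the proposals printed in an ISAKMP debug like the one above against the `isakmp policy` lines of the config and reports which attributes differ. The input is constructed from lines in the post; the `NAMES` mapping from config keywords to debug spellings and all function names are assumptions.

```python
import re

# Constructed input, shaped like the config and debug lines in the message.
CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
"""
# Assumption: config keywords correspond to these debug spellings.
NAMES = {"des": "DES-CBC", "3des": "3DES-CBC", "sha": "SHA", "md5": "MD5"}
FIELD = re.compile(r"ISAKMP:\s+(extended )?(?:default )?(auth|encryption|hash|group)"
                   r"(?:\.\.\. What\?)? (\S+?)\??$")

def parse_policy(config, priority):
    """Fields of one 'isakmp policy' (lifetime ignored), values in debug spelling."""
    pat = rf"^isakmp policy {priority} (auth|encryption|hash|group)\S* (\S+)"
    return {k: NAMES.get(v, v) for k, v in re.findall(pat, config, re.M)}

def parse_offers(debug):
    """{transform: {field: value}}; an unnamed ID ("What? 7?") is kept as "7"."""
    offers, cur = {}, None
    for line in debug.splitlines():
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) ", line):
            cur = offers.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := FIELD.match(line)):
            # Extended-auth proposals are treated as distinct from plain pre-share.
            cur[m.group(2)] = ("xauth " if m.group(1) else "") + m.group(3)
    return offers

def mismatches(config, debug, priority):
    """{transform: {field: (offered, configured)}} for fields that differ."""
    policy = parse_policy(config, priority)
    return {n: {k: (o.get(k), v) for k, v in policy.items() if o.get(k) != v}
            for n, o in parse_offers(debug).items()}

if __name__ == "__main__":
    print(mismatches(CONFIG, DEBUG, 20))
```

In the IANA IKEv1 registry, encryption algorithm ID 7 is AES-CBC, which is the value the debug prints as "What? 7?".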