[nsp] Can't get Cisco VPN Client -> PIX to work
Brian
signal at shreve.net
Thu Apr 24 14:06:50 EDT 2003
I am having trouble getting a simple VPN up and running on a PIX. I
have tried PIX 6.1.4 and now am using 6.2.2. I have tried VPN Client
3.x.
On the VPN client, it is very simple, all I do is give it the outside
interface IP of the PIX to connect to, tell it group "vpn3000" and the
correct password, and that's all I should need to do.
On the PIX, here is the relevant part of the config:
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
ip address outside 207.254.193.39 255.255.255.240
ip address inside 10.1.1.1 255.255.255.0
ip local pool vpnpool 10.4.1.1-10.4.1.255
nat (inside) 0 access-list 110
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool vpnpool
vpngroup vpn3000 dns-server 207.254.192.2
vpngroup vpn3000 wins-server 207.253.192.23
vpngroup vpn3000 default-domain shreve.net
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
I have tried the above with and without the "isakmp key" line. I have
tried almost every basic config I could find at cisco.com, but none are
working for me, I always get the following debug:
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Added new peer: ip:207.254.222.205 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:1 Total
VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
VPN Peers:1
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
ISADB: reaper checking SA 0x80fccf30, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:0 Total
VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN peers:0
Can anyone help me out here? I honestly am not very familiar with VPN
setup, but I am trying to absorb all I can from cisco.com.
Brian
--
-----------------------------------------------
Brian Feeny, CCIE #8036 e: signal at shreve.net
Network Engineer p: 318.222.2638x109
ShreveNet Inc. f: 318.221.6612
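
Added example, not part of the original post: a small parser for the ISAKMP debug format shown above that lists each phase 1 transform the client offered and which attributes differ from the posted isakmp policy 20. The sample input is constructed from two of the posted transforms; the ID table follows the IANA IKE registry, and parse_offers, mismatches and the policy dictionary are names introduced for this example.

```python
import re
# IANA IKEv1 phase 1 encryption IDs; the PIX prints "What? N?" for an ID it does not know.
IKE_ENC_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
# Policy 20 from the posted config (des/sha/group 2); debug spellings are an assumption.
POLICY_20 = {"encryption": "DES-CBC", "hash": "SHA", "group": "2"}
# Constructed sample: transforms 1 and 9 in the format of the posted debug.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
"""

HEADER = re.compile(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+)")
PATTERNS = [
    ("encryption", re.compile(r"ISAKMP:\s+encryption\.\.\. What\? (\d+)\?")),
    ("encryption", re.compile(r"ISAKMP:\s+encryption (\S+)")),
    ("hash", re.compile(r"ISAKMP:\s+hash (\S+)")),
    ("group", re.compile(r"ISAKMP:\s+default group (\d+)")),
    ("auth", re.compile(r"ISAKMP:\s+((?:extended )?auth \S+)")),
]

def parse_offers(debug_text):
    """Return one dict per 'Checking ISAKMP transform N' block."""
    offers = []
    for line in debug_text.splitlines():
        m = HEADER.search(line)
        if m:
            offers.append({"transform": int(m[1]), "priority": int(m[2])})
            continue
        for key, pat in PATTERNS if offers else []:
            m = pat.search(line)
            if m:
                value = m[1]
                if key == "encryption" and value.isdigit():
                    value = IKE_ENC_IDS.get(int(value), "id-" + value)
                offers[-1][key] = value
                break
    return offers

def mismatches(offer, policy):
    """Names of the policy attributes that the offer does not match."""
    return [k for k, v in policy.items() if offer.get(k) != v]
```

Run over the sample, transform 1 resolves the unrecognised ID 7 to AES-CBC and both offers report an encryption mismatch against policy 20. The parsed priority field shows which policy number the PIX was comparing each offer against.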