[nsp] Can't get Cisco VPN Client -> PIX to work

Jarrod Baumann jarrod at advmed.com
Thu Apr 24 16:04:38 EDT 2003


Brian,

The key line to note here would be "atts are not acceptable".  This means
the attributes you have defined for the policy are not matching the settings
configured for the VPN client.  Either DH group, PFS, timeout values maybe,
or a non-matching encryption/hash pair.

Look over your config and I bet something will stand out.

Or, you could try issuing an "ISAKMP IDENTITY ADDRESS" line.

And get 6.3.  It now supports NAT Transparency like the VPN Concentrator. 
Don't know how well it works, but would like to know.

Jarrod
kang

On 24 Apr 2003, Brian wrote:

:
:I am having troubles getting a simple VPN up and running on a PIX.  I
:have tried PIX 6.1.4 and now am using 6.2.2.  I have tried VPN Client
:3.x.
:
:On the VPN client, it is very simple, all I do is give it the outside
:interface IP of the PIX to connect to, tell it group "vpn3000" and the
:correct password, and that's all I should need to do.
:
:On the PIX, here is the relevant part of the config:
:
:access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
:ip address outside 207.254.193.39 255.255.255.240
:ip address inside 10.1.1.1 255.255.255.0
:ip local pool vpnpool 10.4.1.1-10.4.1.255
:nat (inside) 0 access-list 110
:sysopt connection permit-ipsec
:crypto ipsec transform-set myset esp-des esp-md5-hmac
:crypto dynamic-map cisco 1 set transform-set myset
:crypto map dyn-map 20 ipsec-isakmp dynamic cisco
:crypto map dyn-map interface outside
:isakmp enable outside
:isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
:isakmp policy 20 authentication pre-share
:isakmp policy 20 encryption des
:isakmp policy 20 hash sha
:isakmp policy 20 group 2
:isakmp policy 20 lifetime 86400
:vpngroup vpn3000 address-pool vpnpool
:vpngroup vpn3000 dns-server 207.254.192.2
:vpngroup vpn3000 wins-server 207.253.192.23
:vpngroup vpn3000 default-domain shreve.net
:vpngroup vpn3000 idle-time 1800
:vpngroup vpn3000 password ********
:
:
:I have tried the above with and without the "isakmp key" line.  I have
:tried almost every basic config I could find at cisco.com, but none are
:working for me, I always get the following debug:
:
:crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
:VPN Peer: ISAKMP: Added new peer: ip:207.254.222.205 Total VPN Peers:1
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:1 Total
:VPN Peers:1
:OAK_AG exchange
:ISAKMP (0): processing SA payload. message ID = 0
:
:ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash MD5
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash MD5
:ISAKMP:      default group 2
:ISAKMP:      auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash MD5
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
:ISAKMP:      encryption... What? 7?
:ISAKMP:      hash MD5
:ISAKMP:      default group 2
:ISAKMP:      auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP:          attribute 3584
:ISAKMP (0): atts are not acceptable. Next payload is 3
:ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
:ISAKMP:      encryption 3DES-CBC
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4
:crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
:VPN Peers:1
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
:VPN Peers:1
:crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
:VPN Peers:1
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
:VPN Peers:1
:crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total
:VPN Peers:1
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total
:VPN Peers:1
:ISAKMP (0): retransmitting phase 1...
:ISAKMP (0): retransmitting phase 1...
:ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
:ISADB: reaper checking SA 0x80fccf30, conn_id = 0  DELETE IT!
:
:VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:0 Total
:VPN Peers:1
:VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN peers:0
:
:
:Can anyone help me out here?  I honestly am not very familiar with VPN
:setup, but I am trying to absorb all I can from cisco.com. 
:
:Brian
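To make the mismatch Jarrod points at concrete, here is an added Python example (not code from either poster) that parses the "Checking ISAKMP transform" blocks of the quoted debug and compares each client proposal against the PIX's "isakmp policy" settings. It assumes the IANA IKEv1 meaning of encryption attribute value 7 (AES-CBC, which PIX 6.2 prints as "What? 7?") and the keyword-to-name map CFG_ENC; the DEBUG text is a constructed subset of the debug above.

```python
import re

# IKEv1 Encryption Algorithm attribute values (IANA ISAKMP registry).
# PIX 6.2 prints "encryption... What? 7?" because it does not know value 7 (AES-CBC).
IKE_ENC_ID = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
# "isakmp policy N encryption <kw>" keywords mapped to the names the debug prints (assumption).
CFG_ENC = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC"}

# Constructed sample: two of the client's transforms from the debug quoted in the thread.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
"""
# The "isakmp policy 20" lines from the quoted PIX config, as keyword values.
PIX_POLICIES = {20: {"encryption": "des", "hash": "sha", "group": "2"}}

def parse_transforms(debug):
    """Collect each 'Checking ISAKMP transform N' block into a dict of proposed attributes."""
    transforms = []
    for line in debug.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            transforms.append({"id": int(m.group(1))})
        elif not transforms:
            continue  # attribute line before any transform header: ignore
        elif m := re.search(r"encryption\.\.\. What\? (\d+)\?", line):  # id the PIX could not name
            transforms[-1]["encryption"] = IKE_ENC_ID.get(int(m.group(1)), f"unknown({m.group(1)})")
        elif m := re.search(r"(encryption|hash|group) (\S+)", line):
            transforms[-1][m.group(1)] = m.group(2)
    return transforms

def diagnose(debug, policies):
    """Return {transform id: [mismatches]}; an empty list means that policy would accept the proposal."""
    report = {}
    for t in parse_transforms(debug):
        report[t["id"]] = []
        for prio, pol in policies.items():
            want = {"encryption": CFG_ENC[pol["encryption"]], "hash": pol["hash"].upper(), "group": pol["group"]}
            report[t["id"]] += [f"policy {prio} {a}: client {t.get(a)} vs PIX {v}"
                                for a, v in want.items() if t.get(a) != v]
    return report

if __name__ == "__main__":
    for tid, problems in diagnose(DEBUG, PIX_POLICIES).items():
        print(f"transform {tid}: " + ("acceptable" if not problems else "; ".join(problems)))
```

Run against the quoted config, both sampled transforms fail only on encryption: the client offers AES and 3DES while policy 20 allows DES alone, which is the "atts are not acceptable" result in the debug.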