[nsp] Can't get Cisco VPN Client -> PIX to work

Charlie Winckless CharlieW at netarch.com
Thu Apr 24 15:38:09 EDT 2003



> Brian,
> 
> The key line to note here would be "atts are not acceptable". This means
> the attributes you have defined for the policy are not matching the settings
> configured for the VPN client. Either DH group, PFS, timeout values maybe,
> or a non-matching encryption/hash pair.
> 

I'd definitely second this. 

I believe, in fact, you're seeing a mismatch on the hash.

Use MD5, not SHA, in your isakmp policy.

(Alternatively, with an old client, it could be the DH group,
which is 2 for post-3.0 (?) and 1 for older versions.)

> Or, you could try issuing an "ISAKMP IDENTITY ADDRESS" line.
> 

This should be the default.

> And get 6.3.  It now supports NAT Transparency like the VPN 
> Concentrator. 
> Don't know how well it works, but would like to know.
> 

It also supports LOCAL username authentication, so I
can get users and passwords without a RADIUS server.

I also haven't tested it in the last month since its
release, but there were some definitely nice features in
the release notes.

-- Charlie

> Jarrod
> kang
> 
> On 24 Apr 2003, Brian wrote:
> 
> :
> :I am having troubles getting a simple VPN up and running on a PIX.
> :I have tried PIX 6.1.4 and now am using 6.2.2.  I have tried VPN Client 3.x.
> :
> :On the VPN client, it is very simple, all I do is give it the outside
> :interface IP of the PIX to connect to, tell it group "vpn3000" and the
> :correct password, and that's all I should need to do.
> :
> :On the PIX, here is the relevant part of the config:
> :
> :access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
> :ip address outside 207.254.193.39 255.255.255.240
> :ip address inside 10.1.1.1 255.255.255.0
> :ip local pool vpnpool 10.4.1.1-10.4.1.255
> :nat (inside) 0 access-list 110
> :sysopt connection permit-ipsec
> :crypto ipsec transform-set myset esp-des esp-md5-hmac
> :crypto dynamic-map cisco 1 set transform-set myset
> :crypto map dyn-map 20 ipsec-isakmp dynamic cisco
> :crypto map dyn-map interface outside
> :isakmp enable outside
> :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
> :isakmp policy 20 authentication pre-share
> :isakmp policy 20 encryption des
> :isakmp policy 20 hash sha
> :isakmp policy 20 group 2
> :isakmp policy 20 lifetime 86400
> :vpngroup vpn3000 address-pool vpnpool
> :vpngroup vpn3000 dns-server 207.254.192.2
> :vpngroup vpn3000 wins-server 207.253.192.23
> :vpngroup vpn3000 default-domain shreve.net
> :vpngroup vpn3000 idle-time 1800
> :vpngroup vpn3000 password ********
> :
> :
> :I have tried the above with and without the "isakmp key" line.  I have
> :tried almost every basic config I could find at cisco.com, but none are
> :working for me; I always get the following debug:
> :
> :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> :VPN Peer: ISAKMP: Added new peer: ip:207.254.222.205 Total VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:1 Total VPN Peers:1
> :OAK_AG exchange
> :ISAKMP (0): processing SA payload. message ID = 0
> :
> :ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash MD5
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash MD5
> :ISAKMP:      default group 2
> :ISAKMP:      auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash MD5
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
> :ISAKMP:      encryption... What? 7?
> :ISAKMP:      hash MD5
> :ISAKMP:      default group 2
> :ISAKMP:      auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP:          attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
> :ISAKMP:      encryption 3DES-CBC
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4
> :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> :ISAKMP (0): retransmitting phase 1...
> :ISAKMP (0): retransmitting phase 1...
> :ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
> :ISADB: reaper checking SA 0x80fccf30, conn_id = 0  DELETE IT!
> :
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:0 Total VPN Peers:1
> :VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN peers:0
> :
> :
> :Can anyone help me out here?  I honestly am not very familiar with VPN
> :setup, but I am trying to absorb all I can from cisco.com.
> :
> :Brian
> :
> 
> 
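Added example, not part of the thread: a small Python script that parses the "debug crypto isakmp" excerpt quoted above and reports, per client transform, which phase 1 attributes differ from the PIX policy in Brian's config, so the "atts are not acceptable" lines can be traced to a concrete attribute. DEBUG is a constructed excerpt of that output, PIX_POLICY is taken from the quoted "isakmp policy 20" lines, and the encryption id table follows the IANA IKEv1 attribute assignments; passing a different policy dict to explain() shows which transforms an alternative policy would accept.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output quoted above (client transforms 2 and 9).
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
"""
# Phase 1 attributes of the quoted PIX config ("isakmp policy 20 ...").
PIX_POLICY = {"encryption": "DES-CBC", "hash": "SHA", "group": "2"}
# IANA IKEv1 Encryption Algorithm attribute ids; 7 (AES-CBC) is the value this PIX
# release prints as "What? 7?" because it cannot decode it.
ENC_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HEADER = re.compile(r"ISAKMP \(0\): Checking ISAKMP transform (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|default group)(?:\.\.\. What\? (\d+)\?| (\S+))")

def parse_transforms(debug):
    """Return one dict of phase 1 attributes per client transform found in the debug."""
    transforms = []
    for line in debug.splitlines():
        if m := HEADER.match(line):
            transforms.append({"id": int(m.group(1)), "unsupported": False})
        elif (m := ATTR.match(line)) and transforms:
            key = m.group(1).replace("default ", "")
            if m.group(2):  # "What? N?": the PIX could not decode the encryption id
                transforms[-1][key] = ENC_IDS.get(int(m.group(2)), "id " + m.group(2))
                transforms[-1]["unsupported"] = True
            else:
                transforms[-1][key] = m.group(3)
    return transforms

def mismatches(transform, policy=PIX_POLICY):
    """Attributes of one client transform that the given PIX policy would reject."""
    reasons = [f"{k}: client {transform.get(k)} vs PIX {policy[k]}"
               for k in ("encryption", "hash", "group") if transform.get(k) != policy[k]]
    if transform["unsupported"]:
        reasons.append("encryption id not implemented by this PIX release")
    return reasons

def explain(debug, policy=PIX_POLICY):
    """Map transform id -> mismatch reasons; an empty list means the PIX would accept it."""
    return {t["id"]: mismatches(t, policy) for t in parse_transforms(debug)}
```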
