[nsp] Can't get Cisco VPN Client -> PIX to work
Charlie Winckless
CharlieW at netarch.com
Thu Apr 24 15:38:09 EDT 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Brian,
>
> The key line to note here would be atts are not acceptable.
> This is meaning
> the attributes you have defined for the policy are not
> matching the settings
> configured for the VPN client. Either dh group, pfs, timeout
> values maybe,
> or a non matching encryption/hash pair.
>
I'd definitely second this.
I believe, in fact, you're seeing a mismatch on the hash.
Use md5, not SHA, in your isakmp policy
(Alternately, with an old client, it could be the DH group,
which is 2 for post 3.0 (?) and 1 for older versions)
> Or, you could try issuing an "ISAKMP IDENTITY ADDRESS" line.
>
This should be the default.
> And get 6.3. It now supports NAT Transparency like the VPN
> Concentrator.
> Don't know how well it works, but would like to know.
>
It also supports LOCAL username authentication, so I
can get users and passwords without a RADIUS server.
I also haven't tested it in the last month since it's
release, but it was some definite nice features from
the release notes.
- -- Charlie
> Jarrod
> kang
>
> On 24 Apr 2003, Brian wrote:
>
> :
> :I am having troubles getting a simple VPN up and running on a PIX.
> I :have tried PIX 6.1.4 and now am using 6.2.2. I have tried VPN
> Client :3.x.
> :
> :On the VPN client, it is very simple, all I do is give it the
> outside :interface IP of the PIX to connect to, tell it group
> "vpn3000" and the
> :correct password, and thats all I should need to do.
> :
> :On the PIX, here is the relevent part of the config:
> :
> :access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0
> 255.255.255.0
> :ip address outside 207.254.193.39 255.255.255.240
> :ip address inside 10.1.1.1 255.255.255.0
> :ip local pool vpnpool 10.4.1.1-10.4.1.255
> :nat (inside) 0 access-list 110
> :sysopt connection permit-ipsec
> :crypto ipsec transform-set myset esp-des esp-md5-hmac
> :crypto dynamic-map cisco 1 set transform-set myset
> :crypto map dyn-map 20 ipsec-isakmp dynamic cisco
> :crypto map dyn-map interface outside
> :isakmp enable outside
> :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
> :isakmp policy 20 authentication pre-share
> :isakmp policy 20 encryption des
> :isakmp policy 20 hash sha
> :isakmp policy 20 group 2
> :isakmp policy 20 lifetime 86400
> :vpngroup vpn3000 address-pool vpnpool
> :vpngroup vpn3000 dns-server 207.254.192.2
> :vpngroup vpn3000 wins-server 207.253.192.23
> :vpngroup vpn3000 default-domain shreve.net
> :vpngroup vpn3000 idle-time 1800
> :vpngroup vpn3000 password ********
> :
> :
> :I have tried the above with and without the "isakmp key"
> line. I have
> :tried almost every basic config I could find at cisco.com,
> but none are
> :working for me, I always get the following debug:
> :
> :crypto_isakmp_process_block: src 207.254.222.205, dest
> 207.254.193.39 :VPN Peer: ISAKMP: Added new peer:
> ip:207.254.222.205 Total
> VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> incremented to:1 Total
> :VPN Peers:1
> :OAK_AG exchange
> :ISAKMP (0): processing SA payload. message ID = 0
> :
> :ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash SHA
> :ISAKMP: default group 2
> :ISAKMP: extended auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash MD5
> :ISAKMP: default group 2
> :ISAKMP: extended auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash SHA
> :ISAKMP: default group 2
> :ISAKMP: auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash MD5
> :ISAKMP: default group 2
> :ISAKMP: auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash SHA
> :ISAKMP: default group 2
> :ISAKMP: extended auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash MD5
> :ISAKMP: default group 2
> :ISAKMP: extended auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash SHA
> :ISAKMP: default group 2
> :ISAKMP: auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
> :ISAKMP: encryption... What? 7?
> :ISAKMP: hash MD5
> :ISAKMP: default group 2
> :ISAKMP: auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> :ISAKMP: attribute 3584
> :ISAKMP (0): atts are not acceptable. Next payload is 3
> :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
> :ISAKMP: encryption 3DES-CBC
> :ISAKMP: hash SHA
> :ISAKMP: default group 2
> :ISAKMP: extended auth pre-share
> :ISAKMP: life type in seconds
> :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
> :crypto_isakmp_process_block: src 207.254.222.205, dest
> 207.254.193.39 :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> incremented to:2 Total
> :VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> decremented to:1 Total
> :VPN Peers:1
> :crypto_isakmp_process_block: src 207.254.222.205, dest
> 207.254.193.39 :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> incremented to:2 Total
> :VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> decremented to:1 Total
> :VPN Peers:1
> :crypto_isakmp_process_block: src 207.254.222.205, dest
> 207.254.193.39 :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> incremented to:2 Total
> :VPN Peers:1
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> decremented to:1 Total
> :VPN Peers:1
> :ISAKMP (0): retransmitting phase 1...
> :ISAKMP (0): retransmitting phase 1...
> :ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
> :ISADB: reaper checking SA 0x80fccf30, conn_id = 0 DELETE IT!
> :
> :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt
> decremented to:0 Total
> :VPN Peers:1
> :VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN
> peers:0 :
> :
> :Can anyone help me out here? I honestly am not very
> familiar with VPN
> :setup, but I am trying to absorb all I can from cisco.com.
> :
> :Brian
> :
> :
> :
> :
> :
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQA/AwUBPqhLKsrtF6HAen5cEQJjHwCfVpuIvFaz06/NyNGk0pUhJ3q7sZAAnRm0
Jy26b80TWstyEWwJAgmWzwM+
=tLXh
-----END PGP SIGNATURE-----
More information about the cisco-nsp
mailing list