[nsp] Can't get Cisco VPN Client -> PIX to work
Brian
signal at shreve.net
Fri Apr 25 16:48:22 EDT 2003
It turned out I was traversing NAT on the VPN Client side, and didn't
know that was a no-no. I upgraded to 6.3.1 and enabled "isakmp
nat-traversal" and everything works great now.
I do have a question regarding split-tunneling. I have split-tunneling
enabled so that clients can access normal Internet stuff in the clear,
and stuff to the VPN encrypted. This works well. On the VPN client,
when I go to Status->Statistics->Routes I see the remote routes I have
declared in the split-tunnel access-list, just like I would expect. It
shows no routes, however, under "Local LAN Routes". It works, but I don't
see routes there, and I was confused by that. This is with clients
3.6.3 and 3.6.4 and PIX 6.3.1.
Brian
On Thu, 2003-04-24 at 15:38, Charlie Winckless wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Brian,
> >
> > The key line to note here would be "atts are not acceptable". This means
> > the attributes you have defined for the policy are not matching the
> > settings configured for the VPN client. Either DH group, PFS, timeout
> > values maybe, or a non-matching encryption/hash pair.
> >
>
> I'd definitely second this.
>
> I believe, in fact, you're seeing a mismatch on the hash.
>
> Use md5, not SHA, in your isakmp policy
>
>
> (Alternately, with an old client, it could be the DH group,
> which is 2 for post 3.0 (?) and 1 for older versions)
>
> > Or, you could try issuing an "ISAKMP IDENTITY ADDRESS" line.
> >
>
> This should be the default.
>
> > And get 6.3. It now supports NAT Transparency like the VPN
> > Concentrator.
> > Don't know how well it works, but would like to know.
> >
>
> It also supports LOCAL username authentication, so I
> can get users and passwords without a RADIUS server.
>
> I also haven't tested it in the last month since its
> release, but there were some definitely nice features in
> the release notes.
>
> - -- Charlie
>
> > Jarrod
> > kang
> >
> > On 24 Apr 2003, Brian wrote:
> >
> > :
> > :I am having troubles getting a simple VPN up and running on a PIX. I
> > :have tried PIX 6.1.4 and now am using 6.2.2. I have tried VPN Client
> > :3.x.
> > :
> > :On the VPN client, it is very simple, all I do is give it the outside
> > :interface IP of the PIX to connect to, tell it group "vpn3000" and the
> > :correct password, and that's all I should need to do.
> > :
> > :On the PIX, here is the relevant part of the config:
> > :
> > :access-list 110 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
> > :ip address outside 207.254.193.39 255.255.255.240
> > :ip address inside 10.1.1.1 255.255.255.0
> > :ip local pool vpnpool 10.4.1.1-10.4.1.255
> > :nat (inside) 0 access-list 110
> > :sysopt connection permit-ipsec
> > :crypto ipsec transform-set myset esp-des esp-md5-hmac
> > :crypto dynamic-map cisco 1 set transform-set myset
> > :crypto map dyn-map 20 ipsec-isakmp dynamic cisco
> > :crypto map dyn-map interface outside
> > :isakmp enable outside
> > :isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
> > :isakmp policy 20 authentication pre-share
> > :isakmp policy 20 encryption des
> > :isakmp policy 20 hash sha
> > :isakmp policy 20 group 2
> > :isakmp policy 20 lifetime 86400
> > :vpngroup vpn3000 address-pool vpnpool
> > :vpngroup vpn3000 dns-server 207.254.192.2
> > :vpngroup vpn3000 wins-server 207.253.192.23
> > :vpngroup vpn3000 default-domain shreve.net
> > :vpngroup vpn3000 idle-time 1800
> > :vpngroup vpn3000 password ********
> > :
> > :
> > :I have tried the above with and without the "isakmp key" line. I have
> > :tried almost every basic config I could find at cisco.com, but none are
> > :working for me, I always get the following debug:
> > :
> > :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> > :VPN Peer: ISAKMP: Added new peer: ip:207.254.222.205 Total VPN Peers:1
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:1 Total VPN Peers:1
> > :OAK_AG exchange
> > :ISAKMP (0): processing SA payload. message ID = 0
> > :
> > :ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash SHA
> > :ISAKMP: default group 2
> > :ISAKMP: extended auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash MD5
> > :ISAKMP: default group 2
> > :ISAKMP: extended auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash SHA
> > :ISAKMP: default group 2
> > :ISAKMP: auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash MD5
> > :ISAKMP: default group 2
> > :ISAKMP: auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash SHA
> > :ISAKMP: default group 2
> > :ISAKMP: extended auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash MD5
> > :ISAKMP: default group 2
> > :ISAKMP: extended auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash SHA
> > :ISAKMP: default group 2
> > :ISAKMP: auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
> > :ISAKMP: encryption... What? 7?
> > :ISAKMP: hash MD5
> > :ISAKMP: default group 2
> > :ISAKMP: auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
> > :ISAKMP: attribute 3584
> > :ISAKMP (0): atts are not acceptable. Next payload is 3
> > :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
> > :ISAKMP: encryption 3DES-CBC
> > :ISAKMP: hash SHA
> > :ISAKMP: default group 2
> > :ISAKMP: extended auth pre-share
> > :ISAKMP: life type in seconds
> > :ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
> > :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> > :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> > :crypto_isakmp_process_block: src 207.254.222.205, dest 207.254.193.39
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt incremented to:2 Total VPN Peers:1
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:1 Total VPN Peers:1
> > :ISAKMP (0): retransmitting phase 1...
> > :ISAKMP (0): retransmitting phase 1...
> > :ISAKMP (0): deleting SA: src 207.254.222.205, dst 207.254.193.39
> > :ISADB: reaper checking SA 0x80fccf30, conn_id = 0 DELETE IT!
> > :
> > :VPN Peer: ISAKMP: Peer ip:207.254.222.205 Ref cnt decremented to:0 Total VPN Peers:1
> > :VPN Peer: ISAKMP: Deleted peer: ip:207.254.222.205 Total VPN peers:0
> > :
> > :Can anyone help me out here? I honestly am not very familiar with VPN
> > :setup, but I am trying to absorb all I can from cisco.com.
> > :
> > :Brian
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.0.4
>
> iQA/AwUBPqhLKsrtF6HAen5cEQJjHwCfVpuIvFaz06/NyNGk0pUhJ3q7sZAAnRm0
> Jy26b80TWstyEWwJAgmWzwM+
> =tLXh
> -----END PGP SIGNATURE-----
--
-----------------------------------------------
Brian Feeny, CCIE #8036 e: signal at shreve.net
Network Engineer p: 318.222.2638x109
ShreveNet Inc. f: 318.221.6612
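The thread turns on reading the "atts are not acceptable" lines: each numbered transform in the debug is one proposal from the VPN Client, and the PIX prints the attributes it parsed before rejecting it. The following script is an added example (not from the thread, not Cisco's code) that parses that debug format and the `isakmp policy` lines from a PIX config and reports, per rejected transform, which attribute cannot match. The sample config and debug excerpt embedded below are constructed from what Brian quoted (transforms 1, 4 and 9); the function and field names are the example's own. The encryption-id table is the IANA IKEv1 Encryption Algorithm attribute registry, which is what "What? 7?" refers to when the software does not implement the algorithm.

```python
"""Explain PIX 'debug crypto isakmp' rejections against a configured isakmp policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IKEv1 Encryption Algorithm attribute values (attribute class 1).
# A PIX prints only the number ("What? 7?") when its software lacks the algorithm.
ISAKMP_ENCRYPTION_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

# Constructed from the 'isakmp policy 20' lines quoted in the thread.
PIX_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed excerpt of the quoted debug: transforms 1, 4 and 9 only.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
"""


@dataclass
class Transform:
    number: int
    encryption: Optional[str] = None      # canonical name: "des", "3des", "aes"
    unknown_enc_id: Optional[int] = None  # numeric id the PIX could not name
    hash: Optional[str] = None
    group: Optional[int] = None
    auth: Optional[str] = None
    xauth: bool = False                   # "extended auth" = XAUTH variant
    lifetime: Optional[int] = None        # seconds, decoded from the VPI bytes
    accepted: Optional[bool] = None


def canon_enc(name: str) -> str:
    """Map '3DES-CBC' / 'des' to a comparable token."""
    return name.lower().replace("-cbc", "")


def parse_policy(text: str) -> Dict[str, object]:
    """Read the attributes of an 'isakmp policy N ...' block from a config."""
    pol: Dict[str, object] = {}
    for m in re.finditer(r"isakmp policy \d+ (\w+) (\S+)", text):
        key, val = m.group(1), m.group(2)
        if key == "authentication":
            pol["auth"] = val
        elif key == "encryption":
            pol["encryption"] = canon_enc(val)
        elif key == "hash":
            pol["hash"] = val.lower()
        elif key in ("group", "lifetime"):
            pol[key] = int(val)
    return pol


def parse_debug(text: str) -> List[Transform]:
    """Split the debug into one Transform per 'Checking ISAKMP transform N' block."""
    out: List[Transform] = []
    cur: Optional[Transform] = None
    for line in text.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = Transform(int(m.group(1)))
            out.append(cur)
            continue
        if cur is None:
            continue
        if m := re.search(r"encryption\.\.\. What\? (\d+)\?", line):
            cur.unknown_enc_id = int(m.group(1))
        elif m := re.search(r"encryption (\S+)", line):
            cur.encryption = canon_enc(m.group(1))
        elif m := re.search(r"hash (\S+)", line):
            cur.hash = m.group(1).lower()
        elif m := re.search(r"group (\d+)", line):
            cur.group = int(m.group(1))
        elif m := re.search(r"(extended )?auth (\S+)", line):
            cur.xauth, cur.auth = bool(m.group(1)), m.group(2)
        elif m := re.search(r"life duration \(VPI\) of((?:\s+0x[0-9a-fA-F]+)+)", line):
            # The lifetime is printed as big-endian bytes, e.g. 0x0 0x20 0xc4 0x9b.
            cur.lifetime = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
        elif "atts are not acceptable" in line:
            cur.accepted = False
        elif "atts are acceptable" in line:
            cur.accepted = True
    return out


def explain_rejection(t: Transform, pol: Dict[str, object]) -> List[str]:
    """Attributes of t that cannot match pol. Lifetime and XAUTH are left out of
    the comparison: Cisco IKE settles on the shorter lifetime rather than failing."""
    reasons = []
    if t.unknown_enc_id is not None:
        name = ISAKMP_ENCRYPTION_IDS.get(t.unknown_enc_id, "unknown")
        reasons.append(f"encryption id {t.unknown_enc_id} ({name}) not recognised by this PIX software")
    elif t.encryption != pol["encryption"]:
        reasons.append(f"encryption {t.encryption} != policy {pol['encryption']}")
    if t.hash != pol["hash"]:
        reasons.append(f"hash {t.hash} != policy {pol['hash']}")
    if t.group != pol["group"]:
        reasons.append(f"group {t.group} != policy {pol['group']}")
    if t.auth != pol["auth"]:
        reasons.append(f"auth {t.auth} != policy {pol['auth']}")
    return reasons


def analyse(debug: str, config: str) -> Dict[int, List[str]]:
    """Map each rejected transform number to its list of mismatch reasons."""
    pol = parse_policy(config)
    return {t.number: explain_rejection(t, pol) for t in parse_debug(debug) if t.accepted is False}


if __name__ == "__main__":
    for num, reasons in analyse(PIX_DEBUG, PIX_CONFIG).items():
        print(f"transform {num}: " + "; ".join(reasons))
```

Run as is, the script reports transforms 1 and 4 as carrying an encryption algorithm this PIX build cannot name (value 7), transform 4 additionally as an MD5/SHA hash mismatch, and transform 9, the only proposal with a recognised cipher, as 3DES against the policy's `encryption des` with hash, group and authentication all matching. That is the check to do before changing any policy line: read the attribute that actually differs rather than guessing.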