[c-nsp] Problem with VPN to PIX

Marcus Keane mkeane at microsoft.com
Tue Apr 5 01:20:51 EDT 2005


It's been a while since I played with this, but could this line be your
problem:

crypto map mymap client authentication LOCAL

I believe this line is for xauth authentication and Windows doesn't
support this. User authentication is done by PPP.

Marcus

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
> Sent: Tuesday, 5 April 2005 14:20
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Problem with VPN to PIX
> 
> Hi All,
> 
>   OK I am stumped on a problem and I've looked over this config a dozen
> times and I don't know why it's not working.  I'd greatly appreciate any
> suggestions other than to run the Cisco VPN client.  (I'll shoot any
> smartass that suggests that, and no it doesn't work either, I already tried)
> 
>   Setup is a PIX 506 running PIX 6.3.4.  VPN client is Windows XP SP2, and
> also I tested with Win98 running Microsoft's IPSec VPN client.  The
> clients are configured to use IPSec/L2TP with a preshared key.  They don't
> work, do not authenticate.  I get a log entry on the PIX about isakmp
> handshaking starting up and that's it.
> The clients just hang during the initial connection.
> 
>   The exact same PIX and same Windows clients work perfectly if I wipe
> the PIX config and replace it with a PIX config that does PPTP and change
> the clients to use pptp.
> 
>   I've also tried "isakmp policy 20 group 2" with no difference.
> 
> Here's the PIX config:
> 
> : Written by enable_15 at 15:06:25.973 UTC Mon Apr 4 2005
> PIX Version 6.3(4)
> interface ethernet0 auto
> interface ethernet1 auto
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password XXXXXXXXXXX encrypted
> passwd XXXXXXXXXX encrypted
> hostname YYYYYYYYY
> domain-name ZZZZZZZZ.com
> fixup protocol dns maximum-length 512
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol tftp 69
> names
> access-list eatme-incoming permit tcp 65.75.16.0 255.255.255.0 any eq 3389
> access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
> access-list l2tp permit udp host 189.17.44.166 any eq 1701
> pager lines 24
> logging on
> logging buffered debugging
> mtu outside 1500
> mtu inside 1500
> ip address outside 189.17.44.166 255.255.255.252
> ip address inside 192.168.1.1 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool l2tp 192.168.254.1-192.168.254.254
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list nonat
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
> access-group eatme-incoming in interface outside
> conduit permit icmp any any
> route outside 0.0.0.0 0.0.0.0 189.17.44.165 1
> timeout xlate 0:05:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> tftp-server outside 65.75.64.2 XXXXXXXXXXX.txt
> floodguard enable
> sysopt connection permit-l2tp
> crypto ipsec transform-set l2tp esp-des esp-md5-hmac
> crypto ipsec transform-set l2tp mode transport
> crypto ipsec security-association lifetime seconds 3600
> crypto dynamic-map dyna 20 match address l2tp
> crypto dynamic-map dyna 20 set transform-set l2tp
> crypto map mymap 10 ipsec-isakmp dynamic dyna
> crypto map mymap client authentication LOCAL
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
> isakmp policy 20 authentication pre-share
> isakmp policy 20 encryption des
> isakmp policy 20 hash md5
> isakmp policy 20 group 1
> isakmp policy 20 lifetime 86400
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 10
> ssh 65.75.20.0 255.255.255.0 outside
> ssh timeout 5
> console timeout 0
> vpdn group l2tpipsec accept dialin l2tp
> vpdn group l2tpipsec ppp authentication chap
> vpdn group l2tpipsec ppp authentication mschap
> vpdn group l2tpipsec client configuration address local l2tp
> vpdn group l2tpipsec client configuration dns 192.168.1.2 26.13.2.4
> vpdn group l2tpipsec client configuration wins 192.168.1.2
> vpdn group l2tpipsec client accounting RADIUS
> vpdn group l2tpipsec client authentication local
> vpdn group l2tpipsec l2tp tunnel hello 60
> vpdn username testuser password AAAAAAAABBBBCCCC
> vpdn enable outside
> dhcpd address 192.168.1.100-192.168.1.149 inside
> dhcpd dns 192.168.1.2 26.13.2.4
> dhcpd wins 192.168.1.2
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd option 46 hex 08
> dhcpd enable inside
> terminal width 80
> : end
> 
> Any suggestions?  This is the one config Cisco doesn't seem to have on
> file for the PIXen.  (no, I do not want to use a 3rd party generated
> certificate)
> 
> Ted
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
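An added example, not code from either poster: a small Python lint that reads a PIX 6.3 style config and flags the lines a reviewer would question in the thread's setup, including the XAUTH line Marcus points at and the weak crypto and wildcard pre-shared key settings visible in Ted's config. The sample config is a constructed excerpt of the posted one; the finding names are my own labels.

```python
import re

# Constructed sample: the VPN-relevant lines from the posted PIX 6.3 config,
# keeping the same placeholder values the poster used.
SAMPLE_CONFIG = """\
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 match address l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
snmp-server community public
"""

# Each check: (finding label, regex matched against one stripped config line, why it matters).
CHECKS = [
    ("xauth-on-l2tp-map", r"^crypto map \S+ client authentication ",
     "XAUTH on the crypto map; Windows L2TP/IPsec clients do not do XAUTH, "
     "user auth happens inside PPP (the point raised in the reply)"),
    ("wildcard-psk", r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0",
     "one pre-shared key accepted from any peer address"),
    ("weak-isakmp-encryption", r"^isakmp policy \d+ encryption des$", "single DES for IKE phase 1"),
    ("weak-isakmp-hash", r"^isakmp policy \d+ hash md5$", "MD5 for IKE phase 1"),
    ("weak-dh-group", r"^isakmp policy \d+ group 1$", "768-bit DH group 1"),
    ("weak-transform-set", r"^crypto ipsec transform-set \S+ esp-des\b",
     "single DES for IPsec phase 2"),
    ("default-snmp-community", r"^snmp-server community public$", "default read community string"),
]

def audit_pix_config(text):
    """Return (finding label, line number, config line) for every line that matches a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        for label, pattern, _reason in CHECKS:
            if re.match(pattern, stripped):
                findings.append((label, lineno, stripped))
    return findings

if __name__ == "__main__":
    for label, lineno, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {label}: {line}")
```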