[c-nsp] Problem with VPN to PIX

Marcus Keane mkeane at microsoft.com
Tue Apr 5 03:19:26 EDT 2005


The line is certainly there in the sample config, but I would guess it
isn't helping in your case as Windows doesn't support xauth. You've told
the PIX with this command to authenticate before going onto quick mode.
I haven't checked, but Windows will probably either ignore the attribute
request or send a notify. I would think it unlikely that the PIX would
just continue on to quick mode anyway.

As to your question about the transform set and main mode policy, it's
difficult to say without seeing the result of the crypto debug and what
proposal is sent by Windows (and whether it's accepted by the PIX). I
just checked my WinXP box here and it doesn't seem to support AES for
IPsec, so you'd probably be better with 3DES and SHA for both main and
quick modes.
HTH,
Marcus

> -----Original Message-----
> From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
> Sent: Tuesday, 5 April 2005 16:58
> To: Marcus Keane; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Problem with VPN to PIX
> 
>  Cisco uses that line in their posted config for l2tp:
> 
> http://www.cisco.com/warp/public/110/l2tp-ipsec.html
> 
> 
>   Could it possibly require a different transform set?
> Perhaps;
> 
> crypto ipsec transform-set l2tp esp-aes-256 esp-sha-hmac
> 
> isakmp policy 20 encryption aes-256
> isakmp policy 20 hash sha
> 
> 
> Ted
> 
> > -----Original Message-----
> > From: Marcus Keane [mailto:mkeane at microsoft.com]
> > Sent: Monday, April 04, 2005 10:21 PM
> > To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Problem with VPN to PIX
> >
> >
> > It's been a while since I played with this, but could this line be your
> > problem:
> >
> > crypto map mymap client authentication LOCAL
> >
> > I believe this line is for xauth authentication and Windows doesn't
> > support this. User authentication is done by PPP.
> > Marcus
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
> > > Sent: Tuesday, 5 April 2005 14:20
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] Problem with VPN to PIX
> > >
> > > Hi All,
> > >
> > >   OK I am stumped on a problem and I've looked over this config a dozen times
> > > and I don't know why it's not working.  I'd greatly appreciate any suggestions
> > > other than to run the Cisco VPN client.  (I'll shoot any smartass that suggests
> > > that, and no it don't work either, I already tried)
> > >
> > >   Setup is a PIX 506 running PIX 6.3.4.  VPN client is Windows XP SP2, and
> > > also I tested with Win98 running Microsoft's IPSec VPN client.  The clients are
> > > configured to use IPSec/L2TP with a preshared key.  They don't work, do
> > > not authenticate.  I get a log entry on the PIX about isakmp handshaking
> > > starting up and that's it.
> > > The clients just hang during the initial connection.
> > >
> > >   The exact same PIX and same Windows clients work perfectly if I wipe the
> > > PIX config and replace it with a PIX config that does PPTP and change the
> > > clients to use pptp.
> > >
> > >   I've also tried "isakmp policy 20 group 2" with no difference.
> > >
> > > Here's the PIX config:
> > >
> > > : Written by enable_15 at 15:06:25.973 UTC Mon Apr 4 2005
> > > PIX Version 6.3(4)
> > > interface ethernet0 auto
> > > interface ethernet1 auto
> > > nameif ethernet0 outside security0
> > > nameif ethernet1 inside security100
> > > enable password XXXXXXXXXXX encrypted
> > > passwd XXXXXXXXXX encrypted
> > > hostname YYYYYYYYY
> > > domain-name ZZZZZZZZ.com
> > > fixup protocol dns maximum-length 512
> > > fixup protocol ftp 21
> > > fixup protocol h323 h225 1720
> > > fixup protocol h323 ras 1718-1719
> > > fixup protocol http 80
> > > fixup protocol rsh 514
> > > fixup protocol rtsp 554
> > > fixup protocol sip 5060
> > > fixup protocol sip udp 5060
> > > fixup protocol skinny 2000
> > > fixup protocol smtp 25
> > > fixup protocol sqlnet 1521
> > > fixup protocol tftp 69
> > > names
> > > access-list eatme-incoming permit tcp 65.75.16.0 255.255.255.0 any eq 3389
> > > access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
> > > access-list l2tp permit udp host 189.17.44.166 any eq 1701
> > > pager lines 24
> > > logging on
> > > logging buffered debugging
> > > mtu outside 1500
> > > mtu inside 1500
> > > ip address outside 189.17.44.166 255.255.255.252
> > > ip address inside 192.168.1.1 255.255.255.0
> > > ip audit info action alarm
> > > ip audit attack action alarm
> > > ip local pool l2tp 192.168.254.1-192.168.254.254
> > > pdm logging informational 100
> > > pdm history enable
> > > arp timeout 14400
> > > global (outside) 1 interface
> > > nat (inside) 0 access-list nonat
> > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
> > > access-group eatme-incoming in interface outside
> > > conduit permit icmp any any
> > > route outside 0.0.0.0 0.0.0.0 189.17.44.165 1
> > > timeout xlate 0:05:00
> > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > timeout uauth 0:05:00 absolute
> > > aaa-server TACACS+ protocol tacacs+
> > > aaa-server TACACS+ max-failed-attempts 3
> > > aaa-server TACACS+ deadtime 10
> > > aaa-server RADIUS protocol radius
> > > aaa-server RADIUS max-failed-attempts 3
> > > aaa-server RADIUS deadtime 10
> > > aaa-server LOCAL protocol local
> > > no snmp-server location
> > > no snmp-server contact
> > > snmp-server community public
> > > no snmp-server enable traps
> > > tftp-server outside 65.75.64.2 XXXXXXXXXXX.txt
> > > floodguard enable
> > > sysopt connection permit-l2tp
> > > crypto ipsec transform-set l2tp esp-des esp-md5-hmac
> > > crypto ipsec transform-set l2tp mode transport
> > > crypto ipsec security-association lifetime seconds 3600
> > > crypto dynamic-map dyna 20 match address l2tp
> > > crypto dynamic-map dyna 20 set transform-set l2tp
> > > crypto map mymap 10 ipsec-isakmp dynamic dyna
> > > crypto map mymap client authentication LOCAL
> > > crypto map mymap interface outside
> > > isakmp enable outside
> > > isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
> > > isakmp policy 20 authentication pre-share
> > > isakmp policy 20 encryption des
> > > isakmp policy 20 hash md5
> > > isakmp policy 20 group 1
> > > isakmp policy 20 lifetime 86400
> > > telnet 192.168.1.0 255.255.255.0 inside
> > > telnet timeout 10
> > > ssh 65.75.20.0 255.255.255.0 outside
> > > ssh timeout 5
> > > console timeout 0
> > > vpdn group l2tpipsec accept dialin l2tp
> > > vpdn group l2tpipsec ppp authentication chap
> > > vpdn group l2tpipsec ppp authentication mschap
> > > vpdn group l2tpipsec client configuration address local l2tp
> > > vpdn group l2tpipsec client configuration dns 192.168.1.2 26.13.2.4
> > > vpdn group l2tpipsec client configuration wins 192.168.1.2
> > > vpdn group l2tpipsec client accounting RADIUS
> > > vpdn group l2tpipsec client authentication local
> > > vpdn group l2tpipsec l2tp tunnel hello 60
> > > vpdn username testuser password AAAAAAAABBBBCCCC
> > > vpdn enable outside
> > > dhcpd address 192.168.1.100-192.168.1.149 inside
> > > dhcpd dns 192.168.1.2 26.13.2.4
> > > dhcpd wins 192.168.1.2
> > > dhcpd lease 3600
> > > dhcpd ping_timeout 750
> > > dhcpd option 46 hex 08
> > > dhcpd enable inside
> > > terminal width 80
> > > : end
> > > $
> > >
> > > Any suggestions?  This is the one config Cisco doesn't seem to have on file
> > > for the PIXen.  (no, I do not want to use a 3rd party generated certificate)
> > >
> > > Ted
> > >
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
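The points raised in this thread (an xauth line on the crypto map that the native Windows L2TP/IPsec client can't satisfy, and DES/MD5 where 3DES/SHA would be a safer bet for both main and quick mode) are easy to lose in a long PIX config. Below is an added example, not code from the thread or from Cisco, of a small Python checker that parses the crypto-relevant lines of a PIX 6.3 config and reports those conditions. The config strings are constructed: `THREAD_CONFIG` is the relevant subset of Ted's posted config, and `FIXED_CONFIG` is an assumed "after" state that applies Marcus's advice. The ISAKMP defaults used when a policy omits a keyword (`des`, `sha`) are an assumption about PIX 6.3 behaviour, and the strength ordering is the usual one rather than anything the thread states.

```python
import re

# Constructed sample: the crypto-relevant subset of the PIX 6.3(4) config
# posted in the thread (the 'before' state).
THREAD_CONFIG = """\
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
"""

# Constructed 'after' state (an assumption) following the thread's advice:
# xauth line removed, 3des/sha for both main mode and quick mode.
FIXED_CONFIG = """\
crypto ipsec transform-set l2tp esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp mode transport
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# Relative strength of the PIX keywords (higher is stronger).
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
HASH_RANK = {"md5": 0, "sha": 1}
ESP_ENC_RANK = {"esp-" + k: v for k, v in ENC_RANK.items()}
ESP_HASH_RANK = {"esp-md5-hmac": 0, "esp-sha-hmac": 1}


def parse_pix_config(text):
    """Pull the xauth, isakmp policy and transform-set lines out of a PIX config."""
    cfg = {"xauth_maps": set(), "isakmp_policies": {}, "transform_sets": {}}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"crypto map (\S+) client authentication (\S+)", line)
        if m:                                   # xauth bound to this crypto map
            cfg["xauth_maps"].add(m.group(1))
            continue
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line)
        if m:                                   # e.g. 'isakmp policy 20 hash md5'
            cfg["isakmp_policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) mode (\S+)", line)
        if m:                                   # must come before the generic match below
            cfg["transform_sets"].setdefault(m.group(1), {"transforms": [], "mode": "tunnel"})["mode"] = m.group(2)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:                                   # transform list, e.g. 'esp-des esp-md5-hmac'
            ts = cfg["transform_sets"].setdefault(m.group(1), {"transforms": [], "mode": "tunnel"})
            ts["transforms"] = m.group(2).split()
    return cfg


def audit_l2tp_ipsec(cfg, min_enc="3des", min_hash="sha"):
    """Return findings for an L2TP/IPsec remote-access config, as a list of strings."""
    findings = []
    for name in sorted(cfg["xauth_maps"]):
        findings.append(f"crypto map {name}: xauth enabled; native Windows L2TP/IPsec "
                        "client does not support it, user auth should come from PPP")
    for num, pol in sorted(cfg["isakmp_policies"].items()):
        enc = pol.get("encryption", "des")      # assumed PIX 6.3 default when omitted
        hsh = pol.get("hash", "sha")            # assumed PIX 6.3 default when omitted
        if ENC_RANK.get(enc, -1) < ENC_RANK[min_enc]:
            findings.append(f"isakmp policy {num}: encryption {enc} weaker than {min_enc}")
        if HASH_RANK.get(hsh, -1) < HASH_RANK[min_hash]:
            findings.append(f"isakmp policy {num}: hash {hsh} weaker than {min_hash}")
    for name, ts in sorted(cfg["transform_sets"].items()):
        for t in ts["transforms"]:
            if t in ESP_ENC_RANK and ESP_ENC_RANK[t] < ESP_ENC_RANK["esp-" + min_enc]:
                findings.append(f"transform-set {name}: {t} weaker than esp-{min_enc}")
            if t in ESP_HASH_RANK and ESP_HASH_RANK[t] < ESP_HASH_RANK[f"esp-{min_hash}-hmac"]:
                findings.append(f"transform-set {name}: {t} weaker than esp-{min_hash}-hmac")
        if ts["mode"] != "transport":           # L2TP/IPsec runs IPsec in transport mode
            findings.append(f"transform-set {name}: mode {ts['mode']}, L2TP/IPsec needs transport")
    return findings


if __name__ == "__main__":
    for label, text in (("thread config", THREAD_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in audit_l2tp_ipsec(parse_pix_config(text)) or ["no findings"]:
            print(" -", f)
```

Run as a script it prints five findings for the posted config (the xauth line, DES and MD5 in the ISAKMP policy, and esp-des and esp-md5-hmac in the transform set) and none for the corrected one; the transport-mode check is already satisfied by the original config, which is why the thread's diagnosis centres on xauth rather than on the IPsec mode.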



