[c-nsp] Problem with VPN to PIX

Marcus Keane mkeane at microsoft.com
Tue Apr 5 03:24:05 EDT 2005


Just to add to this, Luan seemed to be on the right track with the doc
reference he sent. You may not have seen his mail yet.
Marcus

> -----Original Message-----
> From: Marcus Keane
> Sent: Tuesday, 5 April 2005 17:19
> To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Problem with VPN to PIX
> 
> The line is certainly there in the sample config but I would guess it
> isn't helping in your case as Windows doesn't support xauth. You've told
> the PIX with this command to authenticate before going onto quick mode. I
> haven't checked but Windows will probably either ignore the attribute
> request or send a notify. I would think it unlikely that the PIX would
> just continue on to quick mode anyway.
> 
> As to your question about the transform set and main mode policy, it's
> difficult to say without seeing the result of the crypto debug and what
> proposal is sent by Windows (and whether it's accepted by the PIX). I just
> checked my WinXP box here and it doesn't seem to support AES for IPSec, so
> you'd probably be better with 3des and sha for both main and quick modes.
> HTH,
> Marcus
> 
> > -----Original Message-----
> > From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
> > Sent: Tuesday, 5 April 2005 16:58
> > To: Marcus Keane; cisco-nsp at puck.nether.net
> > Subject: RE: [c-nsp] Problem with VPN to PIX
> >
> >  Cisco uses that line in their posted config for l2tp:
> >
> > http://www.cisco.com/warp/public/110/l2tp-ipsec.html
> >
> >
> >   Could it possibly require a different transform set?
> > Perhaps;
> >
> > crypto ipsec transform-set l2tp esp-aes-256 esp-sha-hmac
> >
> > isakmp policy 20 encryption aes-256
> > isakmp policy 20 hash sha
> >
> >
> > Ted
> >
> > > -----Original Message-----
> > > From: Marcus Keane [mailto:mkeane at microsoft.com]
> > > Sent: Monday, April 04, 2005 10:21 PM
> > > To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> > > Subject: RE: [c-nsp] Problem with VPN to PIX
> > >
> > >
> > > It's been a while since I played with this, but could this line be
> > > your problem:
> > >
> > > crypto map mymap client authentication LOCAL
> > >
> > > I believe this line is for xauth authentication and Windows doesn't
> > > support this. User authentication is done by PPP.
> > > Marcus
> > >
> > > > -----Original Message-----
> > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > > > bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
> > > > Sent: Tuesday, 5 April 2005 14:20
> > > > To: cisco-nsp at puck.nether.net
> > > > Subject: [c-nsp] Problem with VPN to PIX
> > > >
> > > > Hi All,
> > > >
> > > >   OK I am stumped on a problem and I've looked over this config a
> > > > dozen times and I don't know why it's not working.  I'd greatly
> > > > appreciate any suggestions other than to run the Cisco VPN client.
> > > > (I'll shoot any smartass that suggests that, and no it don't work
> > > > either, I already tried)
> > > >
> > > >   Setup is a PIX 506 running PIX 6.3.4.  VPN client is Windows XP
> > > > SP2, and also I tested with Win98 running Microsoft's IPSec VPN
> > > > client.  The clients are configured to use IPSec/L2TP with a
> > > > preshared key.  They don't work, do not authenticate.  I get a log
> > > > entry on the PIX about isakmp handshaking starting up and that's it.
> > > > The clients just hang during the initial connection.
> > > >
> > > >   The exact same PIX and same Windows clients work perfectly if I
> > > > wipe the PIX config and replace it with a PIX config that does PPTP
> > > > and change the clients to use pptp.
> > > >
> > > >   I've also tried "isakmp policy 20 group 2" with no difference.
> > > >
> > > > Here's the PIX config:
> > > >
> > > > : Written by enable_15 at 15:06:25.973 UTC Mon Apr 4 2005
> > > > PIX Version 6.3(4)
> > > > interface ethernet0 auto
> > > > interface ethernet1 auto
> > > > nameif ethernet0 outside security0
> > > > nameif ethernet1 inside security100
> > > > enable password XXXXXXXXXXX encrypted
> > > > passwd XXXXXXXXXX encrypted
> > > > hostname YYYYYYYYY
> > > > domain-name ZZZZZZZZ.com
> > > > fixup protocol dns maximum-length 512
> > > > fixup protocol ftp 21
> > > > fixup protocol h323 h225 1720
> > > > fixup protocol h323 ras 1718-1719
> > > > fixup protocol http 80
> > > > fixup protocol rsh 514
> > > > fixup protocol rtsp 554
> > > > fixup protocol sip 5060
> > > > fixup protocol sip udp 5060
> > > > fixup protocol skinny 2000
> > > > fixup protocol smtp 25
> > > > fixup protocol sqlnet 1521
> > > > fixup protocol tftp 69
> > > > names
> > > > access-list eatme-incoming permit tcp 65.75.16.0 255.255.255.0 any eq 3389
> > > > access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.254.0 255.255.255.0
> > > > access-list l2tp permit udp host 189.17.44.166 any eq 1701
> > > > pager lines 24
> > > > logging on
> > > > logging buffered debugging
> > > > mtu outside 1500
> > > > mtu inside 1500
> > > > ip address outside 189.17.44.166 255.255.255.252
> > > > ip address inside 192.168.1.1 255.255.255.0
> > > > ip audit info action alarm
> > > > ip audit attack action alarm
> > > > ip local pool l2tp 192.168.254.1-192.168.254.254
> > > > pdm logging informational 100
> > > > pdm history enable
> > > > arp timeout 14400
> > > > global (outside) 1 interface
> > > > nat (inside) 0 access-list nonat
> > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> > > > static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
> > > > access-group eatme-incoming in interface outside
> > > > conduit permit icmp any any
> > > > route outside 0.0.0.0 0.0.0.0 189.17.44.165 1
> > > > timeout xlate 0:05:00
> > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> > > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> > > > timeout uauth 0:05:00 absolute
> > > > aaa-server TACACS+ protocol tacacs+
> > > > aaa-server TACACS+ max-failed-attempts 3
> > > > aaa-server TACACS+ deadtime 10
> > > > aaa-server RADIUS protocol radius
> > > > aaa-server RADIUS max-failed-attempts 3
> > > > aaa-server RADIUS deadtime 10
> > > > aaa-server LOCAL protocol local
> > > > no snmp-server location
> > > > no snmp-server contact
> > > > snmp-server community public
> > > > no snmp-server enable traps
> > > > tftp-server outside 65.75.64.2 XXXXXXXXXXX.txt
> > > > floodguard enable
> > > > sysopt connection permit-l2tp
> > > > crypto ipsec transform-set l2tp esp-des esp-md5-hmac
> > > > crypto ipsec transform-set l2tp mode transport
> > > > crypto ipsec security-association lifetime seconds 3600
> > > > crypto dynamic-map dyna 20 match address l2tp
> > > > crypto dynamic-map dyna 20 set transform-set l2tp
> > > > crypto map mymap 10 ipsec-isakmp dynamic dyna
> > > > crypto map mymap client authentication LOCAL
> > > > crypto map mymap interface outside
> > > > isakmp enable outside
> > > > isakmp key 12345678 address 0.0.0.0 netmask 0.0.0.0
> > > > isakmp policy 20 authentication pre-share
> > > > isakmp policy 20 encryption des
> > > > isakmp policy 20 hash md5
> > > > isakmp policy 20 group 1
> > > > isakmp policy 20 lifetime 86400
> > > > telnet 192.168.1.0 255.255.255.0 inside
> > > > telnet timeout 10
> > > > ssh 65.75.20.0 255.255.255.0 outside
> > > > ssh timeout 5
> > > > console timeout 0
> > > > vpdn group l2tpipsec accept dialin l2tp
> > > > vpdn group l2tpipsec ppp authentication chap
> > > > vpdn group l2tpipsec ppp authentication mschap
> > > > vpdn group l2tpipsec client configuration address local l2tp
> > > > vpdn group l2tpipsec client configuration dns 192.168.1.2 26.13.2.4
> > > > vpdn group l2tpipsec client configuration wins 192.168.1.2
> > > > vpdn group l2tpipsec client accounting RADIUS
> > > > vpdn group l2tpipsec client authentication local
> > > > vpdn group l2tpipsec l2tp tunnel hello 60
> > > > vpdn username testuser password AAAAAAAABBBBCCCC
> > > > vpdn enable outside
> > > > dhcpd address 192.168.1.100-192.168.1.149 inside
> > > > dhcpd dns 192.168.1.2 26.13.2.4
> > > > dhcpd wins 192.168.1.2
> > > > dhcpd lease 3600
> > > > dhcpd ping_timeout 750
> > > > dhcpd option 46 hex 08
> > > > dhcpd enable inside
> > > > terminal width 80
> > > > : end
> > > > $
> > > >
> > > > Any suggestions?  This is the one config Cisco doesn't seem to have
> > > > on file for the PIXen.  (no, I do not want to use a 3rd party
> > > > generated certificate)
> > > >
> > > > Ted
> > > >
> > > > _______________________________________________
> > > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
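The two points raised in this thread (the xauth `client authentication` line on the crypto map, and the phase 1 / transform-set ciphers a Windows XP L2TP/IPsec client will actually negotiate) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; the config excerpt is a constructed subset of the posted PIX 6.3(4) config, and the finding texts and the `check_pix_l2tp` name are my own.

```python
import re

# Constructed excerpt of the PIX 6.3 config posted in the thread
# (crypto/isakmp lines only); not the full running-config.
SAMPLE_CONFIG = """\
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication LOCAL
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
"""


def check_pix_l2tp(config: str) -> list:
    """Return findings for a PIX 6.x config serving Windows L2TP/IPsec clients."""
    findings = []
    transport_sets, transform_sets = set(), {}
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        # xauth on the crypto map: the built-in Windows client does not do
        # xauth; user authentication happens in PPP inside the L2TP tunnel.
        m = re.match(r"crypto map (\S+) client authentication (\S+)", line)
        if m:
            findings.append(f"crypto map {m[1]}: xauth ({m[2]}) enabled; Windows L2TP/IPsec clients do not support it")
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport", line)
        if m:
            transport_sets.add(m[1])
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m[1]] = m[2].split()
            continue
        # Phase 1: Windows XP does not offer AES, and single DES is weak; 3des/sha is the thread's advice.
        m = re.match(r"isakmp policy (\d+) encryption (\S+)", line)
        if m and m[2].startswith("aes"):
            findings.append(f"isakmp policy {m[1]}: {m[2]} not offered by Windows XP; use 3des")
        elif m and m[2] == "des":
            findings.append(f"isakmp policy {m[1]}: single DES is weak; use 3des")
    for name, transforms in transform_sets.items():
        # L2TP/IPsec needs transport mode; a transform-set defaults to tunnel mode.
        if name not in transport_sets:
            findings.append(f"transform-set {name}: not in transport mode, required for L2TP/IPsec")
        for t in transforms:
            if t.startswith("esp-aes"):
                findings.append(f"transform-set {name}: {t} not offered by Windows XP; use esp-3des")
            elif t == "esp-des":
                findings.append(f"transform-set {name}: single DES is weak; use esp-3des esp-sha-hmac")
    return findings
```

Run against the excerpt it reports the xauth line and the DES choices in both phases; a config that drops `mode transport` or proposes AES is flagged the same way.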