Windows VPN Client cannot connect to PIX 6.2(1), Mac VPN Client can

jlixfeld
Level 1

I'm using 4.9.01(0030) for Mac with no problems at all. I've tried both 3.6.3 (Rel) and 4.8.02.0010 for Windows, but neither of them connect.

The Mac version gives me a username/password prompt, the Windows version gives me nothing. If I turn off authentication on the PIX, the Mac client connects up fine, while the Windows version does not.

Anyone seen this before? The Mac and the PC are behind the same NAT device with no special rules that could affect the operation of one machine or another.

I might say that my Windows installation is messed up; however, I have other people on Windows who are unable to connect using the Windows client either, so I think that validates the stability of this particular Windows installation.

Client logs and corresponding PIX debugs for both Windows and Mac clients are attached.

Any ideas are appreciated.

PIX IPSec Config:

crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set
crypto dynamic-map client-map 10 set security-association lifetime seconds 1800 kilobytes 4608000
crypto dynamic-map site-map 10 set transform-set pix-set
crypto dynamic-map site-map 10 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map pix-map 40 ipsec-isakmp dynamic site-map
crypto map pix-map 50 ipsec-isakmp dynamic client-map
crypto map pix-map client authentication partnerauth
crypto map pix-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local client-dynamic outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
vpngroup apollogroup address-pool client-dynamic
vpngroup apollogroup dns-server 192.168.247.17 192.168.247.1
vpngroup apollogroup split-tunnel acl_no-nat
vpngroup apollogroup idle-time 1800
vpngroup apollogroup password ********

5 Replies

kaachary
Cisco Employee

Hi,

VPN Client for Windows does not support DES with SHA combination.

crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto map pix-map 40 ipsec-isakmp dynamic site-map

Change the transform set, and you will be good to go!!!

*Please rate the post if it helped.

-Kanishka

But it does support 3des/md5, right? That transform-set is referenced at sequence 50, which should be called after sequence 40, regardless of whether or not an unsupported combination is found in sequence 50?

All you have to do is:

no crypto map pix-map 40 ipsec-isakmp dynamic site-map

That should do it!

-Kanishka

Of course, but then my site-to-site VPNs break :) I need them both to work (and I'd like to avoid having to reconfigure the site-to-site VPNs if possible).

kaachary
Cisco Employee

Hi,

You don't need all the redundant statements there. To make your S2S and VPN clients work, just remove the following statement by doing:

no crypto map pix-map 40 ipsec-isakmp dynamic site-map

And then add:

crypto dynamic-map client-map 10 set transform-set client-set pix-set

That would take care of client as well as S2S connections.

HTH

-Kanishka
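An added example, not code from the thread or from Cisco: a small Python checker that walks the crypto map the way the replies describe, fed with the relevant lines of the posted PIX config and with the config as it looks after the suggested change. It assumes a simplified model (the lowest-sequence dynamic entry decides which transform sets are offered to a remote-access peer, and a peer that supports none of them fails instead of falling through), and the peer capability sets are constructed from what the thread states.

```python
# Added example (not from the thread). Simplified model, as an assumption:
# the lowest-sequence dynamic crypto-map entry decides which transform sets are
# offered; if the peer supports none of them, negotiation fails (no fall-through).
import re

# Crypto-relevant lines of the config posted in the question.
ORIGINAL = """
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set
crypto dynamic-map site-map 10 set transform-set pix-set
crypto map pix-map 40 ipsec-isakmp dynamic site-map
crypto map pix-map 50 ipsec-isakmp dynamic client-map
"""
# Same config after the last reply: sequence 40 removed, both sets on client-map.
FIXED = """
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set pix-set
crypto map pix-map 50 ipsec-isakmp dynamic client-map
"""
# Constructed peer capabilities (assumption): the reply says the Windows client
# rejects DES/SHA; the Mac client connected with the original config, so it takes both.
WINDOWS = {("esp-3des", "esp-md5-hmac")}
MAC = {("esp-des", "esp-sha-hmac"), ("esp-3des", "esp-md5-hmac")}

def parse(config):
    """Return transform sets, dynamic-map entries and the crypto map sorted by sequence."""
    tsets, dmaps, cmap = {}, {}, []
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)", line):
            dmaps.setdefault(m[1], {})[int(m[2])] = m[3].split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            cmap.append((int(m[2]), m[3]))
    return tsets, dmaps, sorted(cmap)

def negotiate(config, peer_supports):
    """Transform-set name the peer would settle on, or None if the first dynamic entry offers nothing it supports."""
    tsets, dmaps, cmap = parse(config)
    if not cmap:
        return None
    _seq, dname = cmap[0]                     # lowest sequence wins under the model
    for _, names in sorted(dmaps.get(dname, {}).items()):
        for name in names:                    # sets are tried in the order configured
            if tsets[name] in peer_supports:
                return name
    return None
```

Under this model the original config gives the Windows peer nothing at sequence 40 while the Mac peer lands on pix-set, and the fixed config gives both peers client-set, which matches the symptom and the fix described above.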
