02-20-2007 08:40 AM - edited 03-11-2019 02:35 AM
I'm using 4.9.01(0030) for Mac with no problems at all. I've tried both 3.6.3 (Rel) and 4.8.02.0010 for Windows, but neither of them connect.
The Mac version gives me a username/password prompt, the Windows version gives me nothing. If I turn off authentication on the PIX, the Mac client connects up fine, while the Windows version does not.
Anyone seen this before? The Mac and the PC are behind the same NAT device with no special rules that could affect the operation of one machine or another.
I might say that my Windows installation is messed up; however, I have other people on Windows who are unable to connect using the Windows client either, so I think that validates the stability of this particular Windows installation.
Client logs and corresponding PIX debugs for both Windows and Mac clients are attached.
Any ideas are appreciated.
PIX IPSec Config:
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set
crypto dynamic-map client-map 10 set security-association lifetime seconds 1800 kilobytes 4608000
crypto dynamic-map site-map 10 set transform-set pix-set
crypto dynamic-map site-map 10 set security-association lifetime seconds 1800 kilobytes 4608000
crypto map pix-map 40 ipsec-isakmp dynamic site-map
crypto map pix-map 50 ipsec-isakmp dynamic client-map
crypto map pix-map client authentication partnerauth
crypto map pix-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local client-dynamic outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
vpngroup apollogroup address-pool client-dynamic
vpngroup apollogroup dns-server 192.168.247.17 192.168.247.1
vpngroup apollogroup split-tunnel acl_no-nat
vpngroup apollogroup idle-time 1800
vpngroup apollogroup password ********
02-20-2007 10:30 AM
Hi,
VPN Client for Windows does not support the DES with SHA combination.
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto map pix-map 40 ipsec-isakmp dynamic site-map
Change the transform set, and you will be good to go!!!
*Please rate the post if it helped.
-Kanishka
02-20-2007 10:37 AM
But it does support 3des/md5, right? That transform-set is referenced at sequence 50, which should be called after sequence 40, regardless of whether or not an unsupported combination is found in sequence 50?
02-20-2007 10:44 AM
All you have to do is:
no crypto map pix-map 40 ipsec-isakmp dynamic site-map
That should do it!
-Kanishka
02-20-2007 10:52 AM
Of course, but then my site-to-site VPNs break :) I need them both to work (and I'd like to avoid having to reconfigure the site-to-site VPNs if possible).
02-20-2007 11:39 AM
Hi,
You don't need all the redundant statements there. To make your S2S and VPN clients work, just remove the following statement by doing:
no crypto map pix-map 40 ipsec-isakmp dynamic site-map
And then add :
crypto dynamic-map client-map 10 set transform-set client-set pix-set
That would take care of client as well as S2S connections.
HTH
-Kanishka
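As an added illustration (not part of the thread), the script below parses the crypto map / dynamic-map / transform-set lines from the config posted above and reports which (cipher, auth) pairs the lowest-sequence dynamic entry offers a remote-access client. It assumes the model the replies rely on: the first dynamic entry in the crypto map is the one the client is matched against, and the Windows VPN Client rejects DES with SHA. Both config excerpts are constructed from the thread; the function names are my own.

```python
from collections import defaultdict

# Constructed excerpt of the crypto config posted in the thread (other lines omitted).
ORIGINAL_CONFIG = """\
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set
crypto dynamic-map site-map 10 set transform-set pix-set
crypto map pix-map 40 ipsec-isakmp dynamic site-map
crypto map pix-map 50 ipsec-isakmp dynamic client-map
"""
# Same excerpt with the suggested changes applied: entry 40 removed and both
# transform sets listed on client-map 10 (constructed, not copied from the thread).
FIXED_CONFIG = """\
crypto ipsec transform-set pix-set esp-des esp-sha-hmac
crypto ipsec transform-set client-set esp-3des esp-md5-hmac
crypto dynamic-map client-map 10 set transform-set client-set pix-set
crypto map pix-map 50 ipsec-isakmp dynamic client-map
"""
# Combination the reply says the Windows VPN Client cannot negotiate (assumption).
WINDOWS_CLIENT_UNSUPPORTED = {("esp-des", "esp-sha-hmac")}

def parse_crypto(config):
    """Collect transform-sets, each dynamic map's transform-set lists, and the
    crypto map entries that reference dynamic maps."""
    tsets, dynmaps, cmaps = {}, defaultdict(dict), defaultdict(dict)
    for w in (line.split() for line in config.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = tuple(w[4:6])        # name -> (cipher, auth)
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            dynmaps[w[2]][int(w[3])] = w[6:]   # dynmap -> {seq: [transform-set names]}
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["ipsec-isakmp", "dynamic"]:
            cmaps[w[2]][int(w[3])] = w[6]      # crypto map -> {seq: dynmap name}
    return tsets, dynmaps, cmaps

def first_dynamic_offer(config, map_name):
    """Lowest-sequence dynamic entry of map_name and the (cipher, auth) pairs it
    offers, in the order its dynamic map lists them."""
    tsets, dynmaps, cmaps = parse_crypto(config)
    seq = min(cmaps[map_name])
    dyn = dynmaps[cmaps[map_name][seq]]
    pairs = [tsets[ts] for dseq in sorted(dyn) for ts in dyn[dseq]]
    return seq, pairs

def windows_client_can_negotiate(config, map_name="pix-map"):
    """True if that first dynamic entry offers at least one supported pair."""
    _, pairs = first_dynamic_offer(config, map_name)
    return any(p not in WINDOWS_CLIENT_UNSUPPORTED for p in pairs)
```

Running it against the original excerpt shows entry 40 offering only DES/SHA, while the corrected excerpt offers 3DES/MD5 first with DES/SHA still available for the site-to-site peers.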