02-28-2007 09:50 AM
I'm using a couple of VPN clients (latest Mac OS X and Windows versions) to test connections to a PIX running 6.3(5). When I connect and check the debugs, it looks as though phase 1 completes without an issue, but phase 2 never starts.
The RADIUS server in this configuration doesn't actually exist. This is a lab setup, as I'm configuring these in a controlled environment before they go into production at my customer site, where they will be replacing an existing PIX. The RADIUS server currently lives at the client site and is in production with the existing PIX there. I changed the client auth to LOCAL from partnerauth; no change.
sysopt connection permit-ipsec
crypto ipsec transform-set 3DES-SHA-SET esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5-SET esp-3des esp-md5-hmac
crypto ipsec transform-set DES-MD5-SET esp-des esp-md5-hmac
crypto dynamic-map DMAP1 10 set transform-set 3DES-MD5-SET
crypto map CMAP1 10 ipsec-isakmp dynamic DMAP1
crypto map CMAP1 client authentication partnerauth
crypto map CMAP1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup apollogroup address-pool client-dynamic
vpngroup apollogroup dns-server 192.168.247.17 192.168.247.1
vpngroup apollogroup split-tunnel acl_no-nat
vpngroup apollogroup idle-time 1800
vpngroup apollogroup password ********
02-28-2007 09:51 AM
PIX debugs enclosed:
apollofw01(config)# show debug
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto engine
debug crypto ca 1
apollofw01(config)#
crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable.
crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 192.168.100.190, dst 68.179.112.101
ISADB: reaper checking SA 0x3859eec, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 192.168.100.190/500 not found - peers:0
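The debug above is a textbook IKEv1 aggressive-mode trace: eight AES proposals are rejected against isakmp policy 10 (3DES/SHA/group 2/pre-share), the ninth (3DES, SHA, group 2, XAUTH pre-share) is accepted, and then the very next message from the client fails with "msg not encrypted" and the SA is torn down. The following script is an added example, not code from the post or from Cisco: it parses this debug format, recomputes each proposal's verdict against the local policy so you can confirm the PIX's decision, decodes the proposed lifetime bytes, and turns the "accepted, then undecryptable" pattern into a diagnosis. The sample input is abridged from the post's own debug (transforms 2 and 4 to 8, all AES, are omitted); the local policy values are taken from the posted config.

```python
"""Parse PIX 6.x 'debug crypto isakmp' output for an IKEv1 aggressive-mode
exchange, recompute each proposal's verdict against the local isakmp policy,
and diagnose why phase 2 never started.  Added example, not from the post."""
import re
from dataclasses import dataclass
from typing import Optional

# Abridged from the debug output in the post above (transforms 2 and 4-8 omitted;
# they are all AES variants and were rejected for the same reason as transform 1).
SAMPLE_DEBUG = """\
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable.
ISAKMP: error, msg not encrypted
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 192.168.100.190, dst 68.179.112.101
"""

# Local phase 1 policy, taken from "isakmp policy 10 ..." in the posted config.
LOCAL_POLICY = {"encryption": "3DES", "hash": "SHA", "group": 2, "auth": "pre-share"}


@dataclass
class Transform:
    number: int
    encryption: str = ""
    keylength: Optional[int] = None
    hash_alg: str = ""
    group: Optional[int] = None
    auth: str = ""
    xauth: bool = False            # "extended auth ... (init)" = XAUTH-initiator variant
    lifetime: Optional[int] = None  # seconds, decoded from the VPI byte string
    pix_verdict: Optional[bool] = None  # what the PIX itself logged


def parse_lifetime(hexwords: str) -> int:
    """'0x0 0x20 0xc4 0x9b' is a big-endian byte string of seconds."""
    return int.from_bytes(bytes(int(w, 16) for w in hexwords.split()), "big")


def parse_transforms(debug: str) -> list:
    transforms, cur = [], None
    for line in debug.splitlines():
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against", line):
            cur = Transform(int(m.group(1)))
            transforms.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"ISAKMP: encryption (\w+)", line):
            cur.encryption = m.group(1)          # "AES-CBC" -> "AES", "3DES-CBC" -> "3DES"
        elif m := re.match(r"ISAKMP: hash (\w+)", line):
            cur.hash_alg = m.group(1)
        elif m := re.match(r"ISAKMP: default group (\d+)", line):
            cur.group = int(m.group(1))
        elif m := re.match(r"ISAKMP: (extended )?auth (\S+)", line):
            cur.xauth, cur.auth = m.group(1) is not None, m.group(2)
        elif m := re.match(r"ISAKMP: keylength of (\d+)", line):
            cur.keylength = int(m.group(1))
        elif m := re.match(r"ISAKMP: life duration \(VPI\) of (.+)", line):
            cur.lifetime = parse_lifetime(m.group(1))
        elif m := re.match(r"ISAKMP \(\d+\): atts are (not )?acceptable", line):
            cur.pix_verdict = m.group(1) is None
    return transforms


def local_accepts(t: Transform, policy: dict) -> bool:
    """Hard criteria are cipher, hash, DH group and auth family.  Lifetime is not
    one: the responder simply uses the shorter of the two.  With 'crypto map ...
    client authentication' configured, the PIX takes the XAUTH pre-share variant
    as a pre-share match, so xauth is not compared."""
    return (t.encryption == policy["encryption"] and t.hash_alg == policy["hash"]
            and t.group == policy["group"] and t.auth == policy["auth"])


def diagnose(debug: str, policy: dict = LOCAL_POLICY) -> dict:
    ts = parse_transforms(debug)
    accepted = next((t.number for t in ts if t.pix_verdict), None)
    unencrypted = len(re.findall(r"ISAKMP: error, msg not encrypted", debug))
    deleted = "deleting SA" in debug
    # Proposals where our recomputation disagrees with the PIX's logged verdict.
    disagreements = [t.number for t in ts
                     if t.pix_verdict is not None and t.pix_verdict != local_accepts(t, policy)]
    if accepted is None:
        verdict = "phase 1 failed: no client proposal matches the local isakmp policy"
    elif unencrypted and deleted:
        # Proposal agreed, but the client's next (encrypted) message could not be read:
        # the keys derived on each side differ, i.e. the pre-shared key (vpngroup
        # password) does not match.  That is what this thread found.
        verdict = ("phase 1 proposal agreed, but the next aggressive-mode message could "
                   "not be decrypted: pre-shared key (vpngroup password) mismatch is the usual cause")
    else:
        verdict = "phase 1 completed; look at the phase 2 (IPsec SA) negotiation"
    return {"accepted_transform": accepted, "unencrypted_errors": unencrypted,
            "sa_deleted": deleted, "disagreements": disagreements, "verdict": verdict}


if __name__ == "__main__":
    for t in parse_transforms(SAMPLE_DEBUG):
        print(t)
    print(diagnose(SAMPLE_DEBUG))
```

Run it against a full debug capture (`python3 script.py`, after replacing SAMPLE_DEBUG or reading the capture from a file) and look first at `disagreements`: if the recomputed verdicts differ from the PIX's, the policy in the script is not the one the PIX actually used. The decoded lifetime (2,147,483 seconds here) is harmless, since the shorter local 86400 wins; the thing to fix when you see "atts are acceptable" followed by "msg not encrypted" is the group password, not the transform set.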
02-28-2007 12:34 PM
What do the logs in the VPN client say?
Can you please enable logging on the VPN client and send it.
Let me take a look at the information.
Thanks
Gilbert
02-28-2007 12:38 PM
I was able to determine that the problem was with the group password.
02-28-2007 12:45 PM
I figured that would be the problem, and that's why I asked for the client logs :)
Cheers
Gilbert
Rate this post, if it helps!!