PIX 6.3(5) + VPNClient

jlixfeld · ‎02-28-2007

I'm using a couple of vpn clients (latest Mac OS X and Windows versions) to test connections to a pix running 6.3(5). When I connect and check the debugs, it looks as though phase 1 completes without an issue, but phase 2 never starts.

The RADIUS server in this configuration doesn't actually exist. This is a lab setup as I'm configuring these in a controlled environment before they go into production at my customer site where they will be replacing an existing PIX. The radius server currently lives at the client site and is in production with the existing PIX there. I changed the client auth to LOCAL from partnerauth, no change.

sysopt connection permit-ipsec

crypto ipsec transform-set 3DES-SHA-SET esp-3des esp-sha-hmac

crypto ipsec transform-set 3DES-MD5-SET esp-3des esp-md5-hmac

crypto ipsec transform-set DES-MD5-SET esp-des esp-md5-hmac

crypto dynamic-map DMAP1 10 set transform-set 3DES-MD5-SET

crypto map CMAP1 10 ipsec-isakmp dynamic DMAP1

crypto map CMAP1 client authentication partnerauth

crypto map CMAP1 interface outside

isakmp enable outside

isakmp identity address

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup apollogroup address-pool client-dynamic

vpngroup apollogroup dns-server 192.168.247.17 192.168.247.1

vpngroup apollogroup split-tunnel acl_no-nat

vpngroup apollogroup idle-time 1800

vpngroup apollogroup password ********

jlixfeld · ‎02-28-2007

PIX debugs enclosed:

apollofw01(config)# show debug

debug crypto ipsec 1

debug crypto isakmp 1

debug crypto engine

debug crypto ca 1

apollofw01(config)#

crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are acceptable.

crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500

ISAKMP: error, msg not encrypted

crypto_isakmp_process_block:src:192.168.100.190, dest:68.179.112.101 spt:500 dpt:500

ISAKMP: error, msg not encrypted

ISAKMP (0): deleting SA: src 192.168.100.190, dst 68.179.112.101

ISADB: reaper checking SA 0x3859eec, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 192.168.100.190/500 not found - peers:0

ggilbert · ‎02-28-2007

What does the logs in the VPN client say?

Can you please enable logging on the VPN client and send it.

Let me take a look at the information.

Thanks

Gilbert

jlixfeld · ‎02-28-2007

I was able to determine that the problem was with the group password.

ggilbert · ‎02-28-2007

I figured that would be the problem and thats why I asked for the client logs :)

Cheers

Gilbert

Rate this post, if it helps!!