Pix 515E cannot get the VPN client to work

Answered Question
Jun 7th, 2007

Hi there,

I am having some difficulties configuring two things:

1. After a couple of hours struggling to create a tunnel (lan to lan) I finally got it to work. When I try to do the same for remote users using the Cisco vpn client I only get an error 412: the remote peer is no longer responding.

Client log:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6000

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002

Begin connection process

3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004

Establish secure connection

4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024

Attempt connection with server "82.94.31.134"

5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 82.94.31.134.

6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134

7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Attached is the config file from the Pix 515e

2. I need to access RDP with port redirection. So when I access 82.x.x.x:4000 it would translate to 192.168.1.50:3389. So far I'm not able to get this to work.

Any help would be greatly appreciated.

Regards,

Jeroen

acomiskey Thu, 06/07/2007 - 06:23

#1. Start by changing your vpn client pool to a different subnet, it should not be the same as your inside subnet.

ip local pool vpnclient 192.168.5.150-192.168.5.200

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

#2. If 82.x.x.x is your outside interface address then...

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

If it is another address then...

static (inside,outside) tcp 82.x.x.x 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

sabrasystems Thu, 06/07/2007 - 06:36

Thank you for the reply, I gave the commands as you told me but still I cannot reach the terminal server on the other side. I know the terminal server is responding because I can access it across the working vpn tunnel.

Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set up one in the Cisco client?

My config file:

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

access-list Internet_nat0_inbound extended permit ip any 192.168.0.0 255.255.255.0

access-list Internet_cryptomap_20 extended permit ip any 192.168.0.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.39.5.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 222 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging trap emergencies

logging asdm informational

logging class auth trap emergencies

mtu outside 1500

mtu inside 1500

ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 2 192.168.1.50

nat (outside) 0 access-list Internet_nat0_inbound outside

nat (inside) 0 access-list 222

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

acomiskey Thu, 06/07/2007 - 06:51

"Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set up one in the Cisco client?"

-Sure you can, under group authentication, you need the group name and password (password = pre-shared key)

"I gave the commands as you told me but still i can not reach the terminal server on the other side"

no static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

no static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

sabrasystems Thu, 06/07/2007 - 07:12

1: Oops, that's a dumb mistake. I keep getting the same error connecting, though, even after changing the VPNclient pool to 192.168.5.x

I have done a reset to factory defaults so I could not get errors after making previous mistakes. Still I cannot access the terminal server on port 4000 from another location.

My config file as for now:

asdm image flash:/asdm-501.bin

asdm history enable

: Saved

:

PIX Version 7.0(1)

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 82.94.x.x.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

enable password xxx

passwd xxx

hostname sabrapix

domain-name asp.local

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0

access-list VPNclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool clientpool 192.168.5.10-192.168.5.200 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy VPNclient internal

group-policy VPNclient attributes

dns-server value 194.109.6.66 194.109.9.99

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPNclient_splitTunnelAcl

username sabra password 9zpQIMMxEQ2QXgFd encrypted privilege 15

username jeroen password Q.HHDJ8rYk7zK0/K encrypted privilege 0

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server host outside 192.168.1.50 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.50-192.168.1.250 inside

dhcpd dns 194.109.6.66 194.109.9.99

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

tunnel-group VPNclient type ipsec-ra

tunnel-group VPNclient general-attributes

address-pool clientpool

default-group-policy VPNclient

tunnel-group VPNclient ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

acomiskey Thu, 06/07/2007 - 07:19

"Still I cannot access the terminal server on port 4000 from another location."

-Your acl is not applied.

access-group outside_access_in in interface outside
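Added example (my own code, not from the thread or from Cisco): a small Python lint that checks a PIX 7.0 config fragment for the three mistakes worked through above, the VPN pool overlapping the inside subnet, the static PAT's ports reversed relative to the ACL, and an ACL that is defined but never applied with access-group. The sample config is constructed from the thread's values, and the regexes cover only the statement forms seen on this page.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's first config: the VPN pool sits
# inside the LAN subnet, the static PAT has its ports swapped relative to the
# ACL, and the ACL is never bound to the outside interface with access-group.
SAMPLE_CONFIG = """
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255
"""

# The same config with the three corrections the thread arrives at.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("192.168.1.175-192.168.1.225", "192.168.5.150-192.168.5.200")
    .replace("interface 3389 192.168.1.50 4000", "interface 4000 192.168.1.50 3389")
    + "access-group outside_access_in in interface outside\n")

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) \S+ host \S+ eq (\d+)")
STATIC_RE = re.compile(r"static \(\S+,\S+\) (\S+) \S+ (\d+) (\S+) (\d+)")

def parse(cfg):
    """Extract only the PIX 7.0 statements the checks below need."""
    s = {"inside": None, "pools": [], "acls": {}, "statics": [], "applied": set()}
    nameif = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif == "inside":
            _, _, ip, mask = line.split()[:4]
            s["inside"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := POOL_RE.match(line):
            s["pools"].append((m[1], ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])))
        elif m := ACL_RE.match(line):
            s["acls"].setdefault(m[1], set()).add((m[2], int(m[3])))  # (proto, port)
        elif m := STATIC_RE.match(line):
            s["statics"].append((m[1], int(m[2]), m[3], int(m[4])))  # proto, gport, laddr, lport
        elif line.startswith("access-group "):
            s["applied"].add(line.split()[1])
    return s

def lint(cfg):
    """Return findings for the three mistakes; an empty list means all checks pass."""
    s, findings = parse(cfg), []
    for name, lo, hi in s["pools"]:
        if s["inside"] and (lo in s["inside"] or hi in s["inside"]):
            findings.append(f"pool {name} overlaps inside subnet {s['inside']}")
    for name in s["acls"]:
        if name not in s["applied"]:
            findings.append(f"access-list {name} is defined but never applied with access-group")
    # A static PAT is only reachable from outside if an ACL permits its global port.
    permitted = set().union(*s["acls"].values())
    for proto, gport, laddr, lport in s["statics"]:
        if (proto, gport) not in permitted:
            findings.append(f"static {proto} port {gport} -> {laddr}:{lport} is not permitted by any ACL")
    return findings
```

Running lint(SAMPLE_CONFIG) reports all three findings, and lint(FIXED_CONFIG) reports none.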

sabrasystems Thu, 06/07/2007 - 07:25

Great, that solved my redirect problem! Great!

VPN client software is still not responding though.

Client log is different:

16 17:23:17.952 06/07/07 Sev=Warning/2 IKE/0xE300009B

Invalid SPI size (PayloadNotify:116)

17 17:23:17.952 06/07/07 Sev=Info/4 IKE/0xE30000A6

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

18 17:23:17.952 06/07/07 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

19 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

20 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

21 17:23:23.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

22 17:23:23.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

23 17:23:23.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

24 17:23:23.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

25 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

26 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

27 17:23:28.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

28 17:23:28.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

29 17:23:28.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

30 17:23:28.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

31 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

32 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

33 17:23:33.072 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

34 17:23:33.072 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

35 17:23:33.075 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

36 17:23:33.075 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

37 17:23:38.038 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

38 17:23:39.035 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

39 17:23:39.035 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

40 17:23:39.035 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

41 17:23:39.040 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

42 17:23:39.040 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

43 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

44 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

46 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

acomiskey Thu, 06/07/2007 - 07:28

Can you log on the pix? Are you getting prompted for username/password?

sabrasystems Thu, 06/07/2007 - 07:35

I don't have an ASA, I have a Pix 515E. I thought I did not need an ASA to use the vpn client?

I don't get a message prompting me for a username and password. Just get the message: Reason 412: the remote peer is no longer responding.

(edit: you changed it already...i was getting worried there :))

acomiskey Thu, 06/07/2007 - 07:54

Are you on console or telnet/ssh? Try this then try the client, you should receive isakmp debugging info.

logging monitor debugging

or

logging console debugging

sabrasystems Thu, 06/07/2007 - 08:05

Thanks for your patience.

I entered the commands successfully, but the debugging command still gives no output.

Not in hyperterm and not through telnet.

Does this mean there is no communication going from here to the pix? I'll try again at home in a couple of minutes.

Thanks again.

acomiskey Thu, 06/07/2007 - 08:07

"Does this mean there is no communication going from here to the pix?"

That's what it sounds like. You are coming from the outside of pix right?

sabrasystems Thu, 06/07/2007 - 09:04

Yes, I'm connecting from another place, and using the same ip address to connect to. Now I tried it from another connection with different hardware but still I get no debugging information.

I should mention that I am using Vista to connect, but I am using version 5 to connect which should be compatible. Also I disabled the firewall. Everything else seems to be working just fine.

When I tried again it gave me this:

sabrapix(config)# Jun 07 17:04:48 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:54 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:59 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:05:04 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

sabrasystems Thu, 06/07/2007 - 09:19

I noticed; I recreated the profile to check if that had any effect. It only gives me that output when I typed in a wrong group name. When I use the correct group name there is just no output.

At least the software is communicating with the pix :) but still nothing.

sabrasystems Thu, 06/07/2007 - 09:30

That gives me some information:

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing SA payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ke payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ISA_KE

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing nonce payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Processing ID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received xauth V6 VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received DPD VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Fragmentation VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received NAT-Traversal ver 02 VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Cisco Unity client VID

Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x1bd62b8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR

Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE SA AM:7c720620 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jun 07 17:28:55 [IKEv1 DEBUG]: sending delete/delete with reason message

acomiskey Thu, 06/07/2007 - 09:39

Your client is set up with the correct group name? Add this to the pix...

isakmp nat-traversal

sabrasystems Thu, 06/07/2007 - 09:45

I think we're getting somewhere. Now I get another response:

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPNclient

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, processing IKE SA

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, All SA proposals found unacceptable

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptable!

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x183af38) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE SA AM:b3981b4d terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jun 07 17:43:35 [IKEv1 DEBUG]: sending delete/delete with reason message

Something in the security proposal

acomiskey Thu, 06/07/2007 - 10:01

Mine looks like this...

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

isakmp policy 10

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash md5

isakmp group 2

isakmp lifetime 86400

isakmp policy 30

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash sha

isakmp group 2

isakmp lifetime 86400

sabrasystems Thu, 06/07/2007 - 10:30

But I don't have the 3DES license, it will only do DES encryption. Could I just replace 3DES with DES?

Correct Answer
acomiskey Thu, 06/07/2007 - 10:45

Does this do the trick?

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

sabrasystems Thu, 06/07/2007 - 23:17

It did, thanks! But only after updating my license to 3des/aes.

After inserting:

isakmp policy 65535 encryption 3des

The VPN client prompted me for a username and password and connected. Now the only thing is I'm not receiving anything. I cannot ping a local address on the other side of the pix. Do I have to add something to permit the traffic to the local lan?

After this thing I'm enrolling myself for some kind of Cisco training :)

Thanks again for your help.
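Added example (my own code, not from the thread or from Cisco): a model of how an IKEv1 responder walks its isakmp policies to pick a phase-1 policy, reproducing the "All IKE SA proposals found unacceptable!" outcome with the DES-only policy and the successful match once a 3DES policy is usable under the license, as discussed in the last few posts. The client's proposal list is an assumption chosen to fit the thread's outcome, not data from the page.

```python
from dataclasses import dataclass

ATTRS = ("encryption", "integrity", "group", "auth")

@dataclass(frozen=True)
class Phase1Policy:
    encryption: str   # "des", "3des", "aes-128", "aes-256"
    integrity: str    # "md5" or "sha"
    group: int        # Diffie-Hellman group
    auth: str         # "pre-share" or "rsa-sig"

# Constructed: the responder side as in the thread's PIX config (policy 10, DES only).
PIX_DES_ONLY = {10: Phase1Policy("des", "sha", 2, "pre-share")}

# Constructed: the same PIX with the extra policy 65535, configured with 3DES as the
# poster finally did.
PIX_WITH_3DES = {**PIX_DES_ONLY, 65535: Phase1Policy("3des", "sha", 2, "pre-share")}

# Constructed proposal list for the VPN client: assumed to offer AES and 3DES but not
# DES, which fits the thread's outcome (DES policy rejected, 3DES accepted); the real
# client's list is not on the page.
CLIENT_PROPOSALS = [
    Phase1Policy("aes-256", "sha", 2, "pre-share"),
    Phase1Policy("aes-128", "sha", 2, "pre-share"),
    Phase1Policy("3des", "sha", 2, "pre-share"),
    Phase1Policy("3des", "md5", 2, "pre-share"),
]

def usable_policies(policies, licensed_ciphers):
    """Drop policies whose cipher the license does not allow: a DES-only PIX cannot
    use a 3DES policy, which is why the poster needed the 3DES/AES license first."""
    return {prio: p for prio, p in policies.items() if p.encryption in licensed_ciphers}

def select_policy(responder_policies, proposals):
    """Walk the responder's policies from the lowest priority number upwards and
    return (priority, policy) for the first one the initiator also proposed, or
    None when nothing matches (what the PIX logs as 'All IKE SA proposals found
    unacceptable!')."""
    for prio in sorted(responder_policies):
        if responder_policies[prio] in proposals:
            return prio, responder_policies[prio]
    return None

def explain_mismatch(responder_policies, proposals):
    """For each responder policy, report which attributes no proposal matches, so
    a debug reader can tell a cipher mismatch from a hash, group or auth mismatch."""
    notes = []
    for prio in sorted(responder_policies):
        pol = responder_policies[prio]
        # The closest proposal is the one disagreeing on the fewest attributes.
        best = min(proposals, key=lambda p: sum(getattr(p, a) != getattr(pol, a) for a in ATTRS))
        diffs = [f"{a}={getattr(pol, a)}" for a in ATTRS if getattr(best, a) != getattr(pol, a)]
        notes.append(f"policy {prio}: " + ("match" if not diffs else "no proposal with " + ", ".join(diffs)))
    return notes
```

With only the DES license, even the 3DES policy is filtered out and select_policy returns None; with the 3DES/AES license it returns policy 65535.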

sabrasystems Fri, 06/08/2007 - 01:03

I could not edit my previous post, but I found the answer in another discussion you had about some vpn troubles (acl).

Everything is working like a charm now! Thanks so much for taking the time to help me out here.

Jeroen
