1885 Views, 9 Helpful, 26 Replies

Pix 515E cannot get the VPN client to work

sabrasystems
Level 1

Hi there,

I am having some difficulties configuring two things:

1. After a couple of hours of struggling to create a LAN-to-LAN tunnel, I finally got it to work. When I try to do the same for remote users using the Cisco VPN client, I only get error 412: the remote peer is no longer responding.

Client log:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6000

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002

Begin connection process

3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004

Establish secure connection

4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024

Attempt connection with server "82.94.31.134"

5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 82.94.31.134.

6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134

7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Attached is the config file from the PIX 515E.

2. I need to access RDP with port redirection, so when I access 82.x.x.x:4000 it translates to 192.168.1.50:3389. So far I'm not able to get this to work.

Any help would be greatly appreciated.

Regards,

Jeroen

Accepted Solution

Does this do the trick?

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400


26 Replies

acomiskey
Level 10

#1. Start by changing your VPN client pool to a different subnet; it should not be the same as your inside subnet.

ip local pool vpnclient 192.168.5.150-192.168.5.200

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

#2. If 82.x.x.x is your outside interface address then...

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

If it is another address then...

static (inside,outside) tcp 82.x.x.x 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

Thank you for the reply. I entered the commands as you told me, but I still cannot reach the terminal server on the other side. I know the terminal server is responding because I can access it across the working VPN tunnel.

Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM, when I cannot set one up in the Cisco client?

My config file:

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

access-list Internet_nat0_inbound extended permit ip any 192.168.0.0 255.255.255.0

access-list Internet_cryptomap_20 extended permit ip any 192.168.0.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.39.5.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 222 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging trap emergencies

logging asdm informational

logging class auth trap emergencies

mtu outside 1500

mtu inside 1500

ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 2 192.168.1.50

nat (outside) 0 access-list Internet_nat0_inbound outside

nat (inside) 0 access-list 222

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

"Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM, when I cannot set one up in the Cisco client?"

-Sure you can: under group authentication, you need the group name and password (password = pre-shared key).

"I entered the commands as you told me, but I still cannot reach the terminal server on the other side."

no static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

no static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

1: Oops, that's a dumb mistake. I keep getting the same error when connecting, though, even after changing the VPN client pool to 192.168.5.x.

I have done a reset to factory defaults so I would not get errors from earlier mistakes. Still, I cannot access the terminal server on port 4000 from another location.

My config file as of now:

asdm image flash:/asdm-501.bin

asdm history enable

: Saved

:

PIX Version 7.0(1)

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 82.94.x.x.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

enable password xxx

passwd xxx

hostname sabrapix

domain-name asp.local

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0

access-list VPNclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool clientpool 192.168.5.10-192.168.5.200 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy VPNclient internal

group-policy VPNclient attributes

dns-server value 194.109.6.66 194.109.9.99

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPNclient_splitTunnelAcl

username sabra password 9zpQIMMxEQ2QXgFd encrypted privilege 15

username jeroen password Q.HHDJ8rYk7zK0/K encrypted privilege 0

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server host outside 192.168.1.50 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.50-192.168.1.250 inside

dhcpd dns 194.109.6.66 194.109.9.99

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

tunnel-group VPNclient type ipsec-ra

tunnel-group VPNclient general-attributes

address-pool clientpool

default-group-policy VPNclient

tunnel-group VPNclient ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

"Still, I cannot access the terminal server on port 4000 from another location."

-Your ACL is not applied.

access-group outside_access_in in interface outside
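The three corrections acomiskey gives in this thread (client pool off the inside subnet, static with the mapped port before the real port, access-group actually applied) are easy to check mechanically before touching a production box. The Python script below is an added example, not part of the thread and not Cisco tooling: it lints a saved copy of a PIX 7.x running-config for exactly those points, and also checks that the group name typed into the client's group authentication matches a tunnel-group of type ipsec-ra on the PIX. The two embedded configs are constructed from the poster's excerpts: BROKEN_CONFIG reproduces his first version and FIXED_CONFIG applies the corrections; the function and constant names are this example's own.

```python
"""Lint a PIX 7.x running-config for the problems discussed in this thread.
Added example, not Cisco tooling; sample configs are constructed."""
import ipaddress
import re

# Constructed excerpt modelled on the poster's first config: pool inside the
# inside subnet, the static with its ports reversed, and an ACL that is
# defined but never applied with access-group.
BROKEN_CONFIG = """\
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0
access-list VPNclient_splitTunnelAcl standard permit any
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255
group-policy VPNclient attributes
 split-tunnel-network-list value VPNclient_splitTunnelAcl
tunnel-group VPNclient type ipsec-ra
"""

# The same config after the three corrections from the thread.
FIXED_CONFIG = (
    BROKEN_CONFIG
    .replace("ip local pool VPNclientpool 192.168.1.175-192.168.1.225",
             "ip local pool VPNclientpool 192.168.5.10-192.168.5.200")
    .replace("tcp interface 3389 192.168.1.50 4000",
             "tcp interface 4000 192.168.1.50 3389")
    + "access-group outside_access_in in interface outside\n"
)


def inside_subnets(config):
    """Networks of every interface whose nameif is 'inside'."""
    nets, current = [], None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = None
        elif s.startswith("nameif "):
            current = s.split()[1]
        elif s.startswith("ip address ") and current == "inside":
            _, _, addr, mask = s.split()[:4]
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def pool_overlaps(config):
    """(pool name, subnet) for each client pool whose range lands in an inside subnet."""
    hits = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        for net in inside_subnets(config):
            if first in net or last in net:
                hits.append((m.group(1), str(net)))
    return hits


# static (real_if,mapped_if) tcp mapped_addr mapped_port real_addr real_port netmask ...
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+) netmask")


def check_redirect(config, real_addr, real_port, mapped_port):
    """'ok' if a static exposes real_addr:real_port on mapped_port, 'reversed'
    if the two port numbers were swapped (the thread's mistake), else 'missing'."""
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m or m.group(6) != real_addr:
            continue
        mapped, real = int(m.group(5)), int(m.group(7))
        if (mapped, real) == (mapped_port, real_port):
            return "ok"
        if (mapped, real) == (real_port, mapped_port):
            return "reversed"
    return "missing"


USE_RE = re.compile(r"(?:access-group|access-list|match address|split-tunnel-network-list value) (\S+)")


def unapplied_acls(config):
    """ACL names defined by access-list but referenced nowhere (no access-group,
    nat 0, crypto-map match address, or split-tunnel list)."""
    defined, used = set(), set()
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("access-list "):
            defined.add(s.split()[1])
        else:
            used.update(USE_RE.findall(s))
    return defined - used


def tunnel_group_exists(config, group_name):
    """True if the client's group name exactly matches a remote-access tunnel-group."""
    wanted = f"tunnel-group {group_name} type ipsec-ra"
    return any(line.strip() == wanted for line in config.splitlines())


def report(config):
    """All findings as plain strings, in a stable order."""
    findings = [f"pool {n} overlaps inside subnet {net}" for n, net in pool_overlaps(config)]
    findings += [f"access-list {a} is never applied" for a in sorted(unapplied_acls(config))]
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, report(cfg), check_redirect(cfg, "192.168.1.50", 3389, 4000))
```

Run it against your own "show running-config" output by reading the file into a string and passing it to report() and check_redirect(); the static check only looks at the real host's address, so a redirect that exists but is attached to a different outside address still shows up as "missing" rather than being silently accepted.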

Great, that solved my redirect problem! Great!

The VPN client software is still not responding, though.

Client log is different:

16 17:23:17.952 06/07/07 Sev=Warning/2 IKE/0xE300009B

Invalid SPI size (PayloadNotify:116)

17 17:23:17.952 06/07/07 Sev=Info/4 IKE/0xE30000A6

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

18 17:23:17.952 06/07/07 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

19 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

20 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

21 17:23:23.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

22 17:23:23.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

23 17:23:23.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

24 17:23:23.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

25 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

26 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

27 17:23:28.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

28 17:23:28.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

29 17:23:28.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

30 17:23:28.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

31 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

32 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

33 17:23:33.072 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

34 17:23:33.072 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

35 17:23:33.075 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

36 17:23:33.075 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

37 17:23:38.038 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

38 17:23:39.035 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

39 17:23:39.035 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

40 17:23:39.035 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

41 17:23:39.040 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

42 17:23:39.040 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

43 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

44 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

46 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped
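The two client logs in this thread end with the same "DEL_REASON_PEER_NOT_RESPONDING", but they are not the same failure: in the first log nothing ever comes back from 82.94.31.134 and the responder cookie stays all zeros, while in the second the PIX does answer (a responder cookie is set and "Received ISAKMP packet" lines appear) and the negotiation then falls apart. The script below is an added example, not from the thread or from Cisco: it parses the VPN Client 5.x two-line log format and sorts a failed Phase 1 into "peer-silent" (look at reachability of UDP 500 and whether ISAKMP is enabled on the outside interface) or "peer-answered-negotiation-aborted" (the gateway is reachable, so the PIX-side "debug crypto isakmp" output is the right place to look next). The category names are this example's own; the embedded logs are abridged copies of the two logs posted above.

```python
"""Parse Cisco VPN Client 5.x log entries and classify a failed IKE Phase 1.
Added example for this thread; the categories are this example's own."""
import re
from dataclasses import dataclass

# Abridged copies of the two logs posted in the thread (same lines, fewer of them).
LOG_BEFORE_FIX = """\
6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134
9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

LOG_AFTER_FIX = """\
16 17:23:17.952 06/07/07 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
18 17:23:17.952 06/07/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
20 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134
21 17:23:23.043 06/07/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 82.94.31.134
22 17:23:23.043 06/07/07 Sev=Warning/2 IKE/0xE300009B
Fragmented msg rcvd with no associated SA (PacketReceiver:133)
37 17:23:38.038 06/07/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING
39 17:23:39.035 06/07/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# "<seq> <time> <date> Sev=<level>/<n> <component>/<hex code>"
HEADER_RE = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
COOKIE_RE = re.compile(r"R_Cookie=([0-9A-F]{16})")
REASON_RE = re.compile(r'Unable to establish Phase 1 SA with server "([^"]+)" because of "([^"]+)"')


@dataclass
class Entry:
    seq: int
    time: str
    severity: str
    component: str
    code: str
    message: str


def parse_log(text):
    """Each entry is a header line followed by one message line; blank lines
    and the client banner (which matches no header) are skipped."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = m
        elif pending:
            entries.append(Entry(int(pending.group(1)), pending.group(2), pending.group(4),
                                 pending.group(6), pending.group(7), line))
            pending = None
    return entries


def responder_cookies(entries):
    """Responder cookies seen in SA deletion lines; all zeros means no reply ever came."""
    cookies = set()
    for e in entries:
        m = COOKIE_RE.search(e.message)
        if m:
            cookies.add(m.group(1))
    return cookies


def failure_reason(entries):
    """(server, reason) from the CM summary line, or None if Phase 1 did not fail."""
    for e in entries:
        m = REASON_RE.search(e.message)
        if m:
            return m.group(1), m.group(2)
    return None


def diagnose(entries):
    """Classify a failed aggressive-mode Phase 1 from the client's point of view."""
    sent = any("SENDING" in e.message and "ISAKMP OAK AG" in e.message for e in entries)
    received = any(e.message.startswith("Received ISAKMP packet") for e in entries)
    ike_warnings = any(e.component == "IKE" and e.severity == "Warning" for e in entries)
    if not sent:
        return "no-aggressive-mode-attempt"
    if not received and responder_cookies(entries) <= {"0" * 16}:
        return "peer-silent"
    if received or ike_warnings:
        return "peer-answered-negotiation-aborted"
    return "unclassified"


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE_FIX), ("after", LOG_AFTER_FIX)):
        entries = parse_log(log)
        print(label, diagnose(entries), failure_reason(entries), responder_cookies(entries))
```

To use it on a full client log, paste the whole file into parse_log(); the banner lines at the top are ignored because they do not match the entry header, and the responder cookie is read from the "Marking IKE SA for deletion" line, which the client writes on every failed attempt.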

Can you log on to the PIX? Are you getting prompted for username/password?

I don't have an ASA, I have a PIX 515E. I thought I did not need an ASA to use the VPN client?

I don't get a message prompting me for a username and password. I just get the message: Reason 412: the remote peer is no longer responding.

(edit: you changed it already... I was getting worried there :))

Ya, my mistake. So can you log on to the PIX?

debug crypto isakmp

I can execute the command, but it gave no output, just the prompt again.

Are you on console or telnet/SSH? Try this, then try the client; you should receive ISAKMP debugging info.

logging monitor debugging

or

logging console debugging

Thanks for your patience.

I entered the commands successfully, but the debugging command still gives no output.

Not in HyperTerminal and not through telnet.

Does this mean there is no communication going from here to the PIX? I'll try again at home in a couple of minutes.

Thanks again.

"Does this mean there is no communication going from here to the PIX?"

That's what it sounds like. You are coming from the outside of the PIX, right?

Yes, I'm connecting from another place, and using the same IP address to connect to. Now I tried it from another connection with different hardware, but I still get no debugging information.

I should mention that I am using Vista to connect, but I am using version 5 of the client, which should be compatible. Also, I disabled the firewall. Everything else seems to be working just fine.

When I tried again it gave me this:

sabrapix(config)# Jun 07 17:04:48 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:54 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:59 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:05:04 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
