PIX Remote Access VPN

Unanswered Question
Jul 18th, 2008

Hi,


I have set up a PIX 515 running v803 for remote access from a VPN client. I currently have site-to-site VPNs which have been set up and work fine. Currently, when I connect using the VPN client (v5), although Phase 1 completes, Phase 2 does not; I just get IKE negotiation failed.


crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set pfs
crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA
crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap

crypto isakmp enable outside
crypto map vpnmap interface outside

group-policy client_vpn_access internal
group-policy client_vpn_access attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.1.1

tunnel-group client_vpn_access type remote-access
tunnel-group client_vpn_access general-attributes
 default-group-policy client_vpn_access
 address-pool client_vpn_access
tunnel-group client_vpn_access ipsec-attributes
 pre-shared-key presharedkey



#### Log from Cisco VPN Client v5 ####


445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED

545 21:46:40.379 07/18/08 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


Please can you help.


Thanks

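The client log above carries the whole diagnosis in three lines: Phase 1 established, then an informational exchange from the peer with NOTIFY:NO_PROPOSAL_CHOSEN, then the IKE SA torn down with DEL_REASON_IKE_NEG_FAILED. The following parser is an added example (not code from the original poster or from Cisco) that reads the Cisco VPN Client v5 log layout shown in the post (a header line, then the message on the next line), pulls out the notify type and the deletion reason, and turns them into a one-line triage hint. The sample log is constructed from the lines quoted in the thread; the hint texts are this example's own wording.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the Cisco VPN Client v5 layout quoted in the thread:
# one header line, then the message on the following line.
SAMPLE_LOG = """\
445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED
"""

# "<seq> <hh:mm:ss.ms> <mm/dd/yy> Sev=<name>/<level> <module>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
NOTIFY_RE = re.compile(r"NOTIFY:([A-Z_]+)")          # ISAKMP notify type sent by the peer
REASON_RE = re.compile(r"reason = (DEL_REASON_\w+)")  # client-side deletion reason


@dataclass
class Entry:
    seq: int
    module: str
    code: int
    message: str


def parse_client_log(text: str) -> List[Entry]:
    """Pair each header line with the next non-blank line as its message."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1
        message = lines[j] if j < len(lines) else ""
        entries.append(Entry(int(m["seq"]), m["module"], int(m["code"], 16), message))
        i = j + 1
    return entries


def diagnose(entries: List[Entry]) -> Dict[str, Optional[object]]:
    """Summarise where the negotiation stopped and why, from the parsed entries."""
    phase1_up = any("Established Phase 1 SA" in e.message for e in entries)
    notify: Optional[str] = None
    reason: Optional[str] = None
    for e in entries:
        m = NOTIFY_RE.search(e.message)
        if m:
            notify = m.group(1)
        m = REASON_RE.search(e.message)
        if m:
            reason = m.group(1)
    if phase1_up and notify == "NO_PROPOSAL_CHOSEN":
        hint = ("Phase 1 completed; the responder rejected every Phase 2 proposal, "
                "so compare the client's IPsec proposals with the responder's transform-sets and PFS setting")
    elif not phase1_up:
        hint = "Phase 1 never completed; compare isakmp policies and the pre-shared key"
    else:
        hint = "no known failure pattern in this log"
    return {"phase1_established": phase1_up, "peer_notify": notify,
            "delete_reason": reason, "hint": hint}


if __name__ == "__main__":
    for key, value in diagnose(parse_client_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a saved client log instead of SAMPLE_LOG to get the same summary; the value of the hint is that it separates a Phase 1 problem (policy or key) from a Phase 2 problem (transform-set or PFS), which is exactly the split the replies in this thread go on to make.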
srue Fri, 07/18/2008 - 19:02

please post your isakmp policies


sh run all isakmp

bjssccouser Sat, 07/19/2008 - 02:02

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 80
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


a.alekseev Sat, 07/19/2008 - 06:39

no crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5
no crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA
no crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5
no crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set pfs
crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA


and show me your transform-set ESP-3DES-SHA


bjssccouser Sat, 07/19/2008 - 11:28

Hi,


I have removed the dynamic crypto maps as above, which has resulted in the Cisco VPN client now connecting.


However, I had to also remove pfs as I am also using the PIX for L2TP/IPSEC VPN from a Windows client.


Could you explain why this wasn't working before? Shouldn't the VPN client have been presented with all the SA options and picked the one that suited it?


Thanks
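The closing question (doesn't the client get "all the SA options" and pick one?) has the roles reversed: in IKE the initiator offers a list of Phase 2 proposals and the responder chooses one of them, or answers NO_PROPOSAL_CHOSEN if none is acceptable. The following model is an added example, not the poster's or Cisco's code, and the selection rule it implements (walk dynamic-map entries in sequence order, accept the first initiator proposal whose transform matches and whose PFS handling is compatible) is a generic assumption for illustration, not a reproduction of PIX internals; it does not explain why the original multi-entry map failed, which the thread itself leaves open. The proposal lists for the Cisco client and the L2TP/IPsec peer are constructed; the point it shows is the one from the last post, that an entry with "set pfs" rejects a peer that offers no PFS at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    encryption: str   # e.g. "3des", "des"
    integrity: str    # e.g. "sha", "md5"


@dataclass(frozen=True)
class Proposal:
    """One Phase 2 (quick mode) proposal as the initiator offers it."""
    transform: Transform
    pfs_group: Optional[int]   # DH group from the KE payload; None when no PFS is offered


@dataclass(frozen=True)
class DynamicEntry:
    """One 'crypto dynamic-map <name> <seq>' entry on the responder (simplified model)."""
    seq: int
    transform_set: Transform
    pfs_required: bool


def select_phase2(entries: List[DynamicEntry],
                  proposals: List[Proposal]) -> Optional[Tuple[int, Proposal]]:
    """Assumed generic responder rule (not PIX internals): in sequence order, accept the
    first initiator proposal whose transform matches the entry and whose PFS handling is
    compatible. Returning None models the NO_PROPOSAL_CHOSEN notify seen in the client log."""
    for entry in sorted(entries, key=lambda e: e.seq):
        for p in proposals:
            if p.transform != entry.transform_set:
                continue
            if entry.pfs_required and p.pfs_group is None:
                continue   # responder demands PFS but the initiator sent no KE payload
            return entry.seq, p
    return None


ESP_3DES_SHA = Transform("3des", "sha")
ESP_3DES_MD5 = Transform("3des", "md5")


def scenarios() -> Dict[str, Optional[Tuple[int, Proposal]]]:
    # The map as left after a.alekseev's change: a single entry 50, with and without "set pfs".
    with_pfs = [DynamicEntry(50, ESP_3DES_SHA, pfs_required=True)]
    without_pfs = [DynamicEntry(50, ESP_3DES_SHA, pfs_required=False)]
    # Constructed proposal lists: the Cisco client offers PFS (group 2) with two transforms;
    # the L2TP/IPsec peer is modelled as offering 3DES/SHA with no PFS.
    cisco_client = [Proposal(ESP_3DES_SHA, 2), Proposal(ESP_3DES_MD5, 2)]
    l2tp_client = [Proposal(ESP_3DES_SHA, None)]
    return {
        "cisco_with_pfs": select_phase2(with_pfs, cisco_client),
        "l2tp_with_pfs": select_phase2(with_pfs, l2tp_client),      # None: no proposal chosen
        "l2tp_without_pfs": select_phase2(without_pfs, l2tp_client),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {'NO_PROPOSAL_CHOSEN' if result is None else result}")
```

Reading the three results together reproduces the poster's experience: the Cisco client negotiates against the PFS entry, the L2TP peer does not, and dropping "set pfs" lets both connect at the cost of giving up PFS for the Cisco client as well. A responder that must serve both kinds of peer would normally keep them on separate map entries or tunnel groups rather than lowering the setting for everyone.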
