vpn client not working puzzler

Unanswered Question
Sep 18th, 2008

I've got a Cisco PIX 501 and am trying to get the VPN client to work. When I run my debugs (debug crypto isakmp/ipsec) and try to log in with the client, it points me in the direction of not having the correct pool. Here is the config:

access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14
access-list Internet permit icmp any any echo-reply
access-list Internet permit icmp any any time-exceeded
access-list Internet permit icmp any any traceroute
access-list Internet permit udp any any eq isakmp
access-list Internet permit esp any any
access-list Internet permit tcp any host 10.1.1.1 eq smtp
access-list Internet permit tcp any host 10.1.1.1 eq https
access-list Internet permit tcp any host 10.1.1.1 eq www
access-list Internet permit tcp any host 10.1.1.1 eq 3389
access-list Internet permit tcp any host 10.1.1.6 eq ssh
access-list Internet permit tcp any host 10.1.1.1 eq 4125
access-list Internet permit tcp any host 10.1.1.1 eq www
access-list Internet deny ip any any log
access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
logging console notifications
logging buffered informational
mtu outside 1492
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool VPNPOOL 192.168.100.1-192.168.100.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.1.1.1 192.168.1.10 netmask 255.255.255.255 0 0
access-group Internet in interface outside
route outside 0.0.0.0 0.0.0.0 98.172.55.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer 10.1.1.1
crypto map VPN 10 set transform-set strong
crypto map VPN 65000 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
vpngroup VPN address-pool VPNPOOL
vpngroup VPN dns-server 192.168.1.104 192.168.2.5
vpngroup VPN default-domain
vpngroup VPN idle-time 1800
vpngroup VPN password
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
username vpnclient password ****** encrypted privilege 2
terminal width 80

singhsaju Thu, 09/18/2008 - 18:04

Hello,

Do the following and check.

no nat (inside) 0 access-list 10
nat (inside) 0 access-list NO-NAT-VPN

Also post the debugs to help us troubleshoot the problem.

Noticed that the outside interface has a 10.0.0.0 network IP address; can you explain how this device is connected to the internet?

HTH

Saju

Pls rate helpful posts
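
The NAT-exemption change Saju suggests can be checked mechanically rather than by eye. The Python script below is an added example, not code from this thread or from Cisco: it takes a constructed excerpt of the posted PIX 6.x config (only the lines the check needs), works out which access list `nat (inside) 0` references, and tests whether every address in the `ip local pool` range is reachable from the inside network through that list. The function names (`vpn_pool_exempt_from_nat`, `apply_nat0_acl`, `parse_ip_acls`) and the `PIX_CONFIG` constant are mine; the config lines inside it are copied from the question.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.x config posted in the question (only the
# lines this check needs); the real config has many more.
PIX_CONFIG = """\
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14
access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip local pool VPNPOOL 192.168.100.1-192.168.100.50
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
vpngroup VPN address-pool VPNPOOL
"""


def _take_addr(toks):
    """Consume one PIX address spec ('host A', 'any', or 'NET MASK') from a token list."""
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}"), toks[2:]


def parse_ip_acls(config):
    """{acl_name: [(src_net, dst_net), ...]} for 'access-list NAME permit ip ...' lines."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit ip (.+)", line)
        if not m:
            continue
        name, rest = m.groups()
        src, rest_toks = _take_addr(rest.split())
        dst, _ = _take_addr(rest_toks)
        acls.setdefault(name, []).append((src, dst))
    return acls


def vpn_pool_exempt_from_nat(config, pool_name="VPNPOOL", inside_if="inside"):
    """Report whether inside -> VPN-pool traffic is covered by the nat 0 access list.

    Anything not matched by nat 0 falls through to the next nat statement
    (here 'nat (inside) 1', PAT to the outside interface), which is what
    breaks return traffic to VPN clients.
    """
    m = re.search(rf"^nat \({inside_if}\) 0 access-list (\S+)", config, re.M)
    if not m:
        return {"acl": None, "exempt": False, "unexempted": []}
    acl = m.group(1)
    entries = parse_ip_acls(config).get(acl, [])

    ip, mask = re.search(rf"^ip address {inside_if} (\S+) (\S+)", config, re.M).groups()
    inside_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    lo, hi = re.search(rf"^ip local pool {pool_name} (\S+)-(\S+)", config, re.M).groups()
    pool_nets = ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))

    # A pool block is exempt if some ACL entry permits inside_net -> that block.
    unexempted = [str(n) for n in pool_nets
                  if not any(inside_net.subnet_of(src) and n.subnet_of(dst) for src, dst in entries)]
    return {"acl": acl, "exempt": not unexempted, "unexempted": unexempted}


def apply_nat0_acl(config, new_acl, inside_if="inside"):
    """Return the config with nat 0 on inside_if pointed at new_acl (the 'no nat ... / nat ...' change)."""
    return re.sub(rf"^nat \({inside_if}\) 0 access-list \S+",
                  f"nat ({inside_if}) 0 access-list {new_acl}", config, flags=re.M)


if __name__ == "__main__":
    print(vpn_pool_exempt_from_nat(PIX_CONFIG))
    print(vpn_pool_exempt_from_nat(apply_nat0_acl(PIX_CONFIG, "NO-NAT-VPN")))
```

With the original `nat (inside) 0 access-list 10`, nothing in 192.168.100.1-50 is exempted (access list 10 only names two 172.16.7.x hosts), so inside-to-client packets hit `nat (inside) 1`; after pointing nat 0 at NO-NAT-VPN the whole pool is covered.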

jasosan22 Fri, 09/19/2008 - 06:38

I changed the outside address to a non-routable (RFC 1918) address for security reasons.

jasosan22 Fri, 09/19/2008 - 08:23

Saju,

Thanks for your help I had done what you suggested and tried it again.

Here is the debug from the router (I have changed the outside address to 10.1.1.1 and the client address to 192.168.1.1 for security reasons):

1615Poydras-FW#
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 40 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
ISAKMP: error, msg not encrypted

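Reading nine "atts are not acceptable" blocks by hand is error-prone, and the useful question is which attribute of each client proposal failed against the PIX's `isakmp policy 40`. The Python script below is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the `debug crypto isakmp` output above (transforms 1, 2 and 9 of the nine) and the `isakmp policy 40` lines from the posted config, normalises the debug vocabulary (`AES-CBC` plus `keylength of 256` becomes the config keyword `aes-256`, `3DES-CBC` becomes `3des`) and reports, per transform, the attributes that differ. Two behaviours are assumptions about PIX 6.x phase-1 matching rather than facts from the page: a client's "extended auth pre-share" (XAUTH) proposal is treated as compatible with a policy that says `authentication pre-share`, and the client's proposed lifetime is reported but not counted as a mismatch, on the basis that the responder negotiates down to the shorter value. The policy defaults in `parse_policies` are likewise my assumption. All function and constant names are mine.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output pasted above:
# transforms 1, 2 and 9 of the nine the client offered, not the full capture.
ISAKMP_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 40 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
"""

# The PIX's phase-1 policy, copied from the config in the first post.
PIX_POLICY = """\
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
"""

# Assumed PIX 6.x defaults for attributes a policy does not set explicitly.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
                   "hash": "sha", "group": "1", "lifetime": "86400"}


def parse_policies(config):
    """{priority: {attribute: value}} from 'isakmp policy N ATTR VALUE' lines."""
    pols = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        prio, attr, val = int(m.group(1)), m.group(2), m.group(3)
        pols.setdefault(prio, dict(POLICY_DEFAULTS))[attr] = val
    return pols


def parse_transforms(debug):
    """One dict per 'Checking ISAKMP transform N' block, normalised to config keywords."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            cur = {"id": int(m.group(1)), "policy": int(m.group(2)), "xauth": False}
            transforms.append(cur)
            continue
        m = re.match(r"ISAKMP: (.+)", line)
        if cur is None or not m:
            continue
        body = m.group(1)
        if body.startswith("encryption "):
            cur["encryption"] = body.split()[1].lower().replace("-cbc", "")  # AES-CBC -> aes
        elif body.startswith("keylength of "):          # only AES carries a key length
            kl = body.split()[-1]
            cur["encryption"] = "aes" if kl == "128" else f"aes-{kl}"      # config keyword form
        elif body.startswith("hash "):
            cur["hash"] = body.split()[1].lower()
        elif body.startswith("default group "):
            cur["group"] = body.split()[-1]
        elif body.startswith("extended auth ") or body.startswith("auth "):
            cur["xauth"] = body.startswith("extended")  # XAUTH variant of the same method (assumed compatible)
            method = body.replace("extended auth ", "").replace("auth ", "").replace(" (init)", "")
            cur["authentication"] = {"pre-share": "pre-share", "RSA sig": "rsa-sig"}.get(method, method)
        elif body.startswith("life duration (VPI) of "):
            octets = [int(x, 16) for x in body.split("of ", 1)[1].split()]
            cur["lifetime"] = int.from_bytes(bytes(octets), "big")  # 0x0 0x20 0xc4 0x9b -> 2147483 s
    return transforms


def mismatches(transform, policy):
    """(attribute, client_value, policy_value) for every attribute that cannot match."""
    return [(a, transform.get(a), policy.get(a))
            for a in ("encryption", "hash", "group", "authentication")
            if transform.get(a) != policy.get(a)]


def explain(debug, config):
    """{transform_id: mismatch list} against the policy the debug says it was checked against."""
    pols = parse_policies(config)
    return {t["id"]: mismatches(t, pols[t["policy"]]) for t in parse_transforms(debug)}


if __name__ == "__main__":
    for tid, bad in explain(ISAKMP_DEBUG, PIX_POLICY).items():
        print(f"transform {tid}: " + (", ".join(f"{a} {c} != {p}" for a, c, p in bad) or "matches"))
```

Run against the pasted debug, the report shows that transforms 1-8 fail on encryption (the client offers AES; the policy only allows 3DES) and that transform 9, the only 3DES proposal in the capture, fails on the hash (SHA against `hash md5`). No transform in the capture offers 3DES with MD5, which is the combination policy 40 requires.
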
singhsaju Fri, 09/19/2008 - 08:38

"ISAKMP (0): atts are not acceptable"

Can you add the following policy and then check?

isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2

jasosan22 Fri, 09/19/2008 - 11:23

I had all of the crypto debugs on: isakmp, ipsec, ca, engine and vpnclient.
