09-18-2008 12:23 PM - edited 02-21-2020 03:57 PM
I've got a Cisco PIX 501 and am trying to get the VPN client to work. When I run my debugs (debug crypto isakmp/ipsec) and try to log in with the client, it points me in the direction of not having the correct pool. Here is the config:
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33
access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14
access-list Internet permit icmp any any echo-reply
access-list Internet permit icmp any any time-exceeded
access-list Internet permit icmp any any traceroute
access-list Internet permit udp any any eq isakmp
access-list Internet permit esp any any
access-list Internet permit tcp any host 10.1.1.1 eq smtp
access-list Internet permit tcp any host 10.1.1.1 eq https
access-list Internet permit tcp any host 10.1.1.1 eq www
access-list Internet permit tcp any host 10.1.1.1 eq 3389
access-list Internet permit tcp any host 10.1.1.6 eq ssh
access-list Internet permit tcp any host 10.1.1.1 eq 4125
access-list Internet permit tcp any host 10.1.1.1 eq www
access-list Internet deny ip any any log
access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
logging console notifications
logging buffered informational
mtu outside 1492
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.224
ip address inside 192.168.1.254 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action drop
ip local pool VPNPOOL 192.168.100.1-192.168.100.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 10
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.1.1.1 192.168.1.10 netmask 255.255.255.255 0 0
access-group Internet in interface outside
route outside 0.0.0.0 0.0.0.0 98.172.55.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto dynamic-map dynmap 40 set transform-set strong
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address 10
crypto map VPN 10 set peer 10.1.1.1
crypto map VPN 10 set transform-set strong
crypto map VPN 65000 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
isakmp enable outside
isakmp key ******** address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 3600
vpngroup VPN address-pool VPNPOOL
vpngroup VPN dns-server 192.168.1.104 192.168.2.5
vpngroup VPN default-domain
vpngroup VPN idle-time 1800
vpngroup VPN password
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
username vpnclient password ****** encrypted privilege 2
terminal width 80
09-18-2008 06:04 PM
Hello,
Do the following and check.
no nat (inside) 0 access-list 10
nat (inside) 0 access-list NO-NAT-VPN
Also post the debugs to help us troubleshoot the problem.
I noticed that the outside interface has a 10.0.0.0 network IP address; can you explain how this device is connected to the internet?
HTH
Saju
Pls rate helpful posts
09-19-2008 06:38 AM
I changed the outside address to a non-routable (RFC 1918) address for security reasons.
09-19-2008 08:23 AM
Saju,
Thanks for your help I had done what you suggested and tried it again.
Here is the debug from the router (I have changed the outside address to 10.1.1.1 and the client address to 192.168.1.1 for security reasons):
1615Poydras-FW#
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 40 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500
ISAKMP: error, msg not encrypted
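As an added example (not part of the thread), here is a small Python checker that parses this PIX "debug crypto isakmp" output and compares each transform the client proposes with the configured isakmp policy 40, attribute by attribute, so the reason behind each "atts are not acceptable" line is visible at a glance. The sample lines are a constructed excerpt of the debug above (transforms 1 and 9, lifetime lines omitted); policy 40 is taken from the posted config.

```python
import re

# Constructed excerpt of the "debug crypto isakmp" output posted in the thread.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 40 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP (0): atts are not acceptable.
"""

# isakmp policy 40 from the posted config (the suggested policy 50 has the same attributes).
POLICIES = {40: {"encryption": "3des", "hash": "md5", "group": "2", "authentication": "pre-share"}}

def parse_transforms(text):
    """Group debug lines into one attribute dict per proposed transform."""
    transforms, cur = [], {}
    for line in text.splitlines():
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line):
            cur = {"id": int(m.group(1))}
            transforms.append(cur)
        elif m := re.match(r"ISAKMP: encryption (\S+)", line):
            cur["encryption"] = m.group(1).lower().replace("-cbc", "")  # AES-CBC -> aes
        elif m := re.match(r"ISAKMP: hash (\S+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.match(r"ISAKMP: (?:default )?group (\d+)", line):
            cur["group"] = m.group(1)
        elif re.match(r"ISAKMP: (?:extended )?auth pre-share", line):
            cur["authentication"] = "pre-share"  # "extended" means the client also wants XAUTH
        elif m := re.match(r"ISAKMP: keylength of (\d+)", line):
            # PIX policy names: 128-bit AES is "aes", longer keys are "aes-192" / "aes-256".
            cur["encryption"] = "aes" if m.group(1) == "128" else f"aes-{m.group(1)}"
    return transforms

def mismatches(transform, policy):
    """Attributes on which a proposed transform differs from one configured policy."""
    return [k for k in ("encryption", "hash", "group", "authentication")
            if transform.get(k) != policy[k]]

def explain(text, policies=POLICIES):
    """Map transform id -> {policy id -> list of mismatched attributes}."""
    return {t["id"]: {pid: mismatches(t, pol) for pid, pol in policies.items()}
            for t in parse_transforms(text)}
```

On this excerpt, transform 1 is rejected on both encryption (AES-256) and hash (SHA), while transform 9 (3DES) differs from policy 40 only in the hash, which is the kind of detail the raw debug makes easy to miss.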
09-19-2008 08:38 AM
"ISAKMP (0): atts are not acceptable"
Can you add the following policy and then check?
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
09-19-2008 09:05 AM
Gave it a try but still isn't working.
09-19-2008 09:11 AM
What are the debugs now?
09-19-2008 09:28 AM
Also what's the version of vpn client?
09-19-2008 11:22 AM
5.0.00.0340. I have about 8 other clients working on it.
09-19-2008 11:23 AM
I had all of the crypto debugs on: isakmp, ipsec, ca, engine and vpnclient.