VPN client issue

Unanswered Question
Jan 12th, 2009

Hi,

I am using PIX 7.0 and I have created an IPsec VPN and am trying to connect to it from my VPN Client 4.0.

The group authentication is working fine, but after that, for the user authorization, it is asking for a username and password.

Since we are not using any TACACS or RADIUS, is it possible to do the user authorization with a PIX local username and password?

Regards,

Vinoth

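As an added example, not taken from any reply in this thread: on PIX/ASA 7.x the second prompt the VPN Client shows is IKE Extended Authentication (Xauth), and which user database answers it is set per tunnel-group, so pointing the tunnel-group at the LOCAL database is the direct way to use local usernames and passwords. The group name vpn3000 and the pool RemoteVPNpool are the ones used in this thread; the user vpnuser1 and its password are constructed placeholders.

```cisco
! Added example configuration, not part of the original thread.
! A dedicated VPN user, so VPN logins are not tied to the device admin account.
! (vpnuser1 and the password are constructed placeholders.)
username vpnuser1 password REPLACE-WITH-STRONG-PASSWORD
username vpnuser1 attributes
 vpn-group-policy vpn3000
!
! The remote-access tunnel-group: keep the existing pool and group-policy,
! and tell the PIX to answer Xauth from its LOCAL user database.
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
 authentication-server-group LOCAL
```

After this, `show running-config tunnel-group vpn3000` should list `authentication-server-group LOCAL`, and a `debug crypto isakmp` during a client login should show the Xauth exchange succeeding against the local user. Two points a practitioner would check at the same time: first, `user-authentication enable` under the group-policy is the "individual user authentication" switch for hardware (Easy VPN) clients and does not by itself make the software client authenticate against the local database; second, the debug output later in this thread shows `Username = admin`, so it is worth giving remote users their own accounts rather than reusing the administrator login, which keeps VPN access attributable and keeps the management credential out of the VPN path.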
vinoth.kumar Mon, 01/12/2009 - 23:25

Hi,

Thanks for your reply

I tried to issue the command on my firewall, but I don't have that command listed:

(config)# vpngroup vpn3000 authe
(config)# vpngroup vpn3000 authentication-server ?
configure mode commands/options:
  WORD  The name of the IUA AAA server on the firewall headend
(config)# vpngroup vpn3000 authentication-server

Please guide me

vinoth.kumar Tue, 01/13/2009 - 01:44

Hi,

As requested, I am sending my config:

PIX Version 7.0(1)
names
!
interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address xxx.xx.2.3 255.255.255.224
!
interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address 192.168.193.1 255.255.255.0
!
interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address 10.108.1.3 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.0.0.0 10.108.1.252 255.255.255.252
ip local pool RemoteVPNpool 10.108.1.253-10.108.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xxx.2.8 192.168.193.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.2.1 1
route inside 10.0.0.0 255.0.0.0 10.108.1.1 1
route DMZ 10.108.1.23 255.255.255.255 10.108.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable
username admin password eY/fQXw7Ure8Qrz7 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TCVPN-OLY esp-3des esp-none
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet 10.0.0.0 255.0.0.0 DMZ
telnet 192.168.151.0 255.255.255.0 DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.193.5-192.168.193.200 inside
dhcpd dns 212.115.32.3 80.253.148.33
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Regards,

Vinu

vinoth.kumar Tue, 01/13/2009 - 04:02

Thanks for your reply. I entered the command; after that I ran debug crypto isakmp and it shows some errors:

TCNEW-FW# Jan 13 04:41:02 [IKEv1]: QM IsRekeyed old sa not found by addr
Jan 13 04:41:02 [IKEv1]: QM FSM error (P2 struct &0x20c59a0, mess id 0x2dea489f)
!
Jan 13 04:41:02 [IKEv1]: Group = vpn3000, Username = admin, IP = xx.xx.37.82,
Removing peer from correlator table failed, no match!

Regards,

vinoth.kumar Thu, 01/15/2009 - 03:53

Thanks for your information.

Now I am able to log in through the VPN Client.

I have a small question: is it possible to recover the VPN pre-shared keys on PIX 6.3(3), since we plan to put a new firewall in place of the existing one?

Thanks
