VPN client issue

Jan 12th, 2009
I am using PIX 7.0. I have created an IPsec VPN and am trying to connect to it from my VPN Client 4.0.

The group authentication is working fine, but after that the user authorization asks for a username and password.

Since we are not using any TACACS or RADIUS, is it possible to use a PIX local username and password for user authorization?



vinoth.kumar Mon, 01/12/2009 - 23:25
Thanks for your reply.

I tried to issue the command on my firewall, but I don't have that command listed:

(config)# vpngroup vpn3000 authe
(config)# vpngroup vpn3000 authentication-server ?
configure mode commands/options:
  WORD  The name of the IUA AAA server on the firewall headend
(config)# vpngroup vpn3000 authentication-server

Please guide me.

vinoth.kumar Tue, 01/13/2009 - 01:44
As requested, I am sending my config:

PIX Version 7.0(1)
interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address xxx.xx.2.3
interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address
access-list 101 extended permit ip
ip local pool RemoteVPNpool
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1
static (inside,outside) xx.xxx.2.8 netmask
route outside xx.xx.2.1 1
route inside 1
route DMZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable
username admin password eY/fQXw7Ure8Qrz7 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TCVPN-OLY esp-3des esp-none
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet DMZ
telnet DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp


vinoth.kumar Tue, 01/13/2009 - 04:02
Thanks for your reply. I entered the command. After that I ran debug crypto isakmp, and it shows some errors:

TCNEW-FW# Jan 13 04:41:02 [IKEv1]: QM IsRekeyed old sa not found by addr
Jan 13 04:41:02 [IKEv1]: QM FSM error (P2 struct &0x20c59a0, mess id 0x2dea489f)
Jan 13 04:41:02 [IKEv1]: Group = vpn3000, Username = admin, IP = xx.xx.37.82, Removing peer from correlator table failed, no match!


vinoth.kumar Thu, 01/15/2009 - 03:53
Thanks for your information.

Now I am able to log in through the VPN Client.

I had a small question: is it possible to recover VPN pre-shared keys in PIX 6.3(3), since we planned to put in a new firewall in place of the existing one?


