VPN client issue

vinoth.kumar
Level 1

Hi,

I am using PIX 7.0 and I have created an IPsec VPN and am trying to connect to it from my VPN Client 4.0.

The group authentication is working fine, but after that, for user authorization, it asks for a username and password.

Since we are not using any TACACS or RADIUS, is it possible to do user authorization with a PIX local username and password?

Regards,

Vinoth

9 Replies

andrew.prince
Level 10

Yes, it is possible: create a local username and password in the PIX, then in the VPN tunnel group add:

authentication-server-group local.

HTH>

Hi,

Thanks for your reply

I tried to issue the command on my firewall but I don't have that command listed:

(config)# vpngroup vpn3000 authe
(config)# vpngroup vpn3000 authentication-server ?
configure mode commands/options:
WORD The name of the IUA AAA server on the firewall headend
(config)# vpngroup vpn3000 authentication-server

Please guide me

Are you sure you are running code version 7.x? The config you posted looks to be in the wrong format for version 7.x.

Post the entire remote VPN config please.

Hi,

As requested, I am sending my config:

PIX Version 7.0(1)
names
!
interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address xxx.xx.2.3 255.255.255.224
!
interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address 192.168.193.1 255.255.255.0
!
interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address 10.108.1.3 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.0.0.0 10.108.1.252 255.255.255.252
ip local pool RemoteVPNpool 10.108.1.253-10.108.1.254
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) xx.xxx.2.8 192.168.193.5 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xx.xx.2.1 1
route inside 10.0.0.0 255.0.0.0 10.108.1.1 1
route DMZ 10.108.1.23 255.255.255.255 10.108.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable
username admin password eY/fQXw7Ure8Qrz7 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TCVPN-OLY esp-3des esp-none
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet 10.0.0.0 255.0.0.0 DMZ
telnet 192.168.151.0 255.255.255.0 DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.193.5-192.168.193.200 inside
dhcpd dns 212.115.32.3 80.253.148.33
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

Regards,

Vinu

Add the below:

tunnel-group vpn3000 ipsec-attributes
 authentication-server-group LOCAL

HTH>

Thanks for your reply. I entered the command; after that I ran debug crypto isakmp and it shows some errors:

TCNEW-FW# Jan 13 04:41:02 [IKEv1]: QM IsRekeyed old sa not found by addr
Jan 13 04:41:02 [IKEv1]: QM FSM error (P2 struct &0x20c59a0, mess id 0x2dea489f)
!
Jan 13 04:41:02 [IKEv1]: Group = vpn3000, Username = admin, IP = xx.xx.37.82, Removing peer from correlator table failed, no match!

Regards,

OK, that is a completely different error for a different reason. Checking more of your VPN config, you are missing the below:

crypto dynamic-map remote_vpn 10 set transform-set RVPN
crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn

Add the above and test again.
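Pulling the two fixes in this thread together (authentication-server-group LOCAL under the tunnel group, and a dynamic crypto map bound into the static map on the outside interface), here is an added Python check, not from the thread or from Cisco, that audits a PIX/ASA 7.x config text for a complete remote-access IPsec setup and, as a caveat, flags esp-none transform sets that carry no integrity protection. The sample config is constructed from the thread's lines with both fixes applied; the function names are assumptions.

```python
import re

# Constructed sample: the relevant lines of the thread's config after both
# of andrew.prince's fixes (LOCAL Xauth and the dynamic crypto map) are applied.
SAMPLE_CONFIG = """\
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto dynamic-map remote_vpn 10 set transform-set RVPN
crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn
crypto map mymap interface outside
isakmp enable outside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
 pre-shared-key *
 authentication-server-group LOCAL
"""

def section(lines, header):
    """Return the indented sub-commands that follow a config-mode header line."""
    body, inside = [], False
    for line in lines:
        if line == header:
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body

def audit_remote_access_vpn(config, group, interface="outside"):
    """Return a list of findings; an empty list means the remote-access VPN is wired up."""
    lines, findings = config.splitlines(), []
    if f"tunnel-group {group} type ipsec-ra" not in lines:
        findings.append(f"tunnel-group {group} is not of type ipsec-ra")
    # Fix 1: without an authentication-server-group, Xauth has no user database to consult.
    attrs = section(lines, f"tunnel-group {group} ipsec-attributes")
    if not any(l.startswith("authentication-server-group") for l in attrs):
        findings.append(f"tunnel-group {group}: no authentication-server-group (Xauth cannot look up users)")
    # Fix 2: clients have unknown peer addresses, so a dynamic map must exist and be
    # referenced from the static crypto map that is applied to the interface.
    transform_of = dict(re.findall(r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)$", config, re.M))
    bound = re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", config, re.M)
    applied = set(re.findall(rf"^crypto map (\S+) interface {interface}$", config, re.M))
    live_dyn = [d for m, d in bound if m in applied and d in transform_of]
    if not live_dyn:
        findings.append(f"no dynamic crypto map is reachable from a crypto map on {interface}")
    # Caveat: an esp-none transform set encrypts but does not authenticate the ESP payload.
    for d in live_dyn:
        if re.search(rf"^crypto ipsec transform-set {transform_of[d]} .*esp-none$", config, re.M):
            findings.append(f"dynamic map {d} uses transform-set {transform_of[d]} with no ESP integrity algorithm")
    return findings
```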

Thanks for your information.

Now I am able to log in through the VPN Client.

I have a small question: is it possible to recover VPN pre-shared keys in PIX 6.3(3), since we are planning to put a new firewall in place of the existing one?

Thanks

Copy the config from the PIX to a TFTP server:

write net <>:<>.txt

HTH>
