Remote VPN with certificate authentication

Unanswered Question
Apr 11th, 2009

Hi,

I have a PIX on which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement remote VPN with certificate authentication.


I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the certificate enrolled in my PIX. Now I have generated a certificate for a user, and when I try to connect after importing the certificate into the VPN client, I see the following error:


ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0


ISAKMP: larval sa found

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0


ISAKMP: larval sa found




Please guide me in this. I am not sure whether this is an error in my PIX configuration or in my Certificate server.

Ivan Martinon Mon, 04/13/2009 - 07:09
User Badges: Cisco Employee

Can you post your pix config along with the "show crypto ca cert" from it?

ribin.jones Tue, 04/14/2009 - 06:04

Here is my config:


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password NuLKvvWGg.x9HEKO encrypted

passwd NuLKvvWGg.x9HEKO encrypted

hostname pixfirewall

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside aa.bb.cc.210 255.255.255.224

ip address inside x.y.z.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool x.y.z.101-x.y.z.103

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 aa.bb.cc.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 8 set transform-set myset

crypto map mymap 8 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

vpngroup corpit address-pool testpool

vpngroup corpit dns-server x.y.z.5

vpngroup corpit split-tunnel 101

vpngroup corpit idle-time 1800

ca identity corpit x.y.z.70:/certsrv/mscep/mscep.dll

ca configure corpit ra 1 20 crloptional

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:fb499613d4493e07e34d4b6a63818c45

: end



Here is my sh cry ca cert output:


pixfirewall(config)# sh cry ca cert

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 61319878000000000005

Key Usage: Encryption

EA = [email protected]

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011


CA Certificate

Status: Available

Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f

Key Usage: Signature

CN = corpit

DC = revenuemed

DC = net

Validity Date:

start date: 17:49:06 UTC Apr 10 2009


RA Signature Certificate

Status: Available

Certificate Serial Number: 61319607000000000004

Key Usage: Signature

EA = [email protected]

CN = IT

OU = MIS

O = Revenuemed

L = Trivandrum

ST = Kerala

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011


Certificate

Status: Available

Certificate Serial Number: 6132fc9c000000000006

Key Usage: General Purpose

Subject Name:

CN = pixfirewall.example.com

UNSTRUCTURED NAME = pixfirewall.example.com

Validity Date:

start date: 18:50:02 UTC Apr 10 2009

end date: 18:50:02 UTC Apr 10 2011




Please note that I am able to get the VPN connected using the pre-shared key method with this config by adding the lines below:


isakmp policy 8 authentication pre-share

vpngroup corpit password ********


Thanks

ribin.jones Tue, 04/14/2009 - 06:05

In fact, this is my sh cry ca cert output:


pixfirewall(config)# sh cry ca cert

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 61319878000000000005

Key Usage: Encryption

EA = [email protected]

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011


CA Certificate

Status: Available

Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f

Key Usage: Signature

CN = corpit

DC = revenuemed

DC = net

Validity Date:

start date: 17:49:06 UTC Apr 10 2009


RA Signature Certificate

Status: Available

Certificate Serial Number: 61319607000000000004

Key Usage: Signature

EA = [email protected]

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011


Certificate

Status: Available

Certificate Serial Number: 6132fc9c000000000006

Key Usage: General Purpose

Subject Name:

CN = pixfirewall.example.com

UNSTRUCTURED NAME = pixfirewall.example.com

Validity Date:

start date: 18:50:02 UTC Apr 10 2009

end date: 18:50:02 UTC Apr 10 2011


Ivan Martinon Tue, 04/14/2009 - 06:30
User Badges: Cisco Employee

Well, it looks good. On the IKE debugs it seems to find no IKE policy that matches, so it never gets to the cert authentication. I wonder if you have to use a higher level of encryption? Do you know if your PIX has 3des enabled? Can you add another isakmp policy with 3des, md5 and rsa-sig? If not, then let's go ahead and enable isakmp and crypto ca debugging.
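An added example, not code from the thread or from Cisco: a small Python checker that reads the "Checking ISAKMP transform N against priority P policy" blocks from the PIX debug output and the "isakmp policy P ..." lines from the running config, and reports which attributes disagree for each proposal (here, policy 8 allows only des and group 2 while the client proposes AES with groups 5 and 2). The sample debug and config text are constructed to mirror what was posted; the PIX policy defaults and the treatment of the XAUTH ("extended auth") variant as the same base method are assumptions, and lifetime is deliberately not compared because the responder accepts a longer proposed lifetime and announces its own via RESPONDER-LIFETIME.

```python
"""Explain why a PIX 6.3 rejected each IKE Phase 1 proposal, by comparing the
'Checking ISAKMP transform' blocks of 'debug crypto isakmp' with the
'isakmp policy' lines of the running config."""
import re

# Constructed sample, shaped like the PIX debug posted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# Constructed sample matching the single policy in the first config posted.
SAMPLE_CONFIG = """\
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
"""

# Assumed PIX 6.3 defaults for attributes a policy does not set explicitly.
POLICY_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}
# Debug wording for the authentication method -> config keyword.
AUTH_NAMES = {"RSA sig": "rsa-sig", "pre-share": "pre-share"}

TRANSFORM_RE = re.compile(
    r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(
    r"ISAKMP:\s+(?:default )?(encryption|hash|group|keylength|(?:extended )?auth)\s+(?:of )?(.+)")


def parse_policies(config):
    """Return {priority: {attribute: value}} for every isakmp policy line."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        prio, attr, value = int(m.group(1)), m.group(2), m.group(3)
        policies.setdefault(prio, dict(POLICY_DEFAULTS))[attr] = value
    return policies


def _normalise(raw):
    """Map debug vocabulary (AES-CBC + keylength, 'RSA sig') onto config keywords."""
    enc = raw.get("encryption", "").upper()
    if enc.startswith("AES"):
        encryption = {"192": "aes-192", "256": "aes-256"}.get(raw.get("keylength"), "aes")
    else:
        encryption = enc.lower().replace("-cbc", "")  # DES-CBC -> des, 3DES-CBC -> 3des
    method = re.sub(r"\s*\(init\)$", "", raw.get("auth", ""))
    return {"encryption": encryption,
            "hash": raw.get("hash", "").lower(),
            "group": raw.get("group", ""),
            "authentication": AUTH_NAMES.get(method, method.lower())}


def parse_transforms(debug):
    """Return one proposal dict per 'Checking ISAKMP transform' block."""
    proposals, current = [], None
    for line in debug.splitlines():
        m = TRANSFORM_RE.match(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "raw": {}}
            proposals.append(current)
            continue
        m = ATTR_RE.match(line) if current else None
        if m:  # 'auth' and 'extended auth' both carry the base method name
            current["raw"][m.group(1).split()[-1]] = m.group(2)
    for p in proposals:
        p.update(_normalise(p.pop("raw")))
    return proposals


def mismatches(proposal, policy):
    """[(attribute, proposed, configured)] for each attribute that disagrees."""
    return [(a, proposal[a], policy[a])
            for a in ("encryption", "hash", "group", "authentication") if proposal[a] != policy[a]]


def explain(debug, config):
    """Map transform number -> mismatches against the policy it was checked against."""
    policies = parse_policies(config)
    return {p["transform"]: mismatches(p, policies.get(p["policy"], POLICY_DEFAULTS))
            for p in parse_transforms(debug)}


def accepting_policy(proposal, priority):
    """Config lines for a policy that would accept this proposal (platform permitting)."""
    return [f"isakmp policy {priority} {a} {proposal[a]}"
            for a in ("authentication", "encryption", "hash", "group")]


if __name__ == "__main__":
    for num, diffs in explain(SAMPLE_DEBUG, SAMPLE_CONFIG).items():
        print(num, "acceptable" if not diffs else ["%s: proposed %s, configured %s" % d for d in diffs])
```

Whether the PIX can actually run a policy that accepting_policy prints depends on the platform and licence, which is exactly what the 3DES question above is probing.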

ribin.jones Tue, 04/14/2009 - 07:24

Hi Martinon,


Thanks for the response.


I will add another isakmp policy with 3des md5 and rsa-sig.

In fact, my testing scenario has been dismantled due to some rearrangements at my office. I will get back once I am done with the testing scenario again.

ribin.jones Tue, 04/14/2009 - 09:33

Hi,

I will split my post into 3 and send.


Here is my PIX config:


sh run

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password NuLKvvWGg.x9HEKO encrypted

passwd NuLKvvWGg.x9HEKO encrypted

hostname pixfirewall

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xx.yy.zz210 255.255.255.224

ip address inside 192.168.26.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool 192.168.26.101-192.168.26.103

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 xx.yy.zz193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

isakmp enable outside

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup corpit address-pool testpool

vpngroup corpit dns-server 192.168.25.5

vpngroup corpit split-tunnel 101

vpngroup corpit idle-time 1800


ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll

ca configure corpit ra 1 20 crloptional

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:8af7fc6de4add41af1277fec264db3ea

: end


ribin.jones Tue, 04/14/2009 - 09:35

Below are the debugs I receive in the PIX when I try to connect:


crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0


ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISAKMP: Deleting peer node for xx.yy.zz196

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196


ISADB: reaper checking SA 0x93b934, conn_id = 0

ISAKMP (0): SA has been authenticated


ISAKMP: Created a peer struct for xx.yy.zz196, peer port 38919

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 27

ISAKMP (0): Total payload length: 31

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISADB: reaper checking SA 0x93b934, conn_id = 0 DELETE IT!


VPN Peer:ISAKMP: Peer Info for xx.yy.zz196/1944 not found - peers:0

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196




ribin.jones Tue, 04/14/2009 - 09:40

Here is the output from my VPN client when I try to connect:


Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3


397 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


398 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


399 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


400 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


402 22:56:28.548 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


403 22:56:28.720 04/14/09 Sev=Info/4 CM/0x63100002

Begin connection process


404 22:56:28.705 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


405 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100004

Establish secure connection


406 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "xx.yy.zz210"


407 22:56:28.736 04/14/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with xx.yy.zz210.


408 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


409 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


410 22:56:28.923 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


411 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation


412 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210


413 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started


414 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


415 22:56:29.471 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


416 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210


417 22:56:29.471 04/14/09 Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful


418 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210


419 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


420 22:56:30.080 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210


421 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH


422 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports DPD


423 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer


424 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x00000025


425 22:56:30.283 04/14/09 Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.


426 22:56:31.002 04/14/09 Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 128.


427 22:56:31.002 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210


428 22:56:31.440 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


429 22:56:31.440 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from xx.yy.zz210


430 22:56:31.612 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.

ribin.jones Tue, 04/14/2009 - 09:40

431 22:56:31.612 04/14/09 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x0798, Remote Port = 0x01F4


432 22:56:31.612 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


434 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005E

Client sending a firewall request to concentrator


435 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005D

Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).


436 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.yy.zz210


437 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


438 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.yy.zz210


439 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000


440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023

No private IP address was assigned by the peer


441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)


442 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED


443 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210


444 22:56:34.910 04/14/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED


445 22:56:34.910 04/14/09 Sev=Info/4 CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


446 22:56:34.910 04/14/09 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv


447 22:56:34.925 04/14/09 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.


448 22:56:34.925 04/14/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection


449 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


450 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


451 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


452 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped



I see "Negotiating Security Policies" and then it shows "Not Connected".

Ivan Martinon Tue, 04/14/2009 - 09:46
User Badges: Cisco Employee

Well, we got some progress. The fact that you got that on your client means that phase 1 IKE and cert validation have passed (did this show after using 3des?). In our case, the problem lies in the pix not assigning an ip address to the vpn client:


440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023

No private IP address was assigned by the peer


441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)


One more question for you: your vpn client cert has the ou equal to the pix vpngroup name, right? Can you paste a screenshot of the cert details on your client? Can you please go ahead and re-enter the line where the pool is defined on your pix?

ribin.jones Tue, 04/14/2009 - 10:21

Hi,

Yes we made this progress after using 3des. Thanks for that.


Further details:

CN = corpit

DC = revenuemed

DC = net


Earlier, when I checked my certificate, I saw the OU as MIS (but the vpngroup I mentioned was corpit). So I changed the vpngroup to MIS in the PIX configuration.


Now I get the logs below in the vpn client when I try to connect.


Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3


92 23:50:43.367 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


93 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


94 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


95 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


96 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


97 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


98 23:50:43.571 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


99 23:50:43.586 04/14/09 Sev=Info/4 CM/0x63100002

Begin connection process


100 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100004

Establish secure connection


101 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "220.227.79.210"


102 23:50:43.602 04/14/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 220.227.79.210.


103 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


104 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


105 23:50:43.821 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


106 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation


107 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 220.227.79.210


108 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started


109 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


110 23:50:44.352 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


111 23:50:44.352 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA) from 220.227.79.210


112 23:50:44.367 04/14/09 Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful


113 23:50:44.367 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 220.227.79.210


114 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


115 23:50:44.977 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 220.227.79.210


116 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH



ribin.jones Tue, 04/14/2009 - 10:21

117 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports DPD


118 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer


119 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x00000025


120 23:50:45.180 04/14/09 Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.


121 23:50:45.571 04/14/09 Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 128.


122 23:50:45.571 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 220.227.79.210


123 23:50:46.024 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


124 23:50:46.024 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 220.227.79.210


125 23:50:46.196 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.


126 23:50:46.196 04/14/09 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x0926, Remote Port = 0x01F4


127 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system


128 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system


129 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005E

Client sending a firewall request to concentrator


130 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005D

Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).


131 23:50:46.211 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 220.227.79.210


132 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


133 23:50:46.243 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 220.227.79.210


134 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.26.101


135 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.25.5


136 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015

MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data


137 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015

MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data


138 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000


139 23:50:46.243 04/14/09 Sev=Info/4 CM/0x63100019

Mode Config data received


140 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 192.168.26.101, GW IP = 220.227.79.210, Remote IP = 0.0.0.0


141 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 220.227.79.210


142 23:50:46.336 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


143 23:50:46.336 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 220.227.79.210


ribin.jones Tue, 04/14/2009 - 10:22

144 23:50:46.336 04/14/09 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)


145 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


146 23:50:46.383 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 220.227.79.210


147 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds


148 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000047

This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now


149 23:50:46.790 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


150 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


151 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210


152 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


153 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210


154 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


155 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210


156 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=ED9273A7


157 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 220.227.79.210


158 23:51:06.292 04/14/09 Sev=Info/6 IKE/0x6300003D

Sending DPD request to 220.227.79.210, our seq# = 1330055753


159 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210


160 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000049

Discarding IPsec SA negotiation, MsgID=ED9273A7


161 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210


162 23:51:06.354 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 220.227.79.210


163 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x63000040

Received DPD ACK from 220.227.79.210, seq# received = 1330055753, seq# expected = 1330055753


164 23:51:15.089 04/14/09 Sev=Info/6 GUI/0x63B0000D

Disconnecting VPN connection.


165 23:51:15.089 04/14/09 Sev=Info/4 CM/0x63100009

Abort connection attempt before first Phase 2 SA is up


166 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection


167 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB


168 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210


169 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB


170 23:51:15.089 04/14/09 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv


171 23:51:15.121 04/14/09 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.


172 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


173 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


174 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


175 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped


I see QM_IDLE in the PIX for some time when I try to connect, but after some seconds I get a "Not connected" message in the client and there is no VPN either.


Ivan Martinon Tue, 04/14/2009 - 10:26
User Badges:
  • Cisco Employee,

Try setting the transform set to 3des to see if that changes something; also go ahead and enable debug crypto ipsec on the PIX.

ribin.jones Tue, 04/14/2009 - 10:35
User Badges:

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0


ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

OAK_MM exchange

ribin.jones Tue, 04/14/2009 - 10:35
User Badges:

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196


ISADB: reaper checking SA 0x93b934, conn_id = 0

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz196/2400 Total VPN Peers:1

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x8c1582b1

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet



pixfirewall(config)#

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response



pixfirewall(config)#

sh cry isak sa


Total : 1


Embryonic : 0


dst src state pending created


xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0



pixfirewall(config)#

ISAKMP: Deleting peer node for xx.yy.zz196

ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x8c1582b1

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 2150370680

ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz196

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 1102687326, spi size = 4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP


return status is IKMP_NO_ERR_NO_TRANS



pixfirewall(config)# sh cry isak sa


Total : 1


Embryonic : 0


dst src state pending created


xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0



pixfirewall(config)#

ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8c1582b1



pixfirewall(config)#



pixfirewall(config)# sh cry isak sa


Total : 1


Embryonic : 0


dst src state pending created


xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0



pixfirewall(config)# sh cry isak sa


Total : 1


Embryonic : 0


dst src state pending created


xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0



pixfirewall(config)#

ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x8c1582b1

ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x8c1582b1



These are the debug outputs. I did change the transform set to 3des.

ribin.jones Tue, 04/14/2009 - 10:38
User Badges:

QM_IDLE will be there during the time vpn client tries to connect. But when the vpn client stops connecting, the status also vanishes.

Ivan Martinon Tue, 04/14/2009 - 10:40
User Badges:
  • Cisco Employee,

OK, go ahead and set isakmp identity hostname, try the connection again and get the client and PIX debugs. It is odd; are you getting an IP address now on the VPN client?

ribin.jones Tue, 04/14/2009 - 10:55
User Badges:

Tried that too... Still the same :(


Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3


594 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


595 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


596 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


597 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


598 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


599 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


600 00:28:01.385 04/15/09 Sev=Info/4 CM/0x63100002

Begin connection process


601 00:28:01.369 04/15/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


602 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100004

Establish secure connection


603 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "xx.yy.zz210"


604 00:28:01.401 04/15/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with xx.yy.zz210.


605 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.


606 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.


607 00:28:01.604 04/15/09 Sev=Info/4 CERT/0x63600015

Cert (e=[email protected],cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.


608 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation


609 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210


610 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started


611 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


612 00:28:02.151 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


613 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210


614 00:28:02.151 04/15/09 Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful


615 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210


616 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


617 00:28:02.760 04/15/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210


618 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH


619 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001

Peer supports DPD


620 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer


621 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x00000025


622 00:28:02.963 04/15/09 Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.






ribin.jones Tue, 04/14/2009 - 10:57
User Badges:

623 00:28:03.323 04/15/09 Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 128.


624 00:28:03.323 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210


625 00:28:03.760 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


642 00:28:03.979 04/15/09 Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 192.168.26.101, GW IP = xx.yy.zz210, Remote IP = 0.0.0.0


643 00:28:03.995 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.yy.zz210


644 00:28:04.010 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


645 00:28:04.010 04/15/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xx.yy.zz210


646 00:28:04.010 04/15/09 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)


647 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


648 00:28:04.135 04/15/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.yy.zz210


649 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds


650 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000047

This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now


651 00:28:04.729 04/15/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys


652 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


653 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210


654 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


655 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210


656 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!


657 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210


658 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=5351C90A


659 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.yy.zz210


660 00:28:24.230 04/15/09 Sev=Info/6 IKE/0x6300003D

Sending DPD request to xx.yy.zz210, our seq# = 3357021916


661 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210


662 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000049

Discarding IPsec SA negotiation, MsgID=5351C90A


663 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210


664 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xx.yy.zz210


665 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x63000040

Received DPD ACK from xx.yy.zz210, seq# received = 3357021916, seq# expected = 3357021916




ribin.jones Tue, 04/14/2009 - 10:59
User Badges:

Here's the PIX debug:


ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz.196/2424 Total VPN Peers:1

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP (0): processing NOTIFY payload 36136 protocol 1

spi 0, message ID = 279173772

ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz.196

ISAKMP (0): sending NOTIFY message 36137 protocol 1

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5351c90a

crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 3360745975, spi size = 4IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP


return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5351c90a

ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5351c90a

ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5351c90a

Ivan Martinon Tue, 04/14/2009 - 11:01
User Badges:
  • Cisco Employee,

OK, retransmitting phase 2; at some point we have a problem with that. Can you post the updated config?

ribin.jones Tue, 04/14/2009 - 11:04
User Badges:

Here it is:


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password muey1LSLfnm8Zvwy encrypted

passwd NuLKvvWGg.x9HEKO encrypted

hostname pixfirewall

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xx.yy.zz.210 255.255.255.224

ip address inside 192.168.26.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool 192.168.26.101-192.168.26.103

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 xx.yy.zz.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 :00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

isakmp enable outside

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup MIS address-pool testpool


vpngroup MIS dns-server 192.168.25.5

vpngroup MIS split-tunnel 101

vpngroup MIS idle-time 1800

ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll

ca configure corpit ra 1 20 crloptional

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:21774c7ce193983f02afee4a827674da

: end



Ivan Martinon Tue, 04/14/2009 - 11:06
User Badges:
  • Cisco Employee,

Lol, we are missing the crypto map on the interface:


crypto map mymap interface outside


add it and try again.
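As an added example (not code from the thread or from Cisco), the two checks a practitioner would script over the artefacts posted above: it parses the PIX "debug crypto isakmp" transform blocks and reports, attribute by attribute, why each AES proposal was rejected against isakmp policy 10, and it lints the posted config for the missing "crypto map mymap interface outside" binding that the phase-2 retransmissions pointed to. The debug excerpt (transforms 1 and 8) and the config lines are constructed from the thread; treating the client's "extended auth RSA sig (init)" as satisfying an rsa-sig policy is an assumption.

```python
import re

# Constructed from the thread: two of the nine transforms the VPN client proposed
# (PIX "debug crypto isakmp") and crypto lines of the posted PIX 6.3(5) config.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
"""
PIX_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

def parse_policies(config):
    """{priority: {attribute: value}} from the 'isakmp policy N attr value' lines."""
    policies = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        policies.setdefault(int(prio), {})[attr] = val
    return policies

def parse_transforms(debug):
    """Transforms the client proposed, with attributes normalised to PIX config keywords."""
    transforms, cur = [], None
    for line in debug.splitlines():
        m = re.match(r"ISAKMP \(0\): Checking ISAKMP transform (\d+) against priority (\d+)", line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2))}
            transforms.append(cur)
        elif cur is None:
            continue
        elif line.startswith("ISAKMP: encryption "):
            cur["encryption"] = line.split()[2].split("-")[0].lower()  # 'AES-CBC' -> 'aes'
        elif line.startswith("ISAKMP: keylength of "):
            keylen = int(line.split()[-1])  # PIX spells 256-bit AES 'aes-256', 128-bit 'aes'
            if cur.get("encryption") == "aes" and keylen != 128:
                cur["encryption"] = "aes-%d" % keylen
        elif line.startswith("ISAKMP: hash "):
            cur["hash"] = line.split()[-1].lower()
        elif line.startswith("ISAKMP: default group "):
            cur["group"] = line.split()[-1]
        elif "auth RSA sig" in line:
            # Assumption: 'extended auth RSA sig (init)', the client's XAUTH flavour,
            # satisfies a policy configured with 'authentication rsa-sig' just as plain rsa-sig does.
            cur["authentication"] = "rsa-sig"
    return transforms

def explain_rejection(transform, policies):
    """Attributes on which a transform differs from the policy it was checked against."""
    policy = policies[transform["priority"]]
    return ["%s: proposed %s, policy %s" % (k, transform.get(k), policy.get(k))
            for k in ("encryption", "hash", "group", "authentication")
            if transform.get(k) != policy.get(k)]

def check_crypto_map_binding(config):
    """Crypto maps with ipsec-isakmp entries that are never applied to an interface."""
    maps = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface \S+$", config, re.M))
    return ["crypto map %s is never applied: add 'crypto map %s interface <if>'" % (n, n)
            for n in sorted(maps - bound)]
```

Run explain_rejection over parse_transforms(PIX_DEBUG) to see that transform 8 fails only on encryption (aes-256 vs 3des), and check_crypto_map_binding(PIX_CONFIG) to see the unapplied crypto map; appending the "crypto map mymap interface outside" line clears that finding.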

ribin.jones Tue, 04/14/2009 - 11:13
User Badges:

Martinon,


When I am connected to this VPN, though we have given split tunneling, my internet is not working. Any thoughts?

ribin.jones Thu, 04/16/2009 - 07:25
User Badges:

Hi Ivan,


I applied split tunnelling again, and I get internet access now. But though my VPN client is connected, I can't ping or access any internal network.


In "Route details" of vpn client tab, I see 192.168.0.0 under "secured routes" tab.

ribin.jones Thu, 04/16/2009 - 07:59
User Badges:

Hi,


I was missing the nat inside. It's fine now.


Thanks,

Ribin

ribin.jones Fri, 04/17/2009 - 04:39
User Badges:

I was wondering whether we can have remote VPN with both pre-shared key and certificate authentication at once on the PIX, so that some users can use a pre-shared key and others use a certificate to get connected?


Thanks,

Ribin

Ivan Martinon Fri, 04/17/2009 - 06:31
User Badges:
  • Cisco Employee,

Yes, as long as you add a second vpngroup with a preshared key and a second isakmp policy with pre-share authentication.
