Remote VPN with certificate authentication

ribin.jones
Level 1

Hi,

I have a PIX on which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement the remote VPN with certificate authentication.

I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the PIX enrolled with a certificate. Then I generated a certificate for a user, and when I try to connect after importing the certificate into the VPN client, I see the following error:

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt

:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt

:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0

ISAKMP: larval sa found

Please guide me on this. I am not sure whether the error is in my PIX configuration or in my certificate server.


Ivan Martinon
Level 7

Can you post your pix config along with the "show crypto ca cert" from it?

Here is my config:

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password NuLKvvWGg.x9HEKO encrypted

passwd NuLKvvWGg.x9HEKO encrypted

hostname pixfirewall

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside aa.bb.cc.210 255.255.255.224

ip address inside x.y.z.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool x.y.z.101-x.y.z.103

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 aa.bb.cc.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 8 set transform-set myset

crypto map mymap 8 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

vpngroup corpit address-pool testpool

vpngroup corpit dns-server x.y.z.5

vpngroup corpit split-tunnel 101

vpngroup corpit idle-time 1800

ca identity corpit x.y.z.70:/certsrv/mscep/mscep.dll

ca configure corpit ra 1 20 crloptional

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:fb499613d4493e07e34d4b6a63818c45

: end

Here is my sh cry ca cert output:

pixfirewall(config)# sh cry ca cert

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 61319878000000000005

Key Usage: Encryption

EA = ribin.jones@rm.com

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011

CA Certificate

Status: Available

Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f

Key Usage: Signature

CN = corpit

DC = revenuemed

DC = net

Validity Date:

start date: 17:49:06 UTC Apr 10 2009

RA Signature Certificate

Status: Available

Certificate Serial Number: 61319607000000000004

Key Usage: Signature

EA = ribin.jones@rm.com

CN = IT

OU = MIS

O = Revenuemed

L = Trivandrum

ST = Kerala

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011

Certificate

Status: Available

Certificate Serial Number: 6132fc9c000000000006

Key Usage: General Purpose

Subject Name:

CN = pixfirewall.example.com

UNSTRUCTURED NAME = pixfirewall.example.com

Validity Date:

start date: 18:50:02 UTC Apr 10 2009

end date: 18:50:02 UTC Apr 10 2011

Please note that I am able to get the VPN connected using the pre-shared key method with this config by adding the lines below:

isakmp policy 8 authentication pre-share

vpngroup corpit password ********

Thanks

In fact, this is my sh cry ca cert output:

pixfirewall(config)# sh cry ca cert

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 61319878000000000005

Key Usage: Encryption

EA = ribin.jones@rm.com

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011

CA Certificate

Status: Available

Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f

Key Usage: Signature

CN = corpit

DC = revenuemed

DC = net

Validity Date:

start date: 17:49:06 UTC Apr 10 2009

RA Signature Certificate

Status: Available

Certificate Serial Number: 61319607000000000004

Key Usage: Signature

EA = ribin.jones@rm.com

CN = IT

OU = MIS

O = RM

L = TVM

ST = KL

C = IN

Validity Date:

start date: 18:48:30 UTC Apr 10 2009

end date: 18:48:30 UTC Apr 10 2011

Certificate

Status: Available

Certificate Serial Number: 6132fc9c000000000006

Key Usage: General Purpose

Subject Name:

CN = pixfirewall.example.com

UNSTRUCTURED NAME = pixfirewall.example.com

Validity Date:

start date: 18:50:02 UTC Apr 10 2009

end date: 18:50:02 UTC Apr 10 2011

Well, it looks good. In the IKE debugs it seems to find no IKE policy that matches, so it never gets to the certificate authentication. I wonder if you have to use a higher level of encryption? Do you know if your PIX has 3DES enabled? Can you add another isakmp policy with 3des, md5 and rsa-sig? If not, then let's go ahead and enable isakmp and crypto ca debugging.

Hi Martino,

Thanks for the response.

I will add another isakmp policy with 3des, md5 and rsa-sig.

In fact, my testing scenario has been dismantled due to some rearrangements at my office. I will get back once I have set up the testing scenario again.

Hi,

I will split my post into three parts and send them.

Here is my PIX config:

sh run

: Saved

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password NuLKvvWGg.x9HEKO encrypted

passwd NuLKvvWGg.x9HEKO encrypted

hostname pixfirewall

domain-name example.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside xx.yy.zz210 255.255.255.224

ip address inside 192.168.26.100 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool testpool 192.168.26.101-192.168.26.103

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 xx.yy.zz193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

isakmp enable outside

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup corpit address-pool testpool

vpngroup corpit dns-server 192.168.25.5

vpngroup corpit split-tunnel 101

vpngroup corpit idle-time 1800

ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll

ca configure corpit ra 1 20 crloptional

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:8af7fc6de4add41af1277fec264db3ea

: end

Below are the debugs I receive on the PIX when I try to connect:

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISAKMP: Deleting peer node for xx.yy.zz196

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196

ISADB: reaper checking SA 0x93b934, conn_id = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for xx.yy.zz196, peer port 38919

ISAKMP (0): ID payload

next-payload : 6

type : 2

protocol : 17

port : 500

length : 27

ISAKMP (0): Total payload length: 31

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500

ISADB: reaper checking SA 0x93b934, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for xx.yy.zz196/1944 not found - peers:0

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196

Here is the output from my VPN client when I try to connect:

Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

397 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

398 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

399 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

400 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

402 22:56:28.548 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

403 22:56:28.720 04/14/09 Sev=Info/4 CM/0x63100002

Begin connection process

404 22:56:28.705 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=ribin.jones@revenuemed.com,cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.

405 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100004

Establish secure connection

406 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "xx.yy.zz210"

407 22:56:28.736 04/14/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with xx.yy.zz210.

408 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

409 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

410 22:56:28.923 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=ribin.jones@revenuemed.com,cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.

411 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation

412 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210

413 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

414 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

415 22:56:29.471 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210

416 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210

417 22:56:29.471 04/14/09 Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful

418 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210

419 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210

420 22:56:30.080 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210

421 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

422 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports DPD

423 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

424 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x00000025

425 22:56:30.283 04/14/09 Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.

426 22:56:31.002 04/14/09 Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 128.

427 22:56:31.002 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210

428 22:56:31.440 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210

429 22:56:31.440 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from xx.yy.zz210

430 22:56:31.612 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.

431 22:56:31.612 04/14/09 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x0798, Remote Port = 0x01F4

432 22:56:31.612 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

434 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005E

Client sending a firewall request to concentrator

435 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005D

Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

436 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.yy.zz210

437 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = xx.yy.zz210

438 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.yy.zz210

439 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023

No private IP address was assigned by the peer

441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)

442 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED

443 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210

444 22:56:34.910 04/14/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED

445 22:56:34.910 04/14/09 Sev=Info/4 CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

446 22:56:34.910 04/14/09 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

447 22:56:34.925 04/14/09 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

448 22:56:34.925 04/14/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

449 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

450 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

451 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

452 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

I see "Negotiating Security Policies" and then it goes to "Not Connected".

Well, we got some progress. The fact that you got that on your client means that phase 1 IKE and cert validation have passed (did this show up after using 3DES?). In our case, the problem lies in the PIX not assigning an IP address to the VPN client:

440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023

No private IP address was assigned by the peer

441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)

One more question for you: your VPN client cert has the OU equal to the PIX vpngroup name, right? Can you paste a screenshot of the cert details on your client? Can you please go ahead and re-enter the line where the pool is defined on your PIX?
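The OU question above is the crux of the "No private IP address was assigned by the peer" failure: a PIX 6.3 picks the vpngroup for a certificate-authenticated client from the OU of the client certificate, and a certificate whose OU names no configured group gets a Mode Config reply with no address in it. The script below is an added example, not code from the thread or from Cisco: it parses the vpngroup lines from the config posted earlier and the subject DN printed by the VPN client log, and shows the lookup failing with the group named corpit and succeeding once the group is renamed MIS. Assumptions: the OU comparison is exact and case-sensitive; the second client log line with an escaped comma is constructed to exercise the DN parser; the function names are mine.

```python
"""Select a PIX 6.3 vpngroup from the OU of a client certificate (added example)."""
from __future__ import annotations
import re

# vpngroup lines from the PIX config posted above (group named 'corpit') and the same lines
# after the group was renamed to match the certificate OU 'MIS'.
CONFIG_CORPIT = """\
vpngroup corpit address-pool testpool
vpngroup corpit dns-server 192.168.25.5
vpngroup corpit split-tunnel 101
vpngroup corpit idle-time 1800
"""
CONFIG_MIS = CONFIG_CORPIT.replace("vpngroup corpit", "vpngroup MIS")

# Subject line from the VPN client log in the thread; the group name is the ou= component.
CLIENT_LOG = ("404 22:56:28.705 04/14/09 Sev=Info/4 CERT/0x63600015 Cert "
              "(e=ribin.jones@revenuemed.com,cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) "
              "verification succeeded.")


def parse_vpngroups(config: str) -> dict[str, dict[str, str]]:
    """`vpngroup <name> <attribute> <value...>` lines -> {name: {attribute: value}}."""
    groups: dict[str, dict[str, str]] = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "vpngroup":
            groups.setdefault(parts[1], {})[parts[2]] = " ".join(parts[3:])
    return groups


def extract_dn(log_line: str) -> str:
    """Pull the subject DN out of a 'Cert (...) verification succeeded.' client log line."""
    m = re.search(r"Cert \((.*)\) verification succeeded", log_line)
    if not m:
        raise ValueError("no certificate subject in log line")
    return m.group(1)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a comma-separated DN into (type, value) pairs, honouring backslash-escaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        pairs.append((key.strip().lower(), value.replace("\\,", ",")))
    return pairs


def select_vpngroup(dn: str, groups: dict[str, dict[str, str]]) -> tuple[str, dict[str, str]] | None:
    """First (name, attributes) whose name equals an OU of the certificate (exact match assumed).
    None means no group applies, which is what left the client without an address."""
    for key, value in parse_dn(dn):
        if key == "ou" and value in groups:
            return value, groups[value]
    return None


if __name__ == "__main__":
    dn = extract_dn(CLIENT_LOG)
    for label, cfg in (("corpit", CONFIG_CORPIT), ("MIS", CONFIG_MIS)):
        print(f"vpngroup {label}: {select_vpngroup(dn, parse_vpngroups(cfg))}")
```

Two caveats follow from this mapping. The OU is the only thing tying a certificate to a group policy here (the config has no `crypto map ... client authentication`, so there is no XAUTH and the certificate is the whole identity check), so anyone who can get this CA to issue a certificate with an OU of their choosing picks their own vpngroup; the enrollment template and the SCEP endpoint at /certsrv/mscep/ need to be locked down accordingly. And `ca configure corpit ra 1 20 crloptional` makes CRL checking optional, so a revoked user certificate is still accepted whenever the CRL cannot be fetched.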

Hi,

Yes, we made this progress after using 3DES. Thanks for that.

Further details:

CN = corpit

DC = revenuemed

DC = net

Earlier, when I checked my certificate, I saw the OU as MIS (but the vpngroup I had mentioned was corpit). So I changed the vpngroup to MIS in the PIX configuration.

Now I get the logs below in the VPN client when I try to connect.

Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

92 23:50:43.367 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

93 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

94 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

95 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

96 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

97 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

98 23:50:43.571 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.

99 23:50:43.586 04/14/09 Sev=Info/4 CM/0x63100002

Begin connection process

100 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100004

Establish secure connection

101 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100024

Attempt connection with server "220.227.79.210"

102 23:50:43.602 04/14/09 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 220.227.79.210.

103 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600026

Attempting to find a Certificate using Serial Hash.

104 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600027

Found a Certificate using Serial Hash.

105 23:50:43.821 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.

106 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000001

Starting IKE Phase 1 Negotiation

107 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 220.227.79.210

108 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

109 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

110 23:50:44.352 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

111 23:50:44.352 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (SA) from 220.227.79.210

112 23:50:44.367 04/14/09 Sev=Info/6 IKE/0x63000001

IOS Vendor ID Contruction successful

113 23:50:44.367 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 220.227.79.210

114 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

115 23:50:44.977 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 220.227.79.210

116 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

117 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer supports DPD

118 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

119 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000082

Received IOS Vendor ID with unknown capabilities flag 0x00000025

120 23:50:45.180 04/14/09 Sev=Info/6 CERT/0x63600034

Attempting to sign the hash for Windows XP or higher.

121 23:50:45.571 04/14/09 Sev=Info/6 CERT/0x63600035

Done with the hash signing with signature length of 128.

122 23:50:45.571 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 220.227.79.210

123 23:50:46.024 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

124 23:50:46.024 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 220.227.79.210

125 23:50:46.196 04/14/09 Sev=Info/4 CERT/0x63600015

Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.

126 23:50:46.196 04/14/09 Sev=Info/4 IKE/0x63000083

IKE Port in use - Local Port = 0x0926, Remote Port = 0x01F4

127 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

128 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E

Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

129 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005E

Client sending a firewall request to concentrator

130 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005D

Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

131 23:50:46.211 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 220.227.79.210

132 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

133 23:50:46.243 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 220.227.79.210

134 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.26.101

135 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010

MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.25.5

136 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015

MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data

137 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015

MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data

138 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300000D

MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

139 23:50:46.243 04/14/09 Sev=Info/4 CM/0x63100019

Mode Config data received

140 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000056

Received a key request from Driver: Local IP = 192.168.26.101, GW IP = 220.227.79.210, Remote IP = 0.0.0.0

141 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 220.227.79.210

142 23:50:46.336 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

143 23:50:46.336 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 220.227.79.210

144 23:50:46.336 04/14/09 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)

145 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

146 23:50:46.383 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 220.227.79.210

147 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds

148 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000047

This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now

149 23:50:46.790 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

150 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

151 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210

152 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

153 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210

154 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

155 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210

156 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x6300002D

Phase-2 retransmission count exceeded: MsgID=ED9273A7

157 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 220.227.79.210

158 23:51:06.292 04/14/09 Sev=Info/6 IKE/0x6300003D

Sending DPD request to 220.227.79.210, our seq# = 1330055753

159 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210

160 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000049

Discarding IPsec SA negotiation, MsgID=ED9273A7

161 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 220.227.79.210

162 23:51:06.354 04/14/09 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 220.227.79.210

163 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x63000040

Received DPD ACK from 220.227.79.210, seq# received = 1330055753, seq# expected = 1330055753

164 23:51:15.089 04/14/09 Sev=Info/6 GUI/0x63B0000D

Disconnecting VPN connection.

165 23:51:15.089 04/14/09 Sev=Info/4 CM/0x63100009

Abort connection attempt before first Phase 2 SA is up

166 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

167 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB

168 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210

169 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB

170 23:51:15.089 04/14/09 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

171 23:51:15.121 04/14/09 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

172 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

173 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

174 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

175 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

I see QM_IDLE on the PIX for some time when I try to connect, but after a few seconds I get the "Not connected" message in the client and there is no VPN either.

Try setting the transform set to 3DES too, to see if that changes something; also go ahead and enable debug crypto ipsec on the PIX.
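The two failures in this thread are the same kind of negotiation mismatch: the phase 1 loop of "atts are not acceptable" in the first debug (every transform the client offers is AES, the only policy is DES), which the reply suggesting a 3DES policy fixed, and the later phase 2 NO_PROPOSAL_CHOSEN against the `esp-des esp-md5-hmac` transform set, which the reply above addresses the same way. The script below is an added example, not code from the thread or from Cisco: it parses the transform blocks from `debug crypto isakmp` and the `isakmp policy` lines, reports which attribute each policy rejects, and checks a constructed 3DES transform against the policy 10 that was added later. Assumptions: unset policy attributes take the documented PIX 6.3 defaults (des, sha, rsa-sig, group 1, 86400); the transform numbered 14 and its "atts are acceptable" line are constructed because the second debug was cut before the accepted transform; the function names are mine.

```python
"""Explain `atts are not acceptable` in PIX 6.3 `debug crypto isakmp` output by comparing each
proposed IKE phase 1 transform with the configured `isakmp policy` entries (added example)."""
from __future__ import annotations
import re

# Names as printed by the debug -> keywords used in `isakmp policy` lines.
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH_NAMES = {"MD5": "md5", "SHA": "sha"}
# Documented PIX 6.3 defaults for attributes a policy leaves unset.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}
WEAK = {"des", "md5"}  # algorithms a reviewer would flag in a new policy

# Transform 8 exactly as printed in the first PIX debug above, and the policy it was checked against.
DEBUG_AES = """\
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
CONFIG_DES = ("isakmp policy 8 authentication rsa-sig\nisakmp policy 8 encryption des\n"
              "isakmp policy 8 hash md5\nisakmp policy 8 group 2\nisakmp policy 8 lifetime 86400\n")
# Constructed: a 3DES transform (number 14 is hypothetical; the thread's second debug stops before
# the accepted transform is printed) checked against the policy 10 that was added later.
DEBUG_3DES = (DEBUG_AES.replace("transform 8", "transform 14").replace("priority 8", "priority 10")
              .replace("AES-CBC", "3DES-CBC").replace("ISAKMP: keylength of 256\n", "")
              .replace("atts are not acceptable. Next payload is 3", "atts are acceptable. Next payload is 0"))
CONFIG_3DES = CONFIG_DES.replace("policy 8", "policy 10").replace("encryption des", "encryption 3des")


def parse_transforms(debug: str) -> list[dict]:
    """One dict per 'Checking ISAKMP transform' block, keyed like the policy attributes."""
    out: list[dict] = []
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            out.append({"transform": int(m[1]), "checked_against": int(m[2]), "keylength": 0})
            continue
        if not out or not line.startswith("ISAKMP: ") or not (w := line[8:].split()):
            continue
        body = line[8:]
        if w[0] == "encryption":
            out[-1]["encryption"] = ENC_NAMES.get(w[1], w[1].lower())
        elif w[0] == "hash":
            out[-1]["hash"] = HASH_NAMES.get(w[1], w[1].lower())
        elif body.startswith("default group"):
            out[-1]["group"] = w[-1]
        elif "auth " in body:  # 'auth RSA sig' or the XAUTH variant 'extended auth RSA sig (init)'
            out[-1]["authentication"] = "rsa-sig" if "RSA sig" in body else "pre-share"
            out[-1]["xauth"] = body.startswith("extended auth")
        elif body.startswith("life duration"):
            # Printed as big-endian bytes: '0x0 0x20 0xc4 0x9b' is 2147483 seconds.
            raw = bytes(int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]+", body))
            out[-1]["lifetime"] = int.from_bytes(raw, "big")
        elif body.startswith("keylength of"):
            out[-1]["keylength"] = int(w[-1])
    for t in out:  # AES key length is a separate attribute; fold it into the policy keyword (aes = 128-bit)
        if t.get("encryption") == "aes" and t["keylength"] not in (0, 128):
            t["encryption"] = f"aes-{t['keylength']}"
    return out


def parse_policies(config: str) -> dict[int, dict[str, str]]:
    """`isakmp policy N <attr> <value>` lines -> {priority: {attr: value}} with defaults filled in."""
    policies: dict[int, dict[str, str]] = {}
    pat = re.compile(r"isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m:
            policies.setdefault(int(m[1]), dict(DEFAULTS))[m[2]] = m[3]
    return policies


def mismatches(t: dict, pol: dict[str, str]) -> list[str]:
    """Attributes on which the proposal and the policy disagree; an empty list means acceptable."""
    problems = [f"{a}: peer proposed {t.get(a)}, policy has {pol[a]}"
                for a in ("encryption", "hash", "group", "authentication") if t.get(a) != pol[a]]
    # IKEv1 responder rule: a configured lifetime no longer than the proposed one is acceptable;
    # the PIX then announces its shorter value in a RESPONDER-LIFETIME notify (seen in the client log).
    if int(pol["lifetime"]) > t.get("lifetime", 0):
        problems.append(f"lifetime: policy {pol['lifetime']}s is longer than proposed {t.get('lifetime')}s")
    return problems


def explain(debug: str, config: str) -> list[dict]:
    """Every (transform, policy) pair with the reasons the PIX would reject it."""
    policies = parse_policies(config)
    return [{"transform": t["transform"], "policy": p, "mismatches": mismatches(t, policies[p])}
            for t in parse_transforms(debug) for p in sorted(policies)]


def first_match(debug: str, config: str) -> tuple[int, int] | None:
    """(transform number, policy priority) of the first acceptable pair, or None if phase 1 cannot start."""
    return next(((r["transform"], r["policy"]) for r in explain(debug, config) if not r["mismatches"]), None)


def weak_algorithms(config: str) -> dict[int, set[str]]:
    return {p: {v for v in pol.values() if v in WEAK} for p, pol in parse_policies(config).items()}


if __name__ == "__main__":
    for r in explain(DEBUG_AES, CONFIG_DES):
        print(f"transform {r['transform']} vs policy {r['policy']}: {r['mismatches'] or 'acceptable'}")
    print("with 3DES policy:", first_match(DEBUG_3DES, CONFIG_3DES), "weak:", weak_algorithms(CONFIG_DES))
```

Run stand-alone it reports that transform 8 fails policy 8 on encryption alone (the client offered AES-256, the policy has DES) and that the constructed 3DES transform is accepted by policy 10, which matches what the second debug and client log show after the 3DES policy was added. The lifetime rule is why the 86400 second policy and the client's 2147483 second proposal are compatible: the PIX takes the shorter value and sends the RESPONDER-LIFETIME notify visible in the client log. `weak_algorithms` flags both attributes of the posted policies that a reviewer would reject today, single DES and MD5. Phase 2 works the same way attribute by attribute: if none of the client's quick mode proposals contains the configured `esp-des esp-md5-hmac` pair, the PIX answers NO_PROPOSAL_CHOSEN, which is why the reply above suggests 3DES for the transform set as well.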
