VPN Safenet Softremote Client IPSEC Phase II Fail

Unanswered Question
Jan 21st, 2010

Dear All,


I have configured my PIX 515E version 6.3(5) to set up a VPN tunnel with a Safenet Softremote client 10.8.7 (Build 6).

Phase I is OK, the VPN client receives the IP address and creates the virtual adapter, but then Phase II fails.


Do you have any ideas? Above are the debug isakmp and debug ipsec outputs. I am working in a test environment; all the IPs are private.


The 172.20.87.251 is the PIX, 172.20.87.220 is an XP box where the Safenet vpnclient is installed. The 172.26.0.0/22 is the destination network where the VPN client must arrive.



crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP:      encryption 3DES-CBC

ISAKMP:      hash SHA

ISAKMP:      default group 1

ISAKMP:      auth pre-share

ISAKMP:      life type in seconds

ISAKMP:      life duration (VPI) of  0x0 0x1 0x43 0x70

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0:0): Detected port floating

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT match HIS hash

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0:0): constructed HIS NAT-D

ISAKMP (0:0): constructed MINE NAT-D

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24577 protocol 1

        spi 0, message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

        spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with   172.20.87.220

ISADB: reaper checking SA 0x3ff0a14, conn_id = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for 172.20.87.220, peer port 62465

ISAKMP (0): ID payload

        next-payload : 8

        type         : 1

        protocol     : 17

        port         : 500

        length       : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

VPN Peer: ISAKMP: Added new peer: ip:172.20.87.220/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:172.20.87.220/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

OAK_QM exchange

ISAKMP (0:0): Need config/address

ISAKMP (0:0): initiating peer config to 172.20.87.220. ID = 1691322853 (0x64cf89e5)

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 172.20.87.220. message ID = 61538972

ISAKMP: Config payload CFG_ACK

ISAKMP (0:0):        Unknown Attr: 2

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

OAK_QM exchange

ISAKMP (0:0): Need config/address

ISAKMP (0:0): initiating peer config to 172.20.87.220. ID = 2347200995 (0x8be771e3)

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

ISAKMP: phase 2 packet is a duplicate of a previous packet

ISAKMP: resending last response

crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 172.20.87.220. message ID = 61538972

ISAKMP: Config payload CFG_ACK

ISAKMP (0:0):        Unknown Attr: 2

return status is IKMP_ERR_NO_RETRANS

ISAKMP (0): retransmitting Config Mode Request...
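
A small triage script for debug output like the above, added here as an example and not part of the original post: it groups the lines per received packet, decodes the proposed lifetime, and counts how often Quick Mode is deferred with "Need config/address" and how often a config-mode transaction returns a status other than IKMP_NO_ERROR. The function names are assumptions made for illustration, and the embedded sample is constructed from lines copied out of the log above.

```python
import re
from collections import Counter
# Constructed sample: lines copied from the debug output in the post above.
SAMPLE = """\
crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500
OAK_MM exchange
ISAKMP:      life duration (VPI) of  0x0 0x1 0x43 0x70
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500
OAK_QM exchange
ISAKMP (0:0): Need config/address
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:172.20.87.220, dest:172.20.87.251 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0):        Unknown Attr: 2
return status is IKMP_ERR_NO_RETRANS
"""

def split_blocks(text):
    """Group debug lines into one record per received packet."""
    blocks = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("crypto_isakmp_process_block:"):
            blocks.append({"exchange": None, "status": None, "notes": []})
        elif blocks:
            m = re.fullmatch(r"(OAK_\w+|ISAKMP_TRANSACTION) exchange", line)
            if m:
                blocks[-1]["exchange"] = m.group(1)
            elif line.startswith("return status is "):
                blocks[-1]["status"] = line.rsplit(" ", 1)[1]
            else:
                blocks[-1]["notes"].append(line)
    return blocks

def vpi_seconds(line):
    """Decode the hex bytes after 'life duration (VPI) of' as a big-endian integer."""
    return int.from_bytes(bytes(int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]+", line)), "big")

def summarize(text):
    blocks = split_blocks(text)
    notes = [n for b in blocks for n in b["notes"]]
    return {
        "phase1_authenticated": any("SA has been authenticated" in n for n in notes),
        "lifetime_s": [vpi_seconds(n) for n in notes if "life duration (VPI)" in n],
        "qm_deferred_for_config": sum(b["exchange"] == "OAK_QM" and any("Need config/address" in n for n in b["notes"]) for b in blocks),
        "transactions_with_error_status": sum(b["exchange"] == "ISAKMP_TRANSACTION" and b["status"] != "IKMP_NO_ERROR" for b in blocks),
        "unknown_attrs": Counter(n.rsplit(":", 1)[1].strip() for n in notes if "Unknown Attr:" in n),
    }
```

Calling `summarize()` on the full captured debug text gives the same counters for the whole session, which makes a repeating Quick Mode / config-mode loop visible at a glance.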
