Pix 506 VPN Error

Mar 15th, 2010

Hi,


Yes, this is an old 506 VPN question.


My old 506e running version 6.2(1) failed and I was able to find another one. I had the config file so I just dropped it into the other 506e and was up and running in no time.


However, I cannot connect via a VPN connection to the firewall; I keep getting the Windows error:


"Unable to establish a connection with the VPN server.  Unreachable or security parameters are incorrect."


The config is identical except the new one has 3 more aaa-server TACACS+ statements.

AND

the vpdn group inet1 command:


vpdn group inet1 ppp authentication chapnam HAD TO BE changed to vpdn group inet1 ppp authentication chap, as we use clear unencrypted PAP.


Any ideas, thanks in advance.

Federico Coto F... Tue, 03/16/2010 - 08:07

Hi,


If you cannot connect via VPN client to this PIX we need to check the config. Can you post it?


You can also check the output of the following two commands when attempting the VPN connection:


sh cry isa sa

sh cry ips sa


This should shed some light on why the VPN connection is failing.

The client also has its logs.


Federico.

schroed Wed, 03/17/2010 - 13:13

Thanks for the reply, Federico.


Here is my config minus some private info.



PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100


aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 192.168.100.7 test1234 timeout 30
aaa-server LOCAL protocol local


crypto ipsec transform-set myset esp-des
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map VPNCONNECTION 10 ipsec-isakmp
crypto map VPNCONNECTION 10 match address PROTECT
crypto map VPNCONNECTION 10 set pfs group2
crypto map VPNCONNECTION 10 set peer
crypto map VPNCONNECTION 10 set peer
crypto map VPNCONNECTION 10 set transform-set strong
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp enable outside


isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 10 lifetime 28800
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

vpdn group inet1 accept dialin pptp
vpdn group inet1 ppp authentication pap
vpdn group inet1 ppp authentication chap
vpdn group inet1 client configuration dns 192.168.100.9 192.168.100.10
vpdn group inet1 client configuration wins 192.168.100.1
vpdn group inet1 client authentication aaa RADIUS
vpdn group inet1 pptp echo 60
vpdn enable outside
terminal width 80



LEFT OUT OF NEW CONFIG:


These lines below were left out of the new config as they could/would not be entered correctly.


crypto map sprint-map 20 ipsec-isakmp
crypto map sprint-map 20 set peer sprint_fw
crypto map sprint-map 20 set transform-set myset


vpdn group inet1 ppp authentication chapnam

Federico Coto F... Wed, 03/17/2010 - 15:07

Several things...


You currently have configured Site-to-Site VPN using IPsec which is not going to work because the crypto map is not applied to the interface.


You also have configured remote-access VPN using IPsec which is not going to work with the hash SHA in combination with encryption DES.

You should use at least 3DES with SHA.


You also have PPTP VPN connections for clients.


Which are you having troubles with?


Federico.
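A small config audit, added here as an example and not taken from the thread or from Cisco, that flags the three points Federico raises against a posted PIX config: a crypto map that is never bound to an interface, transform sets built on DES, and ISAKMP policies that negotiate DES. The sample config is constructed from the one posted above, with a placeholder peer address where the post masked it.

```python
from collections import defaultdict

# Constructed sample modelled on the posted config; 192.0.2.10 is a placeholder peer.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto ipsec transform-set router-set esp-des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set router-set
crypto map VPNCONNECTION 10 ipsec-isakmp
crypto map VPNCONNECTION 10 match address PROTECT
crypto map VPNCONNECTION 10 set pfs group2
crypto map VPNCONNECTION 10 set peer 192.0.2.10
crypto map VPNCONNECTION 10 set transform-set strong
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
"""

# Single DES (and null ESP) should not be negotiated; 3DES or better is the floor here.
WEAK_CIPHERS = {"des", "esp-des", "esp-null"}


def audit_pix_crypto(config):
    """Return findings for the three issues discussed in the thread."""
    maps, bound, weak_ts, weak_policies = set(), set(), [], []
    policies = defaultdict(dict)  # policy number -> {attribute: value}
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["crypto", "map"] and len(words) >= 4:
            # 'crypto map NAME interface IF' binds the map; every other form defines an entry.
            (bound if words[3] == "interface" else maps).add(words[2])
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            name, transforms = words[3], words[4:]
            if WEAK_CIPHERS & set(transforms):
                weak_ts.append(name)
        elif words[:2] == ["isakmp", "policy"] and len(words) >= 5:
            policies[words[2]][words[3]] = words[4]
    for num, attrs in policies.items():
        if attrs.get("encryption") in WEAK_CIPHERS:
            weak_policies.append(num)
    return {
        "unbound_crypto_maps": sorted(maps - bound),   # defined but never applied
        "weak_transform_sets": weak_ts,                # DES-based ESP transforms
        "weak_isakmp_policies": sorted(weak_policies), # phase-1 policies using DES
    }


if __name__ == "__main__":
    for finding, names in audit_pix_crypto(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```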

schroed Wed, 03/17/2010 - 16:00

Thanks for replying. Yeah, I assume the Site-to-Site wasn't working before on the old PIX.


If you can:


What is the crypto command for applying it to the outside interface?

Also, the command for triple DES with SHA?


For VPN we just use PPTP for client and they just use the Windows VPN created connection.


Thanks, Steve

bobby.armstrong Wed, 03/17/2010 - 19:50

If the line in red doesn't work, then the PIX-506 probably isn't capable of accepting the esp-sha-hmac, in which case you can use esp-md5-hmac. A quick way to check is to type: "crypto ipsec transform-set myset ?" The syntax helper will show you what the statement should have.


crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

schroed Sun, 03/21/2010 - 19:18

OK, got it. Here are the commands for VPN CHAP access. The CLI did in fact change from version 6.2 to 6.3. Just wanted to share this so others in the same situation can get it going. Thanks all again.


vpdn group inet1 client configuration address local vpnpool


vpdn group inet1 ppp authentication mschap
