05-11-2004 08:08 AM - edited 02-21-2020 01:09 PM
Trying to get a VPN client connected with a pix515e. Pix is running 6.3(3). Client is 4.0.4. We get the same errors from dial-up, cable-modems, etc.
The connection just drops during negotiation. We thought it could be an MTU thing, but have tried every MTU under the sun, and the error remains the same for all connections regardless of MTU.
I've attached the config from the pix, the log from the VPN client, and the debug messages from the pix.
Thanks for any help anyone can provide...
05-11-2004 07:04 PM
Your IKE proposal on the PIX is as follows:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
But this (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757) shows that the VPN client doesn't support this proposal. Change your group to 2 and try again. DH group 5 is only supported when using digital certs, which you're not.
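The check described in the answer above, written as a small config lint. This is an added example, not part of the original posts or any Cisco tool: it parses `isakmp policy` lines and flags any policy that combines pre-shared keys with DH group 5. The function names and the policy 30 lines in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four policy 20 lines quoted in the answer, plus a
# hypothetical policy 30 that uses group 2 for contrast.
SAMPLE_CONFIG = """\
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
"""

POLICY_LINE = re.compile(
    r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group)\s+(\S+)"
)

def parse_isakmp_policies(config_text):
    """Group 'isakmp policy <priority> <attribute> <value>' lines by priority."""
    policies = defaultdict(dict)
    for line in config_text.splitlines():
        match = POLICY_LINE.match(line)
        if match:
            priority, attribute, value = match.groups()
            policies[int(priority)][attribute] = value
    return dict(policies)

def find_client_mismatches(policies):
    """Return (priority, message) for policies pairing pre-share with group 5.

    Rule taken from the answer above: the VPN client accepts DH group 5 only
    with digital certificates. Attributes that are not set explicitly are
    skipped, because this sketch does not model PIX defaults.
    """
    findings = []
    for priority in sorted(policies):
        policy = policies[priority]
        if policy.get("authentication") == "pre-share" and policy.get("group") == "5":
            findings.append((priority, "pre-share with group 5; change group to 2"))
    return findings

if __name__ == "__main__":
    for priority, message in find_client_mismatches(parse_isakmp_policies(SAMPLE_CONFIG)):
        print(f"isakmp policy {priority}: {message}")
```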
05-12-2004 06:06 AM
That solved the problem, thanks!
Interestingly, it was the VPN wizard via PDM on the pix that suggested that we use DH 5 for AES instead of 2. It made no mention that this would only work with digital certs. Serves me right for listening to a wizard! :-)
Thanks again!