VPN client gets Invalid SPI size from Pix

admin_2
Level 3

Trying to get a VPN client connected with a pix515e. Pix is running 6.3(3). Client is 4.0.4. We get the same errors from dial-up, cable-modems, etc.

The connection just drops during negotiation. We thought it could be an MTU thing, but have tried every MTU under the sun, and the error remains the same for all connections regardless of MTU.

I've attached the config from the pix, the log from the VPN client, and the debug messages from the pix.

Thanks for any help anyone can provide...

Accepted Solution

gfullage
Cisco Employee

Your IKE proposal on the PIX is as follows:

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5

But this (http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757) shows that the VPN client doesn't support this proposal. Change your group to 2 and try again. DH group 5 is only supported when using digital certs, which you're not.

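As an added illustration (not code from this thread or from Cisco), the following Python script parses the PIX `isakmp policy` lines in a config and flags the one combination the answer above identifies as unsupported by the 4.0 client: DH group 5 together with pre-shared-key authentication. The sample config is constructed from the four lines quoted in the answer plus a hypothetical certificate-based policy 10; the `rsa-sig` keyword is standard PIX syntax for certificate authentication but does not appear on this page, and the `fix_group` helper simply applies the change the answer recommends (group 5 to group 2) so the check can be re-run.

```python
import re
from collections import defaultdict

# Constructed sample: policy 20 is the one quoted in the accepted answer;
# policy 10 is a hypothetical certificate-based policy added to show that
# group 5 is only flagged when paired with pre-share.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
"""

# One attribute per line: "isakmp policy <n> <attribute> <value>"
POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)\s*$"
)


def parse_isakmp_policies(config_text):
    """Group 'isakmp policy N attr value' lines by policy number.

    Returns {policy_number: {attribute: value}}. Lines that are not
    policy attributes (e.g. 'isakmp enable outside') are ignored.
    """
    policies = defaultdict(dict)
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            num, attr, value = m.groups()
            policies[int(num)][attr] = value
    return dict(policies)


def check_client_compat(policies):
    """Apply the constraint stated in the accepted answer.

    The VPN client 4.0 only negotiates DH group 5 when authentication is
    certificate based, so a policy that combines group 5 with pre-share
    will never be accepted by the client and phase 1 fails.
    Returns a list of (policy_number, message); empty means no finding.
    """
    findings = []
    for num in sorted(policies):
        p = policies[num]
        # Only an explicit 'pre-share' is flagged; an unset authentication
        # keyword is left alone rather than guessing the platform default.
        if p.get("group") == "5" and p.get("authentication") == "pre-share":
            findings.append(
                (num, "DH group 5 with pre-share is not supported by VPN client 4.0; "
                      "use group 2, or switch authentication to rsa-sig")
            )
    return findings


def fix_group(config_text, policy_number, new_group="2"):
    """Return the config with the given policy's DH group rewritten.

    This is the change the answer recommends (group 5 -> group 2); every
    other line is passed through untouched.
    """
    prefix = f"isakmp policy {policy_number} group "
    out = []
    for line in config_text.splitlines():
        if line.strip().startswith(prefix):
            out.append(f"{prefix}{new_group}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    policies = parse_isakmp_policies(SAMPLE_CONFIG)
    for num, msg in check_client_compat(policies):
        print(f"policy {num}: {msg}")
    fixed = fix_group(SAMPLE_CONFIG, 20, "2")
    print("after fix:", check_client_compat(parse_isakmp_policies(fixed)) or "no findings")
```

Run it against the saved PIX config instead of `SAMPLE_CONFIG` to get the same report; the check deliberately looks at each policy on its own, because phase 1 succeeds as soon as any one policy matches a proposal the client is willing to offer.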

2 Replies


Not applicable

That solved the problem, thanks!

Interestingly, it was the VPN wizard via PDM on the pix that suggested that we use DH 5 for AES instead of 2. It made no mention that this would only work with digital certs. Serves me right for listening to a wizard! :-)

Thanks again!
