

Easy VPN Server on 2600 to PIX client

Jan 2nd, 2006

I am trying to set up an easy vpn session between a PIX 501 client (6.3(5)) and a 2611 server (12.3(17a)), but cannot establish an IKE session. Running debug on the 2611, I get (only showing the relevant failure):


01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
01:15:56: ISAKMP (0:3): atts are not acceptable. Next payload is 3 0


However, show crypto isak policy demonstrates that they should have matched:


Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit


On the pix, I have configured vpnclient for preshared auth with the group defined in the 2611. It will not allow me to define ike authentication, since it is an easy vpn client. Any thoughts as to how to fix this or what is failing? TIA!

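Added diagnostic example (not from the post and not a Cisco tool): a small script that parses the two outputs quoted in the question, the "debug crypto isakmp" transform dump and the "show crypto isakmp policy" suites, and reports which IKE attributes differ. It also decodes the variable-length "life duration (VPI)" bytes the debug prints (0x0 0x1 0x51 0x80 is 0x015180, i.e. 86400 seconds), so the lifetime can be compared as a number. The sample input is the post's own text, embedded here as constructed strings; the function names are mine.

```python
"""Diff an ISAKMP transform offer (from 'debug crypto isakmp') against the
protection suites of 'show crypto isakmp policy'. Added example, not part of
the original forum post."""
import re

# Constructed from the post: the transform the PIX 501 offered (transform 14).
DEBUG_TRACE = """\
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
"""

# Constructed from the post: the two suites the 2611 reported.
PRIORITY_10_SUITE = """\
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

DEFAULT_SUITE = """\
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""


def parse_transform(trace):
    """Extract the attributes of one offered transform from debug output."""
    attrs = {}
    for line in trace.splitlines():
        # Only the per-attribute lines look like '<ts>: ISAKMP: <attribute>'.
        m = re.match(r"\S+ ISAKMP: (.*)", line)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("encryption "):
            attrs["encryption"] = body.split()[1].split("-")[0].upper()  # AES-CBC -> AES
        elif body.startswith("keylength of "):
            attrs["keylength"] = int(body.split()[-1])
        elif body.startswith("hash "):
            attrs["hash"] = body.split()[1].upper()
        elif "group" in body:
            attrs["group"] = int(body.split()[-1])
        elif body.startswith("auth "):
            attrs["auth"] = body.split()[1]
        elif body.startswith("life duration"):
            # Variable-length big-endian integer: 0x0 0x1 0x51 0x80 -> 0x015180 = 86400
            octets = [int(tok, 16) for tok in body.split(" of ")[1].split()]
            attrs["lifetime"] = int.from_bytes(bytes(octets), "big")
    return attrs


def parse_policy(text):
    """Extract the same attributes from one 'show crypto isakmp policy' suite."""
    pol = {}
    for line in text.splitlines():
        if line.startswith("encryption algorithm:"):
            pol["encryption"] = line.split(":")[1].split("-")[0].strip().upper()
            m = re.search(r"\((\d+) bit keys", line)
            pol["keylength"] = int(m.group(1)) if m else None
        elif line.startswith("hash algorithm:"):
            pol["hash"] = "SHA" if "Secure Hash" in line else "MD5"
        elif line.startswith("authentication method:"):
            pol["auth"] = "pre-share" if "Pre-Shared" in line else "rsa-sig"
        elif line.startswith("Diffie-Hellman group:"):
            pol["group"] = int(re.search(r"#(\d+)", line).group(1))
        elif line.startswith("lifetime:"):
            pol["lifetime"] = int(re.search(r"(\d+) seconds", line).group(1))
    return pol


def mismatches(offered, policy):
    """Return the policy attributes the offer does not satisfy, in policy order."""
    return [k for k in policy if offered.get(k) != policy[k]]


if __name__ == "__main__":
    offer = parse_transform(DEBUG_TRACE)
    print("offered:", offer)
    print("vs priority 10:", mismatches(offer, parse_policy(PRIORITY_10_SUITE)))
    print("vs default   :", mismatches(offer, parse_policy(DEFAULT_SUITE)))
```

Run against the post's output, the priority 10 suite produces no mismatches on any of the six attributes the debug prints, while the default suite differs on encryption, key length, authentication and DH group. That confirms the poster's reading: the attribute set of the offer is not what the "does not match policy" message is complaining about, so the next thing to check is whatever the router consults beyond the transform payload when it validates a pre-shared offer (for example the key or group lookup for that peer), rather than the policy numbers themselves.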
d.calton Tue, 01/03/2006 - 07:27

Thanks - I am close to the config, although there are a few differences.

First, I am interfacing with a PIX client, not a VPN software client.

Second, I am using Network Extension Mode, not client. This eliminates the need for a local IP pool.

Third, I have different IKE policy.

Also, I noticed earlier that older IOS versions showed the authentication Pre-Share, while my version does not show that in the config, even though it is NOT the default, but does show up on the policy. Curious.


I will print out the configs when I get back to the units and post. Thanks!

d.calton Wed, 01/04/2006 - 10:57

Thanks - the only two things I see are that the IOS sample configs an address pool and that it is running 12.3(3). My 2611 is at 12.3(17a), I think. I don't think that the address pool is used for NEM, but that goes back and forth in the documentation. When I config'd an NEM with an ASA as the server, I would swear that no pool addresses were allocated, but I will test it out. If possible, I may also try to downgrade the IOS version - it REALLY bugs me that it doesn't show the IKE authentication as pre-share, even though I enter that, and even though a show crypto isakmp policy shows that config. Thanks again!
