Easy VPN Server on 2600 to PIX client

d.calton
Level 1

I am trying to set up an Easy VPN session between a PIX 501 client (6.3(5)) and a 2611 server (12.3(17a)), but cannot establish an IKE session. Running debug on the 2611, I get (only showing the relevant failure):

01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!

However, show crypto isak policy demonstrates that they should have matched:

Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

On the PIX, I have configured vpnclient for preshared auth with the group defined in the 2611. It will not allow me to define IKE authentication, since it is an Easy VPN client. Any thoughts as to how to fix this or what is failing? TIA!
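The router's verdict line names the priority 10 policy, so the first thing to pin down is whether the offered transform actually differs from that policy on any attribute. The Python below is an added example (not code from this thread or from Cisco): it parses the debug lines and the show crypto isakmp policy text quoted above (embedded here as constructed sample input), decodes the VPI lifetime bytes, normalizes the two vocabularies, and compares attribute by attribute. The normalization tables and the lifetime rule (an offered lifetime matches when it is less than or equal to the configured one; the other attributes must be identical) are taken from the IOS IKE policy documentation and are assumptions of this script, not something the post states. On the output quoted here every attribute lines up, which is exactly the poster's observation; the remaining place to look is then whatever the router uses to locate a pre-shared key for this peer, not the policy attributes themselves.

```python
import re

# Constructed sample input: the debug and policy output quoted in the post above,
# re-joined onto single lines (the original post had blank lines between them).
DEBUG_LINES = """\
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
"""

PRIORITY_10 = """\
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

DEFAULT_SUITE = """\
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
"""

# Assumed mapping of the debug vocabulary and the "show" display names onto one form.
ENC_NAMES = {"aes-cbc": "aes", "aes": "aes", "3des-cbc": "3des", "3des": "3des",
             "des-cbc": "des", "des": "des"}
HASH_NAMES = {"sha": "sha", "secure hash standard": "sha",
              "md5": "md5", "message digest 5": "md5"}
AUTH_NAMES = {"pre-share": "pre-share", "pre-shared key": "pre-share",
              "rsa-sig": "rsa-sig", "rivest-shamir-adleman signature": "rsa-sig"}


def decode_life_duration(vpi: str) -> int:
    """Decode the 'life duration (VPI) of 0x0 0x1 0x51 0x80' byte list as a big-endian integer of seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


def parse_transform(debug: str) -> dict:
    """Pull the attributes of one offered ISAKMP transform out of IOS debug text."""
    def grab(pattern):
        m = re.search(pattern, debug)
        return m.group(1) if m else None
    return {
        "encryption": ENC_NAMES[grab(r"ISAKMP: encryption (\S+)").lower()],
        "keylength": int(grab(r"keylength of (\d+)") or 0),   # absent for DES/3DES
        "hash": HASH_NAMES[grab(r"ISAKMP: hash (\S+)").lower()],
        "group": int(grab(r"group (\d+)")),
        "auth": AUTH_NAMES[grab(r"ISAKMP: auth (\S+)").lower()],
        "lifetime": decode_life_duration(grab(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)")),
    }


def parse_policy(policy: str) -> dict:
    """Pull the same attributes out of one protection-suite block of 'show crypto isakmp policy'."""
    def grab(pattern):
        m = re.search(pattern, policy)
        return m.group(1).strip() if m else None
    return {
        "encryption": ENC_NAMES[grab(r"encryption algorithm:\s*(\S+)").lower()],
        "keylength": int(grab(r"\((\d+) bit keys") or 0),
        "hash": HASH_NAMES[grab(r"hash algorithm:\s*(.+)").lower()],
        "group": int(grab(r"Diffie-Hellman group:\s*#(\d+)")),
        "auth": AUTH_NAMES[grab(r"authentication method:\s*(.+)").lower()],
        "lifetime": int(grab(r"lifetime:\s*(\d+) seconds")),
    }


def compare(offer: dict, policy: dict) -> dict:
    """Return {attribute: (offered, configured)} for each attribute that would not match.
    Assumed IOS rules: encryption, hash, auth and group must be identical (key length too,
    when both sides are AES); an offered lifetime matches if it is <= the configured one."""
    mismatches = {}
    for attr in ("encryption", "hash", "auth", "group"):
        if offer[attr] != policy[attr]:
            mismatches[attr] = (offer[attr], policy[attr])
    if offer["encryption"] == policy["encryption"] == "aes" and offer["keylength"] != policy["keylength"]:
        mismatches["keylength"] = (offer["keylength"], policy["keylength"])
    if offer["lifetime"] > policy["lifetime"]:
        mismatches["lifetime"] = (offer["lifetime"], policy["lifetime"])
    return mismatches


def debug_verdict(debug: str) -> str:
    """Return the router's last 'ISAKMP (x:y): ...' message, i.e. its own verdict on the transform."""
    verdicts = re.findall(r"ISAKMP \(\d+:\d+\): (.+)$", debug, re.M)
    return verdicts[-1] if verdicts else ""


if __name__ == "__main__":
    offer = parse_transform(DEBUG_LINES)
    print("offered   :", offer)
    for text in (PRIORITY_10, DEFAULT_SUITE):
        policy = parse_policy(text)
        print("configured:", policy)
        print("mismatches:", compare(offer, policy) or "none")
    print("router verdict:", debug_verdict(DEBUG_LINES))
```

Against the priority 10 suite the mismatch set is empty and the lifetime bytes decode to 86400, the same value the policy shows; against the default suite the script reports encryption, authentication and group, which is what a real policy mismatch looks like in this comparison.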

4 Replies

stomasko
Level 4

Try comparing the following sample config to the one at the link below. If this doesn't help you may want to post your config.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Steve

Thanks - I am close to the config, although there are a few differences.

First, I am interfacing with a PIX client, not a VPN software client.

Second, I am using Network Extension Mode, not client. This eliminates the need for a local IP pool.

Third, I have different IKE policy.

Also, I noticed earlier that older IOS versions showed the authentication as pre-share, while my version does not show that in the config, even though it is NOT the default, but it does show up in the policy. Curious.

I will print out the configs when I get back to the units and post. Thanks!

Sorry, I put in the wrong link. I think this is a little closer to what you are trying to achieve.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml

Steve

Thanks - the only two things I see are that the IOS sample configures an address pool and that it is running 12.3(3). My 2611 is at 12.3(17a), I think. I don't think that the address pool is used for NEM, but that goes back and forth in the documentation. When I config'd an NEM with an ASA as the server, I would swear that no pool addresses were allocated, but I will test it out. If possible, I may also try to downgrade the IOS version - it REALLY bugs me that it doesn't show the IKE authentication as pre-share, even though I enter that, and even though a show crypto isakmp policy shows that config. Thanks again!
