01-02-2006 07:49 AM
I am trying to set up an easy vpn session between a PIX 501 client (6.3(5)) and a 2611 server (12.3(17a)), but cannot establish IKE session. Running debug on the 2611, I get (only showing relevant failure):
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
01:15:56: ISAKMP (0:3): atts are not acceptable. Next payload is 3 0
However, show crypto isak policy demonstrates that they should have matched:
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
On the pix, I have configured vpnclient for preshared auth with the group defined in the 2611. It will not allow me to define ike authentication, since it is an easy vpn client. Any thoughts as to how to fix this or what is failing? TIA!
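A small checker for exactly this situation, added here as an example and not part of the original post or of any Cisco tooling: it parses the `debug crypto isakmp` transform lines and one suite from `show crypto isakmp policy` into the same short attribute names, decodes the hex `life duration` bytes, and lists the attributes on which the peer's proposal would fail the policy. The sample texts are the ones quoted in the post; the only assumptions are the IOS print formats shown there (3DES prints differently and is not handled) and the IOS rule that a proposed lifetime may be shorter than, but not longer than, the policy's. On the post's own data it returns an empty list, which confirms the poster's reading that the attributes themselves do match and the failure must be coming from somewhere else.

```python
import re

# Constructed sample input: the IOS debug excerpt and the matching
# 'show crypto isakmp policy' suite, as quoted in the original post.
DEBUG_SAMPLE = """\
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
01:15:56: ISAKMP (0:3): atts are not acceptable. Next payload is 3 0
"""

POLICY_SAMPLE = """\
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
"""

# Long names printed by 'show crypto isakmp policy' -> short names used by the debug.
POLICY_HASH = {"Secure Hash Standard": "sha", "Message Digest 5": "md5"}
POLICY_AUTH = {
    "Pre-Shared Key": "pre-share",
    "Rivest-Shamir-Adleman Signature": "rsa-sig",
    "Rivest-Shamir-Adleman Encryption": "rsa-encr",
}
COMPARED = ("encryption", "hash", "auth", "group", "lifetime")


def decode_life_duration(octets: str) -> int:
    """Decode the variable-length life duration IOS prints as big-endian hex bytes:
    '0x0 0x1 0x51 0x80' is 0x00015180 = 86400 seconds."""
    value = 0
    for token in octets.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_debug_transform(debug_text: str) -> dict:
    """Extract the peer's proposed attributes from 'debug crypto isakmp' lines."""
    attrs = {}
    for line in debug_text.splitlines():
        if "ISAKMP:" not in line:  # skip the '(0:3):' status lines
            continue
        body = line.split("ISAKMP:", 1)[1].strip()
        if body.startswith("encryption "):
            attrs["encryption"] = re.sub(r"-CBC$", "", body.split()[1]).lower()
        elif body.startswith("keylength of "):
            attrs["keylength"] = int(body.split()[-1])
        elif body.startswith("hash "):
            attrs["hash"] = body.split()[1].lower()
        elif body.startswith("auth "):
            attrs["auth"] = body.split(None, 1)[1].lower()
        elif (m := re.search(r"group (\d+)$", body)):
            attrs["group"] = m.group(1)
        elif (m := re.search(r"life duration \(VPI\) of (.+)$", body)):
            attrs["lifetime"] = decode_life_duration(m.group(1))
    # The debug reports AES key length as a separate attribute; fold it in.
    if attrs.get("encryption") == "aes" and "keylength" in attrs:
        attrs["encryption"] = f"aes-{attrs.pop('keylength')}"
    return attrs


def parse_policy(policy_text: str) -> dict:
    """Extract one protection suite from 'show crypto isakmp policy' output
    (AES and DES encryption lines only, as printed on the page)."""
    attrs = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("encryption algorithm:"):
            m = re.search(r":\s*(AES|DES)\b.*?\((\d+) bit keys", line)
            if m:
                cipher = m.group(1).lower()
                attrs["encryption"] = f"aes-{m.group(2)}" if cipher == "aes" else cipher
        elif line.startswith("hash algorithm:"):
            attrs["hash"] = POLICY_HASH.get(line.split(":", 1)[1].strip())
        elif line.startswith("authentication method:"):
            attrs["auth"] = POLICY_AUTH.get(line.split(":", 1)[1].strip())
        elif line.startswith("Diffie-Hellman group:"):
            attrs["group"] = re.search(r"#(\d+)", line).group(1)
        elif line.startswith("lifetime:"):
            attrs["lifetime"] = int(re.search(r"(\d+) seconds", line).group(1))
    return attrs


def compare_proposal_to_policy(proposal: dict, policy: dict) -> list:
    """Attributes on which the proposal fails the policy. Lifetime is the one
    asymmetric check: IOS accepts a shorter (or equal) proposed lifetime and
    uses the shorter value, so only a longer proposal is a mismatch."""
    mismatches = []
    for key in COMPARED:
        if key == "lifetime":
            if proposal.get(key, 0) > policy.get(key, 0):
                mismatches.append(key)
        elif proposal.get(key) != policy.get(key):
            mismatches.append(key)
    return mismatches


def diagnose(debug_text: str, policy_text: str) -> list:
    """[] means every attribute the policy can reject on agrees."""
    return compare_proposal_to_policy(parse_debug_transform(debug_text),
                                      parse_policy(policy_text))


if __name__ == "__main__":
    print(diagnose(DEBUG_SAMPLE, POLICY_SAMPLE))
```

The useful part in practice is `decode_life_duration`: the debug never prints the lifetime in plain seconds, so a proposal that fails only on lifetime looks identical to the policy until the bytes are decoded. When `diagnose` comes back empty, as it does here, the attribute comparison is not the problem and attention belongs on whatever else the responder checks for that peer, which is the direction the thread takes.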
01-03-2006 05:19 AM
Try comparing the following sample config to the one at the link below. If this doesn't help you may want to post your config.
Steve
01-03-2006 07:27 AM
Thanks - I am close to the config, although there are a few differences.
First, I am interfacing with a PIX client, not a VPN software client.
Second, I am using Network Extension Mode, not client. This eliminates the need for a local IP pool.
Third, I have different IKE policy.
Also, I noticed earlier that older IOS versions showed the authentication Pre-Share, while my version does not show that in the config, even though it is NOT the default, but does show up on the policy. Curious.
I will print out the configs when I get back to the units and post. Thanks!
01-03-2006 08:00 AM
Sorry, I put in the wrong link. I think this is a little closer to what you are trying to achieve.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml
Steve
01-04-2006 10:57 AM
Thanks - the only two things I see are that the IOS sample configs an address pool and that it is running 12.3(3). My 2611 is at 12.3(17a), I think. I don't think that the address pool is used for NEM, but that goes back and forth in the documentation. When I config'd an NEM with an ASA as the server, I would swear that no pool addresses were allocated, but I will test it out. If possible, I may also try to downgrade the IOS version - it REALLY bugs me that it doesn't show the IKE authentication as pre-share, even though I enter that, and even though a show crypto isakmp policy shows that config. Thanks again!