Community Member

PIX Remote Access VPN

Hi,

I have set up a PIX 515 running v803 for remote access from a VPN client. I currently have site-to-site VPNs which have been set up and work fine. Currently, when I connect using the VPN client (v5), although Phase 1 completes, Phase 2 does not; I just get IKE negotiation failed.

crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set pfs
crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA
crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap
crypto isakmp enable outside
crypto map vpnmap interface outside

group-policy client_vpn_access internal
group-policy client_vpn_access attributes
 vpn-tunnel-protocol IPSec
 dns-server value 10.1.1.1

tunnel-group client_vpn_access type remote-access
tunnel-group client_vpn_access general-attributes
 default-group-policy client_vpn_access
 address-pool client_vpn_access
tunnel-group client_vpn_access ipsec-attributes
 pre-shared-key presharedkey

#### Log from Cisco VPN Client v5 ####

445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED

545 21:46:40.379 07/18/08 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

Please can you help.

Thanks
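Added example, not from the original post or from Cisco: a small Python parser for the VPN Client log format quoted above. It pairs each header line with its message and tells a Phase 2 rejection (NO_PROPOSAL_CHOSEN arriving after "Established Phase 1 SA", as in this log, which points at transform sets, PFS or dynamic-map entries rather than ISAKMP policies) apart from a Phase 1 one. Event, parse_client_log and diagnose are names chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four Cisco VPN Client v5 entries quoted in the post above.
SAMPLE_LOG = """\
445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED
545 21:46:40.379 07/18/08 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""

# Header line: <seq> <time> <date> Sev=<level>/<n> <module>/0x<code>; the message is the next line.
HEADER = re.compile(r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d\d) Sev=(\w+)/(\d) (\w+)/0x([0-9A-Fa-f]+)$")

@dataclass
class Event:
    seq: int
    module: str
    code: str
    message: str

def parse_client_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            events.append(Event(int(m.group(1)), m.group(6), m.group(7), lines[i + 1]))
            i += 2
        else:
            i += 1
    return events

def diagnose(events):
    """Say which IKE phase failed, judged from the order of the events."""
    p1 = next((e.seq for e in events if "Established Phase 1 SA" in e.message), None)
    rej = next((e.seq for e in events if "NOTIFY:NO_PROPOSAL_CHOSEN" in e.message), None)
    if rej is not None:
        # Rejected after Phase 1 was up: the peer refused the quick-mode (IPsec SA) proposal.
        return "phase2-proposal-rejected" if p1 is not None and p1 < rej else "phase1-proposal-rejected"
    if any("DEL_REASON_IKE_NEG_FAILED" in e.message for e in events):
        return "ike-negotiation-failed"
    return "no-failure-seen"
```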

6 REPLIES

Re: PIX Remote Access VPN

deb crypto isakmp 10

deb crypto ipsec 10

Gold

Re: PIX Remote Access VPN

please post your isakmp policies

sh run all isakmp

Community Member

Re: PIX Remote Access VPN

Hi,

Please find the debugs attached.

Thanks

Community Member

Re: PIX Remote Access VPN

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 80
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Re: PIX Remote Access VPN

no crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5
no crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA
no crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5
no crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set pfs
crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA

and show me your transform-set ESP-3DES-SHA

Community Member

Re: PIX Remote Access VPN

Hi,

I have removed the dynamic crypto maps as above, which has resulted in the Cisco VPN client now connecting.

However, I had to also remove pfs as I am also using the PIX for L2TP/IPSEC VPN from a Windows client.

Could you explain why this wasn't working before? Shouldn't the VPN client have been presented with all the SA options and picked the one that suited it?

Thanks
