Cisco Support Community

New Member

VPN client issue


I am using PIX 7.0 and I have created an IPsec VPN and am trying to connect to it from my VPN Client 4.0.

The group authentication is working fine, but after that, for the user authorization, it is asking for a username and password.

Since we are not using any TACACS or RADIUS, is it possible to do user authorization with a PIX local username and password?




Re: VPN client issue

yes it is possible - create a local username and password in the PIX, then in the VPN tunnel group add:-

authentication-server-group local.


New Member

Re: VPN client issue


Thanks for your reply

I tried to issue the command on my firewall but I don't have that command listed:

(config)# vpngroup vpn3000 authe

(config)# vpngroup vpn3000 authentication-server ?

configure mode commands/options:

WORD The name of the IUA AAA server on the firewall headend

(config)# vpngroup vpn3000 authentication-server

Please guide me

Re: VPN client issue

Are you sure you are running code version 7.x? The config you posted looks to be in the wrong format for version 7.x.

Post the entire remote VPN config please.

New Member

Re: VPN client issue


As requested, I am sending my config:

PIX Version 7.0(1)

interface Ethernet0
 description WAN_connectivity
 nameif outside
 security-level 0
 ip address xxx.xx.2.3
interface Ethernet1
 description Lan-connectivity
 nameif inside
 security-level 100
 ip address
interface Ethernet2
 description WEB_NATACCESS
 nameif DMZ
 security-level 80
 ip address
access-list 101 extended permit ip
ip local pool RemoteVPNpool
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1
static (inside,outside) netmask
route outside xx.xx.2.1 1
route inside 1
route DMZ 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn3000 internal
group-policy vpn3000 attributes
 user-authentication enable
username admin password eY/fQXw7Ure8Qrz7 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TCVPN-OLY esp-3des esp-none
crypto ipsec transform-set test-vpn esp-3des esp-none
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
telnet DMZ
telnet DMZ
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd dns
dhcpd lease 3000
dhcpd ping_timeout 50
dhcpd enable inside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp



Re: VPN client issue

Add the below

tunnel-group vpn3000 ipsec-attributes

authentication-server-group LOCAL


New Member

Re: VPN client issue

Thanks for your reply. I entered the command, and after that I ran

debug crypto isakmp; it shows some errors:

TCNEW-FW# Jan 13 04:41:02 [IKEv1]: QM IsRekeyed old sa not found by addr

Jan 13 04:41:02 [IKEv1]: QM FSM error (P2 struct &0x20c59a0, mess id 0x2dea489f)


Jan 13 04:41:02 [IKEv1]: Group = vpn3000, Username = admin, IP = xx.xx.37.82,

Removing peer from correlator table failed, no match!


Re: VPN client issue

OK - that is a completely different error for a different reason. Checking more of your VPN config, you are missing the below:-

crypto dynamic-map remote_vpn 10 set transform-set RVPN

crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn

add the above and test again.
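The two fixes given in this thread (an explicit authentication-server-group on the ipsec-ra tunnel-group, and a dynamic crypto map entry on the crypto map bound to the outside interface) are both things you can check for mechanically before a cutover. The following Python script is an added example written for this page, not Cisco tooling and not code from any poster: it parses a PIX/ASA-style running config into top-level commands and their indented sub-commands, then reports the two omissions discussed above. The parser, the lint function and the two embedded sample configs (a cut-down version of the posted config, and the same config with the thread's two additions) are all assumptions constructed for the example.

```python
"""Lint a PIX 7.x remote-access VPN config for the two gaps discussed in the thread.

Added example, not Cisco's tooling. Assumed helper names: parse_pix_config,
lint_remote_access_vpn. Sample configs are constructed for this example.
"""
import re


def parse_pix_config(text):
    """Group a running-config into {top-level command: [sub-commands]}.

    PIX/ASA indent sub-commands with leading spaces; unindented lines are
    top-level commands and become keys (with an empty list if they have no
    sub-commands). Blank lines and '!' comments are skipped.
    """
    blocks = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint_remote_access_vpn(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_pix_config(text)
    findings = []

    # Check 1: every ipsec-ra tunnel-group should name an authentication server
    # group (the thread's first fix: 'authentication-server-group LOCAL').
    for cmd in cfg:
        m = re.match(r"tunnel-group (\S+) type ipsec-ra$", cmd)
        if not m:
            continue
        name = m.group(1)
        attrs = (cfg.get(f"tunnel-group {name} ipsec-attributes", [])
                 + cfg.get(f"tunnel-group {name} general-attributes", []))
        if not any(a.startswith("authentication-server-group") for a in attrs):
            findings.append(
                f"tunnel-group {name}: no authentication-server-group set "
                f"(thread fix: 'authentication-server-group LOCAL' under ipsec-attributes)")

    # Check 2: a crypto map applied to an interface needs a dynamic entry for
    # remote-access clients (the thread's second fix), and that dynamic map
    # needs a transform-set, or phase 2 fails with a QM FSM error.
    for cmd in cfg:
        m = re.match(r"crypto map (\S+) interface (\S+)$", cmd)
        if not m:
            continue
        cmap, intf = m.groups()
        dyn_entries = [c for c in cfg if re.match(
            rf"crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic \S+$", c)]
        if not dyn_entries:
            findings.append(
                f"crypto map {cmap} on {intf}: no 'ipsec-isakmp dynamic' entry, "
                f"so remote-access clients have nothing to match in phase 2")
            continue
        for entry in dyn_entries:
            dyn_name = entry.split()[-1]
            has_ts = any(re.match(
                rf"crypto dynamic-map {re.escape(dyn_name)} \d+ set transform-set ", c)
                for c in cfg)
            if not has_ts:
                findings.append(f"dynamic-map {dyn_name}: no transform-set configured")
    return findings


# Constructed sample: the VPN-relevant lines of the config posted in the thread.
BROKEN_CONFIG = """\
PIX Version 7.0(1)
crypto ipsec transform-set RVPN esp-3des esp-md5-hmac
crypto map mymap 10 set transform-set RVPN
crypto map mymap interface outside
isakmp enable outside
tunnel-group vpn3000 type ipsec-ra
tunnel-group vpn3000 general-attributes
 address-pool RemoteVPNpool
 default-group-policy vpn3000
tunnel-group vpn3000 ipsec-attributes
"""

# Constructed sample: the same config with the thread's two additions applied.
FIXED_CONFIG = BROKEN_CONFIG + """\
 authentication-server-group LOCAL
crypto dynamic-map remote_vpn 10 set transform-set RVPN
crypto map mymap 65535 ipsec-isakmp dynamic remote_vpn
"""

if __name__ == "__main__":
    for label, conf in (("posted config", BROKEN_CONFIG), ("with fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_remote_access_vpn(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against the output of `show running-config` saved to a file; the parser relies on the one-space indentation the PIX itself emits, so configs retyped without indentation will not group sub-commands correctly.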

New Member

Re: VPN client issue

Thanks for your information.

Now I am able to log in through the VPN Client.

I have a small question: is it possible to recover VPN pre-shared keys in PIX 6.3(3), since we plan to put a new firewall in place of the existing one?


Re: VPN client issue

Copy the config from the pix to a tftp server:-

write net <>:<>.txt