Cisco VPN Client 4.6.02.0011 cannot connect to a PIX 501 Easy VPN Server

richard.bahcic
Level 1

Dear vpn-professionals,

For days I have been trying to establish a connection to our PIX 501 Easy VPN Server.

I read several documents and all seems to be right, for example on the PIX side:

..... start

sysopt connection permit-ipsec

crypto ipsec transform-set XYZ esp-aes-256 esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set XYZ

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 5

.... end

In the client's connection.pcf file I added the value

DHGroup=5

but nothing changes.

In the log window of the client, this appears soon after:

34 09:38:17.401 12/05/05 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 80.129.46.143

... an answer :

37 09:38:17.532 12/05/05 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 80.129.46.143

38 09:38:17.532 12/05/05 Sev=Warning/2 IKE/0xE3000099

Invalid SPI size (PayloadNotify:116)

39 09:38:17.532 12/05/05 Sev=Info/4 IKE/0xE30000A4

Invalid payload: Stated payload length, 192, is not sufficient for Notification:(PayloadList:149)

40 09:38:17.532 12/05/05 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

Can anyone out there tell us, what's going wrong here?

What is Invalid SPI size?

And what is Invalid payload?

Stated length of 192? That sounds like an unsupported AES encryption key length, doesn't it?

But the PIX is configured to use a key-length of 256, so what's going wrong here?

There is another firewall, a WLAN-Router from BELKIN on the Client-Side between the two sites. Does this impact the IPSec Phase 1 in any way?

Please help us.

TIA,

Richard Bahcic


jackko
Level 7

the belkin wireless router/firewall needs to be configured to pass ipsec.

on the pix, "isakmp nat-traversal 20" needs to be enabled.

also, you may try to use dh group 2 instead of 5.

if further assistance is needed, please post the entire config with public ip masked.

Thank you so much for your response.

1.

> the belkin wireless router/firewall needs to be configured to pass ipsec

I think I've done this by defining a "virtual server" with the internal IP address of my notebook and port 500 for UDP.

On the other hand, some days before I tried to connect from my notebook via the VPN client over two PIX 501s from the customer's local net 1 to his other local net 2.

And on both firewalls there is a command

sysopt connection permit-ipsec

If I understood right, then all the IPsec traffic passed through the firewalls without being checked against any access lists, didn't it?

But the connection still couldn't be established.

So I think that the Belkin is not the problem.

2.

> on the pix, "isakmp nat-traversal 20" needs to be enabled

This command indeed is not configured and I will set it up soon.

3.

> also, you may try to use dh group 2 instead of 5

In the PIX's manual on page 6-21 there is a sentence which states that AES-256 encryption has to be used with DHGroup 5.

So, if we go back to use DHGroup 2, don't we have to use AES-128 encryption, too?

I'm so confused now about so many keys, encryption, access lists, static and dynamic crypto maps and all that stuff that I think I don't see the forest for all the trees.

Therefore I am posting the whole config file and hope you can explain where the conflicts are produced.

Thank you very, very much once more for your help!

<<<<<<<< config starts <<<<<<<<<

I added the file as an attachment and hope you get it.

If not, I will post the text in one of the next messages, because it was too long.

<<<<<<<< config ends <<<<<<<<<

I think there are one, two or more heavy conflicts, but at the moment I don't see anything.

TIA,

Richard

access-list hotzPartnerVPN_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any

access-list hotzPartnerVPN_splitTunnelAcl permit ip echterdingen 255.255.255.0 any

access-list hotzPartnerVPN_splitTunnelAcl permit ip 192.168.100.0 255.255.255.0 any

access-list hotzPartnerVPN_splitTunnelAcl permit ip 192.168.99.0 255.255.255.0 any

just wondering what exactly you are trying to achieve with these acls for split tunneling.

also add "isakmp identity address".

further, with the dh group:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00802d3ac3.html#wp1168133

according to this doc, both pre-shared and pre-shared xauth don't support dh group 5.

Dear jackko,

I THANK YOU SO MUCH for your help.

The problem with the connection is now SOLVED!

I do not receive any bytes through the tunnel, but this is an extra post, I think.

I believe that the facts that helped solving the problem were:

1. the right DHGroup. DH 5 really seems not to be supported with preshared keys.

2. the "isakmp nat-traversal 20"

3. the "isakmp identity address"

These were the only changes I made in the configuration of the PIX 501 firewall and since then the VPN client CAN CONNECT!

Thank you once more for your help and your deep understanding of this material.

Yours truly,

Richard
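
The three changes listed in the closing post, written as a check over a PIX isakmp configuration. This is an added example, not part of the thread and not Cisco tooling; the function name check_pix_isakmp and both sample configurations are constructed, with group 2 assumed for the corrected policy as jackko suggested.

```python
import re

# Constructed sample: the isakmp lines quoted in the first post,
# i.e. the configuration before the three changes.
BEFORE = """\
sysopt connection permit-ipsec
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 5
"""

# Constructed sample: the same policy after the changes reported in the
# thread (group 2 is an assumption; the thread only says group 5 was dropped).
AFTER = """\
sysopt connection permit-ipsec
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

POLICY = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)")

def check_pix_isakmp(config):
    """Return findings for the three settings the thread identified."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    policies = {}  # policy number -> {attribute: value}
    for ln in lines:
        m = POLICY.match(ln)
        if m:
            policies.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    findings = []
    for num, attrs in sorted(policies.items(), key=lambda kv: int(kv[0])):
        # Per the document jackko links, pre-shared key auth does not support DH group 5.
        if attrs.get("authentication") == "pre-share" and attrs.get("group") == "5":
            findings.append(f"policy {num}: DH group 5 with pre-shared key")
    if not any(ln.startswith("isakmp nat-traversal") for ln in lines):
        findings.append("isakmp nat-traversal not enabled")
    if "isakmp identity address" not in lines:
        findings.append("isakmp identity address not set")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_pix_isakmp(cfg) or "no findings")
```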