10-28-2002 07:07 AM - edited 02-21-2020 12:08 PM
Hi there,
I have trouble making my PIX 506 v.6.2(2) work with Cisco VPN Client v. 3.62A. I also tried v. 3.51, with different symptoms but no success either.
Here is output from debug on PIX (Client 3.62A):
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
'7' in the encryption algorithm field stands for Blowfish, right? So does it mean that this client wants to use Blowfish? Strange, at least.
The PIX itself is configured according to the book (I think), serves 'static address' VPNs quite well (terminated by Linksys BEFVP41). Only DES (single) is available for encryption.
Here is some config from the PIX:
ip local pool demos-rmt-cli 192.168.3.1-192.168.3.254
access-list remote-vpn-client permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set demos-vpn-client-tset esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map demos-dyn-map 99 set transform-set demos-vpn-client-tset
crypto map demos-vpn-map-ike 99 ipsec-isakmp dynamic demos-dyn-map
crypto map demos-vpn-map-ike interface outside
...
isakmp identity key-id 123.45.67.89
isakmp client configuration address-pool local demos-rmt-cli outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup demos-secret-agent address-pool demos-rmt-cli
vpngroup demos-secret-agent dns-server 192.168.1.2
vpngroup demos-secret-agent default-domain demos.domain.xyz
vpngroup demos-secret-agent split-tunnel remote-vpn-client
vpngroup demos-secret-agent idle-time 1800
vpngroup demos-secret-agent password qwerty
When I tried the 3.51 client (right out of the box), it refused to go past Phase 1 as well. When I changed the DH group parameter in the policy file (client side) to 1, it succeeded with Phase 1 but failed with Phase 2. Is there a particular version of the client software that will work with PIX 506 software v. 6.2(2)?
I feel like I am running in circles with this problem; I would appreciate help from someone knowledgeable in this matter.
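As an added example (not from this thread or from Cisco), a Python 3.8+ script that decodes the attribute values in a PIX ISAKMP debug capture like the one above using the IANA IKEv1 attribute registry, and reports, per proposed transform, which attributes disagree with the configured isakmp policies. The policy table and the debug excerpt are constructed from the post above; the function and variable names are my own.

```python
import re

# IANA "IPSEC ISAKMP Encryption Algorithm" registry (IKEv1 attribute class 1).
ENC_ALG = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-R16-B64-CBC",
           5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC", 8: "CAMELLIA-CBC"}
# The two isakmp policies from the PIX config in the post, as constructed data.
PIX_POLICIES = {10: {"enc": "DES-CBC", "hash": "MD5", "group": 1},
                30: {"enc": "DES-CBC", "hash": "SHA", "group": 2}}
# Constructed excerpt: transforms 1 and 4 as the PIX printed them in the post.
DEBUG_EXCERPT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
"""

def parse_transforms(text):
    """One dict per 'Checking ISAKMP transform N' block in a PIX 'debug crypto isakmp' capture."""
    transforms, cur = [], {}   # lines before the first header land in a throwaway dict
    for line in text.splitlines():
        if m := re.match(r"ISAKMP \(0\): Checking ISAKMP transform (\d+)", line):
            cur = {"id": int(m.group(1))}
            transforms.append(cur)
        elif m := re.match(r"ISAKMP: encryption\.\.\. What\? (\d+)\?", line):
            cur["enc"] = ENC_ALG.get(int(m.group(1)), f"unknown({m.group(1)})")
        elif m := re.match(r"ISAKMP: hash (\w+)", line):
            cur["hash"] = m.group(1)
        elif m := re.match(r"ISAKMP: default group (\d+)", line):
            cur["group"] = int(m.group(1))
        elif m := re.match(r"ISAKMP: (extended )?auth pre-share", line):
            cur["auth"] = "xauth-pre-share" if m.group(1) else "pre-share"
        elif m := re.match(r"ISAKMP: life duration \(VPI\) of ((?:0x[0-9a-f]+ ?)+)", line):
            # big-endian byte string: 0x0 0x20 0xc4 0x9b -> 0x0020c49b = 2147483 seconds
            cur["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
    return transforms

def mismatches(transform, policy):
    """Attributes on which proposal and policy disagree, as {attr: (proposed, configured)}; empty = acceptable."""
    return {k: (transform.get(k), policy[k]) for k in ("enc", "hash", "group")
            if transform.get(k) != policy[k]}
```

Running mismatches() for every transform against every policy shows the encryption attribute disagreeing in all pairs, which is why the PIX prints "atts are not acceptable" for each one; the auth field is recorded but not compared, since the PIX accepts the XAUTH variant under a pre-share policy once a vpngroup is configured.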
10-28-2002 10:59 AM
The 3.0 clients use D-H group 2 policy and PIX 6.0 code.
If you are trying just the VPN client and the PIX, then it looks like you could have some software that used IPsec before and made changes to the security policy. So try it on a clean machine. Should work.
10-28-2002 05:50 PM
Try "isakmp identity address" instead of the key-id; not sure what that'll do. Can't say I've ever seen anyone use that before.
In the 3.6 client they included AES support, which meant they actually dropped support for DES/MD5/G2, but you don't have that so you should be OK.