Cisco VPN Client and PIX

pawelus · ‎10-28-2002

Hi there,

I have trouble with making my PIX 506 v.6.2(2) work with Cisco VPN Client v. 3.62A. I also tried v. 3.51, with different symptoms but no success as well.

Here is output from debug on PIX (Client 3.62A):

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

'7' in encryption algorithm field stands for Blowfish, right? So does it mean that this client wants to use Blowfish? At least strange.

The PIX itself is configured according to the book (I think), serves 'static address' VPNs quite well (terminated by Linksys BEFVP41). Only DES (single) is available for encryption.

Here some config from the PIX:

ip local pool demos-rmt-cli 192.168.3.1-192.168.3.254

access-list remote-vpn-client permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

crypto ipsec transform-set demos-vpn-client-tset esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map demos-dyn-map 99 set transform-set demos-vpn-client-tset

crypto map demos-vpn-map-ike 99 ipsec-isakmp dynamic demos-dyn-map

crypto map demos-vpn-map-ike interface outside

...

isakmp identity key-id 123.45.67.89

isakmp client configuration address-pool local demos-rmt-cli outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 28800

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption des

isakmp policy 30 hash sha

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup demos-secret-agent address-pool demos-rmt-cli

vpngroup demos-secret-agent dns-server 192.168.1.2

vpngroup demos-secret-agent default-domain demos.domain.xyz

vpngroup demos-secret-agent split-tunnel remote-vpn-client

vpngroup demos-secret-agent idle-time 1800

vpngroup demos-secret-agent password qwerty

When I tried the 3.51 client (right from the box), it refused to go past Phase 1 as well. When I changed the DH group parameter in the policy file (client side) to 1 - it succeded with phase 1 but failed with phase 2. Is there a particular version of the client software, that will work with PIX 506 software v. 6.2(2)?

I am feeling, like running in circles with this problem, I would appreciate help from someone knowledgable in this matter.

levter · ‎10-28-2002

The 3.0 clients use D-H group 2 policy and PIX 6.0 code.

see http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080093f89.shtml

If you are trying just vpn client and pix then it looks like you could have some software that used ipsec before and did changes in security policy. So try to do it on clean machine. Should work.

gfullage · ‎10-28-2002

Try "isakmp identity address" instead of the key-id, not sure what that'll do. Can't say I've ever seen anyone use that before.

In the 3.6 client they included AES support, which meant they actually dropped support for DES/MD5/G2, but you don't have that so you should be OK.