IPSEC Tunnel Prob

aessome
Level 1

Hello VPN Gurus!

I have configured a VPN Client 1.1 to a PIX 6.1 gateway to authenticate with Xauth.

When I start the connection, IKE Phase 1 completes but there is no IKE Phase 2.

When I test this with the 3000 Client, adding the group config on the PIX, everything works!

But my customer does not need to use the 3000 Client.

Can you help me solve this problem?

The config looks like this:

access-list nonatraz permit ip host 193.96.2.114 10.70.254.0 255.255.255.0
ip local pool mypool 10.62.0.1-10.62.63.254
nat (raz) 0 access-list nonatraz
aaa-server TACACS+ protocol tacacs+
aaa-server SCGACS protocol tacacs+
aaa-server SCGACS (raz) host 10.70.254.2 hallo timeout 5
crypto ipsec transform-set dvag_set esp-3des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set dvag_set
crypto map vpnpeer 20 ipsec-isakmp dynamic mydynmap
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer client authentication SCGACS
crypto map vpnpeer interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600

Best regards!


yusuff
Cisco Employee

Config looks OK. Check the key:

isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0

Sometimes, by mistake, if you press ENTER after the address 0.0.0.0, the netmask defaults to 255.255.255.255, which causes the problem.

Furthermore, see the following sample config to check further:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/basclnt.htm#xtocid20

Turn on the debugs: where exactly does it fail, and what are the error messages?

HTH

R/Yusuf
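A small lint for the pre-shared-key line the reply points at, as an added example that is not from the thread or from Cisco. The sample config is constructed from the poster's configuration with the mistyped key line added; the rule that PIX fills in a 255.255.255.255 netmask when none is typed is taken from the reply above.

```python
import re

# Constructed sample: the poster's crypto/isakmp lines plus a key line where
# ENTER was pressed after the address, so the netmask defaulted to a host mask.
SAMPLE_CONFIG = """
crypto map vpnpeer 20 ipsec-isakmp dynamic mydynmap
crypto map vpnpeer client authentication SCGACS
crypto map vpnpeer interface outside
isakmp enable outside
isakmp key cisco123 address 0.0.0.0 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

# isakmp key <key> address <peer> [netmask <mask>]
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?$")


def check_isakmp_keys(config):
    """Return findings for the pre-shared-key lines in a PIX config.

    Remote-access clients arrive from unknown addresses, so the wildcard
    peer 0.0.0.0 must be paired with netmask 0.0.0.0; a host mask
    (the default when the netmask is omitted) never matches a dynamic peer,
    which leaves Phase 1 without a usable key.
    """
    findings = []
    key_lines = 0
    uses_preshare = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("isakmp policy") and line.endswith("authentication pre-share"):
            uses_preshare = True
        m = KEY_RE.match(line)
        if not m:
            continue
        key_lines += 1
        _key, addr, mask = m.groups()
        mask = mask or "255.255.255.255"  # PIX default when netmask is omitted
        if addr == "0.0.0.0" and mask != "0.0.0.0":
            findings.append(
                f"wildcard key has host netmask {mask}; use 'netmask 0.0.0.0'"
            )
    if uses_preshare and key_lines == 0:
        findings.append("pre-share policy configured but no 'isakmp key' line present")
    return findings
```

Run it over `show run` output before turning on debugs; an empty list means the key line is at least shaped correctly for dynamic peers.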

aessome
Level 1

Thanks Yu,

All works now. The next problem is to make the ACS server assign the client IP address. Which command on the PIX replaces "ip local pool mypool 10.62.0.1-10.62.63.254" and "isakmp client configuration address-pool local mypool outside" in this case?

I see in the ACS book how to configure the pool, but what about the PIX? Which command could I use on the PIX to forward the client IP address request to the ACS server?

Thanks for any help.

Alain