10-08-2003 03:10 PM - edited 02-21-2020 12:48 PM
Hello All,
I'm having an issue creating an IPsec transport with a Win2k Laptop.
I have gone through all the VPN examples I could find and built a system that is pretty flexible (has sets for ah-sha-hmac esp-3des esp-sha-hmac and esp-des esp-sha-hmac for L2TP vpdn connections).
I'm a little confused by the examples' use of language. My impression is that by using L2TP ports to connect to IKE to build the tunnel then it should kick on IPsec.
I seem to be able to build the L2TP transport tunnel to the PIX from my Win2k Laptop, but it doesn't seem to go much further than that and times out with "there was no answer".
One error I do see is that the NAT hashes don't match during the ISAKMP connection, but it seems to continue on and finish building the tunnel.
Any help would be great.
Here is the config info:
object-group network vpn_pool
description VPN Client IP Pool
network-object host 192.168.1.30
network-object host 192.168.1.31
network-object host 192.168.1.32
network-object host 192.168.1.33
network-object host 192.168.1.34
network-object host 192.168.1.35
access-list vpnbound permit ip 192.168.0.0 255.255.0.0 object-group vpn_pool
access-list vpnbound deny ip any object-group vpn_pool
ip local pool vpn-pool 192.168.1.30-192.168.1.50
nat (inside) 0 access-list vpnbound
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set myset1 esp-des esp-sha-hmac
crypto ipsec transform-set myset1 mode transport
crypto ipsec transform-set myset2 ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 mode transport
crypto dynamic-map dynmap 10 set pfs group2
crypto dynamic-map dynmap 10 set transform-set myset1 myset2
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpn-pool outside
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
vpdn group l2tp_dialin accept dialin l2tp
vpdn group l2tp_dialin ppp authentication mschap
vpdn group l2tp_dialin client configuration address local vpn-pool
vpdn group l2tp_dialin client authentication local
vpdn group l2tp_dialin l2tp tunnel hello 60
vpdn group pptp_dialin accept dialin pptp
vpdn group pptp_dialin ppp authentication mschap
vpdn group pptp_dialin ppp encryption mppe auto
vpdn group pptp_dialin client configuration address local vpn-pool
vpdn group pptp_dialin pptp echo 60
vpdn group pptp_dialin client authentication local
vpdn username vpdn password *********
vpdn enable outside
Here is the Debug info:
crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a MSWIN2K client
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: a2 6c f3 b5 9d 38 a6 e0 a d 86 c8 1 3e b5 13 2d 62 3f e3
his nat hash : 24 b1 7c a0 6e bb 33 c5 7a d7 10 ef 77 6e d4 78 31 17 d8 13
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:64844 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for xx.xxx.xxx.93, peer port 19709
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 0
length : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xx.xxx.xxx.93/64844 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:xx.xxx.xxx.93/64844 Ref cnt incremented to:1 Total VPN Peers:1
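The "NAT does not match HIS hash" lines in the debug are IKE NAT-Traversal (RFC 3947) doing its job rather than a failure: each side sends NAT-D payloads that hash the IKE cookies with the addresses and ports it believes it is using, and the receiver recomputes them over the addresses it actually sees; a mismatch on the peer's hash means a NAT rewrote the peer's source address, which is why the exchange then floats from UDP 500 to UDP 4500 (the spt:64844 dpt:4500 line). The following Python, an added example and not code from the original post or from Cisco, reproduces that check; cookies and the 203.0.113.x addresses are constructed stand-ins for the masked xx.xxx.xxx.93 and xx.xxx.xxx.192 values.

```python
import hashlib
import ipaddress
import struct

# Added example: NAT detection with RFC 3947 NAT-D payloads, as seen in the
# PIX "NAT match MINE hash" / "NAT does not match HIS hash" debug lines.

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload = HASH(CKY-I | CKY-R | IP | Port). SHA-1 matches the
    'hash sha' ISAKMP policy; the port is a 2-byte big-endian value."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def responder_nat_check(cky_i, cky_r, received, my_ip, my_port, seen_ip, seen_port):
    """What the responder (the PIX) does with the initiator's NAT-D payloads.
    received[0] is the initiator's hash of *our* address ('MINE' in the debug);
    the rest hash the initiator's own source address(es) ('HIS'). We recompute
    both over what arrived on the wire; a mismatch means a NAT is in the path."""
    mine_expected = nat_d_hash(cky_i, cky_r, my_ip, my_port)
    his_expected = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    self_behind_nat = received[0] != mine_expected
    peer_behind_nat = his_expected not in received[1:]
    return {
        "self_behind_nat": self_behind_nat,
        "peer_behind_nat": peer_behind_nat,
        # Any NAT on either side: float to UDP 4500 and UDP-encapsulate ESP.
        "float_to_4500": self_behind_nat or peer_behind_nat,
    }

def scenario_from_debug():
    """Constructed replay of the posted debug: the PIX is not NATed (MINE
    matches) while the Win2k laptop sits behind a NAT (HIS does not match)."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed initiator cookie
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")  # constructed responder cookie
    pix_ip = "203.0.113.192"                    # stands in for xx.xxx.xxx.192
    client_private = "192.168.1.10"             # constructed: laptop's own address
    client_public = "203.0.113.93"              # stands in for xx.xxx.xxx.93 (post-NAT)
    # The client hashes the PIX address and its OWN (pre-NAT) address, both on 500.
    sent = [
        nat_d_hash(cky_i, cky_r, pix_ip, 500),
        nat_d_hash(cky_i, cky_r, client_private, 500),
    ]
    return responder_nat_check(cky_i, cky_r, sent, pix_ip, 500, client_public, 500)
```

Because the laptop only knows its private address, the hash it sends can never equal the one the PIX computes over the public address it sees, so on a NATed client this mismatch is expected on every connection.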
10-11-2003 12:45 PM
Does no one know what's going on?
I could really use some help here....
-c
10-19-2003 01:33 PM
Looking at some more examples, I tried adding in bi-directional static statements.
I'm not sure if the PIX is having issues with the fact that the VPN and inside networks are the same addressing. From the examples I saw and the results I want I built my configs, but I am not sure if there is some routing or NAT issue going on.
I can get past IKE and get SAs:
VPN Peer: ISAKMP: Added new peer: ip:*.*.*.51/4500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:*.*.*.51/4500 Ref cnt incremented to:1 Total VPN Peers:1