Cisco Support Community
Community Member

Need help with PIX to VPN3005 connection

I have a problem with connecting remote PIX501 to my VPN3005. I followed the suggested code in the following:

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094cf8.shtml

In following the syslog from the VPN3005, I see it gets to: PHASE 1 COMPLETED... then stops. At that point the PIX starts to issue this statement (every 10 seconds) while "debug crypto isakmp" is on:

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:<VPN3000 IP ADDRESS>, dest:<PIX501 IP ADDRESS> spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 660117357

ISAMKP (0): received DPD_R_U_THERE_ACK from peer <VPN3000 IP ADDRESS>

return status is IKMP_NO_ERR_NO_TRANS

Below is the entire debug crypto isakmp from the PIX.

Can anybody help with this?

Thanks. - Jay

------------------------------------------------

ISAKMP (0): ID payload

next-payload : 13

type : 11

protocol : 17

port : 0

length : 13

ISAKMP (0): Total payload length: 17

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Aggressive Mode exchange

crypto_isakmp_process_block:src:<VPN3000 IP ADDRESS>, dest:<PIX501 IP ADDRESS> spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65001 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65002 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65003 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65004 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65005 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65006 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65007 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65008 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing KE payload. message ID = 0

ISADB: reaper checking SA 0x9e83ac, conn_id = 0

ISADB: reaper checking SA 0xa73d84, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:<VPN3000 IP ADDRESS>/500 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:<VPN3000 IP ADDRESS>/500 Total VPN peers:0

ISADB: reaper checking SA 0x9e83ac, conn_id = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:<VPN3000 IP ADDRESS>, dest:<PIX501 IP ADDRESS> spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 660117357

ISAMKP (0): received DPD_R_U_THERE_ACK from peer <VPN3000 IP ADDRESS>

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:<VPN3000 IP ADDRESS>, dest:<PIX501 IP ADDRESS> spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 236223124

ISAMKP (0): received DPD_R_U_THERE_ACK from peer <VPN3000 IP ADDRESS>

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:<VPN3000 IP ADDRESS>, dest:<PIX501 IP ADDRESS> spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 1914704689

ISAMKP (0): received DPD_R_U_THERE_ACK from peer <VPN3000 IP ADDRESS>

return status is IKMP_NO_ERR_NO_TRANS

3 REPLIES
Community Member

Re: Need help with PIX to VPN3005 connection

Try turning off dead peer detection on the concentrator.

Do a 'debug crypto ipsec', because your phase 1 appears to be negotiating OK:

"ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing KE payload. message ID = 0

ISADB: reaper checking SA 0x9e83ac, conn_id = 0

ISADB: reaper checking SA 0xa73d84, conn_id = 0 DELETE "

Make sure you are allowing the IPsec protocols (ESP/AH); there have been instances where I have had to explicitly configure it in an ACL (instead of using the sysopt command).
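Turning the reading of the debug in this reply into a check, as an added example that is not part of this thread: the script walks "debug crypto isakmp" output, records which ISAKMP policy the peer's transform finally matched, and flags the pattern shown above, where DPD keepalives keep cycling but no Quick Mode (phase 2) exchange ever begins. The sample excerpt is constructed from the lines quoted in the thread with a placeholder peer address.

```python
import re

# Constructed excerpt modelled on the "debug crypto isakmp" output quoted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Aggressive Mode exchange
ISAKMP (0): Checking ISAKMP transform 8 against priority 65001 policy
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 8 against priority 65008 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.0.2.1
ISAKMP (0): sending NOTIFY message 36136 protocol 1
ISAMKP (0): received DPD_R_U_THERE_ACK from peer 192.0.2.1
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")

def summarize_isakmp_debug(text):
    """Walk the debug line by line and return a dict describing the IKE state."""
    s = {"mode": None, "rejected_policies": [], "accepted_policy": None,
         "dpd_supported": False, "nat_t": False, "dpd_keepalives": 0,
         "quick_mode_seen": False}
    pending = None  # policy priority whose verdict has not been logged yet
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if "Aggressive Mode" in line:
            s["mode"] = "aggressive"
        elif m:
            pending = int(m.group(2))
        elif "atts are not acceptable" in line and pending is not None:
            s["rejected_policies"].append(pending); pending = None
        elif "atts are acceptable" in line and pending is not None:
            s["accepted_policy"] = pending; pending = None   # phase 1 proposal agreed
        elif "supports dead peer detection" in line:
            s["dpd_supported"] = True
        elif "vendor ID is NAT-T" in line or "Detected NAT-D payload" in line:
            s["nat_t"] = True
        elif "DPD_R_U_THERE_ACK" in line:
            s["dpd_keepalives"] += 1
        elif "OAK_QM" in line:  # PIX logs phase 2 as "OAK_QM exchange"; absent in the thread
            s["quick_mode_seen"] = True
    return s

def diagnose(s):
    """Classify the negotiation the way the reply above reasons about it."""
    if s["accepted_policy"] is None:
        return "phase1-proposal-mismatch"
    if s["dpd_keepalives"] >= 2 and not s["quick_mode_seen"]:
        return "phase1-up-phase2-never-starts"
    return "negotiation-progressing"
```

A "phase1-up-phase2-never-starts" verdict is the cue to move on to 'debug crypto ipsec' and to check what the outside interface permits, rather than to keep staring at the ISAKMP policy list.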

Community Member

Re: Need help with PIX to VPN3005 connection

If I do a "Sysopt connection ipsec-permit" I get:

pixfirewall(config)# sysopt connection permit-ipsec

ERROR: sysopt connection permit-ipsec configuration cannot be modified with PIX Easy VPN Remote enabled.

Not sure how I would enable it in the acl as you mention.

You are correct, the syslog on the vpn3000 states that phase 1 completed, but then it just sits there.

debug crypto ipsec: I get the following:

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 12.146.xx.124

debug crypto isakmp: I get the following:

VPN Peer: ISAKMP: Peer ip:12.146.xx.124/500 Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:12.146.xx.124/500 Total VPN peers:0

ISAKMP (0): ID payload

next-payload : 13

type : 11

protocol : 17

port : 0

length : 18

ISAKMP (0): Total payload length: 22

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0): beginning Aggressive Mode exchange

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65001 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65002 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65003 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65004 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65005 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65006 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65007 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 65008 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc my hash for NAT-D

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): recalc his hash for NAT-D

ISAKMP (0:0): NAT match HIS hash

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 2256657453

ISAMKP (0): received DPD_R_U_THERE_ACK from peer 12.146.xx.124

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 442225445

ISAMKP (0): received DPD_R_U_THERE_ACK from peer 12.146.xx.124

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 3491695105

ISAMKP (0): received DPD_R_U_THERE_ACK from peer 12.146.xx.124

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 36137 protocol 1

spi 0, message ID = 4243276284

ISAMKP (0): received DPD_R_U_THERE_ACK from peer 12.146.xx.124

return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:12.146.xx.124, dest:12.146.xx.123 spt:500 dpt:500

pixfirewall(config)#

Community Member

Re: Need help with PIX to VPN3005 connection

I didn't realize you were doing EzVPN, sorry.

Create an access-list that allows ESP and IKE even though sysopt connection permit-ipsec exists:

access-list 111 permit udp host 3005ExtIP host PIXExtIP eq isakmp (or 500)

access-list 111 permit esp host 3005ExtIP host PIXExtIP

access-list 111 permit WHATEVERELSEyouNEED

access-list 111 deny ip any any

access-group 111 in interface outside
