
New Member

Netlock VPN client for Mac to PIX firewall

I have successfully configured the PIX firewall for the Cisco VPN client. However, I could not get the Netlock VPN client for Mac to connect to it. I would appreciate it if anyone could help me out. Following is the log from the PIX firewall; it seems phase 1 is successful:

crypto_isakmp_process_block: src 65.230.89.61, dest 67.32.141.226

VPN Peer: ISAKMP: Added new peer: ip:65.230.89.61 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:65.230.89.61 Ref cnt incremented to:1 Total VPN Peers:

1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP: Created a peer node for 65.230.89.61

ISAKMP (0): ID payload

next-payload : 10

type : 2

protocol : 17

port : 500

length : 16

ISAKMP (0): Total payload length: 20

return status is IKMP_NO_ERROR

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src 65.230.89.61, dst 67.32.141.226

ISAKMP (0): deleting IPSEC SAs with peer at 65.230.89.61IPSEC(key_engine): got a

queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 65.230.89.61

ISADB: reaper checking SA 0x809dea68, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:65.230.89.61 Ref cnt decremented to:0 Total VPN Peers:

1

VPN Peer: ISAKMP: Deleted peer: ip:65.230.89.61 Total VPN peers:0

ISAKMP: Deleting peer node for 65.230.89.61

2 REPLIES
New Member

Re: Netlock VPN client for Mac to PIX firewall

Well, I upgraded the PIX to 6.2.1... It seems to let me get further. However, the connection is killed in Phase 2, with "return Status is IKMP_NO_ERR_NO_TRANS". Following is the full log:

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN Peers:

1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP: Created a peer node for 63.11.28.147

ISAKMP (0): ID payload

next-payload : 10

type : 2

protocol : 17

port : 500

length : 16

ISAKMP (0): Total payload length: 20

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even

t...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 3752133894

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-SHA

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80 IPSEC(validate_propos

al): transform proposal (prot 3, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-MD5

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part

#1,

(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 3752133894

ISAKMP (0): processing ID payload. message ID = 3752133894

ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 3752133894

ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0IPSEC(key_engine

): got a queue event...

IPSEC(spi_response): getting spi 0xbc74b5c1(3161765313) for SA

from 63.11.28.147 to 67.32.141.226 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 63.11.28.147 to 67.32.141.226 (proxy 63.11.28.14

7 to 0.0.0.0)

has spi 3161765313 and conn_id 1 and flags 4

lifetime of 31536000 seconds

outbound SA from 67.32.141.226 to 63.11.28.147 (proxy 0.0.0

.0 to 63.11.28.147)

has spi 1668866929 and conn_id 2 and flags 4

lifetime of 31536000 secondsIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 63.11.28.147/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 31536000s and 0kb,

spi= 0xbc74b5c1(3161765313), conn_id= 1, keysize= 0, flags= 0x4

IPSEC(initialize_sas): ,

(key eng. msg.)

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

ISAKMP (0): processing DELETE payload. message ID = 296222340IPSEC(key_engine):

got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:2 Total VPN Peers:

1

VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:1 Total VPN Peers:

1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

ISAKMP (0): processing DELETE payload. message ID = 2257656427

ISAKMP (0): deleting SA: src 63.11.28.147, dst 67.32.141.226

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x80a4ba88, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt decremented to:0 Total VPN Peers:

1

VPN Peer: ISAKMP: Deleted peer: ip:63.11.28.147 Total VPN peers:0IPSEC(key_engin

e): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN Peers:

1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: extended auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth pre-share

ISAKMP: default group 2

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): ID payload

next-payload : 10

type : 2

protocol : 17

port : 500

length : 16

ISAKMP (0): Total payload length: 20

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even

t...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1608224600

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-SHA

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80 IPSEC(validate_propos

al): transform proposal (prot 3, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1

ISAKMP: authenticator is HMAC-MD5

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part

#1,

(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

ISAKMP (0): processing NONCE payload. message ID = 1608224600

ISAKMP (0): processing ID payload. message ID = 1608224600

ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 1608224600

ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0IPSEC(key_engine

): got a queue event...

IPSEC(spi_response): getting spi 0xd817b45a(3625432154) for SA

from 63.11.28.147 to 67.32.141.226 for prot 3

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAIT

ISAKMP (0): Creating IPSec SAs

inbound SA from 63.11.28.147 to 67.32.141.226 (proxy 63.11.28.14

7 to 0.0.0.0)

has spi 3625432154 and conn_id 2 and flags 4

lifetime of 31536000 seconds

outbound SA from 67.32.141.226 to 63.11.28.147 (proxy 0.0.0

.0 to 63.11.28.147)

has spi 2101326708 and conn_id 1 and flags 4

lifetime of 31536000 secondsIPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,

dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

src_proxy= 63.11.28.147/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac ,

lifedur= 31536000s and 0kb,

spi= 0xd817b45a(3625432154), conn_id= 2, keysize= 0, flags= 0x4

IPSEC(initialize_sas):

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

ISAKMP (0): processing DELETE payload. message ID = 2972009236IPSEC(key_engine):

got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:2 Total VPN Peers:

1

VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:1 Total VPN Peers:

1

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226

ISAKMP (0): processing DELETE payload. message ID = 3336293860

ISAKMP (0): deleting SA: src 63.11.28.147, dst 67.32.141.226

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x80a4ba88, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt decremented to:0 Total VPN Peers:

1

VPN Peer: ISAKMP: Deleted peer: ip:63.11.28.147 Total VPN peers:0IPSEC(key_engin

e): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147

ISAKMP: Deleting peer node for 63.11.28.147

Bronze

Re: Netlock VPN client for Mac to PIX firewall

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even

t...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

That means that the PIX firewall is getting a delete message from the other IPSec peer. Check the logs on the other device and see what it complains about.

Jazib
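Added example, not part of the original posts: a short Python pass over ISAKMP/IPSec debug output in the format quoted in this thread, reporting which proposal the PIX accepted in each phase and whether the peer then sent a DELETE. The function name `triage` and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the format of the debug output quoted in this thread.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP : Checking IPSec proposal 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part
ISAKMP (0): Creating IPSec SAs
ISAKMP (0): processing DELETE payload. message ID = 1000IPSEC(key_engine):
"""

ATTR = re.compile(r"ISAKMP:\s+((?:encryption|hash|extended auth|authenticator|auth|transform)\b.*)")

def triage(log):
    """Report the accepted proposal per phase and how the negotiation ended."""
    r = {"phase1": None, "phase2": None, "authenticated": False,
         "sas_created": False, "peer_delete": False, "retransmits": 0}
    cur = None  # [phase, proposal number, attributes] currently being checked
    for line in log.splitlines():
        check = re.search(r"Checking (ISAKMP transform|IPSec proposal) (\d+)", line)
        verdict = re.search(r"atts (?:are )?(not )?acceptable", line)
        attr = ATTR.match(line.strip())
        if check:
            phase = "phase1" if check.group(1).startswith("ISAKMP") else "phase2"
            cur = [phase, int(check.group(2)), []]
        elif attr and cur:
            cur[2].append(attr.group(1).strip())
        elif verdict and cur:
            if not verdict.group(1):  # no "not": the PIX accepted this proposal
                r[cur[0]] = (cur[1], cur[2])
            cur = None
        r["authenticated"] |= "SA has been authenticated" in line
        r["sas_created"] |= "Creating IPSec SAs" in line
        r["peer_delete"] |= "processing DELETE payload" in line  # DELETE received from peer
        r["retransmits"] += "retransmitting phase 1" in line  # PIX resent its phase 1 message
    return r
```

A result with `sas_created` and `peer_delete` both true is the pattern the last reply describes: the peer tore the tunnel down after phase 2 completed, so the reason has to come from the client's own log.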
