PIX 501 to IOS Router (Easy VPN)

ciscoblood
Level 1

Trying to configure a VPN session from a PIX 501 to a router. The router is loaded with an IOS supporting the Easy VPN Server feature. The PIX has 6.2(2) software.

The configuration in the following URL has been used.

http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html

The IKE phase 1 completes, and after that the XAUTH phase doesn't complete properly. I have double-checked the configs on either end, and they are correct.

Some debug messages that I captured while troubleshooting are:

-----------------debug crypto isakmp on router-------
*Mar 1 06:58:20.086: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:58:20.086: ISAKMP (0:1): vendor ID is DPD
*Mar 1 06:58:20.086: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:58:20.086: ISAKMP (0:1): claimed IOS but failed authentication
*Mar 1 06:58:20.086: ISAKMP (0:1): processing vendor id payload
*Mar 1 06:58:20.086: ISAKMP (0:1): vendor ID is Unity
*Mar 1 06:58:20.086: ISAKMP (0:1) Authentication by xauth preshared
*Mar 1 06:58:20.086: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 06:58:20.090: ISAKMP: encryption 3DES-CBC
*Mar 1 06:58:20.090: ISAKMP: hash SHA
*Mar 1 06:58:20.090: ISAKMP: default group 2
*Mar 1 06:58:20.090: ISAKMP: auth XAUTHInitPreShared
*Mar 1 06:58:20.090: ISAKMP: life type in seconds
*Mar 1 06:58:20.090: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 06:58:20.090: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 06:58:20.090: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Mar 1 06:58:20.090: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 10 policy
*Mar 1 06:58:20.090: ISAKMP: encryption 3DES-CBC
*Mar 1 06:58:20.090: ISAKMP: hash MD5
*Mar 1 06:58:20.090: ISAKMP: default group 2
*Mar 1 06:58:20.090: ISAKMP: auth XAUTHInitPreShared
*Mar 1 06:58:20.090: ISAKMP: life type in seconds
*Mar 1 06:58:20.090: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 06:58:20.094: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 06:58:20.094: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Mar 1 06:58:20.094: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 10 policy
*Mar 1 06:58:20.094: ISAKMP: encryption DES-CBC
*Mar 1 06:58:20.094: ISAKMP: hash SHA
*Mar 1 06:58:20.094: ISAKMP: default group 2
*Mar 1 06:58:20.094: ISAKMP: auth XAUTHInitPreShared
*Mar 1 06:58:20.094: ISAKMP: life type in seconds
*Mar 1 06:58:20.094: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 06:58:20.094: ISAKMP (0:1): atts are acceptable. Next payload is 3
*Mar 1 06:58:20.306: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 06:58:20.574: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 06:58:20.574: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 06:58:20.578: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Mar 1 06:58:20.578: ISAKMP: got callback 1
*Mar 1 06:58:20.582: ISAKMP (0:1): SKEYID state generated
*Mar 1 06:58:20.582: ISAKMP (0:1): SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Mar 1 06:58:20.586: ISAKMP (1): ID payload
        next-payload : 10
        type         : 1
        addr         : 63.241.212.4
        protocol     : 17
        port         : 0
        length       : 8
*Mar 1 06:58:20.586: ISAKMP (1): Total payload length: 12
*Mar 1 06:58:20.586: ISAKMP (0:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Mar 1 06:58:20.586: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Mar 1 06:58:20.586: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
*Mar 1 06:58:21.126: ISAKMP (0:1): received packet from 10.10.10.10 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Mar 1 06:58:21.126: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 06:58:21.130: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 8130E520
*Mar 1 06:58:21.130: ISAKMP (0:1): Process initial contact
bring down existing phase 1 and 2 SA's with local 63.241.212.4 remote 10.10.10.10 remote port 500
*Mar 1 06:58:21.130: ISAKMP (0:1): returning IP addr to the address pool
*Mar 1 06:58:21.130: ISAKMP (0:1): SA has been authenticated with 10.10.10.10
*Mar 1 06:58:21.130: ISAKMP: Trying to insert a peer 63.241.212.4/10.10.10.10/500/, and inserted successfully.
*Mar 1 06:58:21.134: ISAKMP: Sending phase 1 responder lifetime 86400
*Mar 1 06:58:21.134: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 06:58:21.134: ISAKMP: set new node -1993895430 to CONF_XAUTH
*Mar 1 06:58:21.134: ISAKMP (0:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 06:58:21.134: ISAKMP (0:1): purging node -1993895430
*Mar 1 06:58:21.138: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 06:58:21.138: ISAKMP (0:1): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Mar 1 06:58:21.138: ISAKMP (0:1): Need XAUTH
*Mar 1 06:58:21.138: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 1 06:58:21.138: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
*Mar 1 06:58:21.142: ISAKMP: got callback 1
*Mar 1 06:58:21.142: ISAKMP: set new node -1066138592 to CONF_XAUTH
*Mar 1 06:58:21.142: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 1 06:58:21.142: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 1 06:58:21.142: ISAKMP (0:1): initiating peer config to 10.10.10.10. ID = -1066138592
*Mar 1 06:58:21.142: ISAKMP (0:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (R) CONF_XAUTH
*Mar 1 06:58:21.178: ISAKMP (0:1): received packet from 10.10.10.10 dport 500 sport 500 Global (R) CONF_XAUTH
*Mar 1 06:58:21.182: ISAKMP (0:1): processing transaction payload from 10.10.10.10. message ID = -1066138592
*Mar 1 06:58:21.182: ISAKMP: Config payload REPLY
*Mar 1 06:58:21.182: ISAKMP/xauth: Expected attribute XAUTH_USER_NAME_V2 not received
*Mar 1 06:58:21.182: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Mar 1 06:58:21.190: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
*Mar 1 06:58:21.190: ISAKMP (0:1): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 06:58:21.194: ISAKMP (0:1): received packet from 10.10.10.10 dport 500 sport 500 Global (R) CONF_XAUTH
*Mar 1 06:58:21.194: ISAKMP (0:1): processing transaction payload from 10.10.10.10. message ID = -1567596430
*Mar 1 06:58:21.198: ISAKMP: Config payload REPLY
*Mar 1 06:58:21.198: ISAKMP/xauth: Expected attribute XAUTH_USER_NAME_V2 not received
*Mar 1 06:58:21.198: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Mar 1 06:58:21.198: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
*Mar 1 06:58:21.198: ISAKMP: got callback 1
*Mar 1 06:58:21.202: ISAKMP: set new node -1308184873 to CONF_XAUTH
*Mar 1 06:58:21.202: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 1 06:58:21.202: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 1 06:58:21.202: ISAKMP (0:1): initiating peer config to 10.10.10.10. ID = -1308184873
*Mar 1 06:58:21.202: ISAKMP (0:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (R) CONF_XAUTH
*Mar 1 06:58:21.206: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
*Mar 1 06:58:21.206: ISAKMP (0:1): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 06:58:21.214: ISAKMP (0:1): received packet from 10.10.10.10 dport 500 sport 500 Global (R) CONF_XAUTH
*Mar 1 06:58:21.214: ISAKMP (0:1): processing transaction payload from 10.10.10.10. message ID = -1308184873
*Mar 1 06:58:21.218: ISAKMP: Config payload REPLY
*Mar 1 06:58:21.218: ISAKMP/xauth: Expected attribute XAUTH_USER_NAME_V2 not received
*Mar 1 06:58:21.218: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 06:58:21.218: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 10.10.10.10) input queue 0
*Mar 1 06:58:21.218: ISAKMP: set new node -421410454 to CONF_XAUTH
*Mar 1 06:58:21.222: ISAKMP (0:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (R) MM_NO_STATE
*Mar 1 06:58:21.222: ISAKMP (0:1): purging node -421410454
*Mar 1 06:58:21.222: ISAKMP (0:1): deleting node -1066138592 error FALSE reason "XAuthenticate fail"
*Mar 1 06:58:21.222: ISAKMP (0:1): deleting node -1567596430 error FALSE reason "XAuthenticate fail"
*Mar 1 06:58:21.222: ISAKMP (0:1): deleting node -1308184873 error FALSE reason "XAuthenticate fail"
*Mar 1 06:58:21.222: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Mar 1 06:58:21.222: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
...endor id payload
*Mar 1 06:58:21.754: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 06:58:21.754: ISAKMP (0:2): vendor ID is XAUTH
*Mar 1 06:58:21.754: ISAKMP (0:2): processing vendor id payload
*Mar 1 06:58:21.754: ISAKMP (0:2): vendor ID is DPD
*Mar 1 06:58:21.754: ISAKMP (0:2): processing vendor id payload
*Mar 1 06:58:21.754: ISAKMP (0:2): claimed IOS but failed authentication
*Mar 1 06:58:21.754: ISAKMP (0:2): processing vendor id payload
*Mar 1 06:58:21.758: ISAKMP (0:2): vendor ID is Unity
*Mar 1 06:58:21.758: ISAKMP (0:2) local preshared key found
-----------------------------------------------------

Note that it says --- "ERROR FALSE REASON - XAuthenticate fail"

I have verified the user names, and they are keyed in correctly. Is this some kind of bug in the code?

Any help is appreciated.
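The debug capture above can be triaged mechanically rather than read line by line. The script below is an added example, not code from the original post or from Cisco: it parses a constructed sample made from the debug lines quoted in the thread (the line shapes are the ones visible above) and reports which phase 1 transform the router's policy accepted and why the others were refused, the IKE state transitions, the XAUTH attributes requested, and the first XAUTH error. Which algorithms count as weak (single DES, MD5) is this script's own assumption.

```python
"""Triage helper for Cisco IOS `debug crypto isakmp` output (added example).

Lines that none of the patterns below recognise are ignored, not guessed at.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: an abridged copy of debug lines quoted in the thread,
# with the interleaved fragments left out so every line is whole.
SAMPLE_DEBUG = """\
*Mar 1 06:58:20.086: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
*Mar 1 06:58:20.090: ISAKMP: encryption 3DES-CBC
*Mar 1 06:58:20.090: ISAKMP: hash SHA
*Mar 1 06:58:20.090: ISAKMP: default group 2
*Mar 1 06:58:20.090: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Mar 1 06:58:20.090: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Mar 1 06:58:20.094: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 10 policy
*Mar 1 06:58:20.094: ISAKMP: encryption DES-CBC
*Mar 1 06:58:20.094: ISAKMP: hash SHA
*Mar 1 06:58:20.094: ISAKMP: default group 2
*Mar 1 06:58:20.094: ISAKMP (0:1): atts are acceptable. Next payload is 3
*Mar 1 06:58:21.130: ISAKMP (0:1): SA has been authenticated with 10.10.10.10
*Mar 1 06:58:21.138: ISAKMP (0:1): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Mar 1 06:58:21.142: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 1 06:58:21.142: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 1 06:58:21.182: ISAKMP: Config payload REPLY
*Mar 1 06:58:21.182: ISAKMP/xauth: Expected attribute XAUTH_USER_NAME_V2 not received
*Mar 1 06:58:21.218: ISAKMP (0:1): deleting SA reason "XAuthenticate fail" state (R) CONF_XAUTH (peer 10.10.10.10) input queue 0
*Mar 1 06:58:21.222: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
"""

TIMESTAMP_RE = re.compile(r"^\*?\w{3}\s+\d+\s+[\d:.]+:\s+")  # "*Mar 1 06:58:20.086: "
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|auth) (\S+)$")
MISMATCH_RE = re.compile(r"ISAKMP \(\d+:\d+\): (.+ does not match policy!)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
AUTH_RE = re.compile(r"SA has been authenticated with (\S+)")
XAUTH_REQ_RE = re.compile(r"ISAKMP/xauth: request attribute (\S+)")
XAUTH_ERR_RE = re.compile(r"ISAKMP/xauth: (Expected attribute \S+ not received)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
WEAK_ENCRYPTION, WEAK_HASH = {"DES-CBC"}, {"MD5"}  # assumption: what this script calls weak


@dataclass
class Transform:
    number: int
    policy: int
    attrs: Dict[str, str] = field(default_factory=dict)
    accepted: Optional[bool] = None
    reason: str = ""


@dataclass
class Triage:
    transforms: List[Transform] = field(default_factory=list)
    states: List[Tuple[str, str]] = field(default_factory=list)
    authenticated_peer: Optional[str] = None
    xauth_requested: List[str] = field(default_factory=list)
    xauth_error: Optional[str] = None
    sa_deleted_reason: Optional[str] = None

    @property
    def accepted_transform(self) -> Optional[Transform]:
        return next((t for t in self.transforms if t.accepted), None)

    @property
    def final_state(self) -> Optional[str]:
        return self.states[-1][1] if self.states else None

    def weak_phase1(self) -> bool:
        t = self.accepted_transform
        return t is not None and (t.attrs.get("encryption") in WEAK_ENCRYPTION
                                  or t.attrs.get("hash") in WEAK_HASH)


def parse_isakmp_debug(text: str) -> Triage:
    tri, cur = Triage(), None
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        m = TRANSFORM_RE.search(line)
        if m:  # the responder starts checking a new peer proposal against a policy
            cur = Transform(int(m.group(1)), int(m.group(2)))
            tri.transforms.append(cur)
            continue
        if cur is not None and cur.accepted is None:  # attribute lines of the open transform
            m = ATTR_RE.match(line)
            if m:
                cur.attrs[m.group(1)] = m.group(2)
                continue
            m = MISMATCH_RE.search(line)
            if m:
                cur.reason = m.group(1)
                continue
            if "atts are not acceptable" in line:
                cur.accepted = False
                continue
            if "atts are acceptable" in line:
                cur.accepted = True
                continue
        if (m := STATE_RE.search(line)):
            tri.states.append((m.group(1), m.group(2)))
        elif (m := AUTH_RE.search(line)):
            tri.authenticated_peer = m.group(1)
        elif (m := XAUTH_REQ_RE.search(line)):
            tri.xauth_requested.append(m.group(1))
        elif (m := XAUTH_ERR_RE.search(line)) and tri.xauth_error is None:
            tri.xauth_error = m.group(1)  # keep the first XAUTH failure only
        elif (m := DELETE_RE.search(line)):
            tri.sa_deleted_reason = m.group(1)
    return tri


def findings(tri: Triage) -> List[str]:
    """One verdict per line, in the order a reviewer would read them."""
    out = []
    for t in tri.transforms:
        attrs = ", ".join(f"{k}={v}" for k, v in t.attrs.items())
        verdict = "accepted" if t.accepted else f"rejected ({t.reason or 'no reason logged'})"
        out.append(f"transform {t.number} vs policy {t.policy}: {verdict}; {attrs}")
    if tri.weak_phase1():
        note = "WARNING: accepted phase 1 proposal uses a weak algorithm"
        if any(t.accepted is False for t in tri.transforms):
            note += "; the peer's stronger offers were refused by the local policy, not by the peer"
        out.append(note)
    if tri.authenticated_peer:
        out.append(f"phase 1 authenticated with {tri.authenticated_peer}")
    if tri.xauth_error:
        out.append(f"XAUTH requested {', '.join(tri.xauth_requested)} but: {tri.xauth_error}")
    if tri.sa_deleted_reason:
        out.append(f"SA deleted: {tri.sa_deleted_reason}; final state {tri.final_state}")
    return out


if __name__ == "__main__":
    for line in findings(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(line)
```

Run against the sample it prints that transform 1 (3DES) was rejected by policy 10 while transform 3 (single DES) was accepted, that phase 1 authenticated, that the username attribute never came back in the XAUTH reply, and that the SA was deleted with reason "XAuthenticate fail". The weak-algorithm warning is the kind of check worth keeping in a triage tool: the debug shows it is the router's own priority 10 policy, not the PIX, that forced the session down to DES.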

4 Replies

gfullage
Cisco Employee

Here's the real issue:

*Mar 1 06:58:21.182: ISAKMP/xauth: Expected attribute XAUTH_USER_NAME_V2 not received

Note it says that it didn't receive a username from the PIX. This is probably bug CSCea19586, you can either run 12.2(8)T on the router and it should work, or if you're running 12.2(13)T or higher on the router, upgrade the PIX to 6.3(1) and it should work also. There's basically an incompatibility between 6.2(2) and higher than 12.2(8)T, so change either side and it should work for you.


Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Glenn,

Thank you very much for the prompt response.

The IOS I am using is 12.3(1a). I will upgrade the PIX to 6.3(1) and let you know how it went.

Meanwhile, I tried the same PIX 501 (6.2(2)) to act as a VPN hardware client, with a VPN concentrator 3000 at the other end, pushing the configurations. The VPN concentrator shows the following error logs.

6390 07/18/2003 10:17:29.180 SEV=8 IKEDECODE/0 RPT=55684 172.17.2.112
ISAKMP HEADER : ( Version 1.0 )
  Initiator Cookie(8): CE 4A 6F 5E FB 43 3F CF
  Responder Cookie(8): 00 00 00 00 00 00 00 00
  Next Payload : SA (1)
  Exchange Type : Oakley Aggressive Mode
  Flags : 0
  Message ID : 0
  Length : 575

6396 07/18/2003 10:17:29.180 SEV=8 IKEDBG/0 RPT=57070 172.17.2.112
RECEIVED Message (msgid=0) with payloads :
HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0)
total length : 575

6399 07/18/2003 10:17:29.180 SEV=4 IKE/2 RPT=93 172.17.2.112
Filter missing on interface 1, IKE data from Peer 172.17.2.112 dropped

I have checked the filter settings on the interface, and have also configured the VPN concentrator not to drop, but accept the packets on each of the filters.

Any idea, why this is happening?
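The IKEDECODE lines above are the concentrator printing the fixed 28-byte ISAKMP header and then following the next-payload chain through the message. The following Python is an added example, not code from the thread or from the VPN 3000: it builds a packet with the same shape as the logged one (aggressive mode, responder cookie zero, first payload SA, 575 bytes, the initiator cookie value from the log) and decodes it back into the same "HDR + SA (1) + ... + NONE (0)" summary. Payload bodies are filler rather than a real proposal, and the four vendor IDs are zero-filled placeholders, not real vendor hashes. The decoder checks every length field against the buffer before trusting it, which is the part a parser facing untrusted UDP/500 input must get right.

```python
"""Decode an ISAKMP (IKEv1) header and walk its payload chain (added example)."""
import struct

# RFC 2408 fixed header: I-cookie(8) R-cookie(8) next-payload(1) version(1)
# exchange-type(1) flags(1) message-id(4) length(4) = 28 bytes, network order.
HDR = struct.Struct("!8s8sBBBBII")
GEN = struct.Struct("!BBH")   # generic payload header: next-payload, reserved, length
FLAG_ENCRYPTION = 0x01         # E bit: everything after the header is encrypted

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VENDOR"}
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Oakley Aggressive Mode", 5: "Informational"}


def build_packet(icookie: bytes, payloads, exchange: int, msgid: int = 0, flags: int = 0) -> bytes:
    """Assemble a cleartext ISAKMP message from (payload_type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(following, 0, GEN.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    # Responder cookie is zero in the first message of an exchange; version byte 0x10 is 1.0.
    return HDR.pack(icookie, bytes(8), first, 0x10, exchange, flags, msgid, HDR.size + len(body)) + body


def decode_header(pkt: bytes) -> dict:
    if len(pkt) < HDR.size:
        raise ValueError("packet shorter than the ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = HDR.unpack_from(pkt, 0)
    return {"initiator_cookie": ic.hex(), "responder_cookie": rc.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange_type": xchg,
            "exchange_name": EXCHANGE_NAMES.get(xchg, f"unknown ({xchg})"),
            "flags": flags, "message_id": msgid, "length": length}


def walk_payloads(pkt: bytes) -> list:
    """Follow the next-payload chain; every length is checked against the buffer first."""
    hdr = decode_header(pkt)
    if hdr["length"] != len(pkt):
        raise ValueError(f"header says {hdr['length']} bytes, got {len(pkt)}")
    if hdr["flags"] & FLAG_ENCRYPTION:
        raise ValueError("payloads are encrypted; the chain cannot be walked without keys")
    chain, nxt, off = [], hdr["next_payload"], HDR.size
    while nxt != 0:
        if off + GEN.size > len(pkt):
            raise ValueError(f"truncated payload header at offset {off}")
        following, _reserved, plen = GEN.unpack_from(pkt, off)
        if plen < GEN.size or off + plen > len(pkt):
            raise ValueError(f"payload type {nxt} at offset {off} claims {plen} bytes")
        chain.append((nxt, plen))
        nxt, off = following, off + plen
    if off != len(pkt):
        raise ValueError(f"{len(pkt) - off} trailing bytes after the last payload")
    return chain


def summarize(pkt: bytes) -> str:
    """Render the chain the way the IKEDECODE log does."""
    names = [f"{PAYLOAD_NAMES.get(t, str(t))} ({t})" for t, _ in walk_payloads(pkt)]
    return " + ".join(["HDR", *names, "NONE (0)"])


# Constructed sample with the shape of the logged message: aggressive mode,
# SA + KE (128-byte group 2 value) + NONCE + ID + four vendor IDs, 575 bytes.
# Initiator cookie is the value from the log; bodies are filler and the
# vendor IDs are zero-filled placeholders, not real vendor hashes.
ID_IPV4 = struct.pack("!BBH4s", 1, 17, 0, bytes([172, 17, 2, 112]))  # ID_IPV4_ADDR, UDP, port 0
SAMPLE_PACKET = build_packet(
    bytes.fromhex("CE4A6F5EFB433FCF"),
    [(1, bytes(295)), (4, bytes(128)), (10, bytes(20)), (5, ID_IPV4)] + [(13, bytes(16))] * 4,
    exchange=4,
)

if __name__ == "__main__":
    for k, v in decode_header(SAMPLE_PACKET).items():
        print(f"{k:>17}: {v}")
    print(summarize(SAMPLE_PACKET))
```

The ID payload body is built exactly as the router debug earlier in the thread prints it (type 1, protocol 17, port 0, 8 bytes of content, 12 with the generic header), so the two logs describe the same wire layout from either end.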

Usually means there's no filter applied to the Public interface (I know the message refers to Interface 1 which is the Private, but hey). It's quite valid (and the default actually) to have no filter applied to the Private interface, so that shouldn't be the issue. It's not valid however, to have no filter applied to the Public interface, so make sure that has the Public/default filter applied to it and try again.