PIX 506e & VPNClient 3.5.2 "Securing communication channel..."

I have a PIX 506e installed and configured.

I can connect with VPN Client to the inside interface but when I try to connect to the outside i see the following:

Initializing the connection...
Contacting the gateway at 213.x.x.x...
Negotiating security policies...
Securing communication channel...

And it does not finish the connection.

Here is the relevant PIX config. Maybe I have missed an ACL?

name 192.168.0.0 Interno
name 192.168.10.0 jjvpnpool
access-list outside_access_in permit tcp any gt 1024 host 213.x.x.x eq smtp
access-list outside_access_in deny ip any any
access-list 110 permit ip Interno 255.255.255.0 jjvpnpool 255.255.255.0
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside 213.x.x.x 255.255.255.192
ip address inside 192.168.0.3 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool poolvpn 192.168.10.1-192.168.10.254
global (outside) 1 interface
nat (inside) 0 access-list 110
nat (inside) 1 Interno 255.255.255.0 0 0
static (inside,outside) tcp interface smtp Correo smtp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.x.x.y 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community gsfdfdgfds
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup jjvpn address-pool poolvpn
vpngroup jjvpn split-tunnel 110
vpngroup jjvpn idle-time 1800
vpngroup jjvpn password ********

4 REPLIES
Re: PIX 506e & VPNClient 3.5.2 "Securing communication channel..

Enable the following debugs on the PIX:

debug crypto isakmp
debug crypto ipsec

and also on the client, enable the client log with the filter set to HIGH for all classes.

Get the output.

Jazib

Re: PIX 506e & VPNClient 3.5.2 "Securing communication channel..

I am having the same problem, and here is how you can overcome it. Instead of

access-list 110 permit ip Interno 255.255.255.0 jjvpnpool 255.255.255.0

use the following

access-list 110 permit ip 0.0.0.0 0.0.0.0 jjvpnpool 255.255.255.0

I know that this is not what you want to do, and I don't know exactly what Cisco is doing, but in theory your config should work. If you try to reduce the services that the client can access with an access-list, that also doesn't work. You have to use extended authentication, and in the RADIUS profile for the user you can restrict the user to accessing only specific services.

Does someone from Cisco have an answer, maybe?

Sasa Vidanovic
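As an added example (not from the thread and not Cisco's code), the script below parses the VPN-relevant lines of the PIX 6.x config posted above, copied here as a constructed excerpt, and checks that the ACL referenced by "nat (inside) 0" and by "vpngroup ... split-tunnel" covers the address pool and the inside network, and flags the DES/MD5 transform set. The function names, the WEAK list and the findings wording are my own choices; it also accepts the "0.0.0.0 0.0.0.0" source from the workaround.

```python
import ipaddress
# Constructed excerpt of the PIX 6.x config posted above (VPN-relevant lines only).
PIX_CONFIG = """\
name 192.168.0.0 Interno
name 192.168.10.0 jjvpnpool
access-list 110 permit ip Interno 255.255.255.0 jjvpnpool 255.255.255.0
ip address inside 192.168.0.3 255.255.255.0
ip local pool poolvpn 192.168.10.1-192.168.10.254
nat (inside) 0 access-list 110
crypto ipsec transform-set myset esp-des esp-md5-hmac
vpngroup jjvpn address-pool poolvpn
vpngroup jjvpn split-tunnel 110
"""
WEAK = {"esp-des", "esp-md5-hmac"}  # my own list of transforms to flag

def parse_config(text):
    # Collect name aliases, 'permit ip' ACL entries, pools, inside net and VPN settings.
    names, acls, pools, cfg = {}, {}, {}, {}
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[0] == "name":                                   # name <addr> <alias>
            names[f[2]] = f[1]
        elif f[0] == "access-list" and f[2:4] == ["permit", "ip"] and len(f) >= 8:
            src = ipaddress.ip_network(f"{names.get(f[4], f[4])}/{f[5]}")
            dst = ipaddress.ip_network(f"{names.get(f[6], f[6])}/{f[7]}")
            acls.setdefault(f[1], []).append((src, dst))
        elif f[:3] == ["ip", "local", "pool"]:               # <name> <lo>-<hi>
            pools[f[3]] = tuple(ipaddress.ip_address(a) for a in f[4].split("-"))
        elif f[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
        elif f[:3] == ["nat", "(inside)", "0"]:              # NAT exemption ACL
            cfg["nat0"] = f[4]
        elif f[0] == "vpngroup" and f[2] in ("address-pool", "split-tunnel"):
            cfg[f[2]] = f[3]
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"] = f[4:]
    return names, acls, pools, cfg

def check_vpn_config(text):
    """Return findings: does each VPN ACL cover the pool and the inside net; weak transforms."""
    _, acls, pools, cfg = parse_config(text)
    lo, hi = pools[cfg["address-pool"]]
    inside, findings = cfg["inside"], []
    for role in ("nat0", "split-tunnel"):
        entries = acls.get(cfg[role], [])
        if not any(lo in d and hi in d for _, d in entries):
            findings.append(f"{role}: ACL {cfg[role]} does not cover pool {lo}-{hi}")
        if not any(inside.subnet_of(s) for s, _ in entries):
            findings.append(f"{role}: ACL {cfg[role]} does not cover inside {inside}")
    findings += [f"transform-set uses weak algorithm {t}" for t in cfg["transforms"] if t in WEAK]
    return findings
```

On the posted config the ACL coverage checks pass and only the DES/MD5 transforms are reported, so the hang is not caused by a pool/ACL mismatch and the debugs from the first reply are the next step.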

Re: PIX 506e & VPNClient 3.5.2 "Securing communication channel..

Hi Sasa, I have the same problem as you. Once I apply the ACL to the dynamic-map, I am not able to establish the IPsec VPN. On the Cisco VPN client, it stops at "securing communication channel"...

BTW, do you have a solution for this already?

Steven

Re: PIX 506e & VPNClient 3.5.2 "Securing communication channel..

No, I don't have an official response from Cisco yet, nor a complete solution. Just the workaround described in my previous message.

Sasa