Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX 520 VPN doesn't work with Microsoft CA

I have the PIX 520 6.0(1). I am trying to set up the L2tp using the Microsoft CA. I can get the certificate from the Microsoft CA. However, when I try to establish the L2TP tunnel. I alway get the following error

Any thought about this?

This Error Message is from windows

Error 792: The L2TP connection attempt failed because security negotiation timed out

This Error Message is from PIX

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQ

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): Unknown error in cert validation, 65535

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): Unknown error in cert validation, 65535

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): Unknown error in cert validation, 65535

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): Unknown error in cert validation, 65535

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block: src 216.254.67.200, dest 63.92.151.130

Here is my configuration in PIX

ca identity ktivpn 10.10.10.10:/certsrv/mscep/mscep.dll

ca configure ktivpn ra 1 20 crloptional

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

crypto ipsec transform-set basic esp-des esp-sha-hmac

crypto ipsec transform-set myset esp-des esp-sha-hmac

crypto ipsec transform-set l2tp esp-des esp-sha-hmac

crypto ipsec transform-set l2tp mode transport

crypto ipsec transform-set ciscoclient esp-des esp-md5-hmac

crypto ipsec transform-set ciscoclientRSA esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto dynamic-map dyna 4 set transform-set ciscoclientRSA

crypto dynamic-map dyna 10 set transform-set ciscoclient

crypto dynamic-map dyna 20 match address l2tp

crypto dynamic-map dyna 20 set transform-set l2tp

crypto dynamic-map dyna 20 set security-association lifetime seconds 28800 kilob

ytes 4608000

crypto map mymap 10 ipsec-isakmp dynamic dyna

crypto map mymap interface outside

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local pptp-pool

vpdn group 1 client configuration dns 192.168.10.2 192.168.10.3

vpdn group 1 client configuration wins 192.168.10.2

vpdn group 1 client authentication aaa AuthInbound

vpdn group 1 pptp echo 60

vpdn group 2 accept dialin l2tp

vpdn group 2 ppp authentication pap

vpdn group 2 ppp authentication chap

vpdn group 2 ppp authentication mschap

vpdn group 2 client configuration address local kti-pool

vpdn group 2 client configuration dns 192.168.10.2 192.168.10.3

vpdn group 2 client configuration wins 192.168.10.2

vpdn group 2 client authentication aaa AuthInbound

vpdn group 2 l2tp tunnel hello 60

vpdn group l2tpipsec accept dialin l2tp

vpdn group l2tpipsec ppp authentication pap

vpdn group l2tpipsec ppp authentication chap

vpdn group l2tpipsec ppp authentication mschap

vpdn group l2tpipsec client configuration address local l2tp

vpdn group l2tpipsec l2tp tunnel hello 60

vpdn username cisco password cisco

vpdn enable outside

1 REPLY
Silver

Re: PIX 520 VPN doesn't work with Microsoft CA

146
Views
0
Helpful
1
Replies
CreatePlease to create content