Community Member

PIX 6.2.2 not negotiating with VPN Client 3.5.2.C

I'm trying to create an IPSec connection between a PIX and a VPN client on a Windows machine. Unfortunately I could not make it work. Phase I does negotiate OK, but the process gets stuck during the phase II negotiations. It seems that there is some kind of bug with the software versions that I am running. Can someone verify this?

PIX 506E 6.2.2

Windows XP Professional

Cisco VPN Client 3.5.2 C

Below is my configuration and debug output.

Thanks in advance,

Izak

--------------------------------------------------------------------------------------------

:
PIX Version 6.2(2)
!
! Addresses and names changed. Irrelevant conf lines deleted.
!
nameif ethernet0 outside security0
nameif ethernet1 inside security100
!
hostname fw
domain-name abc.com
!
access-list incoming_acl permit tcp any host 1.1.1.34 eq smtp
!
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
!
ip address outside 1.1.1.35 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
!
ip local pool vpnpool 10.1.2.1-10.1.2.254
!
global (outside) 1 1.1.1.36-1.1.1.60 netmask 255.255.255.224
global (outside) 1 1.1.1.61 netmask 255.255.255.224
!
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) 1.1.1.34 10.1.1.2 netmask 255.255.255.255 0 0
!
access-group incoming_acl in interface outside
!
route outside 0.0.0.0 0.0.0.0 1.1.1.33 1
!
floodguard enable
sysopt security fragguard
sysopt connection permit-ipsec
no sysopt route dnat
!
crypto dynamic-map dynmap 10 set transform-set abcset
crypto map abcmap interface outside
!
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
vpngroup abcvpn address-pool vpnpool
vpngroup abcvpn default-domain abc.com
vpngroup abcvpn split-tunnel 101
vpngroup abcvpn idle-time 1800
vpngroup abcvpn password ********
!

fw(config)#
fw(config)#
fw(config)#
fw(config)#
fw(config)#
fw(config)#

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
VPN Peer: ISAKMP: Added new peer: ip:212.179.147.159 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:212.179.147.159 Ref cnt incremented to:1 Total VPN Pe1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue eve.
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 212.179.147.159
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 212.179.147.159. message ID =8
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 212.179.147.159. message ID =8
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 130652998
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
fw(config)#
fw(config)# ! ****** Here stuck for about 5 minutes *****
fw(config)#
fw(config)# sh isakm sa
Total : 1
Embryonic : 0
dst src state pending created
1.1.1.35 212.179.147.159 QM_IDLE 0 0
fw(config)#
fw(config)#
fw(config)#
fw(config)# sh ipsec sa
interface: outside
Crypto map tag: abcmap, local addr. 1.1.1.35
fw(config)#
fw(config)#
fw(config)#
fw(config)# ! At this stage I closed the VPN Client applic at the client side
fw(config)#
fw(config)#
fw(config)#

crypto_isakmp_process_block: src 212.179.147.159, dest 1.1.1.35
ISAKMP (0): processing DELETE payload. message ID = 3274300295
ISAKMP (0): deleting SA: src 212.179.147.159, dst 1.1.1.35
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x8134fb48, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:212.179.147.159 Ref cnt decremented to:0 Total VPN Pe1
VPN Peer: ISAKMP: Deleted peer: ip:212.179.147.159 Total VPN peers:0IPSEC(key_e.
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 212.179.147.159
fw(config)#
fw(config)#
fw(config)# sh isakm sa
Total : 0
Embryonic : 0
dst src state pending created
fw(config)#
fw(config)#
fw(config)#
ISAKMP: Deleting peer node for 212.179.147.159
fw(config)#
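The Phase 1 part of the debug above is the easiest place to misread: the PIX walks through every transform the client offers and prints "atts are not acceptable" for each one that differs from its policy until one matches (here transform 7, DES/SHA/group 2/pre-share without xauth). The following is an added example, not code from the thread or from Cisco: it parses that "Checking ISAKMP transform N" output, decodes the lifetime bytes, and reports, for each rejected proposal, which attributes differ from the one the PIX finally accepted. The embedded log is a constructed excerpt built from the lines quoted in the post (transforms 1, 3, 5 and 7 of the seven shown); the parsing is derived only from the log text, so it makes no claim about why the PIX rejects a given attribute.

```python
"""Summarise PIX 6.x 'debug crypto isakmp' Phase 1 proposal checking.

Added example (not from the thread). Parses the 'Checking ISAKMP transform N'
blocks the PIX prints, records each proposal's attributes and the verdict,
and explains each rejection as a difference from the accepted proposal.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a cut-down copy of the debug lines in the original post.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
VERDICT_RE = re.compile(r"atts are (not acceptable|acceptable)")


def _store_attr(attrs: Dict[str, object], text: str) -> None:
    """Map one 'ISAKMP: <attribute> <value>' line onto a normalised key."""
    if text.startswith("encryption "):
        attrs["encryption"] = text[len("encryption "):]
    elif text.startswith("hash "):
        attrs["hash"] = text[len("hash "):]
    elif text.startswith("default group "):
        attrs["group"] = text[len("default group "):]
    elif text.startswith("extended auth "):          # client asks for XAUTH on top
        attrs["auth"] = "xauth " + text[len("extended auth "):]
    elif text.startswith("auth "):
        attrs["auth"] = text[len("auth "):]
    elif text.startswith("life duration (VPI) of "):
        # Lifetime is printed as big-endian bytes, e.g. 0x0 0x20 0xc4 0x9b.
        hexbytes = text[len("life duration (VPI) of "):].split()
        attrs["lifetime_seconds"] = int.from_bytes(
            bytes(int(h, 16) for h in hexbytes), "big")


def parse_phase1(debug_text: str) -> List[Dict]:
    """Return one record per proposal: transform number, policy, attrs, verdict."""
    proposals: List[Dict] = []
    current: Optional[Dict] = None
    for line in debug_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "attrs": {}, "accepted": None}
            proposals.append(current)
            continue
        if current is None:
            continue
        v = VERDICT_RE.search(line)
        if v:
            current["accepted"] = (v.group(1) == "acceptable")
        elif line.startswith("ISAKMP: "):
            _store_attr(current["attrs"], line[len("ISAKMP: "):])
    return proposals


def explain_rejections(proposals: List[Dict]) -> Optional[Dict[int, List[str]]]:
    """For each rejected proposal, list the attributes that differ from the accepted one."""
    accepted = [p for p in proposals if p["accepted"]]
    if not accepted:
        return None                                   # nothing matched: Phase 1 would fail
    ref = accepted[0]["attrs"]
    return {p["transform"]: sorted(k for k in ref if p["attrs"].get(k) != ref[k])
            for p in proposals if not p["accepted"]}


if __name__ == "__main__":
    parsed = parse_phase1(SAMPLE_DEBUG)
    for p in parsed:
        print(p["transform"], "accepted" if p["accepted"] else "rejected", p["attrs"])
    print(explain_rejections(parsed))
```

Run against the full debug from the post, the output shows the pattern the log already implies: every rejected transform differs from transform 7 in encryption (3DES), hash (MD5), the XAUTH flag, or some combination, while the lifetime (2147483 seconds) is identical across all seven and plays no part.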

2 REPLIES
Cisco Employee

Re: PIX 6.2.2 not negotiating with VPN Client 3.5.2.C

Hi,

Just make sure you are not coming in from behind a PAT device, as that would not work with the PIX. Additionally, are other clients able to connect to the PIX? Was this setup ever working for you before the upgrades?

Regards,

Aamir

-=-

Community Member

Re: PIX 6.2.2 not negotiating with VPN Client 3.5.2.C

You need to define your transform set; it seems to be failing on IKE phase two, so put a line like: crypto ipsec transform-set abcset esp-des esp-sha-hmac
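The defect this reply points at is a dangling reference: the posted config has "crypto dynamic-map dynmap 10 set transform-set abcset" but no "crypto ipsec transform-set abcset ..." line, so Phase 1 completes and quick mode then has nothing to offer. That class of mistake is mechanical to catch before a debug session. The following is an added example, not code from the thread or from Cisco: a small checker that reads PIX 6.x crypto lines and reports transform sets that are referenced but never defined, crypto maps applied to an interface without any entries, and dynamic maps attached to no crypto map. The embedded BROKEN_CONFIG is constructed from the crypto lines of the posted config; FIXED_CONFIG adds the transform set suggested in this reply plus an assumed "crypto map abcmap 10 ipsec-isakmp dynamic dynmap" entry. Note the poster says irrelevant lines were deleted, so the two map-binding findings on the excerpt may simply reflect the trimming rather than the real configuration.

```python
"""Consistency check for PIX 6.x crypto configuration (added example, not from the thread).

Reports references to crypto objects the config never defines, the class of
error the second reply identifies: a dynamic map that sets 'transform-set
abcset' when no 'crypto ipsec transform-set abcset' exists.
"""
import re
from typing import Dict, List, Set

# Constructed sample: crypto-related lines from the posted config.
BROKEN_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set abcset
crypto map abcmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
vpngroup abcvpn address-pool vpnpool
"""

# Same lines plus the transform set from the reply and an assumed crypto map
# entry that attaches the dynamic map (the entry is not from the thread).
FIXED_CONFIG = BROKEN_CONFIG + """\
crypto ipsec transform-set abcset esp-des esp-sha-hmac
crypto map abcmap 10 ipsec-isakmp dynamic dynmap
"""

TS_DEF = re.compile(r"^crypto ipsec transform-set (\S+)")
TS_REF = re.compile(r"^crypto (dynamic-map|map) (\S+) \d+ set transform-set (.+)$")
DYN_DEF = re.compile(r"^crypto dynamic-map (\S+) \d+ ")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-(?:isakmp|manual)(?: dynamic (\S+))?")


def check_config(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means consistent."""
    defined_ts: Set[str] = set()
    referenced_ts: Dict[str, str] = {}      # transform-set name -> where it is referenced
    dynmaps: Set[str] = set()
    attached_dyn: Set[str] = set()
    bound_maps: Dict[str, str] = {}         # crypto map name -> interface
    map_entries: Set[str] = set()

    for raw in text.splitlines():
        line = raw.strip()
        if m := TS_DEF.match(line):
            defined_ts.add(m.group(1))
        elif m := TS_REF.match(line):
            for ts in m.group(3).split():   # a set line may list several transform sets
                referenced_ts[ts] = f"{m.group(1)} {m.group(2)}"
        if m := DYN_DEF.match(line):
            dynmaps.add(m.group(1))
        if m := MAP_IFACE.match(line):
            bound_maps[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY.match(line):
            map_entries.add(m.group(1))
            if m.group(3):
                attached_dyn.add(m.group(3))

    findings: List[str] = []
    for ts, where in sorted(referenced_ts.items()):
        if ts not in defined_ts:
            findings.append(f"transform set '{ts}' is referenced by {where} but never defined "
                            f"(add: crypto ipsec transform-set {ts} <esp-cipher> <esp-hmac>)")
    for name, iface in sorted(bound_maps.items()):
        if name not in map_entries:
            findings.append(f"crypto map '{name}' is applied to interface {iface} but has no entries")
    for d in sorted(dynmaps - attached_dyn):
        findings.append(f"dynamic map '{d}' is not attached to any crypto map")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for f in check_config(cfg) or ["no findings"]:
            print(" ", f)
```

The checker works on a saved "write terminal" / "show running-config" dump, so it can be run on the sanitised config a poster attaches before anyone turns on debugging; a clean result rules out the dangling-reference class of Phase 2 failure and leaves the remaining suspects (NAT/PAT in the path, as the first reply asks about, or the client side).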

113 Views | 0 Helpful | 2 Replies