Cisco Support Community

pix 6.3 w/vpnclient 4.02a

This is the PIX 515 current config for the remote access VPN using client 4.02a. I am not able to make the VPN connection to the headend device.

**************pix_config***********

access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.1.7 255.255.255.0

nat (inside) 0 access-list vpn_clients

:

ip local pool vpn_clients_ip 192.168.7.1-192.168.7.254

:

sysopt connection permit-ipsec

crypto ipsec transform-set bscuset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 30 set transform-set bscuset

:

crypto map bscumap 30 ipsec-isakmp dynamic dynmap

crypto map bscumap interface outside

:

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 8640

vpngroup vpn_mis address-pool vpn_clients_ip

vpngroup vpn_mis dns-server %%%%%%%%%%%%

vpngroup vpn_mis wins-server $$$$$$$$$$

vpngroup vpn_mis default-domain @@@@@@@@

vpngroup vpn_mis idle-time 1800

vpngroup vpn_mis password ***********

*******error messages***************

91 15:38:50.697 08/27/03 Sev=Info/4 IKE/0x63000055

Received a key request from Driver: Local IP = 192.168.7.1, GW IP = 65.198.196.148, Remote IP = 0.0.0.0

92 15:38:50.697 08/27/03 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 65.198.196.148

93 15:38:51.258 08/27/03 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

94 15:38:51.749 08/27/03 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 65.198.196.148

95 15:38:51.749 08/27/03 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 65.198.196.148

96 15:38:51.749 08/27/03 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)


Re: pix 6.3 w/vpnclient 4.02a

Does this configuration work for anyone, or just not for 4.02 clients?

I have a very similar config to yours, but I use md5 for the hashing algorithm. I honestly cannot recall if sha is supported on the software client. If you want to try switching to md5:

crypto ipsec transform-set bscuset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 30 set transform-set bscuset

isakmp policy 10 hash md5

isakmp enable outside

crypto map bscumap interface outside
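
Added example (not from the thread or either poster): a Python script that runs two checks over the config and client log posted above. It tests whether every `ip local pool` range falls inside a destination network of the `nat 0` ACL, and reports which ISAKMP exchange the client had last sent when the peer returned NO_PROPOSAL_CHOSEN (QM is IKE Quick Mode, the phase 2 negotiation). The function names are hypothetical, the sample strings are constructed from lines in the post, and only the `permit ip <net> <mask> <net> <mask>` ACL form is parsed.

```python
import ipaddress
import re

# Constructed sample input: lines taken from the config and client log in the post.
CONFIG = """\
access-list vpn_clients permit ip 192.168.0.0 255.255.255.0 192.168.1.7 255.255.255.0
nat (inside) 0 access-list vpn_clients
ip local pool vpn_clients_ip 192.168.7.1-192.168.7.254
"""
LOG = """\
92 15:38:50.697 08/27/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 65.198.196.148
95 15:38:51.749 08/27/03 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 65.198.196.148
"""

def nat0_pool_gaps(config):
    """Return (pool, first, last) for pools no nat 0 ACL destination contains."""
    acls = {}
    for name, dst, mask in re.findall(
            r"^access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", config, re.M):
        # strict=False: a host address with a network mask is reduced to its network
        net = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        acls.setdefault(name, []).append(net)
    exempt = [net
              for acl in re.findall(r"^nat \(\S+\) 0 access-list (\S+)$", config, re.M)
              for net in acls.get(acl, [])]
    gaps = []
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+)-(\S+)$", config, re.M):
        ends = [ipaddress.ip_address(lo), ipaddress.ip_address(hi)]
        if not any(all(addr in net for addr in ends) for net in exempt):
            gaps.append((pool, lo, hi))
    return gaps

def rejected_exchange(log):
    """Return the exchange token (e.g. 'QM') last sent before NO_PROPOSAL_CHOSEN."""
    last_sent = None
    for line in log.splitlines():
        sent = re.match(r"SENDING >>> ISAKMP OAK (\S+) ", line)
        if sent:
            last_sent = sent.group(1)
        elif "NOTIFY:NO_PROPOSAL_CHOSEN" in line:
            return last_sent
    return None  # no rejection notify in this log

if __name__ == "__main__":
    print("pools outside nat 0 ACL:", nat0_pool_gaps(CONFIG))
    print("exchange rejected:", rejected_exchange(LOG))
```

On the posted lines the first check reports the pool `vpn_clients_ip`, because `192.168.1.7 255.255.255.0` reduces to 192.168.1.0/24 while the pool is in 192.168.7.0/24, and the second check reports `QM`.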
