11-25-2003 08:17 AM - edited 02-21-2020 12:53 PM
With the below config, all of the S-t-S VPNs are operating normally. However, the incorporated Client is not permitting connections. I'm using 6.3.1 PIX IOS on the host firewall and VPN Client 4.0.3 for the remote access piece. I will paste the config from the host (edited for content), the debug output from "Debug crypto ipsec" whilst attempting to connect via the Client, and a description of the Client log during the same process.
Any assistance is appreciated in advance.
THE HOST PIX CONFIG
: Saved
: Written by enable_15 at 13:42:32.880 UTC Mon Nov 24 2003
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
interface gb-ethernet0 1000full
nameif ethernet0 outside security0
nameif ethernet1 dmz2 security40
nameif ethernet2 dmz3 security70
nameif ethernet3 dmz4 security80
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
nameif gb-ethernet0 inside security100
hostname PIX
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list 102 permit ip 192.168.169.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list 103 permit ip 192.168.169.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list 103 permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list 104 permit ip 192.168.169.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 104 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 104 permit ip 10.1.3.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.3.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.4.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.2.5.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 105 permit ip 10.1.3.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list 105 permit ip 192.168.169.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list 105 permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list 105 permit ip 10.1.3.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list 106 permit ip 192.168.169.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list 106 permit ip 10.1.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-list 106 permit ip 10.1.3.0 255.255.255.0 10.5.1.0 255.255.255.0
pager lines 24
logging on
mtu outside 1500
mtu dmz2 1500
mtu dmz3 1500
mtu dmz4 1500
mtu intf4 1500
mtu intf5 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.128
ip address dmz2 x.x.x.x 255.255.255.0
ip address dmz3 x.x.x.x 255.255.255.0
ip address dmz4 x.x.x.x 255.255.255.0
no ip address intf4
no ip address intf5
ip address inside x.x.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool r_vpnIT 10.5.1.1-10.5.1.30
failover
failover timeout 0:00:00
failover poll 15
failover ip address outside x.x.x.x
failover ip address dmz2 x.x.x.x
failover ip address dmz3 x.x.x.x
failover ip address dmz4 x.x.x.x
no failover ip address intf4
no failover ip address intf5
failover ip address inside x.x.x.x
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x-x.x.x.x netmask 255.255.255.128
global (outside) 1 x.x.x.x netmask 255.255.255.128
global (dmz2) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0
global (dmz3) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0
global (dmz4) 1 x.x.x.x-x.x.x.x netmask 255.255.255.0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz3) 0 access-list 105
nat (dmz3) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz4) 0 access-list 105
nat (dmz4) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 105
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group acl_dmz2 in interface dmz2
access-group acl_dmz3 in interface dmz3
access-group acl_dmz4 in interface dmz4
apply (dmz2) 1 outgoing_src
apply (dmz3) 1 outgoing_src
apply (dmz4) 1 outgoing_src
apply (inside) 1 outgoing_src
route outside 0.0.0.0 0.0.0.0 65.208.169.3 1
route inside 10.1.0.0 255.255.0.0 192.168.169.1 1
route inside 172.17.0.0 255.255.0.0 192.168.169.1 1
route inside 172.18.0.0 255.255.0.0 192.168.169.1 1
route inside 192.102.102.0 255.255.255.0 192.168.169.1 1
route inside 192.104.104.0 255.255.255.0 192.168.169.1 1
route inside 192.105.105.0 255.255.255.0 192.168.169.1 1
route inside 192.106.106.0 255.255.255.0 192.168.169.1 1
route inside 192.109.109.0 255.255.255.0 192.168.169.1 1
route inside 192.168.0.0 255.255.0.0 192.168.169.1 1
route inside 192.168.4.0 255.255.255.0 192.168.169.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacas+ protocol tacacs+
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host x.x.x.x AAA timeout 10
url-server (inside) vendor websense host x.x.x.x timeout 10 protocol TCP version 1
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
sysopt connection permit-ipsec
crypto ipsec transform-set toPIX01 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set toPIXLTNV esp-aes-256 esp-md5-hmac
crypto ipsec transform-set toPIXHB esp-aes-256 esp-md5-hmac
crypto ipsec transform-set toPIXWLVIT esp-aes-256 esp-md5-hmac
crypto ipsec transform-set r_vpnIT esp-aes-256 esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set r_vpnIT
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 102
crypto map newmap 20 set peer x.x.x.x
crypto map newmap 20 set transform-set toPIXLTNV
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address 103
crypto map newmap 30 set peer x.x.x.x
crypto map newmap 30 set transform-set toPIXHB
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 104
crypto map newmap 40 set peer x.x.x.x
crypto map newmap 40 set transform-set toPIXWLVIT
crypto map newmap 50 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key "key" address x.x.x.x netmask 255.255.255.255
isakmp key "key" address x.x.x.x netmask 255.255.255.255
isakmp key "key" address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 1000
vpngroup r_vpnIT address-pool r_vpnIT
vpngroup r_vpnIT dns-server x.x.x.x
vpngroup r_vpnIT wins-server x.x.x.x
vpngroup r_vpnIT default-domain nationsholdinggroup.com
vpngroup r_vpnIT split-tunnel 106
vpngroup r_vpnIT idle-time 1800
vpngroup r_vpnIT password "passwd"
(rest to follow in second post.)
11-25-2003 08:19 AM
THE DEBUG OUTPUT
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:1
crypto_isakmp_process_block:src:x.x.x.x, dest:x.x.x.x spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:1
THE CLIENT LOG OUTPUT
113 12:02:47.164 08/01/03 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with X.X.X.X.
114 12:02:51.270 08/01/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to X.X.X.X
115 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
116 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
117 12:02:51.400 08/01/03 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (X.X.X.X)
118 12:02:51.961 08/01/03 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = X.X.X.X
119 12:02:51.961 08/01/03 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
120 12:02:51.961 08/01/03 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)
121 12:02:51.961 08/01/03 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
122 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
123 12:02:56.367 08/01/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
124 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
125 12:03:01.375 08/01/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
126 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
127 12:03:06.382 08/01/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to X.X.X.X
128 12:03:11.389 08/01/03 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING
129 12:03:11.930 08/01/03 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=4C2814A7C299B252 R_Cookie=2F7EED9EA7C43E3A) reason = DEL_REASON_PEER_NOT_RESPONDING
130 12:03:11.950 08/01/03 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
131 12:03:11.960 08/01/03 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
132 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
133 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
134 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
135 12:03:12.400 08/01/03 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I've run the HOST PIX config through the Cisco Interpreter and it discovered no errors or misconfigurations of any sort.
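The debug lines in the post above are the PIX walking the client's nine Phase 1 offers against its single isakmp policy and rejecting each one, but apart from the one "Proposed key length does not match policy" line it never says which attribute failed. The script below is an added example (not the poster's code and not a Cisco tool): it parses that "Checking ISAKMP transform" output, parses the posted "isakmp policy 10" lines, and reports, per offer, the attributes on which the two differ, plus the attribute set that no offer satisfies. The sample input is a constructed excerpt of transforms 4 and 8 from the thread, copied verbatim; the comparison rule in mismatches() is an assumed, simplified model of PIX policy matching, not the firewall's actual algorithm. Run over this data it reports that transform 4 differs from policy 10 only on the DH group (the client proposes group 2, the policy requires group 5) and transform 8 on the group and the 128-bit key size, which agrees with the note the PIX printed.

```python
import re

# Constructed sample: transforms 4 and 8 of the "debug crypto isakmp" output
# posted above, copied verbatim, including the PIX's own verdict lines.
DEBUG_EXCERPT = """\
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): Proposed key length does not match policy
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
# The Phase 1 policy lines from the posted PIX config.
POLICY_CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 1000
"""
CIPHERS = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}

def parse_policy(config):
    """Collapse 'isakmp policy N <attr> <value>' lines into one attribute dict."""
    policy = {}
    for m in re.finditer(r"isakmp policy \d+ (\S+) (\S+)", config):
        attr, value = m.groups()
        if attr == "encryption":
            # aes-256 / aes-192 carry the key size; bare "aes" is 128-bit on PIX 6.3
            cipher, _, bits = value.partition("-")
            policy["encryption"] = cipher
            policy["keylength"] = int(bits) if bits else (128 if cipher == "aes" else None)
        elif attr in ("authentication", "hash"):
            policy["auth" if attr == "authentication" else "hash"] = value
        elif attr in ("group", "lifetime"):
            policy[attr] = int(value)
    return policy

def parse_debug(text):
    """Group the attribute lines of each 'Checking ISAKMP transform' block into a dict."""
    transforms, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line):
            cur = {"transform": int(m.group(1)), "keylength": None, "rejected": False, "pix_notes": []}
            transforms.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"ISAKMP: encryption (\S+)", line):
            cur["encryption"] = CIPHERS.get(m.group(1), m.group(1).lower())
        elif m := re.match(r"ISAKMP: hash (\S+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.match(r"ISAKMP: default group (\d+)", line):
            cur["group"] = int(m.group(1))
        elif m := re.match(r"ISAKMP: (extended )?auth (\S+)", line):
            cur["auth"], cur["xauth"] = m.group(2), m.group(1) is not None
        elif m := re.match(r"ISAKMP: life duration \(VPI\) of ((?:0x[0-9a-f]+ ?)+)", line):
            # the lifetime travels as a variable-length big-endian byte string
            cur["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
        elif m := re.match(r"ISAKMP: keylength of (\d+)", line):
            cur["keylength"] = int(m.group(1))  # only AES sends this; 3DES/DES stay None
        elif "atts are not acceptable" in line:
            cur["rejected"] = True
        elif m := re.match(r"ISAKMP \(\d+\): (.*does not match policy)", line):
            cur["pix_notes"].append(m.group(1))  # the PIX's own hint, kept for cross-checking
    return transforms

def mismatches(proposal, policy):
    """Attributes on which an offer diverges from the policy. Assumed (simplified) model:
    cipher, key size, hash, DH group and auth method must be equal; a longer proposed
    lifetime passes because the responder may shorten it; Xauth pre-share counts as pre-share."""
    diffs = [a for a in ("encryption", "keylength", "hash", "group", "auth")
             if proposal.get(a) != policy.get(a)]
    if proposal.get("lifetime", 0) < policy.get("lifetime", 0):
        diffs.append("lifetime")
    return diffs

def analyze(debug_text, policy_config):
    """Per transform: the parsed offer plus the attributes that differ from the policy."""
    policy = parse_policy(policy_config)
    return [dict(t, mismatches=mismatches(t, policy)) for t in parse_debug(debug_text)]

def common_mismatches(reports):
    """Attributes that differ in every rejected transform, i.e. what no offer satisfies."""
    rejected = [set(r["mismatches"]) for r in reports if r["rejected"]]
    return set.intersection(*rejected) if rejected else set()
```

Calling analyze(DEBUG_EXCERPT, POLICY_CONFIG) gives one dict per transform with its parsed attributes and a "mismatches" list; common_mismatches() over that result is the quickest way to see which attribute, if any, every offer trips over, which is the question the raw debug output leaves open. The full nine-transform output from the post can be pasted in place of the excerpt unchanged.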
11-26-2003 09:28 AM
no takers?