pix vpn connection problem

jawwalit
Level 1

Dear sir:

I am using a PIX (525) with IOS 6.1. I configured a VPN tunnel between it and another firewall and it works well, and I also configured it as a VPN client server, which also works. But when I configure Xauthentication (crypto map client authentication) to use multiple user accounts for VPN clients, the VPN client works well but the VPN client doesn't work. I made a debug and I have the following:

ixfirewall(config)#
VPN Peer: ISAKMP: Added new peer: ip:213.244.119.253 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.253 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src X.X.X.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 213.244.119.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 213.244.119.253. ID = 2737760968 (0xa32eeac8)
modecfg: sa: 83346ad0, new mess id= a32eeac8
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...


jackko
Level 7

There is a typo in your original post: "to use multiple user accounts for VPN clients, the VPN client works well but the VPN client doesn't work".

Just wondering which one doesn't work, the LAN-to-LAN VPN or the remote VPN.

The peer-to-peer tunnel is not working.

Regards

After configuring remote VPN access with XAUTH, the PIX runs into an issue because it tries to authenticate all VPNs (i.e. both the LAN-to-LAN VPN and remote VPN access) with XAUTH.

To resolve the issue, you can specify that the LAN-to-LAN VPN doesn't require XAUTH. To configure it, add the keywords "no-xauth" and "no-config-mode" to the existing isakmp key.

e.g.

isakmp key cisco123 address netmask 255.255.255.255 no-xauth no-config-mode
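One way to recognize this failure pattern in a debug capture, as an added Python example that is not from the thread or from Cisco: it reads `debug crypto isakmp` lines, checks that XAUTH was demanded after phase 1 succeeded and that phase 2 then only retransmitted, and, for a peer the operator lists as a site-to-site firewall, produces the isakmp key line with `no-xauth no-config-mode`. The sample debug text, the peer address 192.0.2.53 and the `<PSK>` placeholder are constructed.

```python
import re

# Constructed sample of `debug crypto isakmp` output in the shape shown in the
# thread: phase 1 completes with a pre-shared key, the PIX then demands XAUTH
# from the peer, and phase 2 only retransmits (a firewall never answers XAUTH).
SAMPLE_DEBUG = """\
VPN Peer: ISAKMP: Added new peer: ip:192.0.2.53 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

PEER_RE = re.compile(r"Added new peer: ip:(\d{1,3}(?:\.\d{1,3}){3})")

def analyze_isakmp_debug(debug_text, lan_to_lan_peers, min_retransmits=3):
    """Flag the thread's failure signature in one peer's debug capture.

    lan_to_lan_peers: the operator's own set of site-to-site peer IPs (an
    assumption supplied by the caller; the debug alone cannot tell a firewall
    from a VPN client). Returns what was seen and, when the signature matches a
    site-to-site peer, the isakmp key line that exempts that peer from XAUTH.
    """
    lines = debug_text.splitlines()
    peer = next((m.group(1) for m in map(PEER_RE.search, lines) if m), None)

    def first_index(marker):
        return next((i for i, l in enumerate(lines) if marker in l), None)

    authenticated_at = first_index("SA has been authenticated")
    xauth_at = first_index("Need XAUTH")
    retransmits = sum("retransmitting phase 2" in l for l in lines)
    # Order matters: XAUTH is demanded only after phase 1 succeeds, and the
    # retransmits must pile up afterwards with no further progress.
    signature = (authenticated_at is not None and xauth_at is not None
                 and xauth_at > authenticated_at and retransmits >= min_retransmits)
    result = {"peer": peer, "xauth_demanded": xauth_at is not None,
              "retransmits": retransmits, "misconfigured": False, "fix": None}
    if signature and peer in lan_to_lan_peers:
        result["misconfigured"] = True
        # <PSK> is a placeholder; the real pre-shared key stays in the PIX config.
        result["fix"] = (f"isakmp key <PSK> address {peer} "
                         "netmask 255.255.255.255 no-xauth no-config-mode")
    return result
```

A peer that is a genuine VPN client shows the same "Need XAUTH" line and is left unflagged; only a known firewall peer stuck in phase 2 retransmits gets the fix line.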

It works.

Thank you very much.

It's good to learn that your issue has been resolved. Please feel free to discuss any other issue.
