
New Member

PIX501, VPN client 3.5.2.(B), linksys router, "remote peer is no longer....

I tried all suggestions in CCO support and discussion, but it is still not solved.

I'm using PIX501 running PIX6.2 as VPN server

And Cisco VPN client 3.5.2.(B) on windows 2000 pro, as VPN client

I'm trying to connect from client to server

I verified the group and the password, and I followed directions on both server and client.

On client I get the following error..."remote peer is no longer responding"

And the following log entries (same errors all the time):

14 23:27:07.718 08/05/02 Sev=Warning/2 IKE/0xE300007C

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

15 23:27:07.781 08/05/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

16 23:27:54.906 08/05/02 Sev=Warning/2 IKE/0xE300007C

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

17 23:27:54.968 08/05/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

The Client can ping the PIX outside interface:

C:\>ping 168.103.127.229

Pinging 168.103.127.229 with 32 bytes of data:

Reply from 168.103.127.229: bytes=32 time=15ms TTL=128

Reply from 168.103.127.229: bytes=32 time<10ms TTL=128

Reply from 168.103.127.229: bytes=32 time<10ms TTL=128

Reply from 168.103.127.229: bytes=32 time<10ms TTL=128

Ping statistics for 168.103.127.229:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 15ms, Average = 3ms

The client PC is behind NAT equipment (linksys DSL router) BUT it is set to let IPSec traffic go through ("IPSec pass through == enabled")

I thought maybe the following would help, so I forwarded all traffic coming in on the following ports on the linksys to the client computer:

UDP port 500

UDP port 10000

--> But it still doesn't work.

Linksys website says:

"Linksys Router will work with cisco PIX VPN provided that the following conditions are met:

- The Cisco VPN client has an option to connect via NAT Transparency. This will work provided the network administrator has configured the VPN Server to allow such connections. Most versions of the server side program come with this already enabled.

Note: Some firmware versions need the NAT Transparency to be disabled, so please try both ways"

I don't know exactly what they mean, but the client is configured as default:

"enable transparent tunneling"

"allow IPSec over UDP (NAT/PAT)"

Some other data that may be relevant:

- the PIX external interface is 168.103.127.229 and is on network 168.103.127.224/255.255.255.248

- the linksys router external interface is 168.103.127.225

- both go to 168.103.127.230 as their gateway

Any idea why it's not working?

Following is the PIX config.

Thanks.

Lior Paster

IT Manager

lpaster@digital-parts.com

Building configuration...

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password DvgG2ZzvLdD3UYnW encrypted

passwd DvgG2ZzvLdD3UYnW encrypted

hostname pixfirewall

domain-name ciscopix.com

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list outside_access_in permit tcp any host 168.103.127.229 eq ftp

access-list outside_access_in permit tcp any host 168.103.127.229 eq 1999

access-list outside_access_in permit udp any host 168.103.127.229 eq 1234

access-list outside_access_in permit tcp any host 168.103.127.229 eq www

access-list outside_access_in permit tcp any host 168.103.127.229 eq 5800

access-list outside_access_in permit tcp any host 168.103.127.229 eq 5900

access-list outside_access_in permit icmp any any

access-list outside_access_in permit tcp any host 168.103.127.227 eq ftp

access-list outside_access_in permit tcp any host 168.103.127.227 eq www

access-list outside_access_in permit udp any host 168.103.127.227 eq 1234

access-list outside_access_in permit tcp any host 168.103.127.227 eq 1999

access-list outside_access_in permit tcp any host 168.103.127.227 range 5001 5002

access-list outside_access_in permit tcp any host 168.103.127.227 eq 5800

access-list outside_access_in permit tcp any host 168.103.127.227 eq 5900

access-list outside_access_in permit udp any range 2074 2076 host 168.103.127.227 range 2074 2076

access-list outside_access_in permit tcp any host 168.103.127.227 range 10327 10328

access-list outside_access_in permit tcp any host 168.103.127.228 eq ftp

access-list outside_access_in permit tcp any host 168.103.127.228 eq www

access-list outside_access_in permit udp any host 168.103.127.228 eq 1234

access-list outside_access_in permit tcp any host 168.103.127.228 eq 1999

access-list outside_access_in permit tcp any host 168.103.127.228 range 5001 5002

access-list outside_access_in permit tcp any host 168.103.127.228 eq 5800

access-list outside_access_in permit tcp any host 168.103.127.228 eq 5900

access-list outside_access_in permit tcp any host 168.103.127.228 range 10327 10328

access-list inside_access_in permit icmp any any

access-list inside_access_in permit udp any any eq domain

access-list inside_access_in permit tcp any any eq www

access-list inside_access_in permit tcp any any eq ftp

access-list inside_access_in permit udp any any range 2074 2076

access-list inside_access_in permit udp any any eq 9002

access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240

access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.240 255.255.255.240

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10full

icmp permit any echo-reply outside

icmp permit any echo-reply inside

mtu outside 1500

mtu inside 1500

ip address outside 168.103.127.229 255.255.255.248

ip address inside 192.168.1.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPNpool 192.168.1.240-192.168.1.250

pdm location 0.0.0.0 0.0.0.0 inside

pdm location 192.168.1.100 255.255.255.255 inside

pdm location 192.168.1.101 255.255.255.255 inside

pdm location 192.168.1.102 255.255.255.255 inside

pdm location 192.168.1.224 255.255.255.224 outside

pdm location 192.168.1.128 255.255.255.192 outside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 192.168.1.100 255.255.255.255 0 0

nat (inside) 1 192.168.1.101 255.255.255.255 0 0

nat (inside) 1 192.168.1.102 255.255.255.255 0 0

static (inside,outside) interface 192.168.1.100 netmask 255.255.255.255 0 0

static (inside,outside) 168.103.127.227 192.168.1.101 netmask 255.255.255.255 0 0

static (inside,outside) 168.103.127.228 192.168.1.102 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 168.103.127.230 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

tftp-server inside 192.168.1.100 /pix501config

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup VPNgroup address-pool VPNpool

vpngroup VPNgroup idle-time 1800

vpngroup VPNgroup password ********

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

vpdn enable outside

dhcpd dns 169.132.8.81 198.4.75.69

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:f7e1915a8139114efcf7a6adccf4d7ac

: end

[OK]
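The client log above has a fixed layout (a header line with sequence number, time, date, severity, module and hex code, then the message line). As an added example that is not part of the original post, a parser for that layout plus a classifier that tells "no IKE reply at all" apart from other dialer failures; the sample log is constructed from the four entries quoted above and the check names are my own:

```python
import re

# Constructed sample in the layout of the Cisco VPN Client 3.x log quoted in the post:
# a header line (seq, time, date, Sev=Name/level, MODULE/0xCODE), then its message line.
SAMPLE_LOG = """\
14 23:27:07.718 08/05/02 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
15 23:27:07.781 08/05/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).
16 23:27:54.906 08/05/02 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
17 23:27:54.968 08/05/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).
"""

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

def parse_log(text):
    """Pair every header line with the message line that follows it."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if not m:                       # stray line without a header: skip it
            i += 1
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        msg = "" if HEADER.match(nxt) else nxt
        entries.append({**m.groupdict(), "msg": msg})
        i += 2 if msg else 1
    return entries

def diagnose(entries):
    """'no_ike_reply': every DIALER failure was preceded by an IKE retransmit timeout,
    i.e. no phase-1 answer arrived, so check UDP 500 reachability before credentials."""
    ike_timeouts = [e for e in entries if e["module"] == "IKE" and "retransmits" in e["msg"]]
    attempts = [e for e in entries
                if e["module"] == "DIALER" and "CM_PEER_NOT_RESPONDING" in e["msg"]]
    if ike_timeouts and len(ike_timeouts) == len(attempts):
        verdict = "no_ike_reply"
    elif attempts:
        verdict = "dialer_failed_other"
    else:
        verdict = "no_failure_seen"
    return {"attempts": len(attempts), "ike_timeouts": len(ike_timeouts),
            "codes": sorted({e["code"] for e in entries}), "verdict": verdict}
```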

6 REPLIES
New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

Please change the PIX and linksys router default gateway pointing each other and have a quick test see it will be working or not.

By the way:

"Nat transparency" feature currently only works with VPN 3000 concentrator and VPN client 3.x

If the router or PIX is the VPN server, it will not work. "NAT transparency" feature will be supported in the PIX and IOS router later release.

If you do not use the linksys router, the VPN client connects fine, right?

Because ISAKMP key exchange uses UDP 500 and real IPSEC traffic uses protocol ESP (50) and protocol AH (51).

Please make sure linksys router can pass protocol 50 as well as UDP 500.

Best Regards,

New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

To eliminate the linksys router problem, I tried connecting from a different w2k client that has external IP 64.192.222.161.

It's on a separate DSL line I got here.

from client, I can ping the PIX501

PIX config did not change.

But still I get the same error "remote peer no longer responding"

New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

Have you run an isakmp debug from the PIX? What does the output say? Just check which isakmp phase it is failing on.

New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

I entered the following on PIX501:

debug crypto isakmp

then I tried the connection again from client, and it failed "remote peer is no longer responding"

then I ran on PIX501:

show debug

and I got the following:

Result of PIX command: "show debug"

debug crypto isakmp 1

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

failed to get debug trace information

New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

Hi,

If you "debug crypto isakmp" and you are in the console connection, when your remote vpn client tries to connect you should see a lot of debug information; see more details at the following:

http://www.cisco.com/warp/customer/707/ipsec_debug.html

Otherwise, UDP 500 is still being blocked.

Best Regards,

New Member

Re: PIX501, VPN client 3.5.2.(B), linksys router, "remote peer i

I got a (stupid) question:

do I need to open UDP port 500 on the PIX explicitly?

I thought that once VPN was configured through PDM, it takes care of that.

if yes, what other ports?

BTW the "debug crypto isakmp" from console didn't give anything when client tried to connect.
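The last two replies circle around which PIX settings actually let the firewall answer the client's IKE on UDP 500. As an added example that is not part of the thread, a small checker that reads the VPN-relevant lines of the PIX config posted above and reports which of those settings are present (the check names are my own; the embedded config excerpt is copied from the post):

```python
import re

# Excerpt of the PIX 6.2 config posted above (VPN-relevant lines only), embedded so
# the checker runs offline; the check names are my own.
PIX_CONFIG = """\
ip local pool VPNpool 192.168.1.240-192.168.1.250
access-list inside_outbound_nat0_acl permit ip any 192.168.1.240 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
vpngroup VPNgroup address-pool VPNpool
"""

def check_remote_access_vpn(config, iface="outside"):
    """Return {check: bool} for what a PIX 6.x needs before it will answer a
    Cisco VPN Client 3.x: IKE accepted on the interface, a bound crypto map that
    falls through to a dynamic map, a transform set, a pre-shared-key policy,
    an address pool and NAT exemption for it."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def has(pat):
        return any(re.match(pat, l) for l in lines)
    def first(pat):
        return next((re.match(pat, l).group(1) for l in lines if re.match(pat, l)), None)
    r = {}
    # isakmp enable <iface> is what makes the firewall itself accept IKE (UDP 500)
    # on that interface; the outside access-list governs through traffic.
    r["isakmp_enabled_on_iface"] = has(rf"isakmp enable {iface}$")
    r["preshared_policy"] = has(r"isakmp policy \d+ authentication pre-share$")
    cmap = first(rf"crypto map (\S+) interface {iface}$")
    r["crypto_map_bound"] = cmap is not None
    dyn = cmap and first(rf"crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic (\S+)$")
    r["dynamic_map_referenced"] = bool(dyn)
    ts = dyn and first(rf"crypto dynamic-map {re.escape(dyn)} \d+ set transform-set (\S+)$")
    r["transform_set_defined"] = bool(ts) and has(rf"crypto ipsec transform-set {re.escape(ts)} ")
    pool = first(r"vpngroup \S+ address-pool (\S+)$")
    r["address_pool_defined"] = bool(pool) and has(rf"ip local pool {re.escape(pool)} ")
    r["ipsec_bypasses_acl"] = has(r"sysopt connection permit-ipsec$")
    nat0 = first(r"nat \(inside\) 0 access-list (\S+)$")
    r["nat_exemption_defined"] = bool(nat0) and has(rf"access-list {re.escape(nat0)} permit ")
    return r

def missing(config, iface="outside"):
    """Names of the checks that fail, empty when the config has everything."""
    return sorted(k for k, ok in check_remote_access_vpn(config, iface).items() if not ok)
```

Run against the posted config the checker reports nothing missing, which matches the thread's conclusion that the PIX side is configured and the question is whether UDP 500 reaches it.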
