12-13-2002 11:26 AM - edited 02-21-2020 12:14 PM
I am trying to set up VPN on our PIX using the configuration example from http://www.cisco.com/warp/public/110/pix3000.html and I have installed the VPN client ver. 3.6. I am connecting to the PIX and, by running the debug, see that I never get the "atts are acceptable" message that the example shows I should get. What would be the cause of that problem?
12-13-2002 03:11 PM
Hi Brian,
It's kind of very difficult to say why you are not getting those outputs on your debugs. Is it possible for you to post the config from the Pix and also the isakmp and ipsec debugs from the Pix when the client is trying to make a connection?
Regards,
Arul
12-13-2002 03:56 PM
I have a lot of editing to do before I post my PIX config here - I will post an edited version when I get a chance - but I wanted to post the debug as quick as I could. I did take the configuration from the article, which I listed in the original post. I'm using group 2 on the isakmp. It makes a connection but I can't transfer any data between my laptop and the network via VPN. My PIX already does PIX to PIX VPN with a vendor that had a consultant help set it up so I am working around that one. That one is using group 1 isakmp policy.
The article shows in bold "atts are acceptable" at one point. I never see that in the following debug.
My debug listing is as follows:
pixfirewall(config)#
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 66.42.71.241. message ID = 0
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute UNKNOWN (28674)
ISAKMP: attribute UNKNOWN (28676)
ISAKMP: attribute UNKNOWN (28675)
Unsupported Attr: 28675
ISAKMP: attribute UNKNOWN (28679)
Unsupported Attr: 28679
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28681)
Unsupported Attr: 28681
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP: attribute UNKNOWN (28678)
Unsupported Attr: 28678
ISAKMP (0:0): responding to peer config from 66.42.71.241. ID = 1141969392
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1251100752
ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3388384967
ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 66.42.71.241 to 206.155.96.34 (proxy 10.1.2.
1 to 206.155.96.34)
has spi 97776760 and conn_id 15 and flags 4
lifetime of 2147483 seconds
outbound SA from 206.155.96.34 to 66.42.71.241 (proxy 204.155.47.
34 to 10.1.2.1)
has spi 4086616109 and conn_id 16 and flags 4
lifetime of 2147483 seconds
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 66.42.71.241, dest 206.155.96.34
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 66.42.71.241 to 206.155.96.34 (proxy 10.1.2.
1 to 0.0.0.0)
has spi 1792043488 and conn_id 13 and flags 4
lifetime of 2147483 seconds
outbound SA from 206.155.96.34 to 66.42.71.241 (proxy 0.0.0
.0 to 10.1.2.1)
has spi 559308994 and conn_id 14 and flags 4
lifetime of 2147483 seconds
return status is IKMP_NO_ERROR
pixfirewall(config)#
pixfirewall(config)#
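Added example (not part of the original thread, and not Cisco code): a Python parser that groups the phase 1 lines of a debug like the one posted above into one record per offered transform, together with the verdict the PIX logged for it. The sample text is constructed in the same format; the `encryption 3DES-CBC` line and the ID-to-name table are assumptions taken from the IANA IKEv1 encryption algorithm registry, not from the thread.

```python
import re

# IKEv1 phase 1 encryption algorithm IDs from the IANA registry (assumption:
# not stated in the thread). The debug prints "What? N?" for an ID it does
# not recognise.
IKE_ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
UNKNOWN_ENC = re.compile(r"encryption\.\.\. What\? (\d+)\?")
KNOWN_ENC = re.compile(r"ISAKMP:\s+encryption (\S+)")
FIELD = re.compile(r"ISAKMP:\s+(hash|default group|extended auth|auth) (\S+)")
VERDICT = re.compile(r"atts are (not )?acceptable")

# Constructed sample in the format of the posted debug (not a real capture).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
"""


def parse_phase1(text):
    """Return one dict per offered ISAKMP transform, in the order logged."""
    offers, cur = [], None
    for line in text.splitlines():
        m = START.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                   "verdict": "no verdict logged"}
            offers.append(cur)
            continue
        if cur is None:
            continue  # phase 2 or unrelated lines outside a transform block
        if (m := UNKNOWN_ENC.search(line)):
            n = int(m.group(1))
            cur["encryption"] = f"unrecognised id {n} ({IKE_ENCRYPTION.get(n, 'unknown')})"
        elif (m := KNOWN_ENC.search(line)):
            cur["encryption"] = m.group(1)
        elif (m := FIELD.search(line)):
            cur[m.group(1)] = m.group(2)
        elif (m := VERDICT.search(line)):
            cur["verdict"] = "rejected" if m.group(1) else "accepted"
            cur = None  # block closed; ignore lines until the next transform
    return offers


def accepted_transform(offers):
    """Number of the first transform the PIX accepted, or None."""
    for offer in offers:
        if offer["verdict"] == "accepted":
            return offer["transform"]
    return None


if __name__ == "__main__":
    for offer in parse_phase1(SAMPLE_DEBUG):
        print(offer)
    print("accepted transform:", accepted_transform(parse_phase1(SAMPLE_DEBUG)))
```

A transform reported as "no verdict logged" means the debug output stopped before the PIX printed a result for it, as happens with transform 9 in the posted listing.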
12-13-2002 10:35 PM
Hi,
I did see you mentioning that you are able to connect but not able to pass traffic.
1. How is the client connected to the internet? If the client is sitting behind a PAT device, then you won't be able to send any data even though you make a connection.
2. VPN Client to Pix uses UDP Port 500 and Protocol 50 (ESP). Since ESP is a protocol, this will not work if the client is sitting behind a PAT device and this is true only if you terminate the VPN connection on a Pix.
3. If you were to terminate the tunnel on a VPN3000, then you can use the feature IPSec Over UDP or TCP, which will overcome the PAT and ESP Issue.
4. What is the ip address that you are trying to ping? Make sure that you are not pinging the inside ip address of the Pix through the tunnel.
5. Once your tunnel is up and you try sending some traffic through the tunnel, what do you see under the client session? Does the counter under the packets encrypted increase or not?
6. If it increases, then what do you see on the Pix? Do you see decrypts?
7. If you see decrypts, do you also see encrypts for that SA?
8. If you were behind a PAT device while doing the testing, is it possible to use a dial up connection and do the testing?
Regards,
Arul
12-17-2002 11:21 AM
Thanks for your reply.
I did have UDP port 500 blocked and opened it up on the PIX. I am now getting "atts are acceptable" message. I have not been able to pass any information between the client and the network though.
When I PING from the PIX, the packets decrypted on the client increase by 3.
When I PING from the client, the packets encrypted increase by 4 and the following is displayed on the PIX:
crypto_isakmp_process_block: src 66.42.71.21, dest xxx.155.xxx.xxx
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 528152713
ISAMKP (0): received DPD_R_U_THERE from peer 66.42.71.21
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 66.42.71.21, dest xxx.155.xxx.xxx
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1700279068
ISAMKP (0): received DPD_R_U_THERE from peer 66.42.71.21
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
Neither PING gets a response. I have enabled ICMP on the PIX temporarily to test. I am trying to PING a server on the inside of the PIX and I get no response.
We do not have a DNS Server so that statement on the PIX for the VPNGROUP has been left out.
The Client is a laptop with Cisco VPN Client loaded. I am connected to my personal ISP with no communications restricted on that side. On my work side I have a Cisco 2600 router followed by a PIX 520 running ver6.0(1) IOS.
The client connects to the PIX, but I am unable to connect to servers on the inside.
I have added the following statements to the PIX (looking at number 2 item you address above).
conduit permit udp any range 500 500 any
conduit permit esp any any
I'm new to the VPN world and am thankful for your help and time.
Thank you.
Brian
12-17-2002 11:49 AM
Hi Brian,
Thanks for the update!!
1. If you are connecting using your ISP and not going through a PAT device, then your client should be good.
2. Once the client is connected, try to ping an ip address on the internal network other than the inside ip address of the Pix. If you see encrypts on the client, do a sh crypto ipsec sa and look for decrypts on the Pix.
3. If you see decrypts and no encrypts, then it looks like the Pix is not sending the packets back to the Client.
4. Make sure that you have NAT 0 command to bypass NAT for the ipsec traffic.
5. And make sure that the ip address that you are trying to ping knows that it has to send the traffic back to the Pix for the remote clients.
Let me know how the testing goes.
Regards,
Arul
12-17-2002 12:45 PM
I did a ping from the client to an inside address and these are the results of the sh crypto ipsec sa command - no encrypts.
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 66.42.71.254
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 204.155.47.34, remote crypto endpt.: 66.42.71.254
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: b8fd9273
inbound esp sas:
spi: 0x2049d1c9(541708745)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: customer
sa timing: remaining key lifetime (k/sec): (4607998/28070)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xb8fd9273(3103625843)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: customer
sa timing: remaining key lifetime (k/sec): (4608000/28061)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Here are the nats I have on the PIX:
nat (inside) 0 access-list bypass_nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (wwwdmz) 0 0.0.0.0 0.0.0.0 0 0
nat (otherdmz) 0 0.0.0.0 0.0.0.0 0 0
Here are the pertinent route statements:
route outside 0.0.0.0 0.0.0.0 xxx.155.xx.xx 1 (PIX outside address)
route inside xxx.155.xx.0 255.255.255.0 xxx.155.xx.xxx 1 (one of the valid C class networks to router in PIX network)
I am using 10.1.2.0 network for my vpn pool of addresses.
It appears then that the client is talking correctly with the PIX but the inside network can't get back to the client?
Brian
12-17-2002 02:30 PM
Hi Brian,
You are right, looks like the Pix is not sending the packets back to the client.
1. Try to ping the ip address from the pix and make sure that it is alive.
2. And also your access-list bypass_nat should be something like:
access-list bypass_nat permit ip xxx.155.xx.0 255.255.255.0 10.1.2.0 255.255.255.0
3. Like I mentioned to you earlier, make sure that your internal routes know that they have to send the packets back to the Pix for the clients 10.1.2.0
4. Make sure that you do not have any other lan to lan tunnels that includes that 10.1.2.0 subnet.
5. And also do a clear xlate and then do the testing.
Regards,
Arul
12-19-2002 04:18 PM
Hi Arul,
Our network has 16 valid Class "C" networks. We also have our Cisco hardware on a private network (192...). I created an arbitrary pool (10.1.2.0) and my network knows nothing of it - only the PIX. From my MSFC I did a trace ip on 10.1.2.1 (my laptop vpn connected) and I finally get encrypts (see below) but no replies.
The network has the following statement in it that I thought would send all ip's unknown to the network out to my PIX:
ip route 0.0.0.0 0.0.0.0 xxx.155.xx.xx (my inside ip to the PIX)
Having been a while since I have configured the Cisco network, do I need to create a static route for the 10.1.2.0 network to my inside IP of the PIX? What would the statements be?
I will probably not be working on this until after the new year. I appreciate your help to this point. If you want details of my configs, please contact me @ bkootstra@ci.visalia.ca.us - Don't want to post it out on the web.
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 66.42.71.27
dynamic allocated peer ip: 10.1.2.1
PERMIT, flags={}
#pkts encaps: 45, #pkts encrypt: 45, #pkts digest 45
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.155.xx.xx, remote crypto endpt.: 66.42.71.27
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 54660594
inbound esp sas:
spi: 0x84abe32e(2225857326)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 15, crypto map: customer
sa timing: remaining key lifetime (k/sec): (4607999/28022)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x54660594(1415972244)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 16, crypto map: customer
sa timing: remaining key lifetime (k/sec): (4607998/28022)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
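Added example (not part of the original thread, and not Cisco code): the encrypt/decrypt comparison discussed in the posts above, done on two `sh crypto ipsec sa` snapshots taken before and after a test ping so that only the packets from that test are judged. The snapshots, the peer addresses and the verdict labels are constructed for illustration; the hints restate the checks suggested in the thread.

```python
import re

REMOTE = re.compile(r"remote\s+ident \(addr/mask/prot/port\): \(([\d.]+)/")
COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

# Verdict label -> what to check next (labels are hypothetical names).
HINTS = {
    "inbound-only": "PIX decrypts client packets but encrypts nothing back: "
                    "check the nat 0 access-list and the inside route to the VPN pool",
    "outbound-only": "PIX encrypts toward the client but decrypts nothing from it",
    "both": "traffic passes in both directions through the tunnel",
    "idle": "no tunnel traffic during the test",
    "reset": "counters went backwards (SA cleared or re-established); repeat the test",
}

# Constructed snapshots in the layout of the outputs posted in the thread.
BEFORE = """\
   remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
   current_peer: 192.0.2.10
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify 16
    #pkts compressed: 0, #pkts decompressed: 0
   remote ident (addr/mask/prot/port): (10.1.2.2/255.255.255.255/0/0)
   current_peer: 192.0.2.20
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest 41
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
"""
AFTER = BEFORE.replace("16", "20").replace("41", "45")


def parse_sa_counters(text):
    """Map each remote ident address to its encrypt/decrypt packet counters."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = REMOTE.search(line)
        if m:
            cur = sas.setdefault(m.group(1), {"encrypt": 0, "decrypt": 0})
            continue
        if cur is not None:
            for name, value in COUNTER.findall(line):
                cur[name] = int(value)
    return sas


def diagnose(before, after):
    """Classify each SA by how its counters moved between two snapshots."""
    verdicts = {}
    for remote, now in after.items():
        prev = before.get(remote, {"encrypt": 0, "decrypt": 0})
        d_enc = now["encrypt"] - prev["encrypt"]
        d_dec = now["decrypt"] - prev["decrypt"]
        if d_enc < 0 or d_dec < 0:
            verdicts[remote] = "reset"
        elif d_enc == 0 and d_dec == 0:
            verdicts[remote] = "idle"
        elif d_enc == 0:
            verdicts[remote] = "inbound-only"
        elif d_dec == 0:
            verdicts[remote] = "outbound-only"
        else:
            verdicts[remote] = "both"
    return verdicts


if __name__ == "__main__":
    result = diagnose(parse_sa_counters(BEFORE), parse_sa_counters(AFTER))
    for remote, verdict in result.items():
        print(f"{remote}: {verdict} - {HINTS[verdict]}")
```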
03-26-2003 03:46 AM
Hi,
just wondering whether you have the outcome... I am encountering this problem. Should I use VPN Client 3.0? I am using VPN Client 3.6.
thanks
03-26-2003 07:39 AM
I never got it to work. Had some big projects that took precedence and gave up on it. I will get back to VPN, but we will be using different equipment to allow VPN at that time.
Sorry.
Brian
03-27-2003 05:21 PM
ok
thanks
-santo-