Unable to use VPN client to IOS router from behind PIX

blakem
Level 1

Hello, I'm having problems connecting with Cisco VPN client to a Cisco IOS router. There is a PIX between the client and the router, with protocols enabled, NAT-T, sysopt conn permit-ipsec ..., but I still can't connect...

On the router I get (when using cert authentication):

366071: *May 26 11:30:54.076 PCTime: ISAKMP:(0:498:SW:1): failed to find usage restriction in ext.

On the client I get:

574 11:34:36.739 05/26/06 Sev=Info/4 CERT/0x63600015
Cert (1.2.840.113549.1.9.2=#1613323835312e73796e657267792d66732e636f6d) verification succeeded.

575 11:34:36.739 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

576 11:34:36.739 05/26/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194

577 11:34:36.739 05/26/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

578 11:34:36.739 05/26/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

579 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

580 11:34:36.769 05/26/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx

581 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

582 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

583 11:34:47.034 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

** followed by numerous keepalives, and then an IKE SA deletion:

612 11:39:36.951 05/26/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=97E05EB0AED2C3A3 R_Cookie=8E7AA274E4EDFB3C) reason = DEL_REASON_CANNOT_AUTH

If I use a pre-shared key, I get the following on the router:

366272: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0):no offers accepted!

366273: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local xx.xx.xx.xx remote xx.xx.xx.xx)

and on the client:

632 11:44:54.708 05/26/06 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

633 11:44:54.718 05/26/06 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

634 11:44:54.718 05/26/06 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

635 11:44:59.915 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

The config on the IOS router has been tested with the VPN client, and it works. I just have a problem when I put a PIX in between...

I've attached the PIX config, and afaik, it's got all that's required... any ideas?

Many thanks,

Michael

1 Reply

blakem
Level 1

Found the error!!

I had a crypto map set up for the same address that the VPN client was using, so when I was trying to connect with the client, the router was checking the crypto map and pre-shared key instead of the VPN client config... Hope this may help someone in the future.
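The conflict described in the reply, as an added illustration that is not the poster's configuration: a static crypto map entry and a pre-shared key bound to the address the client's NAT-T traffic arrives from are matched ahead of the dynamic (client) entry, so the router treats the client as a LAN-to-LAN peer. All map, list, pool and key names and the 192.0.2.1 address are placeholders.

```text
! Added example, not the poster's config. Names, addresses and keys are
! placeholders; 192.0.2.1 stands for the PIX outside address that the
! VPN client's NAT-T traffic is translated to.

! --- Conflicting entries: both are bound to the client's source address ---
! IKE arriving from 192.0.2.1 is matched against this pre-shared key and
! static map entry instead of the client group below, which is the
! situation the reply describes.
crypto isakmp key L2L-KEY-PLACEHOLDER address 192.0.2.1
!
crypto map OUTSIDE 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address L2L-ACL

! --- Remote-access (client) configuration that should be matched ---
! VPNAUTH and VPNGROUPS are assumed AAA list names.
crypto isakmp client configuration group VPNCLIENTS
 key GROUP-KEY-PLACEHOLDER
 pool VPNPOOL
!
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
!
crypto map OUTSIDE client authentication list VPNAUTH
crypto map OUTSIDE isakmp authorization list VPNGROUPS
crypto map OUTSIDE client configuration address respond
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYNMAP

! --- Fix, as in the reply: remove the static entries for that address ---
! (configure terminal mode; a LAN-to-LAN tunnel to the PIX, if still
! needed, must not share the address the clients are translated to)
no crypto map OUTSIDE 10
no crypto isakmp key L2L-KEY-PLACEHOLDER address 192.0.2.1
```

After the change, `show crypto isakmp sa` and `show crypto session` on the router should show the client session established under the dynamic entry rather than repeated Phase 1 failures.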
