05-26-2006 03:00 AM - edited 02-21-2020 02:26 PM
Hello, I'm having problems connecting with the Cisco VPN client to a Cisco IOS router. There is a PIX between the client and the router, with the protocols enabled, NAT-T, sysopt connection permit-ipsec, etc., but I still can't connect...
On the router I get (when using cert authentication):
366071: *May 26 11:30:54.076 PCTime: ISAKMP:(0:498:SW:1): failed to find usage restriction in ext.
On the client I get:
574 11:34:36.739 05/26/06 Sev=Info/4 CERT/0x63600015
Cert (1.2.840.113549.1.9.2=#1613323835312e73796e657267792d66732e636f6d) verification succeeded.
575 11:34:36.739 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
576 11:34:36.739 05/26/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
577 11:34:36.739 05/26/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
578 11:34:36.739 05/26/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
579 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
580 11:34:36.769 05/26/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx
581 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
582 11:34:36.769 05/26/06 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
583 11:34:47.034 05/26/06 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
** followed by numerous keepalives, and then an IKE SA deletion:
612 11:39:36.951 05/26/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=97E05EB0AED2C3A3 R_Cookie=8E7AA274E4EDFB3C) reason = DEL_REASON_CANNOT_AUTH
If I use a pre-shared key, I get the following on the router:
366272: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0):no offers accepted!
366273: *May 26 11:41:12.156 PCTime: ISAKMP:(0:0:N/A:0): phase 1 SA policy not acceptable! (local xx.xx.xx.xx remote xx.xx.xx.xx)
and on the client:
632 11:44:54.708 05/26/06 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
633 11:44:54.718 05/26/06 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
634 11:44:54.718 05/26/06 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
635 11:44:59.915 05/26/06 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
The config on the IOS router has been tested with the VPN client, and it works. I just have a problem when I put a PIX in between...
I've attached the PIX config, and AFAIK it's got all that's required... any ideas?
Many thanks,
Michael
05-26-2006 07:46 AM
Found the error!!
I had a crypto map set up for the same address that the VPN client was using, so when I was trying to connect with the client, the router was checking the crypto map and pre-shared key instead of the VPN client config... hope this may help someone in the future.
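To illustrate the conflict described above, here is an added IOS configuration sketch (not the poster's config, nor taken from the attached PIX config); the addresses, names and keys are constructed placeholders. The static site-to-site entry for the peer address matches before the dynamic map, so a remote-access client arriving from that same address is negotiated against the site-to-site policy and pre-shared key instead of the VPN client group.

```cisco
! --- Conflicting configuration (client's public address is 192.0.2.10, constructed) ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Static site-to-site key bound to the same address the VPN client connects from
crypto isakmp key L2L-KEY-PLACEHOLDER address 192.0.2.10
! Remote-access group for the Cisco VPN client
crypto isakmp client configuration group vpnclients
 key GROUP-KEY-PLACEHOLDER
 pool vpnpool
crypto isakmp profile vpnclient-prof
 match identity group vpnclients
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set TS
 set isakmp-profile vpnclient-prof
! Static entry 10 is evaluated before dynamic entry 65535 and wins for 192.0.2.10
crypto map outside-map 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address 110
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap

! --- Fix: remove the static entries that claim the client's address ---
no crypto isakmp key L2L-KEY-PLACEHOLDER address 192.0.2.10
no crypto map outside-map 10
! The client now falls through to the dynamic map and the vpnclients group.
```

If a genuine site-to-site tunnel to that address is also required, it must be given a different peer address (or the two peers must be distinguishable by ISAKMP identity); a single address cannot be both a static crypto map peer and a remote-access client source.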