VPN Client 3.5.4 to PIX 6.1(2)

darj (Level 1)

Can anyone help?

I am currently setting up our PIX to be able to accept VPN tunneling from VPN Client s/w ver 3.5.4.

From the debug on the PIX I can see that the connection gets through the first level of authentication, but then, when it finds the atts acceptable during the second level, it returns the following error and continues trying to find acceptable attributes until it hangs and returns an error on the VPN client side:

ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 187.45.225.2, src= 155.147.89.212,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 10.200.100.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported

The VPN client gives the following error:

Sev=Warning/3 IKE0xA3000058
Received malformed message or negotiation no longer active

Can anyone give any pointers? I have seen similar problems in the forum, but nothing exactly matching this.

The additional config on the PIX is below:

access-list nat0vpn permit ip 10.200.0.0 255.255.0.0 10.200.100.0 255.255.255.0
access-list VPDN permit ip 10.200.0.0 255.255.0.0 10.200.100.0 255.255.255.0
ip local pool vpdnpool 10.200.100.1-10.200.100.254
nat (inside) 0 access-list nat0vpn
route outside 10.200.100.0 255.255.255.0 187.45.225.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set tripledesmd5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1 match address VPDN
crypto dynamic-map dynmap 1 set transform-set tripledesmd5
crypto map mapname 1 ipsec-isakmp dynamic dynmap
crypto map mapname interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
vpngroup vpngroup address-pool vpdnpool
vpngroup vpngroup dns-server 10.200.155.9
vpngroup vpngroup wins-server 10.200.155.11
vpngroup vpngroup default-domain test.com
vpngroup vpngroup idle-time 1800
vpngroup vpngroup max-time 86400
vpngroup vpngroup password ********

2 Replies

darj (Level 1)

Before anyone replies to this, please don't bother, as the answer has turned out to be an access-list issue.

Cheers

What exactly was the issue with the ACL?

dan.kline@networksvcs.net
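The thread never says which access-list change fixed it. As an added example (editor's code, not from the thread, from the poster or from Cisco), the script below parses the phase-2 proxy identities out of the debug output posted above and checks them against the VPDN access-list that the dynamic map matches on. It uses a simplified model of crypto-ACL matching that is an assumption of this example: the ACE source is taken as the PIX-side (inside) network, the ACE destination as the remote side, and a proposal is accepted only if both proposed identities fall inside the entry. Under that model, and under exact matching too, the posted proposal fails: the client proposes its pool address /32 to 0.0.0.0/0 (no split tunnel), and 0.0.0.0/0 is not inside 10.200.0.0/16, which is what the PIX reports as "proxy identities not supported". The corrected dynamic-map fragment at the end is the editor's reading of the fix, not something the poster confirmed.

```python
# Added example (editor's, not from the thread): parse the IKE phase-2 proxy
# identities out of the PIX debug and check them against the crypto ACL that
# the dynamic map references.  Sample text is constructed from the post.
import ipaddress
import re

# Constructed sample: the debug output from the first post (lines re-joined).
PIX_DEBUG = """\
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 187.45.225.2, src= 155.147.89.212,
    dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    src_proxy= 10.200.100.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
"""

# Constructed sample: the ACL the posted dynamic map matches on.
CRYPTO_ACL = ("access-list VPDN permit ip 10.200.0.0 255.255.0.0 "
              "10.200.100.0 255.255.255.0")

PROXY_RE = re.compile(r"(dest|src)_proxy= (\S+?)/(\S+?)/\d+/\d+")
ACE_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_proxy_ids(debug):
    """Return {'local': net, 'remote': net} from validate_proposal_request.

    On the responder (the PIX here) dest_proxy is the PIX-side identity and
    src_proxy is the identity of the peer that sent the proposal.
    """
    ids = {}
    for side, addr, mask in PROXY_RE.findall(debug):
        ids["local" if side == "dest" else "remote"] = ipaddress.IPv4Network(
            (addr, mask), strict=False)
    return ids


def parse_ace(line):
    """Parse one 'permit ip A MASK B MASK' entry.  Source is treated as the
    inside/local side of the tunnel, destination as the remote side."""
    name, sa, sm, da, dm = ACE_RE.match(line).groups()
    return (name,
            ipaddress.IPv4Network((sa, sm), strict=False),
            ipaddress.IPv4Network((da, dm), strict=False))


def proxy_ids_permitted(local, remote, ace_local, ace_remote):
    """Simplified crypto-ACL check (assumption of this example): the proposed
    identities must fall inside the ACE on both sides.  Accepting a narrower
    proposal is a simplification; the proposal in the post fails under exact
    matching as well, because 0.0.0.0/0 is not 10.200.0.0/16.
    """
    return local.subnet_of(ace_local) and remote.subnet_of(ace_remote)


def diagnose(debug, acl_line):
    """Report whether the proposal in `debug` can pass the crypto ACL."""
    ids = parse_proxy_ids(debug)
    name, ace_local, ace_remote = parse_ace(acl_line)
    ok = proxy_ids_permitted(ids["local"], ids["remote"], ace_local, ace_remote)
    return {
        "acl": name,
        "proposed": (str(ids["local"]), str(ids["remote"])),
        "permitted_by_ace": (str(ace_local), str(ace_remote)),
        "match": ok,
    }


# Editor's reading of the fix (the post only says "an access-list issue"):
# a dynamic map serving remote-access clients should not carry
# `match address`.  The client supplies its own identities (pool address /32
# to 0.0.0.0/0 without split tunnelling), and `sysopt connection permit-ipsec`
# already lets the decrypted traffic through.  Hypothetical fragment:
CORRECTED_DYNAMIC_MAP = """\
no crypto dynamic-map dynmap 1 match address VPDN
crypto dynamic-map dynmap 1 set transform-set tripledesmd5
crypto map mapname 1 ipsec-isakmp dynamic dynmap
"""

if __name__ == "__main__":
    print(diagnose(PIX_DEBUG, CRYPTO_ACL))
    # → match False: local 0.0.0.0/0 is not inside 10.200.0.0/16
```

Run it with Python 3.7 or later (for `IPv4Network.subnet_of`). If the intent behind the VPDN access-list was to limit which inside networks the client can reach, the editor's note is that on PIX 6.x that is normally expressed as a split-tunnel ACL on the vpngroup, which changes what the client proposes, rather than as a `match address` on the dynamic map, which only makes the PIX reject what the client proposes.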