Solved: Re: VPN Client 3.6.3 and PIX 506e

IanChalmers · ‎12-13-2002

Hi,

I'm trying to build a VPN between a VPN Client Ver 3.6.3 and a PIX 506e running 6.2(2) with 3DES.

Firewall# sh ver

Cisco PIX Firewall Version 6.2(2)

Cisco PIX Device Manager Version 2.1(1)

Compiled on Fri 07-Jun-02 17:49 by morlee

Firewall up 7 days 4 hours

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz

Flash E28F640J3 @ 0x300, 8MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Licensed Features:

Failover: Disabled

VPN-DES: Enabled

VPN-3DES: Enabled

Maximum Interfaces: 2

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Limited

IKE peers: Unlimited

Configuration last modified by enable_15 at 22:59:47.355 UTC Fri Dec 13 2002

Firewall#

I am getting the following errors:

Firewall#

crypto_isakmp_process_block: src Mike, dest 198.

VPN Peer: ISAKMP: Added new peer: ip:Mike Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt incremented to:1 Total VPN Peers:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: attribute 3584

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption... What? 7?

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block: src Mike, dest 198.

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt decremented to:1 Total VPN Peers:1

crypto_isakmp_process_block: src Mike, dest 198.

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt decremented to:1 Total VPN Peers:1

crypto_isakmp_process_block: src Mike, dest 198.

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt decremented to:1 Total VPN Peers:1

ISAKMP (0): retransmitting phase 1...

ISAKMP (0): deleting SA: src Mike, dst 198.143.226.158

ISADB: reaper checking SA 0x812ba828, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:Mike Ref cnt decremented to:0 Total VPN Peers:1

VPN Peer: ISAKMP: Deleted peer: ip:Mike Total VPN peers:0

Looks like I have an encryption problem. Here is most of my configuration:

: Saved

:

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password encrypted

passwd encrypted

hostname Firewall

domain-name

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

no fixup protocol smtp 25

names

access-list outside_access_in .255.255.224 any

access-list outside_access_in 255.255.255.224 any

access-list outside_access_in permit tcp any hosteq smtp

access-list outside_access_in permit tcp any host eq pop3

access-list outside_access_in permit tcp any host eq 5993

access-list outside_access_in permit tcp any hostq smtp

access-list outside_access_in permit tcp any hosteq pop3

access-list outside_access_in permit tcp any host eq www

access-list outside_access_in permit tcp any hosteq ftp

access-list outside_access_in permit tcp any hosteq www

access-list outside_access_in permit ip host Toronto any

access-list outside_access_in permit ip host Mike any

access-list outside_access_in deny ip any any

pager lines 24

logging on

logging monitor debugging

logging buffered critical

logging trap warnings

logging history warnings

logging host inside

interface ethernet0 auto

interface ethernet1 auto

icmp permit any outside

icmp permit any inside

mtu outside 1500

mtu inside 1500

ip address outside whatever 255.255.255.248

ip address inside 10.1.1.1 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnpool 192.168.1.50-192.168.1.75

pdm location xxx 255.255.255.255 inside

pdm location Router 255.255.255.255 outside

pdm location xxx 255.255.255.255 inside

pdm location Mike 255.255.255.255 outside

pdm location Web1 255.255.255.255 inside

pdm location xxx 255.255.255.255 inside

pdm location xxx 255.255.255.224 outside

pdm location xxx255.255.255.224 outside

pdm location xxx 255.255.255.255 outside

pdm location 10.1.1.153 255.255.255.255 inside

pdm location 10.1.1.154 255.255.255.255 inside

pdm logging critical 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Several statics to inside servers...

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 Router 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 30 set transform-set myset

crypto map newmap 20 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address Mike netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup mycompany address-pool vpnpool

vpngroup mycompany dns-server SERVER101

vpngroup mycompany wins-server SERVER101

vpngroup mycompany default-domain whatever.com

vpngroup mycompany idle-time 1800

vpngroup mycompany password ********

ssh timeout 15

dhcpd address 10.1.1.50-10.1.1.150 inside

dhcpd dns Skhbhb

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd domain ljkn

dhcpd enable inside

terminal width 80

Cryptochecksum:0e4c08a9e834d03338974105bb73355f

: end

[OK]

Firewall#

Any ideas?

Thanks,

Mike

ajagadee · ‎12-17-2002

Hi Mike,

You are welcome anytime. Will wait for your update

Regards,

Arul

View solution in original post

IanChalmers · ‎12-16-2002

So what have I done wrong? Used the wrong forum? Didn't RTFM (or at least the right one)?

At least I know it's not my deoderant ;-)

Mike

ajagadee · ‎12-16-2002

Hi,

From the config that you have posted, you are missing NAT 0 command and an access-list to bypass NAT for the IPSec traffic. You can follow the below URL for the same:

http://www.cisco.com/warp/public/110/pix3000.html

http://www.cisco.com/warp/public/110/pixpixvpn.html

And regarding your Client connection, what is happening when you try to connect ??

Are you able to connect and not able to pass any traffic or the client does not even connect ??

Regards,

Arul

IanChalmers · ‎12-17-2002

Thanks for the reply. I just want to say that I am having (nontechnical) problems with my testing equipment and will keep the group updated.

Mike

ajagadee · ‎12-17-2002

Hi Mike,

You are welcome anytime. Will wait for your update

Regards,

Arul