09-25-2003 10:48 AM - edited 02-21-2020 12:47 PM
I am trying to connect cisco vpn client 4.0 to a pix 515 ver 6.1 and receive following errors which I assume are Hash algorithm related but am not sure. Only DES is enabled not 3DES. Posted config in Cisco output interpreter but apparently no config errors.
vpn client log:
Cisco Systems VPN Client Version 4.0 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195
1 10:58:34.890 09/25/03 Sev=Info/4 CM/0x63100002
Begin connection process
2 10:58:34.906 09/25/03 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
3 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 10:58:34.906 09/25/03 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.226"
5 10:58:35.953 09/25/03 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.226.
6 10:58:36.000 09/25/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.226
7 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 10:58:36.000 09/25/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
10 10:58:41.093 09/25/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226
11 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 10:58:46.093 09/25/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226
13 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 10:58:51.093 09/25/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to x.x.x.226
15 10:58:56.093 09/25/03 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
16 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=20FC277498A5D2DC R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
17 10:58:56.593 09/25/03 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.226" because of "DEL_REASON_PEER_NOT_RESPONDING"
18 10:58:56.593 09/25/03 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
19 10:58:56.593 09/25/03 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
20 10:58:56.625 09/25/03 Sev=Critical/1 CVPND/0xE3400001
Microsoft IPSec Policy Agent service started successfully
21 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
22 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
23 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 10:58:57.093 09/25/03 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Pix log:
crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226
VPN Peer: ISAKMP: Added new peer: ip:x.x.x.194 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:1 Total VPN Pee
rs:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee
rs:1
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee
rs:1
crypto_isakmp_process_block: src x.x.x.194, dest x.x.x.226
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt incremented to:2 Total VPN Pee
rs:1
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:1 Total VPN Pee
rs:1
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src x.x.x.194, dst x.x.x.226
ISADB: reaper checking SA 0x80db91c8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:x.x.x.194 Ref cnt decremented to:0 Total VPN Pee
rs:1
VPN Peer: ISAKMP: Deleted peer: ip:x.x.x.194 Total VPN peers:0
ISAKMP: Deleting peer node for x.x.x.194
Thanks for any help
Solved! Go to Solution.
09-28-2003 08:32 AM
Hi,
The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757
This link will show you IKE proposals to be configured on the PIX (VPN server)
Arthur
09-28-2003 08:32 AM
Hi,
The pix isakmp policy should have DES,MD5 and group 2 for the Cisco VPN client 4.x to connect, this are the proposals that the client will send to the server...
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel4_0/admin_gd/vcach6.htm#1157757
This link will show you IKE proposals to be configured on the PIX (VPN server)
Arthur
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: