434 Views, 0 Helpful, 1 Reply

VPN client hang at securing communication channel when connecting to PIX515

lehpoh (Level 1)

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

When I tried to use VPN client v3.6.4 or v4.0.1 to connect to a PIX 515E, the VPN client just stopped at the message "securing communication channel". I have checked my config many times but failed to find any config error. My config is as below (IP addresses already amended for security reasons):

firewall(config)# wr t
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
hostname firewall
domain-name cisco.com
clock timezone SGT 8
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name xxx.xx.133.288 mailserver
object-group service mailserver_grp tcp
port-object eq ftp
port-object eq smtp
port-object eq www
access-list acl_outside permit tcp any host mailserver object-group mailserver_grp
access-list acl_outside permit icmp any any
access-list nonat permit ip zzz.zz.63.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip zzz.zz.63.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside xxx.xx.133.283 255.255.255.240
ip address inside zzz.zz.63.140 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp_pool 172.16.1.1-172.16.1.250
ip local pool vpn_pool 172.16.2.1-172.16.2.250
pdm location zzz.zz.63.223 255.255.255.255 inside
pdm location 172.16.1.0 255.255.255.0 outside
pdm location 172.16.2.0 255.255.255.0 outside
pdm location zzz.zz.63.200 255.255.255.255 inside
pdm location nnn0.0.0 255.0.0.0 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) mailserver zzz.zz.63.200 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xx.133.277 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http zzz.zz.63.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set strong
crypto map client-map 20 ipsec-isakmp dynamic cisco
crypto map client-map interface outside
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup cisco address-pool vpn_pool
vpngroup cisco idle-time 1800
vpngroup abc password abc
telnet zzz.zz.63.0 255.255.255.0 inside
telnet timeout 5
ssh nnn0.0.0 255.0.0.0 outside
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication pap
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP ppp encryption mppe 40
vpdn group PPTP-VPDN-GROUP client configuration address local pptp_pool
vpdn group PPTP-VPDN-GROUP client configuration dns www.ww.ww.88 qqq.qq.100.88
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username xxxxxxxxxx password xxxxxxxxxxxxxxxxxxxx
vpdn enable outside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxx
: end
[OK]

Anyone care to enlighten me? Thanks a lot.

1 Reply

lehpoh (Level 1)

Problem solved! The problem lies in the IPsec transform-set: DES can never work with SHA; DES only works with MD5.
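Added example, not code from the thread or from Cisco: a small static checker for a PIX 6.x running-config dump that flags the kinds of things a reviewer would look at in a config shaped like the one posted above. It checks that every vpngroup that hands out an address pool also carries a password (the Cisco VPN client uses the group password as its IKE pre-shared key, so a group without one cannot complete phase 1), that the pool it references exists, and that no vpngroup has a password but no pool (which usually means the group name differs from the one in the client profile). It also flags weak primitives that are fine to replace independently of the connection problem: single DES in the ESP transform-set or the ISAKMP policy, MD5 as the IKE hash, and the default SNMP community. The two configs in the block are constructed excerpts (addresses and the PLACEHOLDER-PSK value are made up), not the poster's config.

```python
"""Static hygiene and consistency checks for a PIX 6.x running-config.

Added example, not code from the thread: it reads a config dump as text and
reports (a) vpngroup definitions that are internally inconsistent and
(b) weak crypto and management settings.
"""
import re
from collections import defaultdict

# Constructed sample with the same shape as the config posted above
# (only the statements the checks look at; addresses are made up).
SAMPLE_CONFIG = """\
PIX Version 6.2(2)
ip local pool vpn_pool 172.16.2.1-172.16.2.250
snmp-server community public
crypto ipsec transform-set strong esp-des esp-sha-hmac
crypto dynamic-map cisco 20 set transform-set strong
crypto map client-map 20 ipsec-isakmp dynamic cisco
isakmp enable outside
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption des
isakmp policy 40 hash md5
isakmp policy 40 group 2
vpngroup cisco address-pool vpn_pool
vpngroup cisco idle-time 1800
vpngroup abc password abc
"""

# A corrected variant (also constructed) that the checks should pass.
CLEAN_CONFIG = """\
ip local pool vpn_pool 172.16.2.1-172.16.2.250
snmp-server community s3cr3t-r0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
vpngroup cisco address-pool vpn_pool
vpngroup cisco password PLACEHOLDER-PSK
"""

WEAK_ESP_CIPHERS = {"esp-des"}          # 56-bit DES
WEAK_IKE_CIPHERS = {"des"}
WEAK_IKE_HASHES = {"md5"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def parse_config(text):
    """Pull out only the statements the checks need, keyed by name."""
    cfg = {
        "vpngroups": defaultdict(dict),   # group name -> {attribute: value}
        "transform_sets": {},             # set name -> list of transforms
        "pools": set(),                   # names from 'ip local pool'
        "isakmp": defaultdict(dict),      # policy number -> {attribute: value}
        "snmp_communities": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        # re.match anchors at the start, so 'no snmp-server ...' lines never match.
        if m := re.match(r"vpngroup (\S+) (\S+) (\S+)$", line):
            cfg["vpngroups"][m[1]][m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"ip local pool (\S+) ", line):
            cfg["pools"].add(m[1])
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["isakmp"][m[1]][m[2]] = m[3]
        elif m := re.match(r"snmp-server community (\S+)", line):
            cfg["snmp_communities"].append(m[1])
    return cfg


def check_config(text):
    """Return a list of (code, message) findings; an empty list means nothing flagged."""
    cfg = parse_config(text)
    findings = []
    for group, attrs in sorted(cfg["vpngroups"].items()):
        pool = attrs.get("address-pool")
        if pool and "password" not in attrs:
            findings.append(("VPNGROUP_NO_PASSWORD",
                             f"vpngroup {group} hands out pool {pool} but has no password; "
                             "the VPN client uses the group password as its IKE pre-shared key"))
        if "password" in attrs and not pool:
            findings.append(("VPNGROUP_NO_POOL",
                             f"vpngroup {group} has a password but no address-pool; "
                             "compare the group name with the client profile"))
        if pool and pool not in cfg["pools"]:
            findings.append(("POOL_UNDEFINED", f"vpngroup {group} references undefined pool {pool}"))
    for name, transforms in sorted(cfg["transform_sets"].items()):
        for t in transforms:
            if t in WEAK_ESP_CIPHERS:
                findings.append(("WEAK_ESP_CIPHER",
                                 f"transform-set {name} uses {t}; prefer esp-3des "
                                 "(or esp-aes on releases that support it)"))
    for policy, attrs in sorted(cfg["isakmp"].items()):
        if attrs.get("encryption") in WEAK_IKE_CIPHERS:
            findings.append(("WEAK_IKE_CIPHER", f"isakmp policy {policy} negotiates {attrs['encryption']}"))
        if attrs.get("hash") in WEAK_IKE_HASHES:
            findings.append(("WEAK_IKE_HASH", f"isakmp policy {policy} uses {attrs['hash']}; prefer sha"))
    for community in cfg["snmp_communities"]:
        if community in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("DEFAULT_SNMP_COMMUNITY",
                             f"snmp-server community '{community}' is a well-known default"))
    return findings


if __name__ == "__main__":
    for code, message in check_config(SAMPLE_CONFIG):
        print(f"{code}: {message}")
    print("clean config findings:", check_config(CLEAN_CONFIG))
```

Run it against a saved `wr t` output instead of the embedded sample to get the same report for a real box; the parser deliberately ignores everything it does not recognise, so moderator-redacted lines such as the ones above do not break it.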