08-07-2003 08:57 AM - edited 02-21-2020 12:42 PM
I created 2 pix-to-pix vpn connections on my pix506. Since then my vpn clients cannot connect. We are using Cisco client ver3.5.2
Client log shows Msg. severity 3 Invalid Protocol id (0)
Thanks
*PIX CONFIG*
PIX Ver6.2(2)
access-list 110 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.214 192.168.20.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.215 192.168.20.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.0 192.168.1.0 255.255.255.0
access-list NAT0 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.0 192.168.6.0 255.255.255.0
access-list GVW_VPN permit ip host 172.20.100.214 192.168.20.0 255.255.255.0
access-list GVW_VPN permit ip host 172.20.100.215 192.168.20.0 255.255.255.0
access-list GLDR_VPN permit ip 172.20.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CLIENT permit ip any 172.16.1.0 255.255.255.0
access-list PELHM_VPN permit ip 172.20.100.0 255.255.255.0 192.168.6.0 255.255.255.0
ip local pool dealer 172.16.1.1-172.16.1.254
global (outside) 1 x
nat (inside) 0 access-list NAT0
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
route outside 0 0 0.0.0.1 1
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set VPN3000 esp-des esp-md5-hmac
crypto ipsec transform-set GVW_VPN esp-des esp-md5-hmac
crypto ipsec transform-set GLDR_VPN esp-des esp-md5-hmac
crypto ipsec transform-set PELHM_VPN esp-des esp-md5-hmac
crypto dynamic-map CLIENT 50 match address CLIENT
crypto dynamic-map CLIENT 50 set transform-set VPN3000
crypto map PEER_VPN_MAP 20 ipsec-isakmp
crypto map PEER_VPN_MAP 20 match address GVW_VPN
crypto map PEER_VPN_MAP 20 set peer x
crypto map PEER_VPN_MAP 20 set transform-set GVW_VPN
crypto map PEER_VPN_MAP 22 ipsec-isakmp
crypto map PEER_VPN_MAP 22 match address GLDR_VPN
crypto map PEER_VPN_MAP 22 set peer x
crypto map PEER_VPN_MAP 22 set transform-set GLDR_VPN
crypto map PEER_VPN_MAP 26 ipsec-isakmp
crypto map PEER_VPN_MAP 26 match address PELHM_VPN
crypto map PEER_VPN_MAP 26 set peer x
crypto map PEER_VPN_MAP 26 set transform-set PELHM_VPN
crypto map PEER_VPN_MAP interface outside
crypto map CLIENT 50 ipsec-isakmp
isakmp enable outside
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup WCRSA address-pool dealer
vpngroup WCRSA dns-server 172.20.100.4
vpngroup WCRSA wins-server 172.20.100.4
vpngroup WCRSA split-tunnel 110
vpngroup WCRSA idle-time 1800
vpngroup WCRSA password ***
*DEBUG*
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP: Created a peer node for 165.247.183.138
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 19
ISAKMP (0): Total payload length: 23
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 165.247.183.138
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 165.247.183.138, dest
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 840554125
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 2883274625
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2877072397
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 4
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 5
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (5)
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (6)
ISAKMP : Checking IPSec proposal 7
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
ISAKMP: transform 1, ESP_NULL
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
sh debug
08-07-2003 04:13 PM
Add the following:
> crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT
That should get you going.
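An added example, not part of the original thread and not Cisco tooling: a Python check that reproduces the diagnosis behind the answer. It finds `crypto dynamic-map` definitions that no interface-bound crypto map references, which is consistent with the `peer address ... not found` lines in the debug. The function name `audit_crypto_maps` and the sample, a constructed subset of the posted crypto lines, are assumptions. The ordering check goes beyond the thread and reflects the usual practice of giving the dynamic entry the highest sequence number.

```python
# Added example: audit PIX 6.x crypto-map lines for unreachable dynamic maps.

# Constructed sample: a subset of the crypto lines from the question.
POSTED_CONFIG = """\
crypto dynamic-map CLIENT 50 match address CLIENT
crypto dynamic-map CLIENT 50 set transform-set VPN3000
crypto map PEER_VPN_MAP 20 ipsec-isakmp
crypto map PEER_VPN_MAP 20 match address GVW_VPN
crypto map PEER_VPN_MAP 22 ipsec-isakmp
crypto map PEER_VPN_MAP 26 ipsec-isakmp
crypto map PEER_VPN_MAP interface outside
crypto map CLIENT 50 ipsec-isakmp
"""
# The line given in the answer above.
FIX_LINE = "crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT\n"


def audit_crypto_maps(config):
    """Return dynamic maps no interface can reach, crypto maps applied to
    no interface, and dynamic entries ordered ahead of a static entry."""
    dynamic_defs = set()   # names defined by "crypto dynamic-map NAME ..."
    bound = {}             # crypto map name -> interface it is applied to
    entries = {}           # crypto map name -> {seq: dynamic map name or None}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["crypto", "dynamic-map"] and len(tok) > 2:
            dynamic_defs.add(tok[2])
        elif tok[:2] == ["crypto", "map"] and len(tok) > 4:
            name = tok[2]
            if tok[3] == "interface":
                bound[name] = tok[4]
            elif tok[3].isdigit():
                seqs = entries.setdefault(name, {})
                seqs.setdefault(int(tok[3]), None)
                if tok[4:6] == ["ipsec-isakmp", "dynamic"] and len(tok) > 6:
                    seqs[int(tok[3])] = tok[6]
    # Only entries of a map applied to an interface can match incoming peers.
    reachable = {d for m in bound for d in entries.get(m, {}).values() if d}
    misordered = []
    for m in bound:
        seqs = entries.get(m, {})
        static = [s for s, d in seqs.items() if d is None]
        misordered += [(m, s) for s, d in seqs.items()
                       if d and static and s < max(static)]
    return {
        "unreachable_dynamic": sorted(dynamic_defs - reachable),
        "unbound_maps": sorted(set(entries) - set(bound)),
        "dynamic_before_static": sorted(misordered),
    }
```

On the posted lines the check reports `CLIENT` as an unreachable dynamic map; with the answer's line appended that finding clears, while the separate `crypto map CLIENT 50 ipsec-isakmp` entry is still reported as applied to no interface.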