Cisco Support Community

VPN Client hangs at securing communication channel

I created 2 pix-to-pix VPN connections on my pix506. Since then, my VPN clients cannot connect. We are using Cisco client ver3.5.2.

Client log shows Msg. severity 3 Invalid Protocol id (0)

Thanks

*PIX CONFIG*

PIX Ver6.2(2)

access-list 110 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0

access-list NAT0 permit ip host 172.20.100.214 192.168.20.0 255.255.255.0

access-list NAT0 permit ip host 172.20.100.215 192.168.20.0 255.255.255.0

access-list NAT0 permit ip host 172.20.100.0 192.168.1.0 255.255.255.0

access-list NAT0 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0

access-list NAT0 permit ip host 172.20.100.0 192.168.6.0 255.255.255.0

access-list GVW_VPN permit ip host 172.20.100.214 192.168.20.0 255.255.255.0

access-list GVW_VPN permit ip host 172.20.100.215 192.168.20.0 255.255.255.0

access-list GLDR_VPN permit ip 172.20.100.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list CLIENT permit ip any 172.16.1.0 255.255.255.0

access-list PELHM_VPN permit ip 172.20.100.0 255.255.255.0 192.168.6.0 255.255.255.0

ip local pool dealer 172.16.1.1-172.16.1.254

global (outside) 1 x

nat (inside) 0 access-list NAT0

nat (inside) 1 172.20.0.0 255.255.0.0 0 0

route outside 0 0 0.0.0.1 1

sysopt connection permit-ipsec

sysopt ipsec pl-compatible

no sysopt route dnat

crypto ipsec transform-set VPN3000 esp-des esp-md5-hmac

crypto ipsec transform-set GVW_VPN esp-des esp-md5-hmac

crypto ipsec transform-set GLDR_VPN esp-des esp-md5-hmac

crypto ipsec transform-set PELHM_VPN esp-des esp-md5-hmac

crypto dynamic-map CLIENT 50 match address CLIENT

crypto dynamic-map CLIENT 50 set transform-set VPN3000

crypto map PEER_VPN_MAP 20 ipsec-isakmp

crypto map PEER_VPN_MAP 20 match address GVW_VPN

crypto map PEER_VPN_MAP 20 set peer x

crypto map PEER_VPN_MAP 20 set transform-set GVW_VPN

crypto map PEER_VPN_MAP 22 ipsec-isakmp

crypto map PEER_VPN_MAP 22 match address GLDR_VPN

crypto map PEER_VPN_MAP 22 set peer x

crypto map PEER_VPN_MAP 22 set transform-set GLDR_VPN

crypto map PEER_VPN_MAP 26 ipsec-isakmp

crypto map PEER_VPN_MAP 26 match address PELHM_VPN

crypto map PEER_VPN_MAP 26 set peer x

crypto map PEER_VPN_MAP 26 set transform-set PELHM_VPN

crypto map PEER_VPN_MAP interface outside

crypto map CLIENT 50 ipsec-isakmp

isakmp enable outside

isakmp key *** address x netmask 255.255.255.255

isakmp key *** address x netmask 255.255.255.255

isakmp key *** address x netmask 255.255.255.255

isakmp key *** address 0.0.0.0 netmask 0.0.0.0

isakmp client configuration address-pool local dealer outside

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup WCRSA address-pool dealer

vpngroup WCRSA dns-server 172.20.100.4

vpngroup WCRSA wins-server 172.20.100.4

vpngroup WCRSA split-tunnel 110

vpngroup WCRSA idle-time 1800

vpngroup WCRSA password ***

*DEBUG*

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP: Created a peer node for 165.247.183.138

ISAKMP (0): ID payload

next-payload : 10

type : 2

protocol : 17

port : 500

length : 19

ISAKMP (0): Total payload length: 23

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 165.247.183.138, dest

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 165.247.183.138

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

crypto_isakmp_process_block: src 165.247.183.138, dest

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute APPLICATION_VERSION (7)

Unsupported Attr: 7

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

ISAKMP: attribute UNKNOWN (28673)

Unsupported Attr: 28673

ISAKMP: attribute ALT_DEF_DOMAIN (28674)

ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)

ISAKMP: attribute ALT_PFS (28679)

ISAKMP: attribute UNKNOWN (28680)

Unsupported Attr: 28680

ISAKMP: attribute UNKNOWN (28677)

Unsupported Attr: 28677

ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 840554125

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute APPLICATION_VERSION (7)

Unsupported Attr: 7

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

ISAKMP: attribute UNKNOWN (28673)

Unsupported Attr: 28673

ISAKMP: attribute ALT_DEF_DOMAIN (28674)

ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)

ISAKMP: attribute ALT_PFS (28679)

ISAKMP: attribute UNKNOWN (28680)

Unsupported Attr: 28680

ISAKMP: attribute UNKNOWN (28677)

Unsupported Attr: 28677

ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 2883274625

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 2877072397

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (1)

ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (2)

ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_3DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (5)

ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (6)

ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-SHA

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): peer address 165.247.183.138 not found

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 9

ISAKMP: transform 1, ESP_NULL

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

sh debug

Cisco Employee

Re: VPN Client hangs at securing communication channel

Add the following:

> crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT

That should get you going.
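
A configuration check for the condition the reply's line corrects, as an added example that is not part of the original thread or any Cisco tool: it reports dynamic crypto maps that no interface-bound crypto map references, which is the state of the posted configuration, where only PEER_VPN_MAP is applied to the outside interface. The function names and the trimmed sample configuration are constructed for illustration.

```python
import re

# Constructed sample: crypto-map lines trimmed from the configuration
# posted in the question (one site-to-site entry kept for brevity).
SAMPLE_CONFIG = """\
crypto dynamic-map CLIENT 50 match address CLIENT
crypto dynamic-map CLIENT 50 set transform-set VPN3000
crypto map PEER_VPN_MAP 20 ipsec-isakmp
crypto map PEER_VPN_MAP 20 match address GVW_VPN
crypto map PEER_VPN_MAP 20 set peer x
crypto map PEER_VPN_MAP 20 set transform-set GVW_VPN
crypto map PEER_VPN_MAP interface outside
crypto map CLIENT 50 ipsec-isakmp
"""

# The line given in the accepted reply.
FIX_LINE = "crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT"


def parse_crypto_maps(config):
    """Return (dynamic_maps, references, bindings) from PIX 6.x style lines."""
    dynamic_maps = set()   # names defined with 'crypto dynamic-map'
    references = {}        # crypto map name -> dynamic-map names it pulls in
    bindings = {}          # crypto map name -> interfaces it is applied to
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto dynamic-map (\S+) \d+ ", line)
        if m:
            dynamic_maps.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line)
        if m:
            references.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            bindings.setdefault(m.group(1), set()).add(m.group(2))
    return dynamic_maps, references, bindings


def unreachable_dynamic_maps(config):
    """Dynamic maps that no interface-bound crypto map references."""
    dynamic_maps, references, bindings = parse_crypto_maps(config)
    reachable = set()
    for map_name in bindings:
        reachable |= references.get(map_name, set())
    return sorted(dynamic_maps - reachable)


if __name__ == "__main__":
    print("before fix:", unreachable_dynamic_maps(SAMPLE_CONFIG))
    print("after fix: ", unreachable_dynamic_maps(SAMPLE_CONFIG + FIX_LINE + "\n"))
```

A dynamic map referenced only from a crypto map that is not applied to an interface is still reported, since only the map bound to the interface is consulted for incoming proposals.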
