VPN Client hangs at securing communication channel

t.whiten (Level 1)

I created 2 PIX-to-PIX VPN connections on my PIX 506. Since then, my VPN clients cannot connect. We are using Cisco VPN Client ver. 3.5.2.

Client log shows "Msg. severity 3 Invalid Protocol id (0)".

Thanks

*PIX CONFIG*

PIX Ver 6.2(2)

access-list 110 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.214 192.168.20.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.215 192.168.20.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.0 192.168.1.0 255.255.255.0
access-list NAT0 permit ip 172.20.0.0 255.255.0.0 172.16.1.0 255.255.255.0
access-list NAT0 permit ip host 172.20.100.0 192.168.6.0 255.255.255.0
access-list GVW_VPN permit ip host 172.20.100.214 192.168.20.0 255.255.255.0
access-list GVW_VPN permit ip host 172.20.100.215 192.168.20.0 255.255.255.0
access-list GLDR_VPN permit ip 172.20.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CLIENT permit ip any 172.16.1.0 255.255.255.0
access-list PELHM_VPN permit ip 172.20.100.0 255.255.255.0 192.168.6.0 255.255.255.0
ip local pool dealer 172.16.1.1-172.16.1.254
global (outside) 1 x
nat (inside) 0 access-list NAT0
nat (inside) 1 172.20.0.0 255.255.0.0 0 0
route outside 0 0 0.0.0.1 1
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
no sysopt route dnat
crypto ipsec transform-set VPN3000 esp-des esp-md5-hmac
crypto ipsec transform-set GVW_VPN esp-des esp-md5-hmac
crypto ipsec transform-set GLDR_VPN esp-des esp-md5-hmac
crypto ipsec transform-set PELHM_VPN esp-des esp-md5-hmac
crypto dynamic-map CLIENT 50 match address CLIENT
crypto dynamic-map CLIENT 50 set transform-set VPN3000
crypto map PEER_VPN_MAP 20 ipsec-isakmp
crypto map PEER_VPN_MAP 20 match address GVW_VPN
crypto map PEER_VPN_MAP 20 set peer x
crypto map PEER_VPN_MAP 20 set transform-set GVW_VPN
crypto map PEER_VPN_MAP 22 ipsec-isakmp
crypto map PEER_VPN_MAP 22 match address GLDR_VPN
crypto map PEER_VPN_MAP 22 set peer x
crypto map PEER_VPN_MAP 22 set transform-set GLDR_VPN
crypto map PEER_VPN_MAP 26 ipsec-isakmp
crypto map PEER_VPN_MAP 26 match address PELHM_VPN
crypto map PEER_VPN_MAP 26 set peer x
crypto map PEER_VPN_MAP 26 set transform-set PELHM_VPN
crypto map PEER_VPN_MAP interface outside
crypto map CLIENT 50 ipsec-isakmp
isakmp enable outside
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address x netmask 255.255.255.255
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local dealer outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup WCRSA address-pool dealer
vpngroup WCRSA dns-server 172.20.100.4
vpngroup WCRSA wins-server 172.20.100.4
vpngroup WCRSA split-tunnel 110
vpngroup WCRSA idle-time 1800
vpngroup WCRSA password ***

*DEBUG*

ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP: Created a peer node for 165.247.183.138
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 19
ISAKMP (0): Total payload length: 23
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 165.247.183.138
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 165.247.183.138, dest
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 840554125
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 165.247.183.138. message ID = 2166937244
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 165.247.183.138. ID = 2883274625
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 165.247.183.138, dest x.x.x.x
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2877072397
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 4
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 5
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (5)
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (6)
ISAKMP : Checking IPSec proposal 7
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): peer address 165.247.183.138 not found
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
ISAKMP: transform 1, ESP_NULL
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
sh debug

Accepted Solution

gfullage (Cisco Employee)

Add the following:

> crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT

That should get you going.

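Why that one line fixes it: on PIX 6.x a "crypto dynamic-map" is only a template. It does nothing until a crypto map that is applied to an interface references it with "ipsec-isakmp dynamic <name>". The posted config defines "crypto dynamic-map CLIENT", but the only map bound to "outside" is PEER_VPN_MAP, and "crypto map CLIENT 50 ipsec-isakmp" is an unrelated static entry that happens to share the name, so every quick-mode proposal from the VPN Client is rejected with "peer address ... not found" even though proposal 5 (ESP_DES / HMAC-MD5) matches transform-set VPN3000. The Python script below is an added example, not code from this thread or from Cisco: it parses the crypto-relevant lines of the posted config (reproduced inline as constructed sample input, with peers and keys already masked as in the post), reports dynamic maps that no interface-bound crypto map references, crypto maps never applied to an interface, and dynamic entries that do not carry the highest sequence number, and then re-runs after appending gfullage's line. The regexes and finding texts are this example's own, not PIX commands.

```python
"""Added example (not from the thread or from Cisco): lint a PIX 6.x crypto
config for a dynamic crypto map that no interface-bound crypto map references."""
import re
from collections import defaultdict

# Constructed sample: the crypto-relevant lines of the posted config (peers and
# keys were already masked as "x" / "***" in the original post).
POSTED_CONFIG = """
access-list GVW_VPN permit ip host 172.20.100.214 192.168.20.0 255.255.255.0
access-list CLIENT permit ip any 172.16.1.0 255.255.255.0
crypto ipsec transform-set VPN3000 esp-des esp-md5-hmac
crypto ipsec transform-set GVW_VPN esp-des esp-md5-hmac
crypto dynamic-map CLIENT 50 match address CLIENT
crypto dynamic-map CLIENT 50 set transform-set VPN3000
crypto map PEER_VPN_MAP 20 ipsec-isakmp
crypto map PEER_VPN_MAP 20 match address GVW_VPN
crypto map PEER_VPN_MAP 20 set peer x
crypto map PEER_VPN_MAP 20 set transform-set GVW_VPN
crypto map PEER_VPN_MAP interface outside
crypto map CLIENT 50 ipsec-isakmp
isakmp enable outside
"""
FIX_LINE = "crypto map PEER_VPN_MAP 100 ipsec-isakmp dynamic CLIENT\n"  # accepted answer

ENTRY_RE = re.compile(r"crypto (dynamic-map|map) (\S+) (\d+) (.+)")


def _apply(entry, stmt):
    """Record one sub-command of a crypto map or dynamic-map entry."""
    if m := re.match(r"match address (\S+)", stmt):
        entry["match"] = m[1]
    elif m := re.match(r"set transform-set (.+)", stmt):
        entry["ts"].extend(m[1].split())
    elif m := re.match(r"set peer (\S+)", stmt):
        entry["peer"] = m[1]
    # a bare "ipsec-isakmp" only declares the entry type


def parse(config):
    """Collect the objects the lint needs: ACLs, transform sets, dynamic maps,
    static crypto map entries, dynamic references and interface bindings."""
    c = {"acls": set(), "transform_sets": set(), "bound": {},
         "dynamic_maps": defaultdict(dict), "static": defaultdict(dict),
         "dynamic_refs": defaultdict(dict)}
    for line in (raw.strip() for raw in config.splitlines() if raw.strip()):
        if m := re.match(r"access-list (\S+) ", line):
            c["acls"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            c["transform_sets"].add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            c["bound"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)", line):
            c["dynamic_refs"][m[1]][int(m[2])] = m[3]
        elif m := ENTRY_RE.match(line):
            table = c["dynamic_maps"] if m[1] == "dynamic-map" else c["static"]
            entry = table[m[2]].setdefault(int(m[3]), {"match": None, "ts": [], "peer": None})
            _apply(entry, m[4])
    return c


def lint(config):
    """Return findings; an empty list means the crypto map hierarchy is consistent."""
    c = parse(config)
    findings = []
    # 1. A dynamic map only takes effect once a crypto map that is applied to an
    #    interface references it with "ipsec-isakmp dynamic <name>".
    for dname, seqs in c["dynamic_maps"].items():
        if not any(dname in refs.values() and mp in c["bound"]
                   for mp, refs in c["dynamic_refs"].items()):
            findings.append(f"dynamic-map {dname} is not referenced by any crypto map "
                            "applied to an interface; VPN Client quick mode will fail")
        for seq, e in seqs.items():
            if e["match"] and e["match"] not in c["acls"]:
                findings.append(f"dynamic-map {dname} {seq} matches missing access-list {e['match']}")
            findings += [f"dynamic-map {dname} {seq} uses missing transform-set {ts}"
                         for ts in e["ts"] if ts not in c["transform_sets"]]
    # 2. A crypto map never applied to an interface does nothing, and a static
    #    entry that merely shares a dynamic map's name does not attach it.
    for mp in set(c["static"]) | set(c["dynamic_refs"]):
        if mp not in c["bound"]:
            findings.append(f"crypto map {mp} is never applied to an interface")
    for mp, entries in c["static"].items():
        if mp in c["dynamic_maps"]:
            findings += [f"crypto map {mp} {seq} ipsec-isakmp is a static entry, not a "
                         f"reference to dynamic-map {mp}; use 'ipsec-isakmp dynamic {mp}'"
                         for seq in entries]
    # 3. The dynamic entry should carry the highest sequence number in its map so
    #    the fully specified site-to-site peers are matched first.
    for mp, refs in c["dynamic_refs"].items():
        for seq in refs:
            if later := sorted(s for s in c["static"].get(mp, {}) if s > seq):
                findings.append(f"crypto map {mp} {seq} (dynamic) precedes static entries {later}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("with fix", POSTED_CONFIG + FIX_LINE)):
        print(f"--- {label} ---", *(lint(cfg) or ["ok"]), sep="\n")
```

Run against the posted config the script reports the unreachable dynamic map plus the two notes about the orphan "crypto map CLIENT 50" entry; with the accepted line appended, only the orphan notes remain, which is harmless (that entry is never applied to an interface) but worth cleaning up with "no crypto map CLIENT 50 ipsec-isakmp". The sequence-number check is there because the dynamic entry is matched last: if it were given a lower sequence than the site-to-site entries, a site-to-site peer could be matched by the permissive "CLIENT" ACL ("permit ip any 172.16.1.0 ...") before its own entry.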