Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
513
Views
0
Helpful
9
Replies

vpn client not working puzzler

jasosan22
Level 1
Level 1

‎09-18-2008 12:23 PM - edited ‎02-21-2020 03:57 PM

I've got a Cisco Pix 501 and am trying to get the VPN client to work. When I do my debugs (debug crypto isakmp/ipsec) and try to login with the client it points me to the direction of not having the correct pool. Here is the config:

access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.33

access-list 10 permit ip 192.168.1.0 255.255.255.0 host 172.16.7.14

access-list Internet permit icmp any any echo-reply

access-list Internet permit icmp any any time-exceeded

access-list Internet permit icmp any any traceroute

access-list Internet permit udp any any eq isakmp

access-list Internet permit esp any any

access-list Internet permit tcp any host 10.1.1.1 eq smtp

access-list Internet permit tcp any host 10.1.1.1 eq https

access-list Internet permit tcp any host 10.1.1.1 eq www

access-list Internet permit tcp any host 10.1.1.1 eq 3389

access-list Internet permit tcp any host 10.1.1.6 eq ssh

access-list Internet permit tcp any host 10.1.1.1 eq 4125

access-list Internet permit tcp any host 10.1.1.1 eq www

access-list Internet deny ip any any log

access-list NO-NAT-VPN permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

logging on

logging console notifications

logging buffered informational

mtu outside 1492

mtu inside 1500

ip address outside 10.1.1.1 255.255.255.224

ip address inside 192.168.1.254 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action drop

ip local pool VPNPOOL 192.168.100.1-192.168.100.50

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 10

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside)10.1.1.1 192.168.1.10 netmask 255.255.255.255 0 0

access-group Internet in interface outside

route outside 0.0.0.0 0.0.0.0 98.172.55.1 1

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-3des esp-md5-hmac

crypto dynamic-map dynmap 40 set transform-set strong

crypto map VPN 10 ipsec-isakmp

crypto map VPN 10 match address 10

crypto map VPN 10 set peer 10.1.1.1

crypto map VPN 10 set transform-set strong

crypto map VPN 65000 ipsec-isakmp dynamic dynmap

crypto map VPN interface outside

isakmp enable outside

isakmp key ******** address 10.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 3600

vpngroup VPN address-pool VPNPOOL

vpngroup VPN dns-server 192.168.1.104 192.168.2.5

vpngroup VPN default-domain

vpngroup VPN idle-time 1800

vpngroup VPN password

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 15

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 15

console timeout 0

username vpnclient password ****** encrypted privilege 2

terminal width 80

Labels:
0 Helpful
9 Replies 9

singhsaju
Level 4
Level 4

‎09-18-2008 06:04 PM

Hello,

Do the following and check .

no nat (inside) 0 access-list 10

nat (inside) 0 access-list NO-NAT-VPN

Also post the debugs to help us troubleshoot the problem.

Noticed that the outside interface has 10.0.0.0 network ip address , can you explain how is this device connected to the internet?

HTH

Saju

Pls rate helpful posts

0 Helpful

jasosan22
Level 1
Level 1
In response to singhsaju

‎09-19-2008 06:38 AM

I changed the outside address to a non-routable (RFC 1918) address for security reaseons.

0 Helpful

jasosan22
Level 1
Level 1
In response to singhsaju

‎09-19-2008 08:23 AM

Saju,

Thanks for your help I had done what you suggested and tried it again.

Here is the debug from the router: ( have changed the outside address to 10.1.1.1 and the client address to 192.168.1.1 for security reasons.

1615Poydras-FW#

crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 40 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 40 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable.

crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500

ISAKMP: error, msg not encrypted

crypto_isakmp_process_block:src:192.168.1.1, dest:10.1.1.1 spt:1801 dpt:500

ISAKMP: error, msg not encrypted

0 Helpful

singhsaju
Level 4
Level 4
In response to jasosan22

‎09-19-2008 08:38 AM

"ISAKMP (0): atts are not acceptable"

Can you add following policy and then check ?

isakmp policy 50 authentication pre-share

isakmp policy 50 encryption 3des

isakmp policy 50 hash md5

isakmp policy 50 group 2

0 Helpful

jasosan22
Level 1
Level 1
In response to singhsaju

‎09-19-2008 09:05 AM

Gave it a try but still isn't working.

0 Helpful

singhsaju
Level 4
Level 4
In response to jasosan22

‎09-19-2008 09:11 AM

what are the debugs now?

0 Helpful

singhsaju
Level 4
Level 4
In response to singhsaju

‎09-19-2008 09:28 AM

Also what's the version of vpn client?

0 Helpful

jasosan22
Level 1
Level 1
In response to singhsaju

‎09-19-2008 11:22 AM

5.0.00.0340. I have about 8 other clients working on it.

0 Helpful

jasosan22
Level 1
Level 1
In response to jasosan22

‎09-19-2008 11:23 AM

I had all of the crypto debugs on isakmp ipsec ca engine and vpnclient

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents