New Member

VPN Connectivity Problem

I'm using PIX 515E and ACS 3.0.2 to provide VPN access to the remote users. I've added the following commands to PIX:

sysopt connection permit-ipsec

ip local pool IPPool1 10.151.1.1-10.151.1.254

vpngroup vpngroup1 password vpnpass1

vpngroup vpngroup1 address-pool IPPool1

vpngroup vpngroup1 dns-server 10.200.1.1

vpngroup vpngroup1 wins-server 10.200.1.1

vpngroup vpngroup1 default-domain domain1.com

isakmp policy 20 authen pre-share

isakmp policy 20 encrypt des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp enable outside

access-list NatExemptACL permit ip any 10.151.1.0 255.255.255.0

nat (inside) 0 access-list NatExemptACL

crypto ipsec transform-set Transform1 esp-des esp-sha-hmac

access-list VpnAcl1 permit ip any 10.151.1.0 255.255.255.0

crypto dynamic-map DynamicMap1 20 match address VpnAcl1

crypto dynamic-map DynamicMap1 20 set transform-set Transform1

crypto dynamic-map DynamicMap1 20 set security-association lifetime seconds 28800 kilobytes 4608000

crypto map CryptoMap1 65535 ipsec-isakmp dynamic DynamicMap1

crypto map CryptoMap1 client authentication RADIUS

crypto map CryptoMap1 interface outside

When I run the debug, this is what I get. The VPN Client 3.5x just shows me "Authenticating User" and just sits there forever. Any idea?

fw01(config)# debug crypto isakmp

fw01(config)#

crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1

VPN Peer: ISAKMP: Added new peer: ip:10.150.1.20 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:10.150.1.20 Ref cnt incremented to:1 Total VPN Peers:1

OAK_AG exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP: Created a peer node for 10.150.1.20

ISAKMP (0): ID payload

next-payload : 10

type : 2

protocol : 17

port : 500

length : 21

ISAKMP (0): Total payload length: 25

return status is IKMP_NO_ERROR

crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1

OAK_AG exchange

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

ISAKMP (0): SA has been authenticated

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

ISAKMP/xauth: request attribute XAUTH_TYPE

ISAKMP/xauth: request attribute XAUTH_USER_NAME

ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD

ISAKMP (0:0): initiating peer config to 10.150.1.20. ID = 603293618 (0x23f587b2)

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

ISAKMP (0): retransmitting phase 2...

1 REPLY
New Member

Re: VPN Connectivity Problem

What do you see in the radius server logs?
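The debug output in the question can be triaged mechanically. The following is an added example, not part of the original thread: it parses "debug crypto isakmp" output in the format shown above, lists each transform the PIX checked with its verdict, and counts phase 2 retransmissions after the last XAUTH request. The function names and the embedded sample are constructed here, and treating a crypto_isakmp_process_block line as the marker of an inbound packet is an assumption based on where it appears in the post.

```python
import re

# Constructed sample: lines abbreviated from the debug output quoted in the post.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP: (encryption|hash|default group|(?:extended )?auth) (.+)$")

def parse_transforms(log):
    """Return one dict per proposal the PIX evaluated; attribute keys are as printed."""
    out, cur = [], None
    for line in (l.strip() for l in log.splitlines()):
        m = CHECK.search(line)
        if m:
            cur = {"num": int(m.group(1)), "priority": int(m.group(2)), "accepted": None}
            out.append(cur)
        elif cur is not None and (a := ATTR.match(line)):
            cur[a.group(1)] = a.group(2)
        elif cur is not None and "atts are" in line:
            cur["accepted"] = "not acceptable" not in line
            cur = None
    return out

def xauth_stall(log):
    """Count phase 2 retransmits after the last XAUTH request if nothing came back."""
    lines = [l.strip() for l in log.splitlines()]
    reqs = [i for i, l in enumerate(lines) if l.startswith("ISAKMP/xauth: request attribute")]
    tail = lines[reqs[-1]:] if reqs else []
    # Assumption: a crypto_isakmp_process_block line marks an inbound packet from the peer.
    if any(l.startswith("crypto_isakmp_process_block") for l in tail):
        return 0
    return sum("retransmitting phase 2" in l for l in tail)
```

Run over the full debug from the question, it reports transforms 1 to 4 (all 3DES-CBC) as rejected and transform 5 (DES-CBC) as accepted under policy 20, followed by six retransmissions with no inbound packet after the XAUTH request.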
