11-17-2002 10:13 PM - edited 02-21-2020 12:10 PM
I'm using PIX 515E and ACS 3.0.2 to provide VPN access to the remote users. I've added the following commands to PIX:
sysopt connection permit-ipsec
ip local pool IPPool1 10.151.1.1-10.151.1.254
vpngroup vpngroup1 password vpnpass1
vpngroup vpngroup1 address-pool IPPool1
vpngroup vpngroup1 dns-server 10.200.1.1
vpngroup vpngroup1 wins-server 10.200.1.1
vpngroup vpngroup1 default-domain domain1.com
isakmp policy 20 authen pre-share
isakmp policy 20 encrypt des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside
access-list NatExemptACL permit ip any 10.151.1.0 255.255.255.0
nat (inside) 0 access-list NatExemptACL
crypto ipsec transform-set Transform1 esp-des esp-sha-hmac
access-list VpnAcl1 permit ip any 10.151.1.0 255.255.255.0
crypto dynamic-map DynamicMap1 20 match address VpnAcl1
crypto dynamic-map DynamicMap1 20 set transform-set Transform1
crypto dynamic-map DynamicMap1 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map CryptoMap1 65535 ipsec-isakmp dynamic DynamicMap1
crypto map CryptoMap1 client authentication RADIUS
crypto map CryptoMap1 interface outside
When I run the debug, this is what I get. The VPN Client 3.5x just shows me "Authenticating User" and just sits there forever. Any idea?
fw01(config)# debug crypto isakmp
fw01(config)#
crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1
VPN Peer: ISAKMP: Added new peer: ip:10.150.1.20 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.150.1.20 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP: Created a peer node for 10.150.1.20
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 21
ISAKMP (0): Total payload length: 25
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 10.150.1.20. ID = 603293618 (0x23f587b2)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
11-18-2002 03:54 AM
What do you see in the radius server logs?
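As an added example for this thread (not part of the original posts and not Cisco code), here is a Python script that reads the posted `debug crypto isakmp` output against the posted `isakmp policy 20` lines. It explains per client transform why 1-4 (3DES) were rejected and 5 (DES) accepted, decodes the "life duration (VPI) of 0x0 0x20 0xc4 0x9b" byte string into seconds, and flags that after the XAUTH credentials request the PIX logged nothing but "retransmitting phase 2...", which is exactly the point where the RADIUS exchange asked about in the reply would have to show progress. The sample input is condensed from the debug in the post; the field names and the stall heuristic are this example's own assumptions. Because the debug shows "extended auth pre-share" being accepted against an "authentication pre-share" policy, the comparison only looks at the base authentication method.

```python
# Added example for this thread, not Cisco code: read PIX `debug crypto isakmp` output against the configured `isakmp policy`.
import re
from dataclasses import dataclass
from typing import Optional

PIX_CONFIG = """\
isakmp policy 20 authen pre-share
isakmp policy 20 encrypt des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# Condensed from the posted debug; client transforms 2-4 (also 3DES) are omitted.
DEBUG_OUTPUT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 10.150.1.20. ID = 603293618 (0x23f587b2)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

@dataclass
class Transform:
    number: int
    policy: int
    encryption: Optional[str] = None
    hash: Optional[str] = None
    group: Optional[str] = None
    auth: Optional[str] = None
    lifetime_seconds: Optional[int] = None
    accepted: Optional[bool] = None

def parse_policy(config: str) -> dict:
    """{policy number: {attribute: value}} from `isakmp policy N attr value` lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)$", config, re.M):
        num, attr, value = int(m.group(1)), m.group(2).lower(), m.group(3).lower()
        # PIX accepts abbreviated keywords (authen, encrypt); normalise them for comparison.
        attr = "authentication" if attr.startswith("auth") else "encryption" if attr.startswith("enc") else attr
        policies.setdefault(num, {})[attr] = value
    return policies

def parse_transforms(debug: str) -> list:
    """One Transform per 'Checking ISAKMP transform N' block, including the verdict line."""
    transforms, cur = [], None
    for line in (l.strip() for l in debug.splitlines()):
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy", line):
            cur = Transform(int(m.group(1)), int(m.group(2)))
            transforms.append(cur)
        elif cur is None or cur.accepted is not None:
            continue
        elif m := re.match(r"ISAKMP: (encryption|hash|(?:default )?group|(?:extended )?auth) (\S+)", line):
            # "3DES-CBC" -> "3des"; "default group" -> group; "extended auth" (XAUTH) -> auth
            setattr(cur, m.group(1).split()[-1], m.group(2).lower().removesuffix("-cbc"))
        elif m := re.match(r"ISAKMP: life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)", line):
            # The lifetime is logged as a big-endian byte string: 0x0 0x20 0xc4 0x9b -> 2147483 s
            cur.lifetime_seconds = int.from_bytes(bytes(int(t, 16) for t in m.group(1).split()), "big")
        elif "atts are not acceptable" in line:
            cur.accepted = False
        elif "atts are acceptable" in line:
            cur.accepted = True
    return transforms

def explain_mismatch(t: Transform, policy: dict) -> list:
    """Attributes on which transform `t` differs from one isakmp policy (base auth method only)."""
    offered = {"encryption": t.encryption, "hash": t.hash, "group": t.group, "authentication": t.auth}
    return [f"{k} {v} != {policy.get(k)}" for k, v in offered.items() if v != policy.get(k)]

def xauth_status(debug: str) -> dict:
    """Did anything happen after the PIX asked the client for XAUTH credentials?"""
    lines = [l.strip() for l in debug.splitlines() if l.strip()]
    req = [i for i, l in enumerate(lines) if "ISAKMP/xauth: request attribute" in l]
    after = lines[req[-1] + 1:] if req else []
    # Heuristic (this example's own): the PIX's retransmits and its mode-config push are not
    # progress; any other line after the request (a reply, a status, a new SA) is.
    progress = [l for l in after if "retransmitting phase 2" not in l and "initiating peer config" not in l]
    retransmits = sum("retransmitting phase 2" in l for l in lines)
    return {"xauth_requested": bool(req), "phase2_retransmits": retransmits,
            "stalled_after_xauth_request": bool(req) and retransmits > 0 and not progress}

if __name__ == "__main__":
    pol = parse_policy(PIX_CONFIG)
    for t in parse_transforms(DEBUG_OUTPUT):
        print(t.number, "accepted" if t.accepted else "rejected", explain_mismatch(t, pol[t.policy]))
    print(xauth_status(DEBUG_OUTPUT))
```

Run against the full debug from the post, every rejected transform reports only "encryption 3des != des": the client offers 3DES in its first four proposals and falls back to 56-bit DES solely because the PIX policy allows nothing stronger. On a 3DES-licensed PIX, `isakmp policy 20 encryption 3des` together with `esp-3des` in the transform set would negotiate 3DES instead. The stall check shows that Phase 1 completed and the credentials request went out, but the debug alone cannot say whether the client's reply or the RADIUS answer is what never arrived, which is why the RADIUS server logs are the next thing to look at.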