VPN Connectivity Problem

kendo.igor (Level 1)

I'm using a PIX 515E and ACS 3.0.2 to provide VPN access to the remote users. I've added the following commands to the PIX:

sysopt connection permit-ipsec
ip local pool IPPool1 10.151.1.1-10.151.1.254
vpngroup vpngroup1 password vpnpass1
vpngroup vpngroup1 address-pool IPPool1
vpngroup vpngroup1 dns-server 10.200.1.1
vpngroup vpngroup1 wins-server 10.200.1.1
vpngroup vpngroup1 default-domain domain1.com
isakmp policy 20 authen pre-share
isakmp policy 20 encrypt des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp enable outside
access-list NatExemptACL permit ip any 10.151.1.0 255.255.255.0
nat (inside) 0 access-list NatExemptACL
crypto ipsec transform-set Transform1 esp-des esp-sha-hmac
access-list VpnAcl1 permit ip any 10.151.1.0 255.255.255.0
crypto dynamic-map DynamicMap1 20 match address VpnAcl1
crypto dynamic-map DynamicMap1 20 set transform-set Transform1
crypto dynamic-map DynamicMap1 20 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map CryptoMap1 65535 ipsec-isakmp dynamic DynamicMap1
crypto map CryptoMap1 client authentication RADIUS
crypto map CryptoMap1 interface outside

When I run the debug, this is what I get. The VPN Client 3.5x just shows me "Authenticating User" and sits there forever. Any idea?

fw01(config)# debug crypto isakmp
fw01(config)#
crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1
VPN Peer: ISAKMP: Added new peer: ip:10.150.1.20 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:10.150.1.20 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP: Created a peer node for 10.150.1.20
ISAKMP (0): ID payload
    next-payload : 10
    type : 2
    protocol : 17
    port : 500
    length : 21
ISAKMP (0): Total payload length: 25
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.150.1.20, dest 10.150.1.1
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 10.150.1.20. ID = 603293618 (0x23f587b2)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
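Reading the negotiation out of the debug above, as an added example (my own Python, not part of the post and not a Cisco tool): it parses the `debug crypto isakmp` lines, compares each client proposal with the configured `isakmp policy 20` (des / sha / group 2 / pre-share, as the post's config sets it), and counts the `retransmitting phase 2...` lines that follow the Xauth attribute request. The embedded log is a constructed excerpt of the post's output (transforms 3 and 4 dropped to keep it short; the line formats are unchanged). The rule that a pre-share policy accepts both `auth pre-share` and `extended auth pre-share` is my assumption, inferred from transform 5 being the one accepted.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the `debug crypto isakmp` output quoted in the post
# (transforms 3 and 4 omitted; the line formats are as the PIX prints them).
DEBUG_LOG = """\
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

# The PIX policy as configured in the post: isakmp policy 20 = des / sha / group 2 / pre-share.
PIX_POLICY = {"encryption": "DES-CBC", "hash": "SHA", "group": "2", "auth": "pre-share"}

CHECK_RE = re.compile(r"^ISAKMP \(0\): Checking ISAKMP transform (\d+) against priority (\d+) policy$")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|extended auth|auth) (\S+)$")


@dataclass
class Transform:
    number: int
    policy_priority: int
    attrs: dict = field(default_factory=dict)
    xauth: bool = False                 # proposal carried "extended auth" (Xauth)
    accepted: Optional[bool] = None     # None if the log ends before the verdict


def parse_transforms(log: str) -> list:
    """Collect every client proposal and the PIX verdict ("atts are [not] acceptable")."""
    transforms, cur = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = CHECK_RE.match(line)
        if m:
            cur = Transform(int(m.group(1)), int(m.group(2)))
            transforms.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            key, val = m.groups()
            if key == "default group":
                key = "group"
            elif key == "extended auth":        # assumption: Xauth flavour of pre-share
                key, cur.xauth = "auth", True
            cur.attrs[key] = val
        elif line.startswith("ISAKMP (0): atts are "):
            cur.accepted = "not acceptable" not in line
            cur = None
    return transforms


def mismatches(t: Transform, policy: dict) -> list:
    """Attributes of a proposal that differ from the policy, in policy order."""
    return [f"{k}: client {t.attrs.get(k)} vs policy {v}"
            for k, v in policy.items() if t.attrs.get(k) != v]


def session_status(log: str) -> dict:
    """Did phase 1 complete, was Xauth started, and how often did the PIX retransmit afterwards?"""
    return {
        "sa_authenticated": "SA has been authenticated" in log,
        "xauth_requested": "ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD" in log,
        "phase2_retransmits": log.count("retransmitting phase 2..."),
    }


if __name__ == "__main__":
    for t in parse_transforms(DEBUG_LOG):
        verdict = "accepted" if t.accepted else "rejected"
        print(f"transform {t.number}: {verdict}; xauth={t.xauth}; {mismatches(t, PIX_POLICY) or 'match'}")
    print(session_status(DEBUG_LOG))
```

Run against the full debug, the parser reports that only transform 5 (single DES, SHA, group 2, Xauth pre-share) matched policy 20, that every 3DES proposal the client offered first was rejected on encryption (and transforms 2 and 4 on hash as well), that phase 1 authenticated and the PIX then asked the client for XAUTH_TYPE, XAUTH_USER_NAME and XAUTH_USER_PASSWORD, and that the six retransmits all come after that request, so the tunnel is stalling in the Xauth exchange, not in the proposal match. Two things a practitioner would check from this: whether that Xauth request is reaching the client and being answered (the client side is still waiting at "Authenticating User"), and, separately, that the only acceptable cipher is single DES; a higher-priority policy with `encrypt 3des` would let the client's preferred transform 1 match instead.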


kagodfrey (Level 3)

What do you see in the radius server logs?