I'm trying to get VPN remote access working.
as a template; my resulting config file is attached, as is my client profile.
When I try to attach with the VPN client software I get the following error:
Cisco Systems VPN Client Version 4.6.00.0045
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client
1 11:49:25.821 05/14/07 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
2 11:49:25.821 05/14/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
At this point I'm kind of at a loss; this seems to imply that the basic connectivity is corrupt, but I can get internet traffic through the firewall.
Or is the client complaining about the security parameters I've set in the PIX?
Any advice? Is there a way to enable a log at the PIX to see what it thinks is happening?
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication partnerauth
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
I did so; the client now reports an authentication failure. It obviously got a lot further; what's the problem with my original setup?
Here's the isakmp log from the PIX:
ISAKMP Debug Log:
08:09:11.012 UTC Tue May 15 2007, peer 18.104.22.168, DELETE_ALL_SPIS
08:09:10.012 UTC Tue May 15 2007, peer 22.214.171.124, ISAKMP_DISCONNECTED
08:09:09.962 UTC Tue May 15 2007, peer 126.96.36.199, MALFORMED_PAYLOAD (mess_id 3601719422)
08:09:09.152 UTC Tue May 15 2007, peer 188.8.131.52, P2_RETRAN (3) (mess_id 3601719422)
08:09:04.152 UTC Tue May 15 2007, peer 184.108.40.206, P2_RETRAN (2) (mess_id 3601719422)
08:08:59.152 UTC Tue May 15 2007, peer 220.127.116.11, P2_RETRAN (1) (mess_id 3601719422)
08:08:54.152 UTC Tue May 15 2007, peer 18.104.22.168, ISAKMP_CONNECTED
08:08:54.152 UTC Tue May 15 2007, peer 22.214.171.124, P1_DONE
08:08:54.152 UTC Tue May 15 2007, peer 126.96.36.199, DELETE_ALL_SPIS
08:08:54.152 UTC Tue May 15 2007, peer 188.8.131.52, INITIAL_CONTACT_RCVD
08:08:52.602 UTC Tue May 15 2007, peer 184.108.40.206, P1_RESP
In the original procedure step 6 it said:
Note: Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID. In this example, the access-list ID is 100. The entry in the authentication server would then be acl=100.
I condensed this into one access-list statement because I don't want to restrict the traffic on the VPN:
access-list 100 permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0
I have 2 questions:
1. Will my access-list statement work?
2. I'm not clear on the "Note" above. My RADIUS server is the one built into Windows Server 2003. I can specify a RADIUS client, and "Cisco" is on the list. If I choose "Cisco", does that simply mean that the access-list ID should also be "Cisco", or is it more complicated than that?
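The ISAKMP debug log above is printed newest-first and mixes phase 1 and phase 2 events, so the useful reading (phase 1 finished, then one later exchange was retransmitted three times and died with MALFORMED_PAYLOAD) is easy to miss. The following is an added example, not code from the thread or from Cisco: a small parser for that log format that orders the events, groups them per peer and turns them into the troubleshooting hint. The sample log is constructed to match the lines quoted in the post, with the placeholder peer address 203.0.113.10 standing in for the real client.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample in the PIX 6.3 ISAKMP debug-log line format quoted in the
# thread, newest entry first as the PIX prints it. 203.0.113.10 is a
# documentation placeholder for the client's public address.
SAMPLE_LOG = """\
ISAKMP Debug Log:
08:09:11.012 UTC Tue May 15 2007, peer 203.0.113.10, DELETE_ALL_SPIS
08:09:10.012 UTC Tue May 15 2007, peer 203.0.113.10, ISAKMP_DISCONNECTED
08:09:09.962 UTC Tue May 15 2007, peer 203.0.113.10, MALFORMED_PAYLOAD (mess_id 3601719422)
08:09:09.152 UTC Tue May 15 2007, peer 203.0.113.10, P2_RETRAN (3) (mess_id 3601719422)
08:09:04.152 UTC Tue May 15 2007, peer 203.0.113.10, P2_RETRAN (2) (mess_id 3601719422)
08:08:59.152 UTC Tue May 15 2007, peer 203.0.113.10, P2_RETRAN (1) (mess_id 3601719422)
08:08:54.152 UTC Tue May 15 2007, peer 203.0.113.10, ISAKMP_CONNECTED
08:08:54.152 UTC Tue May 15 2007, peer 203.0.113.10, P1_DONE
08:08:54.152 UTC Tue May 15 2007, peer 203.0.113.10, DELETE_ALL_SPIS
08:08:54.152 UTC Tue May 15 2007, peer 203.0.113.10, INITIAL_CONTACT_RCVD
08:08:52.602 UTC Tue May 15 2007, peer 203.0.113.10, P1_RESP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+ UTC \w{3} \w{3} \d{1,2} \d{4}), "
    r"peer (?P<peer>\S+), (?P<event>[A-Z0-9_]+)"
    r"(?: \((?P<attempt>\d+)\))?"          # retransmit counter, e.g. P2_RETRAN (3)
    r"(?: \(mess_id (?P<mess_id>\d+)\))?\s*$"
)


@dataclass
class Event:
    ts: datetime
    peer: str
    event: str
    attempt: Optional[int]
    mess_id: Optional[str]


def parse_isakmp_log(text: str) -> list:
    """Parse the log into Events ordered oldest-first (the PIX prints newest-first)."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers such as "ISAKMP Debug Log:"
        parsed.append(Event(
            ts=datetime.strptime(m.group("ts"), "%H:%M:%S.%f UTC %a %b %d %Y"),
            peer=m.group("peer"),
            event=m.group("event"),
            attempt=int(m.group("attempt")) if m.group("attempt") else None,
            mess_id=m.group("mess_id"),
        ))
    # Reverse first so entries sharing a timestamp keep their printed order
    # under the stable sort.
    return sorted(reversed(parsed), key=lambda e: e.ts)


def diagnose(events: list) -> dict:
    """Per peer: did phase 1 finish, and which post-phase-1 exchange stalled or failed."""
    by_peer = defaultdict(list)
    for e in events:
        by_peer[e.peer].append(e)
    report = {}
    for peer, evs in by_peer.items():
        names = [e.event for e in evs]
        retrans, failed = {}, []
        for e in evs:
            if e.event == "P2_RETRAN" and e.mess_id:
                retrans[e.mess_id] = max(retrans.get(e.mess_id, 0), e.attempt or 0)
            elif e.event == "MALFORMED_PAYLOAD" and e.mess_id:
                failed.append(e.mess_id)
        report[peer] = {
            "phase1_done": "P1_DONE" in names,
            "phase2_retransmits": retrans,
            "phase2_failed": failed,
            "disconnected": "ISAKMP_DISCONNECTED" in names,
        }
    return report


def explain(verdict: dict) -> str:
    """Turn one peer's verdict into the hint a PIX admin wants to read."""
    if not verdict["phase1_done"]:
        return ("phase 1 never completed: compare the isakmp policy (authentication, "
                "encryption, hash, group) with what the client proposes")
    if verdict["phase2_failed"]:
        mid = verdict["phase2_failed"][0]
        n = verdict["phase2_retransmits"].get(mid, 0)
        return (f"phase 1 completed; exchange mess_id {mid} went unanswered after {n} "
                "retransmits and ended MALFORMED_PAYLOAD: check what follows phase 1 "
                "(client authentication/xauth, mode-config, the transform-set in the dynamic map)")
    if verdict["phase2_retransmits"]:
        return "phase 1 completed but a later exchange is still retransmitting"
    return "negotiation completed" + (", then the peer disconnected" if verdict["disconnected"] else "")


if __name__ == "__main__":
    for peer, verdict in diagnose(parse_isakmp_log(SAMPLE_LOG)).items():
        print(peer, "->", explain(verdict))
```

Run it against a pasted log: a peer that never reaches P1_DONE points at the isakmp policy, while P1_DONE followed by P2_RETRAN and MALFORMED_PAYLOAD (the case in this thread) points at the steps after phase 1, which is where the client authentication problem discussed below turned out to be.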
access-list 100 is not doing anything that I can see. The ACL that has anything to do with the VPN at all is 80, which does your NAT exemption with these commands. These look good.
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80
As far as your RADIUS server goes, I assume you are talking about IAS? All you have to do in IAS is create a new client. That configuration is pretty straightforward. Enter a friendly name, which can be anything, and an IP address, which would be the inside address of the ASA. Use RADIUS Standard for Client-Vendor, not Cisco. Also enter a shared secret. You then must create a Remote Access Policy which defines the connection attributes, and specify Grant Remote Access Permission. Here is the doc for PIX/ASA 7, but it covers the IAS configuration, which is the same and is easier than me typing it all out.
A good place to look when you are trying to authenticate to your IAS/AD machine is your Event Viewer, under System. The authentication requests will show in there and help you troubleshoot.
Oh, and ACL 100 is not needed; you can get rid of it.
Good stuff! This seems to work.
If I may impose on your patience for two more questions:
1. What was wrong with my original isakmp policies:
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption aes
isakmp policy 8 hash sha
isakmp policy 8 group 5
2. The client can't access the internet through the VPN; how do I route that traffic to the outside interface?
Thanks for all your help.
1. Honestly I'm not sure.
2. For internet access while connected to the VPN you will have to set up split tunneling. What this will do is define a policy for what traffic will be encrypted on the VPN. In your case anything to 192.168.0.0 will be encrypted; anything else (internet) will not be, and you will be able to simultaneously access the internet. It has nothing to do with routing. You will see the difference in your VPN client while connected under Status -> Statistics -> Route Details. Without split tunnel you will only see 0.0.0.0 under secured routes. When split tunnel is set up you will only see 192.168.0.0 under secured routes, meaning everything else is unsecured and not part of the VPN.
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup ddiremote split-tunnel split_tunnel
Please rate posts if they helped.
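The point of the split-tunnel ACL is that only the networks it lists become "secured routes" on the client; every other destination leaves the laptop in the clear, which is exactly the disagreement that follows in this thread. As an added example (not from the thread or from Cisco), the following Python reads the two configuration lines above, works out what the client's Route Details would show, and classifies sample destinations as tunnelled or clear. It assumes PIX 6.3 semantics: access-lists carry ordinary netmasks, the protected network is the source side of the permit entry, and a vpngroup with no split-tunnel statement secures 0.0.0.0/0. The sample configuration and the destination addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the NAT-exemption ACL and the split-tunnel lines from the
# thread. ACL 80 is included to show that only the list named by the vpngroup
# contributes secured routes.
SAMPLE_CONFIG = """\
access-list 80 permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list 80
access-list split_tunnel permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
vpngroup ddiremote split-tunnel split_tunnel
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)$"
)
VPNGROUP_RE = re.compile(r"^vpngroup (?P<group>\S+) split-tunnel (?P<acl>\S+)$")


def secured_routes(config: str, acl_name: str) -> list:
    """Networks the client will send down the tunnel: the source side of each
    permit entry in the named list (PIX 6.3 uses plain netmasks, not wildcards)."""
    routes = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            net = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            routes.append(net)
    return routes


def client_routes(config: str, group: str) -> list:
    """What Status -> Statistics -> Route Details would list as secured for a vpngroup."""
    for line in config.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if m and m.group("group") == group:
            return secured_routes(config, m.group("acl"))
    # No split-tunnel statement for this group: the client secures everything.
    return [ipaddress.ip_network("0.0.0.0/0")]


def classify(dst: str, routes: list) -> str:
    """'tunnel' if dst falls inside a secured route, otherwise 'clear' (sent directly
    over whatever network the laptop is on)."""
    addr = ipaddress.ip_address(dst)
    return "tunnel" if any(addr in net for net in routes) else "clear"


def tunnel_plan(config: str, group: str, destinations: list) -> dict:
    """Map each destination to how the client would send it under this config."""
    routes = client_routes(config, group)
    return {dst: classify(dst, routes) for dst in destinations}


if __name__ == "__main__":
    # 198.51.100.25 is a documentation address standing in for an internet mail server.
    targets = ["192.168.0.10", "198.51.100.25"]
    print("split tunnel:", tunnel_plan(SAMPLE_CONFIG, "ddiremote", targets))
    print("no split tunnel:", tunnel_plan("", "ddiremote", targets))
```

With the split-tunnel lines present, only 192.168.0.0/24 is tunnelled and the mail server at an internet address is reached in the clear; with the vpngroup's split-tunnel statement removed, everything goes down the tunnel, which on this 6.3 PIX means the client has no internet access at all, as the rest of the thread explains.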
You said: "In your case anything to 192.168.0.0 will be encrypted, anything else (internet) will not be and you will be able to simultaneously access the internet."
Well, no: when I'm connected to the VPN I want ALL traffic to go through it.
Example: I'm in an airport connected to an unsecured wireless router, and I want to check my email; I want that traffic encrypted!
You did ask how to get the vpn client to access the internet.
If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet.
Where's your mail server? If it is in your network then yes, this would be encrypted, but if you wanted to browse www.google.com for example, this traffic cannot be encrypted. There is an option in PIX/ASA version 7 which allows you to bounce VPN client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be NAT'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client. Hope that makes sense.
"If you are concerned about security you should not use split tunnel and should disconnect from the vpn when you want to use the internet."
Well, I'm confused: I *AM* concerned with security, that's why I'm using a VPN. If I could trust the local network I wouldn't need a VPN. I can set up the Microsoft RAS server to send all traffic down the VPN pipe, and then route any non-local traffic out to the default gateway at the server. I assumed that the PIX was able to do the same thing.
Are you implying that at the PIX it's impossible to NAT any traffic not destined for 192.168.0.0 out to the outside interface?
You got it. My mail server is at an internet address.
"There is an option in PIX/ASA version 7 which allows you to bounce VPN client internet traffic off the outside interface of the firewall, so in that case the traffic would be encrypted as far as the firewall, then the client would be NAT'ed and the traffic would be cleartext to the internet. The return traffic would be encrypted from the firewall to the client."
This is EXACTLY what I want, but I bought a PIX-506e which is running version 6.3.
So, did I buy the wrong thing? Can version 7 be loaded onto a 506e?
The PIX 501, PIX 506/506E, and PIX 520 security appliances are not supported in software Version 7.0.
Another option you may have is to have an internal proxy server, not ideal probably, but an option.
OK, let's consider falling back to Microsoft RAS.
With my old router I just specified port forwarding to point connection requests on a specific port to a specific internal IP address. May I assume that this can also be done with the PIX? And if so, can you point me to the commands that I'd need to enable it? Access-list, perhaps?
access-list outside_in permit tcp any host 220.127.116.11 eq 80
access-group outside_in in interface outside
static (inside,outside) tcp 220.127.116.11 80 192.168.0.10 80 netmask 255.255.255.255
access-list outside_in permit tcp any host 18.104.22.168 eq 80
access-group outside_in in interface outside
static (inside,outside) tcp interface 80 192.168.0.10 80 netmask 255.255.255.255
or if you wanted to forward port 80 to inside port 8080
static (inside,outside) tcp 22.214.171.124 80 192.168.0.10 8080 netmask 255.255.255.255
Thanks - this was very helpful.
I had to add:
fixup protocol pptp 1723
Now it's working just like before.
Thanks again for your help. I can't say that the command reference is intuitive, so your advice really helped.
1. I would guess you were using DES and SHA, which doesn't seem to work for me. If I use DES then I use MD5, and if I use 3DES I use SHA. Not sure exactly why, but that's how I've always done it and it's worked.
2. Can't you just split-tunnel it?