Configure a VPN client and Site to Site VPN tunnel

martymailey
Level 1

Hi, I'm setting up a test network between 2 sites. SiteA has a 515E PIX and SiteB has a 501 PIX. Both sites have been set up with a site to site VPN tunnel, see SiteA config below. I also require that remote clients using Cisco VPN client 3.6 be able to connect into SiteA, be authenticated, get DHCP info and connect to hosts inside the network. However, when I add these config lines, see below, to the SiteA PIX it stops the VPN tunnel to SiteB. The client can connect and do as needed, so that part of my config is correct, but I cannot see why the site to site VPN tunnel is then no longer up.

SiteA config with working VPN tunnel to SiteB:

SITE A

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.x.x.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.x.x.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.x.x.0.0 201.201.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
SiteA-pix(config)#

The lines I add for the Cisco VPN clients are attached.

I entered each line one by one and did a reload and sh crypto map; all was OK until I entered the crypto map VPNPEER lines.

Anyone any ideas what this can be?

Thanks

19 Replies

ggilbert
Cisco Employee

Hi,

Instead of adding this

crypto map VPNPEER 30 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication RADIUS
crypto map VPNPEER interface outside

Add this:

crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside

You can have only one crypto map name applied to an interface but different sequence numbers.
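As an added illustration of the point above (example code, not from the thread or from Cisco): a small check over a PIX 6.x config excerpt that flags a second crypto map name bound to the same interface, and a dynamic entry whose sequence number is lower than a static one, since entries are evaluated in sequence order and the dynamic entry should come last. The config excerpt is constructed from the lines quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed excerpt: the site-to-site entry under outside_map plus the remote
# client entry under a second map name, as in the original question.
BROKEN_CONFIG = """
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto map VPNPEER 30 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER client authentication RADIUS
crypto map VPNPEER interface outside
"""
# The fix from the reply above: same map name, different sequence numbers.
FIXED_CONFIG = BROKEN_CONFIG.replace("VPNPEER", "outside_map")

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def check_crypto_maps(config):
    """Return a list of findings for the crypto map lines of a PIX 6.x config."""
    bound = defaultdict(set)     # interface -> map names bound to it
    entries = defaultdict(list)  # map name -> [(sequence, is_dynamic)]
    for line in config.splitlines():
        line = line.strip()
        if m := BIND_RE.match(line):
            bound[m.group(2)].add(m.group(1))
        elif m := ENTRY_RE.match(line):
            entries[m.group(1)].append((int(m.group(2)), m.group(3) is not None))
    findings = []
    for iface, names in bound.items():
        if len(names) > 1:
            # Only one crypto map name can be applied to an interface.
            findings.append(f"{iface}: more than one crypto map bound: {', '.join(sorted(names))}")
    for name, seqs in entries.items():
        static = [s for s, dyn in seqs if not dyn]
        dynamic = [s for s, dyn in seqs if dyn]
        if static and dynamic and min(dynamic) < max(static):
            # Entries are tried in sequence order; a dynamic entry should be last.
            findings.append(f"{name}: dynamic entry {min(dynamic)} precedes static entry {max(static)}")
    return findings
```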

Hi, I made the changes and I can see by doing sh isakmp sa that the site to site tunnel stays up. The VPN client connection and inside IAS server authenticate me in my domain but it stops at Securing Communication Channel. I remember this from ages ago but cannot remember how I resolved it.

Any ideas?

thanks

Martin,

Can you post the pix configuration after you made the changes? And also the outputs of "deb cry is" and "deb cry ips" from the pix and logs from the VPN Client.

Regards,

Arul

** Please rate all helpful posts **

Here's my config:

PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 webdmz security20
enable password xxx
passwd xxx
hostname SiteA-pix
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
no fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 200.x.x.0 SiteA_INT
name 201.x.x.201 SiteA_EXT
name 200.x.x.254 PIX_INT
name 10.10.10.0 SiteB_INT
name 11.11.11.11 SiteB_EXT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list outside_cryptomap_20 permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
access-list acl_inside permit icmp any any
access-list acl_inside permit ip any any
access-list acl_outside permit ip any any
access-list acl_outside permit icmp any any
access-list 80 permit ip SiteA_INT 255.255.0.0 200.220.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu webdmz 1500
ip address outside SiteA_EXT 255.255.255.128
ip address inside PIX_INT 255.255.0.0
no ip address webdmz
ip audit info action alarm
ip audit attack action alarm
ip local pool pix_inside 200.x.x.100-200.220.200.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
route outside 0.0.0.0 0.0.0.x.x.201.202 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 200.200.200.20 letmein timeout 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set AAADES esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 match address 80
crypto dynamic-map DYNOMAP 10 set transform-set AAADES
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer SiteB_EXT
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 30 ipsec-isakmp dynamic DYNOMAP
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp key secret address SiteB_EXT netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup Remote address-pool pix_inside
vpngroup Remote dns-server 200.200.200.20
vpngroup Remote wins-server 200.200.200.20
vpngroup Remote default-domain mycorp.co.uk
vpngroup Remote idle-time 1800
vpngroup Remote password password
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

I will attach debug output later today.

Thanks

Here's the debug from the pix from the deb cry is command; the VPN client produced no logging.

thanks

Hi Marty,

Is this issue resolved? If not, can you please let me know if you can send me the VPN client logs.

Thanks

Gilbert

Hi Gilbert, still not resolved. Still stopping at the securing communications channel. The VPN client does not capture any logs.

I am getting authenticated by the Radius and domain controller inside the network. If I do sh isakmp sa I see that the site to site tunnel is still up and the tunnel to the remote client IP address is also listed.

Thanks

Send me an email at ggilbert@cisco.com.

We can catch up from there.

Regards,

Gilbert

OK, I captured vpn client log entry,

1 20:38:27.937 12/11/06 Sev=Warning/3 IKE/0xE3000002

Function initialize_qm failed with an error code of 0x00000000(INITIATE:650)

Marty -

Can you try to use the new version of the VPN client instead of the 3.6 version and see what happens.

Thanks

Gilbert

Can this be downloaded from the Cisco site? My account has guest rights only.

It's cryptographic software.

Your account should be tied to a contract in order to download this software.

Gilbert

No same thing with it, Securing communication channel...

OK, some success here.

I can connect with the VPN client now and the site to site tunnel remains up. I'm assigned an IP address from the address pool 200.220.200.1xx BUT what I cannot do from my remote client is ping or connect to any inside host, e.g. 200.200.200.10.

I found that the line crypto dynamic-map dynmap 10 match address 80 would break the site to site tunnel, so I left it out.

The config is attached

Thanks for any help
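One check worth running on the config posted earlier in this thread is whether the client address pool is covered by the nat 0 exemption ACL: as posted, inside_outbound_nat0_acl only lists SiteB_INT as a destination, while nat (inside) 0 is what keeps inside-to-pool traffic from being translated by the global (outside) 1 interface rule. The script below is an added example, not from the thread or from Cisco; it parses a constructed excerpt (placeholder addresses, not the real ones) and reports the parts of the pool that no nat 0 entry exempts.

```python
import ipaddress
import re

# Constructed excerpt modelled on the posted config: names, a nat 0 ACL that only
# exempts the site-to-site peer network, and a client pool. Addresses are
# placeholders chosen for the example, not the thread's real ones.
CONFIG = """
name 10.1.0.0 SiteA_INT
name 10.10.10.0 SiteB_INT
access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 SiteB_INT 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
ip local pool pix_inside 10.2.200.100-10.2.200.150
"""
# Same excerpt with an exemption entry for the pool's network added.
FIXED_CONFIG = CONFIG + "access-list inside_outbound_nat0_acl permit ip SiteA_INT 255.255.0.0 10.2.200.0 255.255.255.0\n"

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAME_RE = re.compile(r"^name (\S+) (\S+)$")

def pool_nat_exempt_gaps(config):
    """Return the pool address blocks that no nat 0 ACL entry exempts from NAT."""
    names, acls, nat0, pool = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := NAME_RE.match(line):
            names[m.group(2)] = m.group(1)          # PIX name -> address
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)                       # ACL used for NAT exemption
        elif m := POOL_RE.match(line):
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    if pool is None or nat0 is None:
        raise ValueError("config has no client pool or no nat 0 ACL")

    def net(addr, mask):  # resolve a PIX name (if any) and build a network
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    exempt_dsts = [net(dst, dmask) for _, _, dst, dmask in acls.get(nat0, [])]
    gaps = []
    # Split the pool range into CIDR blocks and test each against the ACL destinations.
    for block in ipaddress.summarize_address_range(*pool):
        if not any(block.subnet_of(d) for d in exempt_dsts):
            gaps.append(str(block))
    return gaps
```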