Cisco Support Community
New Member

Pix 515E cannot get the VPN client to work

Hi there,

I am having some difficulties configuring two things:

1. After a couple of hours struggling to create a tunnel (lan to lan) I finally got it to work. When I try to do the same for remote users using the Cisco vpn client I only get an error 412: the remote peer is no longer responding.

Client log:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6000

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002

Begin connection process

3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004

Establish secure connection

4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024

Attempt connection with server "82.94.31.134"

5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 82.94.31.134.

6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134

7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Attached is the config file from the Pix 515E.

2. I need to access RDP with port redirection. So when I access 82.x.x.x:4000 it would translate to 192.168.1.50:3389. So far I'm not able to get this to work.

Any help would be greatly appreciated.

Regards,

Jeroen

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Pix 515E cannot get the VPN client to work

Does this do the trick?

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

26 REPLIES
Green

Re: Pix 515E cannot get the VPN client to work

#1. Start by changing your vpn client pool to a different subnet, it should not be the same as your inside subnet.

ip local pool vpnclient 192.168.5.150-192.168.5.200

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0

#2. If 82.x.x.x is your outside interface address then...

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

If it is another address then...

static (inside,outside) tcp 82.x.x.x 4000 192.168.1.50 3389 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host 82.x.x.x eq 4000

New Member

Re: Pix 515E cannot get the VPN client to work

Thank you for the reply. I gave the commands as you told me, but I still cannot reach the terminal server on the other side. I know the terminal server is responding because I can access it across the working VPN tunnel.

Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set one up in the Cisco client?

My config file:

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

access-list Internet_nat0_inbound extended permit ip any 192.168.0.0 255.255.255.0

access-list Internet_cryptomap_20 extended permit ip any 192.168.0.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.39.5.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list 222 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list 222 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.128 255.255.255.128

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging trap emergencies

logging asdm informational

logging class auth trap emergencies

mtu outside 1500

mtu inside 1500

ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

global (inside) 2 192.168.1.50

nat (outside) 0 access-list Internet_nat0_inbound outside

nat (inside) 0 access-list 222

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

Green

Re: Pix 515E cannot get the VPN client to work

"Do you know why I have to enter a pre-shared key when I run the VPN wizard (client access) from ASDM when I cannot set one up in the Cisco client?"

-Sure you can, under group authentication, you need the group name and password (password = pre-shared key)

"I gave the commands as you told me, but I still cannot reach the terminal server on the other side"

no static (inside,outside) tcp interface 3389 192.168.1.50 4000 netmask 255.255.255.255

no static (inside,outside) tcp 82.94.31.134 4000 192.168.1.50 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

New Member

Re: Pix 515E cannot get the VPN client to work

1: Oops, that's a dumb mistake. I keep getting the same error connecting though, even after changing the VPN client pool to 192.168.5.x

I have done a reset to factory defaults so I could not get errors after making previous mistakes. Still I cannot access the terminal server on port 4000 from another location.

My config file as of now:

asdm image flash:/asdm-501.bin

asdm history enable

: Saved

:

PIX Version 7.0(1)

names

!

interface Ethernet0

nameif outside

security-level 0

ip address 82.94.x.x.255.255.248

!

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet2

shutdown

no nameif

no security-level

no ip address

!

enable password xxx

passwd xxx

hostname sabrapix

domain-name asp.local

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.0

access-list VPNclient_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.5.0 255.255.255.0

access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool clientpool 192.168.5.10-192.168.5.200 mask 255.255.255.0

monitor-interface outside

monitor-interface inside

asdm image flash:/asdm-501.bin

asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 82.94.31.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy VPNclient internal

group-policy VPNclient attributes

dns-server value 194.109.6.66 194.109.9.99

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPNclient_splitTunnelAcl

username sabra password 9zpQIMMxEQ2QXgFd encrypted privilege 15

username jeroen password Q.HHDJ8rYk7zK0/K encrypted privilege 0

http server enable

http 192.168.1.0 255.255.255.0 inside

snmp-server host outside 192.168.1.50 community public

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp ipsec-over-tcp port 10000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.50-192.168.1.250 inside

dhcpd dns 194.109.6.66 194.109.9.99

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable inside

tunnel-group VPNclient type ipsec-ra

tunnel-group VPNclient general-attributes

address-pool clientpool

default-group-policy VPNclient

tunnel-group VPNclient ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

Green

Re: Pix 515E cannot get the VPN client to work

"Still I cannot access the terminal server on port 4000 from another location."

-Your ACL is not applied.

access-group outside_access_in in interface outside
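The two configuration problems diagnosed so far in this thread (a VPN pool inside the LAN subnet, and an ACL that was defined but never bound with `access-group`) can be checked mechanically. The following is an added example, not part of the original posts: the `audit` function and the combined config excerpt are constructed for illustration, and the single-DES flag is an extra check added here.

```python
import ipaddress
import re

# Constructed excerpt: lines taken from the configs posted in this thread,
# combined so that each problem the replies diagnose is present at once.
SAMPLE_CONFIG = """\
interface Ethernet1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 82.94.31.134 eq 4000
ip local pool VPNclientpool 192.168.1.175-192.168.1.225 mask 255.255.255.0
static (inside,outside) tcp interface 4000 192.168.1.50 3389 netmask 255.255.255.255
isakmp policy 10 encryption des
"""

# The same excerpt with the two fixes from the replies applied.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.1.175-192.168.1.225", "192.168.5.150-192.168.5.200"
) + "access-group outside_access_in in interface outside\n"


def audit(config):
    """Return a list of finding strings for a PIX 7.x style config text."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. A VPN address pool must not fall inside an interface subnet.
    nets = []
    for ln in lines:
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", ln)
        if m:
            nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+?)-(\S+)", ln)
        if not m:
            continue
        for net in nets:
            if any(ipaddress.ip_address(a) in net for a in (m[2], m[3])):
                findings.append(f"pool {m[1]} overlaps interface subnet {net}")

    # 2. Each static port redirect needs a permit in an ACL that is
    #    actually bound to the outside interface with access-group.
    bound = {m[1] for ln in lines
             if (m := re.match(r"access-group (\S+) in interface outside", ln))}
    permitted = set()
    for ln in lines:
        m = re.match(r"access-list (\S+) extended permit tcp .* eq (\d+)$", ln)
        if m and m[1] in bound:
            permitted.add(m[2])
    for ln in lines:
        m = re.match(r"static \(inside,outside\) tcp \S+ (\d+) ", ln)
        if m and m[1] not in permitted:
            findings.append(f"static port {m[1]} has no applied outside ACL permit")

    # 3. Extra check: single DES (56-bit key) is within reach of brute force.
    for ln in lines:
        if re.search(r"\bencryption des\b|\besp-des\b", ln):
            findings.append(f"single DES in use: {ln}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
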

New Member

Re: Pix 515E cannot get the VPN client to work

Great that solved my redirect problem! great!

VPN client software is still not responding though.

Client log is different:

16 17:23:17.952 06/07/07 Sev=Warning/2 IKE/0xE300009B

Invalid SPI size (PayloadNotify:116)

17 17:23:17.952 06/07/07 Sev=Info/4 IKE/0xE30000A6

Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

18 17:23:17.952 06/07/07 Sev=Warning/3 IKE/0xA3000058

Received malformed message or negotiation no longer active (message id: 0x00000000)

19 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

20 17:23:23.017 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

21 17:23:23.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

22 17:23:23.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

23 17:23:23.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

24 17:23:23.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

25 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

26 17:23:28.018 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

27 17:23:28.043 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

28 17:23:28.043 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

29 17:23:28.046 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

30 17:23:28.046 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

31 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

32 17:23:33.024 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

33 17:23:33.072 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

34 17:23:33.072 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

35 17:23:33.075 06/07/07 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 82.94.31.134

36 17:23:33.075 06/07/07 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

37 17:23:38.038 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

38 17:23:39.035 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=D862884C20A335FF R_Cookie=55083D7233A62738) reason = DEL_REASON_PEER_NOT_RESPONDING

39 17:23:39.035 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

40 17:23:39.035 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

41 17:23:39.040 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

42 17:23:39.040 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

43 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

44 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

46 17:23:39.054 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Green

Re: Pix 515E cannot get the VPN client to work

Can you log on the pix? Are you getting prompted for username/password?

New Member

Re: Pix 515E cannot get the VPN client to work

I don't have an ASA, I have a Pix 515E. I thought I did not need an ASA to use the VPN client?

I don't get a message prompting me for a username and password. I just get the message: Reason 412: the remote peer is no longer responding.

(edit: you changed it already...I was getting worried there :))

Green

Re: Pix 515E cannot get the VPN client to work

Ya, my mistake. So can you log on pix?

debug crypto isakmp

New Member

Re: Pix 515E cannot get the VPN client to work

I can exec the command but it gave no output, just the prompt again.

Green

Re: Pix 515E cannot get the VPN client to work

Are you on console or telnet/ssh? Try this then try the client, you should receive isakmp debugging info.

logging monitor debugging

or

logging console debugging

New Member

Re: Pix 515E cannot get the VPN client to work

Thanks for your patience.

I entered the commands successfully, but the debugging command still gives no output.

Not in HyperTerm and not through telnet.

Does this mean there is no communication going from here to the pix? I'll try again at home in a couple of minutes.

Thanks again.

Green

Re: Pix 515E cannot get the VPN client to work

"Does this mean there is no communication going from here to the pix?"

That's what it sounds like. You are coming from the outside of pix right?

New Member

Re: Pix 515E cannot get the VPN client to work

Yes, I'm connecting from another place, and using the same IP address to connect to. Now I tried it from another connection with different hardware but still I get no debugging information.

I should mention that I am using Vista to connect, but I am using version 5 to connect, which should be compatible. Also I disabled the firewall. Everything else seems to be working just fine.

When I tried again it gave me this:

sabrapix(config)# Jun 07 17:04:48 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:54 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:04:59 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:05:04 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Green

Re: Pix 515E cannot get the VPN client to work

The group should be "VPNclient"

New Member

Re: Pix 515E cannot get the VPN client to work

I noticed, I recreated the profile to check if that had any effect. It only gives me that output when I typed in a wrong group name. When I use the correct group name there is just no output.

At least the software is communicating with the pix :) but still nothing.

Green

Re: Pix 515E cannot get the VPN client to work

Try "debug crypto isakmp 7"

New Member

Re: Pix 515E cannot get the VPN client to work

That gives me some information:

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing SA payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ke payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ISA_KE

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing nonce payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Processing ID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received xauth V6 VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received DPD VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Fragmentation VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received NAT-Traversal ver 02 VID

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Cisco Unity client VID

Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!

Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x1bd62b8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR

Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE SA AM:7c720620 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jun 07 17:28:55 [IKEv1 DEBUG]: sending delete/delete with reason message

Green

Re: Pix 515E cannot get the VPN client to work

Your client is set up with the correct group name? Add this to the pix...

isakmp nat-traversal

New Member

Re: Pix 515E cannot get the VPN client to work

I think we're getting somewhere. Now I get another response:

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPNclient

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, processing IKE SA

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, All SA proposals found unacceptable

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptable!

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x183af38) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG

Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE SA AM:b3981b4d terminating: flags 0x0100c001, refcnt 0, tuncnt 0

Jun 07 17:43:35 [IKEv1 DEBUG]: sending delete/delete with reason message

Something in the security proposal
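The `debug crypto isakmp` output in this thread shows two distinct responder-side Phase 1 failures: the tunnel-group lookup and, once that succeeds, the IKE proposal match. The following is an added example, not part of the original posts, that triages such a capture per peer. The sample is constructed from debug lines in this thread, wrapped at 80 columns the way a terminal capture delivers them, and the function names are made up here.

```python
import re

# Constructed sample: debug lines from this thread, wrapped at 80 columns.
SAMPLE_LOG = """\
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received NAT-Traversal ver 02 V
ID
Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a val
id tunnel group, aborting...!
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPN
client
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptab
le!
"""

# A record starts with a timestamp, optionally preceded by a CLI prompt.
STAMP = re.compile(r"^(?:\S+# )?[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \[IKEv1")
PEER = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
LANDED = re.compile(r"Connection landed on tunnel_group (\S+)")

# stage -> (pattern, what to check). Group lookup comes before SA processing
# in the FSM error history shown in the thread.
STAGES = {
    "group-lookup": (re.compile(r"Can't find a valid tunnel group"),
                     "compare the client's group name with the tunnel-group name"),
    "proposal": (re.compile(r"All IKE SA proposals found unacceptable"),
                 "compare the isakmp policy lines with what the client offers"),
}


def unwrap(text):
    """Rejoin records that the terminal split at the right margin."""
    records = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if STAMP.match(raw) or not records:
            records.append(raw)
        else:
            # The wrap cuts mid-token, so no space is inserted. A break that
            # fell exactly on a space loses it; the patterns tolerate that.
            records[-1] += raw
    return records


def triage(text):
    """Return {peer_ip: {"group": name or None, "failures": [stage, ...]}}."""
    peers = {}
    for rec in unwrap(text):
        ip = PEER.search(rec)
        if not ip:
            continue
        state = peers.setdefault(ip[1], {"group": None, "failures": []})
        landed = LANDED.search(rec)
        if landed:
            state["group"] = landed[1]
        for stage, (pattern, _hint) in STAGES.items():
            if pattern.search(rec) and stage not in state["failures"]:
                state["failures"].append(stage)
    return peers


def hints(text):
    """One line per peer and failure stage, with the check to make."""
    return [f"{ip}: {stage}: {STAGES[stage][1]}"
            for ip, st in triage(text).items() for stage in st["failures"]]


if __name__ == "__main__":
    for line in hints(SAMPLE_LOG):
        print(line)
```
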

Green

Re: Pix 515E cannot get the VPN client to work

Mine looks like this...

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

isakmp policy 10

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash md5

isakmp group 2

isakmp lifetime 86400

isakmp policy 30

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash sha

isakmp group 2

isakmp lifetime 86400

New Member

Re: Pix 515E cannot get the VPN client to work

But I don't have the 3DES license, it will only do DES encryption. Could I just replace 3DES with DES?

Green

Re: Pix 515E cannot get the VPN client to work

Does this do the trick?

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

New Member

Re: Pix 515E cannot get the VPN client to work

It did, thanks! But only after updating my license to 3des/aes.

After inserting:

isakmp policy 65535 encryption 3des

The VPN client prompted me for a username and password and connected. Now the only thing is I'm not receiving anything. I cannot ping a local address on the other side of the pix? Do I have to add something to permit the traffic to the local LAN?

After this thing I'm enrolling myself for some kind of Cisco training :)

Thanks again for your help.

New Member

Re: Pix 515E cannot get the VPN client to work

I could not edit my previous post, but I found the answer in another discussion you had about some VPN troubles (ACL).

Everything is working like a charm now! thanks so much for taking the time to help me out here.

Jeroen

Green

Re: Pix 515E cannot get the VPN client to work

Good deal, glad it worked out....thought I lost you there.
