01-02-2006 07:49 AM
I am trying to set up an easy vpn session between a PIX 501 client (6.3(5)) and a 2611 server (12.3(17a)), but cannot establish IKE session. Running debug on the 2611, I get (only showing relevant failure):
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
01:15:56: ISAKMP (0:3): atts are not acceptable. Next payload is 3 0
However, show crypto isak policy demonstrates that they should have matched:
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (128 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
On the pix, I have configured vpnclient for preshared auth with the group defined in the 2611. It will not allow me to define ike authentication, since it is an easy vpn client. Any thoughts as to how to fix this or what is failing? TIA!
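As an added example (not part of the original thread and not Cisco's code), the following Python parses the quoted debug lines into the attributes of the offered transform, decodes the VPI life-duration bytes into seconds, and compares the result with a hand-transcribed copy of the priority 10 policy; the `POLICY_10` dictionary and the attribute names are my own assumptions.

```python
import re

# Constructed sample: the relevant "debug crypto isakmp" lines quoted in the post above.
DEBUG_LINES = """\
01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy
01:15:56: ISAKMP: encryption AES-CBC
01:15:56: ISAKMP: keylength of 128
01:15:56: ISAKMP: hash SHA
01:15:56: ISAKMP: default group 2
01:15:56: ISAKMP: auth pre-share
01:15:56: ISAKMP: life type in seconds
01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!
"""
# Priority-10 policy from "show crypto isakmp policy", transcribed by hand into
# the attribute vocabulary the debug output uses (assumed mapping).
POLICY_10 = {"encryption": "AES-CBC", "keylength": 128, "hash": "SHA",
             "group": 2, "auth": "pre-share", "lifetime": 86400}
ATTR_RE = {
    "encryption": re.compile(r"ISAKMP: encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP: keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP: hash (\S+)"),
    "group": re.compile(r"ISAKMP: default group (\d+)"),
    "auth": re.compile(r"ISAKMP: auth (\S+)"),
    "lifetime": re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)"),
}

def parse_transform(debug_text):
    """Return {attribute: value} for the transform offered in one debug excerpt."""
    attrs = {}
    for line in debug_text.splitlines():
        for name, rx in ATTR_RE.items():
            m = rx.search(line)
            if not m:
                continue
            if name == "lifetime":
                # VPI lifetime is a variable-length big-endian byte string:
                # 0x0 0x1 0x51 0x80 -> 0x00015180 -> 86400 seconds
                raw = bytes(int(b, 16) for b in m.group(1).split())
                attrs[name] = int.from_bytes(raw, "big")
            elif name in ("keylength", "group"):
                attrs[name] = int(m.group(1))
            else:
                attrs[name] = m.group(1)
    return attrs

def diff_against_policy(offered, policy):
    """Return (attribute, offered, configured) for each attribute that differs."""
    return [(k, offered.get(k), v) for k, v in policy.items() if offered.get(k) != v]
```

For the quoted excerpt the diff comes back empty, which confirms the poster's observation that every attribute in the offer, lifetime included, agrees with the displayed priority 10 policy, so the rejection must come from something the attribute list does not show.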
01-03-2006 05:19 AM
Try comparing the following sample config to the one at the link below. If this doesn't help you may want to post your config.
Steve
01-03-2006 07:27 AM
Thanks - I am close to the config, although there are a few differences.
First, I am interfacing with a PIX client, not a VPN software client.
Second, I am using Network Extension Mode, not client. This eliminates the need for a local IP pool.
Third, I have different IKE policy.
Also, I noticed earlier that older IOS versions showed the authentication Pre-Share, while my version does not show that in the config, even though it is NOT the default, but does show up on the policy. Curious.
I will print out the configs when I get back to the units and post. Thanks!
01-03-2006 08:00 AM
Sorry I put in the wrong link. I think this is a little closer to what you are trying to achieve.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml
Steve
01-04-2006 10:57 AM
Thanks - the only two things I see are that the IOS sample configs an address pool and that it is running 12.3(3). My 2611 is at 12.3(17a), I think. I don't think that the address pool is used for NEM, but that goes back and forth in the documentation. When I config'd an NEM with an ASA as the server, I would swear that no pool addresses were allocated, but I will test it out. If possible, I may also try to downgrade the IOS version - it REALLY bugs me that it doesn't show the IKE authentication as pre-share, even though I enter that, and even though a show crypto isakmp policy shows that config. Thanks again!