Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Easy VPN Server on 2600 to PIX client

I am trying to set up an easy vpn session between a PIX 501 client (6.3(5)) and a 2611 server (12.3(17a)), but cannot establish IKE session. Running debug on the 2611, I get (only showing relevant failure):

01:15:56: ISAKMP (0:3): Checking ISAKMP transform 14 against priority 10 policy

01:15:56: ISAKMP: encryption AES-CBC

01:15:56: ISAKMP: keylength of 128

01:15:56: ISAKMP: hash SHA

01:15:56: ISAKMP: default group 2

01:15:56: ISAKMP: auth pre-share

01:15:56: ISAKMP: life type in seconds

01:15:56: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

01:15:56: ISAKMP (0:3): Preshared authentication offered but does not match policy!

01:15:56: ISAKMP (0:3): atts are not acceptable. Next payload is 3 0

However, show crypto isak policy demonstrates that they should have matched:

Global IKE policy

Protection suite of priority 10

encryption algorithm: AES - Advanced Encryption Standard (128 bit keys

).

hash algorithm: Secure Hash Standard

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

On the pix, I have configured vpnclient for preshared auth with the group defined in the 2611. It will not allow me to define ike authentication, since it is a easy vpn client. Any thoughts as to how to fix this or what is failing? TIA!

4 REPLIES
Silver

Re: Easy VPN Server on 2600 to PIX client

Try comparing the following sample config to the one at the link below. If this doesn't help you may want to post your config.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Steve

New Member

Re: Easy VPN Server on 2600 to PIX client

Thanks - I am close to the config, although there are a few differences.

First, I am interfacing with a PIX client, not a VPN software client.

Second, I am using Network Extension Mode, not client. This eliminates the need for a local IP pool.

Third, I have different IKE policy.

Also, I noticed earlier that older IOS versions showed the authentication Pre-Share, while my version does not show that in the config, even though it is NOT the default, but does show up on the policy. Curious.

I will print out the configs when I get back to the units and post. Thanks!

Silver

Re: Easy VPN Server on 2600 to PIX client

Sorry I put in the wrong link. I think this is a little closer to what you are trying to achive.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ab518.shtml

Steve

New Member

Re: Easy VPN Server on 2600 to PIX client

Thanks - the only two things I see are that the IOS sample configs an address pool and that it is running 12.3(3). My 2611 is at 12.3(17a), I think. I don't think that the address pool is used for NEM, but that goes back and forth in the documentation. When I config'd an NEM with an ASA as the server, I would swear that no pool addresses were allocated, but I will test it out. If possible, I may also try to downgrade the IOS version - it REALLY bugs me that it doesn't show the IKE authentication as pre-share, even though I enter that, and even though a show crypto isakmp policy shows that config. Thanks again!

139
Views
0
Helpful
4
Replies
CreatePlease to create content