Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Identity errors with remote 501 to 515 VPN

Hello,

We are setting up PIX 501s for several of our remote users so they can stop using the software client when working from home. Using the Easy VPN capabilities of the PIX (we have a 515 at the corporate office), we are able to connect and establish the IKE and IPSEC tunnels.

We are also using a split-tunnel so the remote users can have internet access. The internet access works fine when the VPN tunnels are established.

The problem is that when we try to access internal resources on the corporate network (10.0.10.X), the connections time out and we get this message in the PDM log:

402103: identity doesn't match negotiated identity (ip) dest_addr=10.0.11.87, prot= udp, (ident) local=192.168.2.101 remote= 209.XXX.XXX.34, local proxy=192.168.2.101/255.255.255.255/0/0, remote_proxy=10.0.10.06

The software client still works fine and allows internal access to the network (and also internet access).

Thanks for any suggestions,

Dan

  • VPN
2 REPLIES
Silver

Re: Identity errors with remote 501 to 515 VPN

Hi Dan,

An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to an security association selection error by the peer. This may be a hostile event. Better to contact the peer's administrator to compare policy settings The problem seems largely due to the fact that the systems that are accessing the vpn tunnel are infected.Therefore, any traffic that is permitted through the vpn tunnel will be causing the problems because of the viruses on the systems. Since the vpn on pix requires to use the nat 0 statement to bypass nat therefore any traffic on any port is permitted through the vpn tunnel. Better to check the infected systems. By default the pix will block any incoming traffic not originated by the host on the inside interface.Therefore an express permission of access-list for any inbound traffic is required. Since the security association implies a trust relationship therefore taking care of the infected systems will be the resolution of the issue.

New Member

Re: Identity errors with remote 501 to 515 VPN

Thanks, Ursula. So you suspect that the laptop we are using through the PIX 501 might be infected and sending bad packets?

Dan

157
Views
0
Helpful
2
Replies