We are setting up PIX 501s for several of our remote users so they can stop using the software client when working from home. Using the Easy VPN capabilities of the PIX (we have a 515 at the corporate office), we are able to connect and establish the IKE and IPSEC tunnels.
We are also using a split-tunnel so the remote users can have internet access. The internet access works fine when the VPN tunnels are established.
The problem is that when we try to access internal resources on the corporate network (10.0.10.X), the connections time out and we get this message in the PDM log:
402103: identity doesn't match negotiated identity (ip) dest_addr=10.0.11.87, prot= udp, (ident) local=192.168.2.101 remote= 209.XXX.XXX.34, local proxy=192.168.2.101/255.255.255.255/0/0, remote_proxy=10.0.10.06
The software client still works fine and allows internal access to the network (and also internet access).
An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer. This may be a hostile event. Better to contact the peer's administrator to compare policy settings.

The problem seems largely due to the fact that the systems that are accessing the VPN tunnel are infected. Therefore, any traffic that is permitted through the VPN tunnel will be causing the problems because of the viruses on the systems. Since the VPN on the PIX requires the nat 0 statement to bypass NAT, any traffic on any port is permitted through the VPN tunnel. Better to check the infected systems. By default the PIX will block any incoming traffic not originated by a host on the inside interface; therefore an explicit access-list permit for any inbound traffic is required. Since the security association implies a trust relationship, taking care of the infected systems will be the resolution of the issue.
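The 402103 message quoted above encodes one concrete check: the destination of a decrypted packet is compared against the remote proxy identity (address/mask/protocol/port) that was negotiated for the security association it arrived on. The script below is an added example, not part of this thread or of any Cisco tool: it parses a 402103 line into its fields and reports whether dest_addr falls inside remote_proxy. The sample line is constructed for the example (the message posted in the question is truncated at remote_proxy, so a full /24 proxy and a TEST-NET peer address are assumed here); field names follow the posted message, with `local_proxy` assumed as the underscore form.

```python
import ipaddress
import re

# Constructed sample syslog line (not copied from the post): a 402103 message where the
# packet's destination 10.0.11.87 lies outside the negotiated remote proxy 10.0.10.0/24.
SAMPLE_402103 = (
    "%PIX-4-402103: identity doesn't match negotiated identity (ip) "
    "dest_addr=10.0.11.87, prot= udp, (ident) local=192.168.2.101 remote= 203.0.113.34, "
    "local_proxy=192.168.2.101/255.255.255.255/0/0, remote_proxy=10.0.10.0/255.255.255.0/0/0"
)

# key=value pairs; the PIX prints some values with a space after '=', so allow it.
FIELD_RE = re.compile(r"(\w+)=\s*([^,\s]+)")


def parse_402103(line):
    """Return the key=value fields of a 402103 message as a dict, or None for other messages."""
    if "402103" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def proxy_identity(proxy):
    """Split a PIX proxy identity 'addr/mask/proto/port' into (network, proto, port)."""
    addr, mask, proto, port = proxy.split("/")
    network = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return network, int(proto), int(port)


def explain_mismatch(line):
    """Describe why a 402103 message fired: is dest_addr covered by the remote proxy at all?"""
    fields = parse_402103(line)
    if fields is None:
        return None
    dest = ipaddress.ip_address(fields["dest_addr"])
    remote_net, remote_proto, remote_port = proxy_identity(fields["remote_proxy"])
    local_net, _, _ = proxy_identity(fields["local_proxy"])
    return {
        "peer": fields["remote"],
        "dest_addr": str(dest),
        "local_proxy": str(local_net),
        "remote_proxy": str(remote_net),
        # Protocol/port 0 means "any"; a non-zero value would further narrow the identity.
        "remote_proxy_any_proto_port": remote_proto == 0 and remote_port == 0,
        "dest_in_remote_proxy": dest in remote_net,
    }


if __name__ == "__main__":
    result = explain_mismatch(SAMPLE_402103)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed line, `dest_in_remote_proxy` comes back False: the destination is in 10.0.11.0/24 while the SA only covers 10.0.10.0/24, which is exactly the condition the 402103 text describes. Feeding it a real line requires the complete proxy fields, so copy the whole message from the PDM log rather than a truncated display.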