Microsoft L2TP/IPSEC to PIX515 connection failure

Hi!

I am trying to connect a Windows 2000 PC to the PIX 515 (ver 6.3) through a dial-up VPN connection using L2TP over IPSEC. I created the security policy in the Windows terminal and the crypto map in the PIX.

When I try to connect I get the following error in the client: error 678: there was no answer.

In the PIX I get:

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:gandalf/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:gandalf/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1809116666

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 192.168.111.1, src= gandalf,

dest_proxy= 192.168.111.1/255.255.255.255/0/0 (type=1),

src_proxy= gandalf/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200

ISAKMP (0): processing NONCE payload. message ID = 1809116666

ISAKMP (0): processing ID payload. message ID = 1809116666

ISAKMP (0): ID_IPV4_ADDR src gandalf prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 1809116666

ISAKMP (0): ID_IPV4_ADDR dst 192.168.111.1 prot 0 port 0IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x38f8d870(955832432) for SA

from gandalf to 192.168.111.1 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending NOTIFY message 11 protocol 3

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAITmap_alloc_entry: allocating entry 7

map_alloc_entry: allocating entry 8

ISAKMP (0): Creating IPSec SAs

inbound SA from gandalf to 192.168.111.1 (proxy gandalf to 192.168.111.1)

has spi 955832432 and conn_id 7 and flags 0

outbound SA from 192.168.111.1 to gandalf (proxy 192.168.111.1 to gandalf)

has spi 3827610160 and conn_id 8 and flags 0IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 192.168.111.1, src= gandalf,

dest_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),

src_proxy= gandalf/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x38f8d870(955832432), conn_id= 7, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 192.168.111.1, dest= gandalf,

src_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),

dest_proxy= gandalf/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0xe424b230(3827610160), conn_id= 8, keysize= 0, flags= 0x0

VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:3 Total VPN Peers:1

return status is IKMP_NO_ERRORIPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

Why is it discarding the packets? Any idea?

Regards,

Nuria

2 REPLIES

Re: Microsoft L2TP/IPSEC to PIX515 connection failure

Any update on this one?


Re: Microsoft L2TP/IPSEC to PIX515 connection failure

Hi,

I don't get this to work. I get the same error. The SA is created but, after receiving the error, it is deleted.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

map_free_entry: freeing entry 3

CRYPTO(epa_release_conn): released conn 3

VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:1 Total VPN Peers:1map_free_entry: freeing entry 4

CRYPTO(epa_release_conn): released conn 4

VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:0 Total VPN Peers:1

VPN Peer: IPSEC: Deleted peer: Peer ip:gandalf/500 Total VPN Peers:0

Any suggestion? I need new ideas.

Nuria
