2062 Views, 9 Helpful, 26 Replies

Pix 515E cannot get the VPN client to work

sabrasystems
Level 1

Hi there,

I am having some difficulties configuring two things:

1. After a couple of hours struggling to create a tunnel (lan to lan) I finally got it to work. When I try to do the same for remote users using the Cisco vpn client I only get an error 412: the remote peer is no longer responding.

Client log:

Cisco Systems VPN Client Version 5.0.00.0340

Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6000

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:30:11.745 06/07/07 Sev=Info/6 GUI/0x63B00011

Reloaded the Certificates in all Certificate Stores successfully.

2 15:30:14.116 06/07/07 Sev=Info/4 CM/0x63100002

Begin connection process

3 15:30:14.120 06/07/07 Sev=Info/4 CM/0x63100004

Establish secure connection

4 15:30:14.122 06/07/07 Sev=Info/4 CM/0x63100024

Attempt connection with server "82.94.31.134"

5 15:30:14.128 06/07/07 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 82.94.31.134.

6 15:30:14.144 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 82.94.31.134

7 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

8 15:30:14.530 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

9 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

10 15:30:19.538 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

11 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

12 15:30:24.542 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

13 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

14 15:30:29.551 06/07/07 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 82.94.31.134

15 15:30:34.565 06/07/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 15:30:35.077 06/07/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=670D04F60A9F8CB9 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 15:30:35.078 06/07/07 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "82.94.31.134" because of "DEL_REASON_PEER_NOT_RESPONDING"

18 15:30:35.078 06/07/07 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

19 15:30:35.120 06/07/07 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

20 15:30:35.121 06/07/07 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

21 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

22 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

23 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

24 15:30:36.080 06/07/07 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

Attached is the config file from the Pix 515e.

2. I need to access RDP with port redirection. So when I access 82.x.x.x:4000 it would translate to 192.168.1.50:3389. So far I'm not able to get this to work.

Any help would be greatly appreciated.

Regards,

Jeroen

26 Replies

The group should be "VPNclient"

I noticed. I recreated the profile to check if that had any effect. It only gives me that output when I typed in a wrong group name. When I use the correct group name there is just no output.

At least the software is communicating with the pix :) but still nothing.

Try "debug crypto isakmp 7"

That gives me some information:

Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing SA payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ke payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing ISA_KE
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing nonce payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Processing ID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received xauth V6 VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received DPD VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Fragmentation VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received NAT-Traversal ver 02 VID
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, processing VID payload
Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 86.82.7.191, Received Cisco Unity client VID
Jun 07 17:28:55 [IKEv1]: Group = 86.82.7.191, IP = 86.82.7.191, Can't find a valid tunnel group, aborting...!
Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x1bd62b8) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR
Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 86.82.7.191, IP = 86.82.7.191, IKE SA AM:7c720620 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 07 17:28:55 [IKEv1 DEBUG]: sending delete/delete with reason message

Your client is set up with the correct group name? Add this to the pix...

isakmp nat-traversal

I think we're getting somewhere. Now I get another response:

Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, Connection landed on tunnel_group VPNclient
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, processing IKE SA
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, All SA proposals found unacceptable
Jun 07 17:43:35 [IKEv1]: IP = 86.82.7.191, All IKE SA proposals found unacceptable!
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE AM Responder FSM error history (struct &0x183af38) , : AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG
Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 86.82.7.191, IKE SA AM:b3981b4d terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Jun 07 17:43:35 [IKEv1 DEBUG]: sending delete/delete with reason message
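Read side by side, the two debug captures in this thread fail at different points of the aggressive-mode exchange: the first never matches a tunnel group (the Group field falls back to the peer's own IP), the second lands on VPNclient but rejects every Phase 1 proposal. The script below is an added example, not code from the thread or from Cisco, that parses `debug crypto isakmp 7` lines of the shape shown above and reports, per peer, which stage failed and which configuration item to check. The line layout and the two failure messages are taken from the captures above; the sample captures are constructed (the peer address 203.0.113.5 is a documentation address) and the hint text is my own.

```python
import re
from collections import defaultdict

# One line of PIX/ASA "debug crypto isakmp 7" output, as seen in the thread:
#   Jun 07 17:28:55 [IKEv1 DEBUG]: Group = <name>, IP = <peer>, <message>
# Group and IP are optional: "sending delete/delete with reason message" has neither.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<facility>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:IP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), )?"
    r"(?P<msg>.*)$"
)

# Phase 1 failure messages from the thread, each mapped to the configuration item to check
# (hint wording is assumed, not Cisco's).
FAILURE_HINTS = (
    ("Can't find a valid tunnel group",
     "tunnel-group: the group name in the client profile matches no tunnel-group on the PIX"),
    ("All IKE SA proposals found unacceptable",
     "isakmp policy: no policy matches the client's encryption/hash/DH group/authentication"),
)


def parse_line(line):
    """Split one debug line into ts, facility, group, ip and msg; None if it is not IKEv1 output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Summarise a capture per peer IP: tunnel group reached, group-lookup fallback, failure hints."""
    peers = defaultdict(lambda: {"tunnel_group": None, "group_lookup_failed": False, "hints": []})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["ip"] is None:
            continue  # not a per-peer IKEv1 line
        state = peers[rec["ip"]]
        msg = rec["msg"]
        landed = re.match(r"Connection landed on tunnel_group (\S+)", msg)
        if landed:
            state["tunnel_group"] = landed.group(1)
        # In the thread's first capture the Group field equals the peer's own IP: no named
        # group matched the aggressive-mode ID, so the PIX fell back to the address.
        if rec["group"] == rec["ip"]:
            state["group_lookup_failed"] = True
        for signature, hint in FAILURE_HINTS:
            if signature in msg and hint not in state["hints"]:
                state["hints"].append(hint)
    return dict(peers)


# Constructed sample captures modelled on the two outputs in the thread (203.0.113.5 is a
# documentation address, not a real peer).
FIRST_ATTEMPT = [
    "Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 203.0.113.5, processing SA payload",
    "Jun 07 17:28:55 [IKEv1 DEBUG]: IP = 203.0.113.5, Received xauth V6 VID",
    "Jun 07 17:28:55 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, Can't find a valid tunnel group, aborting...!",
    "Jun 07 17:28:55 [IKEv1 DEBUG]: Group = 203.0.113.5, IP = 203.0.113.5, IKE SA AM:7c720620 terminating: flags 0x0100c001, refcnt 0, tuncnt 0",
    "Jun 07 17:28:55 [IKEv1 DEBUG]: sending delete/delete with reason message",
]
SECOND_ATTEMPT = [
    "Jun 07 17:43:35 [IKEv1]: IP = 203.0.113.5, Connection landed on tunnel_group VPNclient",
    "Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 203.0.113.5, processing IKE SA",
    "Jun 07 17:43:35 [IKEv1]: IP = 203.0.113.5, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596",
    "Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 203.0.113.5, All SA proposals found unacceptable",
    "Jun 07 17:43:35 [IKEv1]: IP = 203.0.113.5, All IKE SA proposals found unacceptable!",
    "Jun 07 17:43:35 [IKEv1 DEBUG]: Group = VPNclient, IP = 203.0.113.5, IKE SA AM:b3981b4d terminating: flags 0x0100c001, refcnt 0, tuncnt 0",
    "Jun 07 17:43:35 [IKEv1 DEBUG]: sending delete/delete with reason message",
]

if __name__ == "__main__":
    for label, capture in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        for ip, state in triage(capture).items():
            print(f"{label}: peer {ip}, tunnel group {state['tunnel_group']}, "
                  f"group lookup failed: {state['group_lookup_failed']}")
            for hint in state["hints"]:
                print("  check", hint)
```

Feed it the output of `debug crypto isakmp 7` captured from the console; because the parser keys on the IP field it copes with several clients connecting at once, and lines without an IP (the trailing delete notifications) are ignored rather than misattributed.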

Something in the security proposal

Mine looks like this...

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

isakmp policy 10

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash md5

isakmp group 2

isakmp lifetime 86400

isakmp policy 30

isakmp authentication pre-share

isakmp encryption 3des

isakmp hash sha

isakmp group 2

isakmp lifetime 86400

But I don't have the 3DES license; it will only do DES encryption. Could I just replace 3DES with DES?

Does this do the trick?

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

It did, thanks! But only after updating my license to 3des/aes.

After inserting:

isakmp policy 65535 encryption 3des

The VPN client prompted me for a username and password and connected. Now the only thing is I'm not receiving anything. I cannot ping a local address on the other side of the pix. Do I have to add something to permit the traffic to the local lan?

After this thing I'm enrolling myself for some kind of Cisco training :)

Thanks again for your help.

I could not edit my previous post, but I found the answer in another discussion you had about some vpn troubles (acl).

Everything is working like a charm now! Thanks so much for taking the time to help me out here.

Jeroen

Good deal, glad it worked out....thought I lost you there.