04-11-2009 07:28 AM
Hi,
I got a PIX in which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement the remote VPN with certificate authentication.
I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the certificate enrolled in my PIX. Now, I generated a certificate for a user, and when I try to connect after importing the certificate into the VPN client, I see the following error:
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt
:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt
:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found
Please guide me in this. I am not sure whether this is an error in my PIX configuration or in my Certificate server.
04-14-2009 10:35 AM
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_MM exchange
04-14-2009 10:35 AM
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196
ISADB: reaper checking SA 0x93b934, conn_id = 0
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz196/2400 Total VPN Peers:1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x8c1582b1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
pixfirewall(config)#
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
pixfirewall(config)#
sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP: Deleting peer node for xx.yy.zz196
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x8c1582b1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2150370680
ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz196
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1102687326, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8c1582b1
pixfirewall(config)#
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x8c1582b1
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x8c1582b1
These are the debug outputs. I did change the transform set to 3des.
04-14-2009 10:38 AM
QM_IDLE will be there during the time vpn client tries to connect. But when the vpn client stops connecting, the status also vanishes.
04-14-2009 10:40 AM
OK, go ahead and set isakmp identity hostname, try the connection again, and get the client and PIX debugs. It is odd; are you getting an IP address now on the VPN client?
04-14-2009 10:55 AM
Tried that too...Still the same :( ..
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
594 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
595 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
596 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
597 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
598 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
599 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
600 00:28:01.385 04/15/09 Sev=Info/4 CM/0x63100002
Begin connection process
601 00:28:01.369 04/15/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
602 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100004
Establish secure connection
603 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.yy.zz210"
604 00:28:01.401 04/15/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.yy.zz210.
605 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
606 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
607 00:28:01.604 04/15/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
608 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
609 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210
610 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
611 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
612 00:28:02.151 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
613 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210
614 00:28:02.151 04/15/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
615 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210
616 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
617 00:28:02.760 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210
618 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
619 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
620 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
621 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
622 00:28:02.963 04/15/09 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
04-14-2009 10:57 AM
623 00:28:03.323 04/15/09 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 128.
624 00:28:03.323 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210
625 00:28:03.760 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
642 00:28:03.979 04/15/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.26.101, GW IP = xx.yy.zz210, Remote IP = 0.0.0.0
643 00:28:03.995 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.yy.zz210
644 00:28:04.010 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
645 00:28:04.010 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xx.yy.zz210
646 00:28:04.010 04/15/09 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
647 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
648 00:28:04.135 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.yy.zz210
649 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
650 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
651 00:28:04.729 04/15/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
652 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
653 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
654 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
655 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
656 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
657 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
658 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=5351C90A
659 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.yy.zz210
660 00:28:24.230 04/15/09 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.yy.zz210, our seq# = 3357021916
661 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210
662 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=5351C90A
663 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
664 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xx.yy.zz210
665 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x63000040
Received DPD ACK from xx.yy.zz210, seq# received = 3357021916, seq# expected = 3357021916
04-14-2009 10:59 AM
Here's the PIX debug:
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz.196/2424 Total VPN Peers:1
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 279173772
ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz.196
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5351c90a
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3360745975, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5351c90a
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5351c90a
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5351c90a
04-14-2009 11:01 AM
OK, retransmitting phase 2: at some point we have a problem with that. Can you post the updated config?
04-14-2009 11:04 AM
Here it is:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password muey1LSLfnm8Zvwy encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.yy.zz.210 255.255.255.224
ip address inside 192.168.26.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 192.168.26.101-192.168.26.103
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xx.yy.zz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 :00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MIS address-pool testpool
vpngroup MIS dns-server 192.168.25.5
vpngroup MIS split-tunnel 101
vpngroup MIS idle-time 1800
ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll
ca configure corpit ra 1 20 crloptional
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:21774c7ce193983f02afee4a827674da
: end
04-14-2009 11:06 AM
Lol, we are missing the crypto map on the interface:
crypto map mymap interface outside
add it and try again.
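A small checker, added here and not part of the thread or of any Cisco tooling, that reads the two artifacts posted above (the PIX "debug crypto isakmp" output and the running config) and reports, for every transform the PIX rejected with "atts are not acceptable", which attribute of the client's proposal differs from the isakmp policy it was checked against, and whether a crypto map was defined but never applied to an interface, the mistake Martino spotted. The debug and config samples are constructed from the thread's own lines; the mapping of debug attribute names onto "isakmp policy" keywords is this example's own assumption.

```python
import re

# Constructed sample of the PIX "debug crypto isakmp" lines from the thread, two of nine proposals.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# Constructed sample: crypto lines of the posted config, still without "crypto map mymap interface outside".
CONFIG = """\
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

ATTR_RE = re.compile(r"ISAKMP: (?:encryption (?P<encryption>\S+)|keylength of (?P<keylength>\d+)|hash (?P<hash>\S+)"
                     r"|default group (?P<group>\d+)|(?:extended )?auth (?P<authentication>RSA sig|pre-share))")

def parse_policies(config):
    """{priority: {keyword: value}} from the 'isakmp policy' lines."""
    policies = {}
    for prio, key, val in re.findall(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(prio), {})[key] = val
    return policies

def parse_transforms(debug):
    """One dict per client proposal; each ATTR_RE group is named after the policy keyword it maps to."""
    transforms, cur = [], None
    for line in debug.splitlines():
        if m := re.match(r"ISAKMP \(0\): Checking ISAKMP transform (\d+) against priority (\d+)", line):
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": True}
            transforms.append(cur)
        elif cur and "atts are not acceptable" in line:
            cur["accepted"] = False
        elif cur and (m := ATTR_RE.match(line)):
            attr = m.lastgroup   # "AES-CBC" -> "aes", "RSA sig" -> "rsa-sig"
            cur[attr] = m.group(attr).lower().replace("-cbc", "").replace(" ", "-")
    for t in transforms:         # AES reports its key size on its own line: "aes" -> "aes-256"
        if "keylength" in t:
            t["encryption"] += "-" + t.pop("keylength")
    return transforms

def unbound_crypto_maps(config):
    """Crypto maps that have entries but no 'crypto map NAME interface IFACE' line."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", config, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface ", config, re.M))
    return sorted(defined - bound)

def diagnose(config, debug):
    """Per rejected proposal, the attributes that differ from the policy it was checked against."""
    policies = parse_policies(config)
    rejected = {t["transform"]: [a for a in ("encryption", "hash", "group", "authentication")
                                 if t.get(a) != policies[t["policy"]].get(a)]
                for t in parse_transforms(debug) if not t["accepted"]}
    return {"unbound_maps": unbound_crypto_maps(config), "rejected": rejected}
```

On the thread's samples this reports that every AES proposal fails on "encryption" (and the group-5 ones on "group" as well) against the 3des policy, and that mymap is never bound to an interface, which is why phase 2 could only retransmit.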
04-14-2009 11:09 AM
Hey Martino,
It worked......... :)
Thankssssss.... I was behind this headache for a while now..... It's sorted... A big big thanks..... Can I have your contact details please....
My mail id is ribin.jones@revenuemed.com
04-14-2009 11:13 AM
Martino,
When I am connected to this VPN, though we have given split tunneling, my internet is not working. Any thoughts?
04-14-2009 12:09 PM
Mhhh, once you are connected, can you right-click on the VPN client icon and select Statistics, then go to Route Details? What do you see under Secure Routes?
04-16-2009 07:25 AM
Hi Ivan,
I applied split tunnelling again, and I get internet access now. But though my VPN client is connected, I can't ping or access any internal network.
In "Route details" of vpn client tab, I see 192.168.0.0 under "secured routes" tab.
04-16-2009 07:59 AM
Hi,
I was missing the nat inside. It's fine now.
Thanks,
Ribin