Remote VPN with certificate authentication

ribin.jones (Level 1)

Hi,

I have a PIX on which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement the remote VPN with certificate authentication.

I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the certificate enrolled on my PIX. Now I generated a certificate for a user, and when I try to connect after importing the certificate into the VPN client, I see the following error:

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found

Please guide me on this. I am not sure whether this is an error in my PIX configuration or in my certificate server.


crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196
ISADB: reaper checking SA 0x93b934, conn_id = 0
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz196/2400 Total VPN Peers:1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x8c1582b1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
pixfirewall(config)#
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
pixfirewall(config)#
sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP: Deleting peer node for xx.yy.zz196
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x8c1582b1
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2150370680
ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz196
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:2400 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1102687326, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x8c1582b1
pixfirewall(config)#
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)# sh cry isak sa
Total : 1
Embryonic : 0
dst src state pending created
xx.yy.zz210 xx.yy.zz196 QM_IDLE 0 0
pixfirewall(config)#
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x8c1582b1
ISAKMP (0): retransmitting phase 2 (4/0)... mess_id 0x8c1582b1

These are the debug outputs. I did change the transform set to 3des.

QM_IDLE is there while the VPN client is trying to connect, but when the VPN client stops connecting, the status vanishes too.

OK, go ahead and set "isakmp identity hostname", try the connection again and get the client and PIX debugs. It is odd; are you getting an IP address now on the VPN client?

Tried that too... Still the same :(

Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

594 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
595 00:28:01.182 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
596 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
597 00:28:01.197 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
598 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
599 00:28:01.213 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
600 00:28:01.385 04/15/09 Sev=Info/4 CM/0x63100002
Begin connection process
601 00:28:01.369 04/15/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
602 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100004
Establish secure connection
603 00:28:01.401 04/15/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.yy.zz210"
604 00:28:01.401 04/15/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.yy.zz210.
605 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
606 00:28:01.416 04/15/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
607 00:28:01.604 04/15/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
608 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
609 00:28:01.604 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210
610 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
611 00:28:01.635 04/15/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
612 00:28:02.151 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
613 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210
614 00:28:02.151 04/15/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
615 00:28:02.151 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210
616 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
617 00:28:02.760 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210
618 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
619 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
620 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
621 00:28:02.760 04/15/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
622 00:28:02.963 04/15/09 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
623 00:28:03.323 04/15/09 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 128.
624 00:28:03.323 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210
625 00:28:03.760 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
642 00:28:03.979 04/15/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.26.101, GW IP = xx.yy.zz210, Remote IP = 0.0.0.0
643 00:28:03.995 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.yy.zz210
644 00:28:04.010 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
645 00:28:04.010 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xx.yy.zz210
646 00:28:04.010 04/15/09 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
647 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
648 00:28:04.135 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.yy.zz210
649 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
650 00:28:04.135 04/15/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
651 00:28:04.729 04/15/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
652 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
653 00:28:09.229 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
654 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
655 00:28:14.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
656 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
657 00:28:19.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to xx.yy.zz210
658 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=5351C90A
659 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.yy.zz210
660 00:28:24.230 04/15/09 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.yy.zz210, our seq# = 3357021916
661 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210
662 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=5351C90A
663 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
664 00:28:24.230 04/15/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from xx.yy.zz210
665 00:28:24.230 04/15/09 Sev=Info/5 IKE/0x63000040
Received DPD ACK from xx.yy.zz210, seq# received = 3357021916, seq# expected = 3357021916

Here's the PIX debug:

ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:xx.yy.zz.196/2424 Total VPN Peers:1
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 279173772
ISAMKP (0): received DPD_R_U_THERE from peer xx.yy.zz.196
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0x5351c90a
crypto_isakmp_process_block:src:xx.yy.zz.196, dest:xx.yy.zz.210 spt:2424 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3360745975, spi size = 4IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 2 (1/0)... mess_id 0x5351c90a
ISAKMP (0): retransmitting phase 2 (2/0)... mess_id 0x5351c90a
ISAKMP (0): retransmitting phase 2 (3/0)... mess_id 0x5351c90a

OK, "retransmitting phase 2": at some point we have a problem with that. Can you post the updated config?

Here it is:

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password muey1LSLfnm8Zvwy encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.yy.zz.210 255.255.255.224
ip address inside 192.168.26.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 192.168.26.101-192.168.26.103
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xx.yy.zz.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 :00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup MIS address-pool testpool
vpngroup MIS dns-server 192.168.25.5
vpngroup MIS split-tunnel 101
vpngroup MIS idle-time 1800
ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll
ca configure corpit ra 1 20 crloptional
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:21774c7ce193983f02afee4a827674da
: end

Lol, we are missing the crypto map on the interface:

crypto map mymap interface outside

Add it and try again.
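The two things diagnosed in this thread can both be checked mechanically from the debug output and the running config: the phase 1 proposals the PIX logs as "atts are not acceptable" (each one differs from isakmp policy 10 in encryption, hash or group), and the crypto map that was defined but never applied to the outside interface, which is why phase 1 reached QM_IDLE while every quick mode attempt was answered with NO_PROPOSAL_CHOSEN and retransmitted until the count was exceeded. The Python below is an added example, not Cisco's code and not anything the posters ran. Its sample debug and config excerpts are constructed from this thread (transform 10, the accepted 3DES proposal, is invented so the accepted branch runs too), and the normalisation it applies, reading "AES-CBC" plus "keylength of 256" as the policy's aes-256, plain "aes" in a policy as 128-bit, and "extended auth" as XAUTH on top of rsa-sig, is my assumption about how the PIX debug vocabulary maps onto the isakmp policy syntax.

```python
"""Added triage helper (not Cisco's code, not from this thread): parse PIX 6.3 'debug
crypto isakmp' output and the running config, explain why each IKE phase 1 transform
was rejected, and flag crypto maps that were defined but never bound to an interface."""
import re

# Constructed sample shaped like the thread's PIX debug: transform 9 is the thread's,
# transform 10 is an invented accepted 3DES proposal so that branch is exercised too.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are acceptable. Next payload is 0
"""
# The crypto lines of the config posted in the thread: the map has an entry but there
# is no 'crypto map mymap interface outside' line.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""
COMPARED = ("encryption", "hash", "group", "authentication")  # lifetime is negotiable


def parse_policies(config_text):
    """Return {priority: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)", config_text, re.M):
        pri, attr, val = int(m.group(1)), m.group(2), m.group(3).lower()
        if attr == "encryption" and val == "aes":  # assumption: plain 'aes' is 128-bit
            val = "aes-128"
        policies.setdefault(pri, {})[attr] = val
    return policies


def parse_transforms(debug_text):
    """Return the client's proposals as dicts normalised to the policy vocabulary."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            cur = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                   "xauth": False, "accepted": None}
            transforms.append(cur)
        elif cur is None:
            continue  # attribute lines before any 'Checking' header are ignored
        elif m := re.search(r"ISAKMP: encryption (\S+)", line):
            cur["encryption"] = m.group(1).lower().replace("-cbc", "")
        elif m := re.search(r"ISAKMP: hash (\S+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.search(r"ISAKMP: default group (\d+)", line):
            cur["group"] = m.group(1)
        elif m := re.search(r"ISAKMP: (extended )?auth (.+?)(?: \(init\))?$", line):
            cur["xauth"] = bool(m.group(1))  # 'extended auth ... (init)' = XAUTH on top
            cur["authentication"] = m.group(2).lower().replace(" ", "-")
        elif m := re.search(r"ISAKMP: keylength of (\d+)", line):
            cur["keylength"] = m.group(1)
        elif "atts are" in line:
            cur["accepted"] = "not acceptable" not in line
    for t in transforms:  # AES-CBC with keylength 256 is what the policy calls aes-256
        if t.get("encryption") == "aes" and t.get("keylength"):
            t["encryption"] = f"aes-{t['keylength']}"
    return transforms


def explain_rejections(debug_text, config_text):
    """Per proposal: (attribute, proposed, configured) for each compared attribute that
    differs from the policy the PIX checked it against."""
    policies = parse_policies(config_text)
    report = []
    for t in parse_transforms(debug_text):
        pol = policies.get(t["priority"], {})
        mism = [(a, t.get(a), pol.get(a)) for a in COMPARED if pol.get(a) != t.get(a)]
        report.append({"transform": t["transform"], "priority": t["priority"],
                       "accepted": t["accepted"], "xauth": t["xauth"], "mismatches": mism})
    return report


def unbound_crypto_maps(config_text):
    """Crypto maps with ipsec-isakmp entries but no 'crypto map NAME interface X' line.
    Phase 1 still reaches QM_IDLE, but no quick mode proposal can match, so the client
    gets NO_PROPOSAL_CHOSEN and retransmits phase 2 until the count is exceeded."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config_text, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface \S+", config_text, re.M))
    return sorted(defined - bound)


if __name__ == "__main__":
    for r in explain_rejections(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(r["transform"], "accepted" if r["accepted"] else "rejected", r["mismatches"])
    print("crypto maps not bound to an interface:", unbound_crypto_maps(SAMPLE_CONFIG))
```

Run against the thread's own config, every AES proposal is reported with "encryption: aes-256 (or aes-128) vs 3des" plus whatever hash or group also differs, and unbound_crypto_maps returns ["mymap"] until the missing "crypto map mymap interface outside" line is present; the script is meant to be fed the real debug capture and "write terminal" output in place of the constructed samples.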

Hey Martino,

It worked......... :)

Thanks! I've been behind this headache for a while now. It's sorted. A big, big thanks. Can I have your contact details, please?

My mail id is ribin.jones@revenuemed.com

Martino,

When I am connected to this VPN, even though we have configured split tunneling, my internet is not working. Any thoughts?

imartino@cisco.com :)

Mhhh, once you are connected, can you right-click on the VPN client icon, select Statistics and then go to Route Details? What do you see under secure routes?

Hi Ivan,

I applied split tunnelling again, and I get internet access now. But although my VPN client is connected, I can't ping or access any internal network.

In the "Route Details" tab of the VPN client, I see 192.168.0.0 under "Secured Routes".

Hi,

I was missing the nat inside. It's fine now.

Thanks,

Ribin
