Security Appliance 7.0(4) - Problem configuring IPSec over TCP

limtohsoon
Level 1

Hi Sir,

I'm configuring a PIX 525 Firewall running Security Appliance Software version 7.0(4), to support remote access VPNs using IPSec-over-TCP (port 80).

ISAKMP is enabled and the crypto map set is applied on the inside interface, which terminates the VPN tunnel from VPN clients. An ACL is applied inbound on the inside interface which permits "ip any any" (for troubleshooting purposes).

I also have configured these commands:

sysopt connection permit-ipsec

isakmp nat-traversal 3600

isakmp ipsec-over-tcp port 80

I used Cisco VPN Client Version 4.0.2 (A) to connect to the PIX but failed. The following are the error messages on the PIX:

Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)

Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I

Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside

Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80

Note:

10.1.1.1 - IP address of PIX

10.230.5.133 - IP address of my workstation from which I launched VPN

Attached is a screenshot of my VPN client configuration settings.

Anyone please kindly tell me what's missing to make the setup work (i.e. IPSec over TCP with port 80)?

Thank you.

B.Rgds,

Lim TS
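The four syslog lines quoted above follow a recognisable sequence: a TCP connection to the appliance's own address ("NP Identity Ifc") on the IPsec-over-TCP port is built, torn down a few seconds later with zero payload bytes and a reset, and then a stray RST is denied because the connection no longer exists. The script below, added here as an example and not part of the original post or of any Cisco tool, parses 302013/302014/106015 messages and reports, per connection to a chosen service port, whether the handshake completed, how many bytes moved, and which side reset it. The sample log is constructed from the lines in the post; the port, field names and finding layout are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four PIX syslog lines quoted in the post above.
SAMPLE_LOG = """\
Nov 18 2005 16:48:14: %PIX-6-302013: Built inbound TCP connection 4 for inside:10.230.5.133/1487 (10.230.5.133/1487) to NP Identity Ifc:10.1.1.1/80 (10.1.1.1/80)
Nov 18 2005 16:48:19: %PIX-6-302014: Teardown TCP connection 4 for inside:10.230.5.133/1487 to NP Identity Ifc:10.1.1.1/80 duration 0:00:04 bytes 0 TCP Reset-I
Nov 18 2005 16:48:35: %PIX-6-106015: Deny TCP (no connection) from 10.230.5.133/1487 to 10.1.1.1/80 flags RST on interface inside
Nov 18 2005 16:48:35: %PIX-7-710005: TCP request discarded from 10.230.5.133/1487 to inside:10.1.1.1/80
"""

# "%PIX-<severity>-<message id>: <body>"
MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# 302013: Built inbound TCP connection <id> for <ifc>:<src>/<sport> (...) to <ifc>:<dst>/<dport> (...)
BUILT_RE = re.compile(
    r"Built inbound TCP connection (?P<conn>\d+) for (?P<sifc>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+)"
    r" .* to (?P<difc>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
# 302014: Teardown TCP connection <id> ... duration <h:m:s> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) .* duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)"
)
# 106015: Deny TCP (no connection) from <src>/<sport> to <dst>/<dport> flags <flags> on interface <ifc>
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" flags (?P<flags>\S+)"
)


@dataclass
class Session:
    conn: str          # connection id assigned by the appliance
    src: str           # client address
    dst: str           # address the client connected to
    dport: int         # service port (80 for the poster's IPsec-over-TCP setup)
    duration: str      # h:mm:ss from the teardown message
    payload_bytes: int # bytes carried after the handshake; 0 means nothing was exchanged
    reason: str        # teardown reason kept verbatim, e.g. "TCP Reset-I"
    to_appliance: bool # True when the destination is the appliance itself ("NP Identity Ifc")


def split_message(line: str) -> Optional[Tuple[str, str]]:
    """Return (message id, body) for a PIX syslog line, or None for unrelated text."""
    m = MSG_RE.search(line)
    return (m.group("msgid"), m.group("body")) if m else None


def analyze(log_text: str, service_port: int = 80) -> Dict[str, object]:
    """Correlate build/teardown/deny messages for TCP sessions to service_port."""
    open_conns: Dict[str, dict] = {}
    sessions: List[Session] = []
    stray_rst = 0
    for line in log_text.splitlines():
        parsed = split_message(line)
        if parsed is None:
            continue
        msgid, body = parsed
        if msgid == "302013":
            m = BUILT_RE.search(body)
            if m and int(m.group("dport")) == service_port:
                open_conns[m.group("conn")] = m.groupdict()
        elif msgid == "302014":
            m = TEARDOWN_RE.search(body)
            if m and m.group("conn") in open_conns:
                b = open_conns.pop(m.group("conn"))
                sessions.append(Session(
                    conn=b["conn"], src=b["src"], dst=b["dst"], dport=int(b["dport"]),
                    duration=m.group("dur"), payload_bytes=int(m.group("bytes")),
                    reason=m.group("reason").strip(),
                    to_appliance="Identity" in b["difc"],
                ))
        elif msgid == "106015":
            m = DENY_RE.search(body)
            # An RST denied with "no connection" is the tail of an already torn-down session.
            if m and int(m.group("dport")) == service_port and "RST" in m.group("flags"):
                stray_rst += 1
    return {"sessions": sessions, "stray_rst": stray_rst, "still_open": sorted(open_conns)}


def summarize(result: Dict[str, object]) -> List[str]:
    """Human-readable one-liners: did the handshake complete, did data flow, who reset."""
    out = []
    for s in result["sessions"]:
        target = "the appliance itself" if s.to_appliance else "a host behind the appliance"
        data = "no payload exchanged" if s.payload_bytes == 0 else f"{s.payload_bytes} bytes exchanged"
        out.append(f"conn {s.conn}: {s.src} -> {s.dst}:{s.dport} ({target}); handshake completed, "
                   f"{data} in {s.duration}, closed by '{s.reason}'")
    if result["stray_rst"]:
        out.append(f"{result['stray_rst']} late RST(s) denied after teardown")
    return out


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG, service_port=80)):
        print(line)
```

Run against the sample, the report shows one session to the appliance on port 80 that completed the TCP handshake, carried no payload at all, and was closed by "TCP Reset-I", followed by one late RST. That is the first thing to establish when IPsec-over-TCP fails: the client reaches the listener but no IKE traffic ever flows inside the TCP stream, so the next step is to look at what is actually bound to that port on that interface and at the client-side port setting rather than at the crypto policy.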

2 Replies

gluszko
Level 1

Did you configure:

crypto ipsec transform-set

crypto dynamic-map

crypto map xxx 10 ipsec-isakmp dynamic

crypto map xxx interface inside

isakmp enable inside

isakmp policy

vpngroup ???

Hi,

My VPN config was working fine before I posted this problem. FYI, the command "vpngroup" is deprecated in version 7.0 and replaced by "tunnel-group".

My problem is, there's a requirement to enable IPSec over TCP on port 80 for remote VPN clients. To the best of my knowledge, the only command needed is "isakmp ipsec-over-tcp port 80", which I configured, but it failed to work.

I included the PIX system error messages in my earlier post. Also, attached was a screenshot of VPN client 4.0.2 (A).

Please help.

Thank you.

B.Rgds,

Lim TS