09-26-2005 12:22 PM
See config and debug below. The VPN client gets prompted for password but then appears to just hang, where the PIX debug says "..initiating peer..". Also get "invalid local address".
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 68.85.173.10, peer port 62465
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:68.85.173.10/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:68.85.173.10/500 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 68.85.173.10. ID = 1008989529 (0x3c23f559)
crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828
ISAKMP: Config payload CFG_REPLY
ISAKMP (0:0): initiating peer config to 68.85.173.10. ID = 761927846 (0x2d6a18a6)
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28683)
Unsupported Attr: 28683
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP (0:0): responding to peer config from 68.85.173.10. ID = 491055213
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1006604508
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address 64.47.121.35
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
...
09-26-2005 01:51 PM
I don't see the config?
Did you add the
isakmp identity address
to your config?
09-26-2005 03:12 PM
I have both a Cisco 3000 and VPN clients over the same interface. Here is the config:
sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip 192.168.35.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.35.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.35.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list splittunnel permit ip 192.168.35.0 255.255.255.0 10.1.1.0 255.255.255.0
ip address outside 64.47.121.35 255.255.255.224
ip address inside 192.168.35.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnclntpool 10.1.1.1-10.1.1.254
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 64.47.121.33 1
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set clntset esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 4 set transform-set clntset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 195.0.130.4
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 195.0.130.4 netmask 255.255.255.255 no-config-mode
isakmp identity address
isakmp log 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup sandvik address-pool vpnclntpool
vpngroup sandvik split-tunnel splittunnel
vpngroup sandvik idle-time 1800
vpngroup sandvik password ********
vpngroup address-pool idle-time 1800
telnet 192.168.1.120 255.255.255.255 inside
telnet 192.168.1.102 255.255.255.255 inside
telnet 192.168.1.51 255.255.255.255 inside
telnet 192.168.35.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.35.51-192.168.35.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username xxxx password xxxx privilege 2
username xxxx password xxxx privilege 2
vpnclient username vpnuser10 password ********
terminal width 80
Cryptochecksum:xxxx
: end
pixfirewall(config)#
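The debug above shows the client's quick-mode proposal (ESP_AES, HMAC-MD5, 256-bit key) being rejected with "atts not acceptable", while the only transform set bound to the dynamic map is clntset (esp-aes esp-sha-hmac). The following Python script is an added triage helper, not part of the thread or of any Cisco tool: it parses excerpts of the posted debug and "sh run" output (embedded here as constructed sample strings), cross-checks each client proposal against the transform sets reachable through a crypto dynamic-map, and lists any "invalid local address" messages so they can be compared with the interface the crypto map is bound to. The ESP_*/HMAC-* to transform-set keyword mappings and the esp-aes-256 keyword derivation are the script's own assumptions about PIX 6.3 naming; it does not diagnose the root cause of the hang, it only narrows what to look at.

```python
import re

# Constructed excerpt of the PIX "debug crypto isakmp" output posted in the thread
# (proposal 1 of the client's quick-mode SA payload).
DEBUG_LOG = """\
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address 64.47.121.35
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
"""

# Constructed excerpt of the posted "sh run" (only the crypto lines that matter here).
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set clntset esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 4 set transform-set clntset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
isakmp identity address
"""

# Assumed mapping from the debug's transform/authenticator names to PIX transform-set keywords.
ENC_NAMES = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des", "ESP_DES": "esp-des"}
AUTH_NAMES = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}


def parse_proposals(log):
    """One dict {"enc", "auth", "keylen"} per 'Checking IPSec proposal' block that has a transform line."""
    proposals, cur = [], None
    for line in log.splitlines():
        if "Checking IPSec proposal" in line:
            cur = {"enc": None, "auth": None, "keylen": None}
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"transform \d+, (\S+)", line):
            cur["enc"] = ENC_NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"authenticator is (\S+)", line):
            cur["auth"] = AUTH_NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"key length is (\d+)", line):
            cur["keylen"] = int(m.group(1))
    # Drop blocks with no transform, e.g. the trailing "proposal 2" that was cut off in the post.
    return [p for p in proposals if p["enc"]]


def parse_config(cfg):
    """Return (transform_sets, dynamic_map_sets, has_isakmp_identity_address)."""
    tsets, dyn_sets, identity = {}, set(), False
    for line in cfg.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m.group(1)] = set(m.group(2).split())
        elif m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", line):
            dyn_sets.update(m.group(1).split())
        elif line.strip() == "isakmp identity address":
            identity = True
    return tsets, dyn_sets, identity


def transform_keyword(enc, keylen):
    """Assumed PIX keyword for a cipher plus key length: esp-aes is 128-bit, larger AES keys use esp-aes-<bits>."""
    if enc == "esp-aes" and keylen and keylen != 128:
        return f"esp-aes-{keylen}"
    return enc


def check_client_proposals(log, cfg):
    """For each client proposal, the name of a dynamic-map transform set that accepts it, or None."""
    tsets, dyn_sets, _ = parse_config(cfg)
    results = []
    for p in parse_proposals(log):
        enc_kw = transform_keyword(p["enc"], p["keylen"])
        match = next((n for n in sorted(dyn_sets)
                      if enc_kw in tsets.get(n, set()) and p["auth"] in tsets.get(n, set())), None)
        results.append((p, match))
    return results


def local_address_errors(log):
    """Addresses named in IPSEC(validate_proposal) 'invalid local address' messages."""
    return re.findall(r"invalid local address (\S+)", log)


if __name__ == "__main__":
    for p, match in check_client_proposals(DEBUG_LOG, PIX_CONFIG):
        status = f"accepted by transform set {match}" if match else "no dynamic-map transform set accepts it"
        print(f"client proposal {transform_keyword(p['enc'], p['keylen'])}/{p['auth']}: {status}")
    for addr in local_address_errors(DEBUG_LOG):
        print(f"validate_proposal rejected local address {addr}; compare with the crypto map interface binding")
```

Run against the posted excerpts it reports that the first client proposal has no accepting transform set on the dynamic map and that validate_proposal rejected local address 64.47.121.35, the outside interface address the crypto map is applied to; both are things to confirm on the PIX rather than conclusions the script draws.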