VPN client 4.x and pix 506 can get tunnel up-

michael murphy
Level 1

See config and debug below. The VPN client gets prompted for a password but then appears to just hang, where the PIX debug says "..initiating peer..". Also get "invalid local address".

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for 68.85.173.10, peer port 62465

return status is IKMP_NO_ERROR

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:68.85.173.10/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:68.85.173.10/500 Ref cnt incremented to:1 Total VPN Peers:1

ISAKMP: peer is a remote access client

ISAKMP/xauth: request attribute XAUTH_TYPE

ISAKMP/xauth: request attribute XAUTH_USER_NAME

ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD

ISAKMP (0:0): initiating peer config to 68.85.173.10. ID = 1008989529 (0x3c23f559)

crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828

ISAKMP: Config payload CFG_REPLY

ISAKMP (0:0): initiating peer config to 68.85.173.10. ID = 761927846 (0x2d6a18a6)

return status is IKMP_ERR_NO_RETRANS

crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828

ISAKMP: Config payload CFG_ACK

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500

ISAKMP_TRANSACTION exchange

ISAKMP (0:0): processing transaction payload from 68.85.173.10. message ID = 15622828

ISAKMP: Config payload CFG_REQUEST

ISAKMP (0:0): checking request:

ISAKMP: attribute IP4_ADDRESS (1)

ISAKMP: attribute IP4_NETMASK (2)

ISAKMP: attribute IP4_DNS (3)

ISAKMP: attribute IP4_NBNS (4)

ISAKMP: attribute ADDRESS_EXPIRY (5)

Unsupported Attr: 5

ISAKMP: attribute UNKNOWN (28672)

Unsupported Attr: 28672

ISAKMP: attribute UNKNOWN (28673)

Unsupported Attr: 28673

ISAKMP: attribute ALT_DEF_DOMAIN (28674)

ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)

ISAKMP: attribute ALT_SPLITDNS_NAME (28675)

ISAKMP: attribute ALT_PFS (28679)

ISAKMP: attribute UNKNOWN (28683)

Unsupported Attr: 28683

ISAKMP: attribute ALT_BACKUP_SERVERS (28681)

ISAKMP: attribute APPLICATION_VERSION (7)

ISAKMP: attribute UNKNOWN (28680)

Unsupported Attr: 28680

ISAKMP: attribute UNKNOWN (28682)

Unsupported Attr: 28682

ISAKMP: attribute UNKNOWN (28677)

Unsupported Attr: 28677

ISAKMP (0:0): responding to peer config from 68.85.173.10. ID = 491055213

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:68.85.173.10, dest:64.47.121.35 spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1006604508

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES

ISAKMP: attributes in transform:

ISAKMP: authenticator is HMAC-MD5

ISAKMP: key length is 256

ISAKMP: encaps is 1

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b

IPSEC(validate_proposal): invalid local address 64.47.121.35

ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP (0): skipping next ANDed proposal (1)

ISAKMP : Checking IPSec proposal 2

...

2 Replies

winchell
Level 1

I don't see the config?

Did you add the

isakmp identity address

to your config?

I have both a Cisco 3000 and VPN clients over the same interface. Here is the config:

sh run

: Saved

:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname pixfirewall

domain-name ciscopix.com

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip 192.168.35.0 255.255.255.0 192.168.31.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 192.168.35.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.35.0 255.255.255.0 192.168.31.0 255.255.255.0

access-list splittunnel permit ip 192.168.35.0 255.255.255.0 10.1.1.0 255.255.255.0

ip address outside 64.47.121.35 255.255.255.224

ip address inside 192.168.35.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpnclntpool 10.1.1.1-10.1.1.254

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 64.47.121.33 1

aaa-server LOCAL protocol local

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set clntset esp-aes esp-sha-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 4 set transform-set clntset

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 195.0.130.4

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 40 ipsec-isakmp dynamic dynmap

crypto map outside_map client configuration address initiate

crypto map outside_map client configuration address respond

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 195.0.130.4 netmask 255.255.255.255 no-config-mode

isakmp identity address

isakmp log 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

vpngroup sandvik address-pool vpnclntpool

vpngroup sandvik split-tunnel splittunnel

vpngroup sandvik idle-time 1800

vpngroup sandvik password ********

vpngroup address-pool idle-time 1800

telnet 192.168.1.120 255.255.255.255 inside

telnet 192.168.1.102 255.255.255.255 inside

telnet 192.168.1.51 255.255.255.255 inside

telnet 192.168.35.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.35.51-192.168.35.254 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

username xxxx password xxxx privilege 2

username xxxx password xxxx privilege 2

vpnclient username vpnuser10 password ********

terminal width 80

Cryptochecksum:xxxx

: end

pixfirewall(config)#
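As an added example (not part of the thread or of any Cisco tool), a small Python triage helper for the two things this thread puts side by side: the PIX "debug crypto isakmp" capture in the question and the "crypto ipsec transform-set" lines in the reply. It pulls the unsupported mode-config attributes, each phase 2 proposal and any IPSEC(validate_proposal) error out of a capture, and checks a proposal against a transform-set line. The sample input is constructed from lines quoted in the question, and the keyword mapping (plain esp-aes as AES-128, esp-aes-256 as AES-256) is my reading of the PIX 6.3 transform-set keywords, not something the thread states.

```python
import re
# Constructed sample in the shape of the PIX 6.3 "debug crypto isakmp" output
# quoted in the question (a subset of its lines, not the full capture).
SAMPLE_DEBUG = """\
Unsupported Attr: 5
Unsupported Attr: 28672
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): invalid local address 64.47.121.35
ISAKMP (0): atts not acceptable. Next payload is 0
"""

# Assumed mapping of PIX transform-set keywords to the names the debug prints;
# plain esp-aes is AES-128 and 3DES carries no key-length attribute.
CIPHERS = {"esp-aes": ("ESP_AES", 128), "esp-aes-256": ("ESP_AES", 256),
           "esp-3des": ("ESP_3DES", None)}
AUTHS = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}

def parse_debug(text):
    """Collect unsupported mode-config attributes, phase 2 proposals and validate_proposal errors."""
    s = {"unsupported_attrs": [], "proposals": [], "errors": []}
    for line in text.splitlines():
        # the IPSEC(...) error is often fused onto the end of the preceding debug line
        if m := re.search(r"IPSEC\(validate_proposal\): (.+)", line):
            s["errors"].append(m.group(1).strip())
        if m := re.match(r"Unsupported Attr: (\d+)", line):
            s["unsupported_attrs"].append(int(m.group(1)))
        elif m := re.match(r"ISAKMP : Checking IPSec proposal (\d+)", line):
            s["proposals"].append({"num": int(m.group(1)), "accepted": None})
        elif s["proposals"]:
            p = s["proposals"][-1]  # attribute lines belong to the latest proposal
            if m := re.match(r"ISAKMP: transform \d+, (\S+)", line):
                p["cipher"] = m.group(1)
            elif m := re.match(r"ISAKMP: authenticator is (\S+)", line):
                p["auth"] = m.group(1)
            elif m := re.match(r"ISAKMP: key length is (\d+)", line):
                p["keylen"] = int(m.group(1))
            elif "atts not acceptable" in line:
                p["accepted"] = False
    return s

def transform_set_matches(proposal, transform_set_line):
    """True if a 'crypto ipsec transform-set NAME ...' line would accept the proposal."""
    tokens = transform_set_line.split()[4:]  # skip 'crypto ipsec transform-set NAME'
    cipher = next((CIPHERS[t] for t in tokens if t in CIPHERS), None)
    auth = next((AUTHS[t] for t in tokens if t in AUTHS), None)
    ok = cipher is not None and cipher[0] == proposal.get("cipher") and auth == proposal.get("auth")
    return ok and (cipher[1] is None or cipher[1] == proposal.get("keylen"))
```

Run against the sample, the parser reports the proposal as AES-256 with HMAC-MD5 and rejected, and the reply's "clntset esp-aes esp-sha-hmac" line would not match it; the "invalid local address" error is recorded separately, since the debug ties it to the outside interface address rather than to the transform.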