mawhitecap
IS-IT--Management
I'm totally new to Cisco and I have desperately tried to establish a VPN between a Windows XP Pro and a Cisco 506E running v6.3. Considering my lack of knowledge in VPN and Cisco as well, I did all configuration using the graphical wizards on the Cisco side.
What I succeeded in doing:
* build a PPTP link. It works perfectly well without doing much (some static routes to define on the 506E, but easy to figure out).
What I can't do despite many hours (I must be missing something ridiculously obvious for someone who is used to doing that... frustrating):
* build an L2TP/IPsec link between my Windows XP Pro client (every Microsoft patch applied, but tried as well from a freshly installed XP with just SP1 and no other patches) and the PIX. It fails with a 792 error (basically telling me there's a timeout in the negotiation). I activated Oakley logging on the Windows side and I can roughly understand there's a failure in the phase 2 negotiation. Here is the log extract where it faults:
11-12: 18:43:56:397:904 Sending: SA = 0x000CBDC0 to 100.100.101.1:Type 2
11-12: 18:43:56:397:904 ISAKMP Header: (V1.0), len = 1108
11-12: 18:43:56:397:904 I-COOKIE 624553ba66655290
11-12: 18:43:56:397:904 R-COOKIE c52f29a414cc969c
11-12: 18:43:56:397:904 exchange: Oakley Quick Mode
11-12: 18:43:56:397:904 flags: 1 ( encrypted )
11-12: 18:43:56:397:904 next payload: HASH
11-12: 18:43:56:397:904 message ID: 3a1adbec
11-12: 18:43:56:397:904
11-12: 18:43:56:397:904 Receive: (get) SA = 0x000cbdc0 from 100.100.101.1
11-12: 18:43:56:397:904 ISAKMP Header: (V1.0), len = 84
11-12: 18:43:56:397:904 I-COOKIE 624553ba66655290
11-12: 18:43:56:397:904 R-COOKIE c52f29a414cc969c
11-12: 18:43:56:397:904 exchange: ISAKMP Informational Exchange
11-12: 18:43:56:397:904 flags: 1 ( encrypted )
11-12: 18:43:56:397:904 next payload: HASH
11-12: 18:43:56:397:904 message ID: 28edb3c4
11-12: 18:43:56:397:904 processing HASH (Notify/Delete)
11-12: 18:43:56:397:904 processing payload NOTIFY
11-12: 18:43:56:397:904 Unknown Notify Message 24578
11-12: 18:43:56:397:904
11-12: 18:43:56:397:904 Receive: (get) SA = 0x000cbdc0 from 100.100.101.1
11-12: 18:43:56:397:904 ISAKMP Header: (V1.0), len = 92
11-12: 18:43:56:397:904 I-COOKIE 624553ba66655290
11-12: 18:43:56:397:904 R-COOKIE c52f29a414cc969c
11-12: 18:43:56:397:904 exchange: ISAKMP Informational Exchange
11-12: 18:43:56:397:904 flags: 1 ( encrypted )
11-12: 18:43:56:397:904 next payload: HASH
11-12: 18:43:56:397:904 message ID: 54741276
11-12: 18:43:56:397:904 processing HASH (Notify/Delete)
11-12: 18:43:56:397:904 processing payload NOTIFY
11-12: 18:43:56:397:9e8
11-12: 18:43:56:397:9e8 Receive: (get) SA = 0x000cbdc0 from 100.100.101.1
11-12: 18:43:56:397:9e8 ISAKMP Header: (V1.0), len = 1084
11-12: 18:43:56:397:9e8 I-COOKIE 624553ba66655290
11-12: 18:43:56:397:9e8 R-COOKIE c52f29a414cc969c
11-12: 18:43:56:397:9e8 exchange: ISAKMP Informational Exchange
11-12: 18:43:56:397:9e8 flags: 1 ( encrypted )
11-12: 18:43:56:397:9e8 next payload: HASH
11-12: 18:43:56:397:9e8 message ID: 2ece2eec
11-12: 18:43:56:397:9e8 processing HASH (Notify/Delete)
11-12: 18:43:56:397:9e8 processing payload NOTIFY
11-12: 18:43:56:397:9e8 notify: NO-PROPOSAL-CHOSEN
11-12: 18:43:56:397:9e8 isadb_set_status sa:000CBDC0 centry:00000000 status 35ea
11-12: 18:43:57:399:1a0 retransmit: sa = 000CBDC0 centry 000BEDC8 , count = 1
11-12: 18:43:57:399:1a0
11-12: 18:43:57:399:1a0 Sending: SA = 0x000CBDC0 to 100.100.101.1:Type 2
11-12: 18:43:57:399:1a0 ISAKMP Header: (V1.0), len = 1108
11-12: 18:43:57:399:1a0 I-COOKIE 624553ba66655290
11-12: 18:43:57:399:1a0 R-COOKIE c52f29a414cc969c
11-12: 18:43:57:399:1a0 exchange: Oakley Quick Mode
11-12: 18:43:57:399:1a0 flags: 1 ( encrypted )
11-12: 18:43:57:399:1a0 next payload: HASH
11-12: 18:43:57:399:1a0 message ID: 3a1adbec
11-12: 18:43:59:401:1a0 retransmit: sa = 000CBDC0 centry 000BEDC8 , count = 2
And it goes to 6 retries and fails.
And at this time I don't have the possibility to use the Cisco client, so it's not an option. I can still use PPTP, but it seriously upsets me not to find how to make the whole thing work.
As a bonus question:
I'll link two sites to a third: one with the Windows XP Pro (native client, PPTP or L2TP/IPsec) and one with a PIX 501, both linked to a 506E PIX. So basically one remote-access VPN and a LAN-to-LAN VPN at the same time on the 506E. Can I do that? And how?... Starting from the configurations the wizard is doing automatically.
Just to make you understand my unpleasant situation, I'm totally unable to test the whole picture before being on site to do the install...
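An added triage helper (editor's example, not the poster's code or anything from the PIX) that reads the Windows XP Oakley.log format quoted above and reports which exchange the client last sent, which notifies the peer answered with, and how many retransmits followed. The sample lines are a constructed, trimmed copy of the post's excerpt; the numeric-to-name table for notify 24578 comes from the IPsec DOI (RFC 2407), where it is the informational INITIAL-CONTACT status.

```python
import re

# Constructed excerpt in the Windows XP Oakley.log format quoted in the post
# (headers trimmed to the lines the triage cares about; values are made up).
SAMPLE_LOG = """\
11-12: 18:43:56:397:904 Sending: SA = 0x000CBDC0 to 100.100.101.1:Type 2
11-12: 18:43:56:397:904 exchange: Oakley Quick Mode
11-12: 18:43:56:397:904 Receive: (get) SA = 0x000cbdc0 from 100.100.101.1
11-12: 18:43:56:397:904 exchange: ISAKMP Informational Exchange
11-12: 18:43:56:397:904 processing payload NOTIFY
11-12: 18:43:56:397:904 Unknown Notify Message 24578
11-12: 18:43:56:397:9e8 Receive: (get) SA = 0x000cbdc0 from 100.100.101.1
11-12: 18:43:56:397:9e8 exchange: ISAKMP Informational Exchange
11-12: 18:43:56:397:9e8 processing payload NOTIFY
11-12: 18:43:56:397:9e8 notify: NO-PROPOSAL-CHOSEN
11-12: 18:43:57:399:1a0 retransmit: sa = 000CBDC0 centry 000BEDC8 , count = 1
11-12: 18:43:59:401:1a0 retransmit: sa = 000CBDC0 centry 000BEDC8 , count = 2
"""

# Status notifies the XP logger only prints by number (IPsec DOI, RFC 2407).
DOI_STATUS_NOTIFIES = {24576: "RESPONDER-LIFETIME",
                       24577: "REPLAY-STATUS",
                       24578: "INITIAL-CONTACT"}

# Each line is "MM-DD: HH:MM:SS:ms:threadid <message>".
LINE_RE = re.compile(r"^\d\d-\d\d: \d\d:\d\d:\d\d:\d+:[0-9a-f]+\s*(.*)$")


def triage_oakley_log(text):
    """Return the exchange the client last sent, the notifies the peer
    answered with, and the highest retransmit count seen."""
    direction, last_sent, notifies, retransmits = None, None, [], 0
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("Sending:") or msg.startswith("Receive:"):
            direction = msg.split(":", 1)[0]
        elif msg.startswith("exchange:") and direction == "Sending":
            last_sent = msg.split(":", 1)[1].strip()
        elif msg.startswith("notify:"):
            notifies.append(msg.split(":", 1)[1].strip())
        elif msg.startswith("Unknown Notify Message"):
            code = int(msg.rsplit(None, 1)[1])
            notifies.append(DOI_STATUS_NOTIFIES.get(code, "UNKNOWN-%d" % code))
        elif msg.startswith("retransmit:"):
            retransmits = max(retransmits, int(msg.rsplit("=", 1)[1]))
    # NO-PROPOSAL-CHOSEN answering Quick Mode means phase 1 completed but the
    # peer accepted none of the phase 2 (IPsec SA) proposals offered.
    rejected = last_sent == "Oakley Quick Mode" and "NO-PROPOSAL-CHOSEN" in notifies
    return {"last_sent_exchange": last_sent, "notifies": notifies,
            "retransmits": retransmits, "phase2_rejected": rejected}
```

Run on the sample it reports phase2_rejected True, which points the comparison at the PIX's IPsec transform set, encapsulation mode and traffic selectors rather than at the phase 1 (ISAKMP) policy.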