Hello:
I have a vpn client (202.10.1.2) on the outside of the PIX (e0=202.10.1.1). I have an NT4.0 machine (142.100.42.170) on the inside of the PIX (e1=142.100.42.30).
I have included the config of my test network.
I have no access thru the PIX once the encryption is enabled.
When the vpn client is not running I cannot ping thru the firewall in either direction (probably because the PIX is expecting encrypted data and is not getting it, so it drops the packets).
When the vpn client is running the transform sets never seem to match up between the vpn client and the PIX firewall (output included). I "appear" to be able to connect to the server (PIX 202.10.1.1) but can do nothing further...no ping, no map drives. I have also included a debug output for attempting to map the \\142.100.42.170\c$ drive from the vpn client. Again the log confirms the transform sets do not match.
I am running Cisco VPN client 3.6.3 (REL), encryption 168 bit 3des, authentication hmac-md5.
Any suggestions would be appreciated.
Thanks
CONFIG
: Saved
: Written by enable_15 at 16:50:29.033 MST Thu Jan 23 2003
PIX Version 6.2(2)
nameif ethernet0 outside_vpn security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security15
nameif ethernet3 intf3 security10
nameif ethernet4 dmz_aaa security20
nameif ethernet5 dmz_corp security25
enable password Y5nnogeQjU7io1mF encrypted
passwd z4K3MiWFG/GWffhr encrypted
hostname PIX-Lan
domain-name XXX.ca
clock timezone MST -7
clock summer-time MDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list acl_out permit ip any any
access-list acl_out permit icmp any any
access-list 110 permit ip 142.100.42.0 255.255.255.0 any
access-list insidetovpn permit ip host 142.100.42.170 host 202.10.1.2
access-list insidetovpn permit ip host 202.10.1.1 host 142.100.42.190
access-list 111 permit ip 10.214.1.0 255.255.255.0 any
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
interface ethernet0 10full
interface ethernet1 10baset
interface ethernet2 10baset shutdown
interface ethernet3 auto shutdown
interface ethernet4 100full
interface ethernet5 100full
mtu outside_vpn 1300
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu dmz_aaa 1500
mtu dmz_al_corp 1500
ip address outside_vpn 202.10.1.1 255.255.255.0
ip address inside 142.100.42.30 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address dmz_aaa 10.214.1.1 255.255.255.0
ip address intf5 127.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool test 142.100.42.190-142.100.42.200
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside_vpn 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address dmz_aaa 0.0.0.0
failover ip address dmz_corp 0.0.0.0
pdm location 142.100.42.170 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside_vpn) 1 202.10.1.10-202.10.1.30
global (outside_vpn) 2 202.10.1.31-202.10.1.39
global (outside_vpn) 1 202.10.1.8
global (outside_vpn) 2 202.10.1.9
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz_aaa) 0 access-list 111
nat (dmz_aaa) 2 0.0.0.0 0.0.0.0 0 0
static (inside,outside_vpn) 202.10.1.170 142.100.42.170 netmask 255.255.255.255 0 0
static (dmz_aaa,outside_vpn) 202.10.1.40 10.214.1.40 netmask 255.255.255.255 0 0
static (inside,dmz_aaa) 10.214.1.171 142.100.42.171 netmask 255.255.255.255 0 0
access-group acl_out in interface outside_vpn
access-group acl_out in interface dmz_aaa
route outside_vpn 0.0.0.0 0.0.0.0 202.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 142.100.42.170 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address insidetovpn
crypto map mymap 10 set peer 202.10.1.2
crypto map mymap 10 set transform-set myset1
crypto map mymap 10 set security-association lifetime seconds 7200 kilobytes 4608000
crypto map mymap interface outside_vpn
isakmp enable outside_vpn
isakmp key xxxxxxxx address 202.10.1.2 netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local test outside_vpn
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 142.100.42.170 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:c36579927dee7d7799351bc827c50e5f
: end
DEBUG OUTPUT FROM CONNECT
PIX-Lan#
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
VPN Peer: ISAKMP: Added new peer: ip:202.10.1.2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:202.10.1.2 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
DEBUG OUTPUT FROM MAP DRIVE
PIX-crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 934073291
ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 256
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1
ISAKMP: key length is 128
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_propos
al): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISADB: reaper checking SA 0x8150c560, conn_id = 0Lan#
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
VPN Peer: ISAKMP: Added new peer: ip:202.10.1.2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:202.10.1.2 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
crypto_isakmp_process_block: src 202.10.1.2, dest 202.10.1.1
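Both traces above show every client proposal being rejected: in phase 1 the PIX prints "encryption... What? 7?" because it has no name for IKE encryption attribute value 7 (AES-CBC, RFC 3602), and in phase 2 "trans 12" is ESP_AES (RFC 2407), while the posted config only accepts 3des/md5 (isakmp policy 10) and esp-3des esp-md5-hmac (myset1). The following Python is added here and is not part of the original post; it parses those debug lines, decodes the numeric identifiers, and reports the mismatch against the posted policy. The trace embedded in it is a trimmed copy of the output in the post; the PIX_* constants are transcribed from the posted config.

```python
"""Decode the proposals in a PIX 6.x 'debug crypto isakmp' trace and compare them
with the isakmp policy and transform-set from the posted config."""
import re
from dataclasses import dataclass

# IKE phase 1 encryption attribute values (RFC 2409 Appendix A; 7 is AES, RFC 3602).
IKE_ENCR = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC", 4: "RC5-CBC",
            5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}
# ESP transform ids (RFC 2407 4.4.4) and ESP auth attribute values (RFC 2407 4.5):
# the 'trans' and 'hmac_alg' fields of the PIX "not supported" message.
ESP_TRANSFORM = {2: "ESP_DES", 3: "ESP_3DES", 11: "ESP_NULL", 12: "ESP_AES"}
ESP_AUTH = {1: "HMAC-MD5", 2: "HMAC-SHA"}
# What the posted config accepts: isakmp policy 10 and transform-set myset1.
PIX_IKE_POLICY = "3DES-CBC/MD5"
PIX_TRANSFORM_SET = "ESP_3DES/HMAC-MD5"


@dataclass
class Proposal:
    phase: int               # 1 = ISAKMP transform, 2 = IPsec (ESP) proposal
    number: int
    encryption: str = "?"    # IKE cipher (phase 1) or ESP transform (phase 2)
    auth: str = "?"          # IKE hash (phase 1) or ESP authenticator (phase 2)
    key_length: int = 0
    accepted: bool = False


def parse_debug(lines):
    """Return (phase1, phase2) proposal lists built from the trace lines."""
    phase1, phase2, cur = [], [], None
    for raw in lines:
        line = raw.strip()
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = Proposal(1, int(m.group(1)))
            phase1.append(cur)
        elif m := re.search(r"Checking IPSec proposal (\d+)", line):
            cur = Proposal(2, int(m.group(1)))
            phase2.append(cur)
        elif cur is None:
            continue
        elif "atts are acceptable" in line:
            cur.accepted = True
        elif cur.phase == 1:
            # "encryption... What? 7?" is how this PIX build prints an attribute
            # value it has no name for, so the number is looked up here instead.
            if m := re.search(r"encryption\.\.\. What\? (\d+)\?", line):
                v = int(m.group(1))
                cur.encryption = IKE_ENCR.get(v, f"unknown({v})")
            elif m := re.search(r"encryption ([\w-]+)$", line):  # named form
                cur.encryption = m.group(1)
            elif m := re.search(r"hash (\w+)$", line):
                cur.auth = m.group(1)
        else:
            if m := re.search(r"authenticator is (\S+)$", line):
                cur.auth = m.group(1)
            elif m := re.search(r"key length is (\d+)$", line):
                cur.key_length = int(m.group(1))
            # The rejection line names the ESP transform only by number; in the
            # post it is wrapped onto a second line, so match that half only.
            elif m := re.search(r"trans (\d+), hmac_alg (\d+)\) not supported", line):
                t, a = int(m.group(1)), int(m.group(2))
                cur.encryption = ESP_TRANSFORM.get(t, f"unknown({t})")
                cur.auth = ESP_AUTH.get(a, cur.auth)
    return phase1, phase2


def diagnose(phase1, phase2):
    """Explain, in terms of the posted config, why nothing was accepted."""
    notes = []
    if phase1 and not any(p.accepted for p in phase1):
        offered = ", ".join(sorted({f"{p.encryption}/{p.auth}" for p in phase1}))
        notes.append(f"phase 1: client offered {offered}; isakmp policy 10 needs {PIX_IKE_POLICY}")
    if phase2 and not any(p.accepted for p in phase2):
        offered = ", ".join(sorted({f"{p.encryption}-{p.key_length}/{p.auth}" for p in phase2}))
        notes.append(f"phase 2: client offered {offered}; transform-set myset1 is {PIX_TRANSFORM_SET}")
    return notes


# Trimmed copy of the trace in the post: two phase 1 transforms, two phase 2 proposals.
SAMPLE_TRACE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP : Checking IPSec proposal 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP : Checking IPSec proposal 3
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
al): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
"""
```

Feed it the full trace with `parse_debug(open("pix-debug.txt").read().splitlines())` and print `diagnose(*...)`; an accepted proposal (a line containing "atts are acceptable") suppresses the note for that phase.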