
Pix 501 VPN and Smtp


brand1068 (IS-IT--Management)
Apr 9, 2003
Hi.

Just trying to set up a new PIX 501 - never done Cisco before.

I've managed to get HTTP working from outside the network, routing to "server", but with SMTP, when you telnet to it you get 220 ************ ******************

Also, I've run the VPN client wizard and can connect via the VPN client, but I can't get any traffic across (i.e. ping, or get to the HTTP locally).

I've posted the setup below.
*********************************************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name procom-it.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 server
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.0.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.96 255.255.255.240
access-list server permit tcp any host 213.249.146.72 eq www
access-list server permit tcp any host 213.249.146.72 eq smtp
access-list webserver permit tcp any host 213.249.146.72 eq www
access-list webserver permit tcp any host 213.249.146.72 eq smtp
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.249.146.72 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 192.168.0.102-192.168.0.105
pdm location server 255.255.255.255 inside
pdm location 213.249.146.72 255.255.255.255 inside
pdm location 192.168.0.96 255.255.255.240 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255 0 0
access-group webserver in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.146.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http server 255.255.255.255 inside
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chris address-pool vpn
vpngroup chris dns-server server
vpngroup chris default-domain procom-it.local
vpngroup chris pfs
vpngroup chris idle-time 1800
vpngroup chris password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.0.100-192.168.0.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:87712c37309bca69eb34f8f9f59b9f77
: end
 
Take this line out:
fixup protocol smtp 25
(just put "no" in front of it to remove it from the config). It hijacks SMTP traffic and inspects it (and this version is not compatible with MS Exchange).

For the VPN, you will need a different subnet for the IP pool:
ip address inside 192.168.0.1 255.255.255.0
ip local pool vpn 192.168.0.102-192.168.0.105 (this can't be the same network as your inside)
Change it to
ip local pool vpn 192.168.32.102-192.168.32.105 (the "32" can be any number between 1 and 255. I recommend something non-standard [32, 74, ...] so there won't be any conflicts with people's home networks.)
This ACL needs to be changed so it will ignore NAT correctly for the VPN:
access-list inside_outbound_nat0_acl permit ip any 192.168.0.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.96 255.255.255.240
to
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0

Hope this helps.



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi, thanks for that. The SMTP works now. I've made the changes (I think) as suggested, but now the VPN client won't connect at all. Here's the new config.
********************************************

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name procom-it.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 server
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list webserver permit tcp any host 213.249.146.72 eq www
access-list webserver permit tcp any host 213.249.146.72 eq smtp
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.240
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.249.146.72 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.32.102-192.168.32.112
pdm location server 255.255.255.255 inside
pdm location 213.249.146.72 255.255.255.255 inside
pdm location 192.168.0.96 255.255.255.240 outside
pdm location 192.168.32.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255 0 0
access-group webserver in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.146.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chris address-pool vpnpool
vpngroup chris dns-server server
vpngroup chris default-domain procom-it.local
vpngroup chris pfs
vpngroup chris idle-time 1800
vpngroup chris password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.0.100-192.168.0.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:0ed97eb5c9d5e4bc38dc08deb76dea59
: end

Thanks again for your help.

Chris
 
OK, getting further - I noticed that this line looked wrong:
"access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.240 "

So here is the new config, with me now able to connect to the VPN but still unable to get any traffic to the network.

*********************************************************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name procom-it.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 server
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list webserver permit tcp any host 213.249.146.72 eq www
access-list webserver permit tcp any host 213.249.146.72 eq smtp
access-list outside_cryptomap_dyn_20 permit ip any 192.168.32.96 255.255.255.224
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.249.146.72 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.32.102-192.168.32.112
pdm location server 255.255.255.255 inside
pdm location 213.249.146.72 255.255.255.255 inside
pdm location 192.168.32.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255 0 0
access-group webserver in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.146.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chris address-pool vpnpool
vpngroup chris dns-server server
vpngroup chris default-domain procom-it.local
vpngroup chris pfs
vpngroup chris idle-time 1800
vpngroup chris password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.0.100-192.168.0.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:d311170f0181bb0ead5298e423296898
: end

Thanks Again,

Chris
 
These two don't match:
access-list outside_cryptomap_dyn_20 permit ip any 192.168.32.96 255.255.255.224
ip local pool vpnpool 192.168.32.102-192.168.32.112
Make the "96" in the ACL a "0".

Then do
no isakmp enable outside
isakmp enable outside
to reset the VPN connection setup.


Brent
Systems Engineer / Consultant
CCNP, CCSP
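Brent's two replies boil down to three consistency rules between the VPN pool, the inside subnet, the nat 0 exemption ACL and the dynamic crypto map's match ACL. The checker below is an added example written for this page (not a Cisco tool and not code from the thread); it parses those lines from excerpts of the configs posted in this thread, applies the rules, and also reports when a dynamic-map has no match address line at all, which is how the last config posted further down reads.

```python
"""Consistency checks for the PIX 6.3 remote-access VPN pieces discussed in this
thread (inside subnet, ip local pool, nat 0 exemption ACL, dynamic crypto map ACL).
Illustration written for this page, not a Cisco tool; configs are thread excerpts."""
import ipaddress

# First config posted: the pool is carved out of the inside /24 (Brent's first fix).
CONFIG_FIRST = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool vpn 192.168.0.102-192.168.0.105
access-list inside_outbound_nat0_acl permit ip any 192.168.0.96 255.255.255.240
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.96 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup chris address-pool vpn
"""

# Second config posted: pool moved to 192.168.32.x, crypto ACL not yet updated.
CONFIG_SECOND = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool vpnpool 192.168.32.102-192.168.32.112
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.96 255.255.255.240
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup chris address-pool vpnpool
"""

# Last config posted: both ACLs agree on 192.168.32.0/24, but no "match address" line appears.
CONFIG_FINAL = """\
ip address inside 192.168.0.1 255.255.255.0
ip local pool vpnpool 192.168.32.102-192.168.32.112
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.32.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
vpngroup chris address-pool vpnpool
"""

def _addr(tok, i):
    """Parse one PIX address spec at tok[i]; return (network or None, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":  # "interface inside" = the interface's own address
        return None, i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_pix(config):
    """Collect the VPN-relevant facts from a PIX 6.x running-config."""
    cfg = {"inside": None, "pools": {}, "acls": {}, "nat0": None, "dynmaps": {}, "groups": {}}
    for line in config.splitlines():
        tok = line.split()  # slicing below keeps blank lines from raising IndexError
        if tok[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False)
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif tok[:1] == ["access-list"] and tok[2:3] == ["permit"]:
            src, i = _addr(tok, 4)  # access-list NAME permit PROTO SRC DST [eq PORT]
            dst, _ = _addr(tok, i)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[:2] == ["nat", "(inside)"] and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"] = tok[4]
        elif tok[:2] == ["crypto", "dynamic-map"]:
            cfg["dynmaps"].setdefault(tok[2], None)
            if tok[4:6] == ["match", "address"]:
                cfg["dynmaps"][tok[2]] = tok[6]
        elif tok[:1] == ["vpngroup"] and tok[2:3] == ["address-pool"]:
            cfg["groups"][tok[1]] = tok[3]
    return cfg

def _covered(entries, nets):
    """True when every network in nets lies inside some destination of the ACL."""
    return all(any(dst is not None and n.subnet_of(dst) for _, dst in entries) for n in nets)

def check_vpn(config):
    """Return findings; an empty list means pool, nat 0 ACL and crypto ACL agree."""
    cfg = parse_pix(config)
    findings = []
    for group, pool_name in cfg["groups"].items():
        if pool_name not in cfg["pools"]:
            findings.append(f"vpngroup {group}: address-pool {pool_name} is not defined")
            continue
        pool = list(ipaddress.summarize_address_range(*cfg["pools"][pool_name]))
        # Rule 1 (Brent's first reply): the pool must not live inside the LAN subnet.
        if cfg["inside"] and any(n.overlaps(cfg["inside"]) for n in pool):
            findings.append(f"pool {pool_name} overlaps the inside network {cfg['inside']}")
        # Rule 2 (same reply): the nat 0 ACL must exempt LAN-to-pool traffic from NAT.
        if not _covered(cfg["acls"].get(cfg["nat0"], []), pool):
            findings.append(f"nat 0 ACL {cfg['nat0']} does not exempt traffic to pool {pool_name}")
        # Rule 3 (Brent's second reply): the dynamic-map's match ACL must cover the pool.
        for name, acl in cfg["dynmaps"].items():
            if acl is None:
                findings.append(f"dynamic-map {name} has no 'match address' ACL")
            elif not _covered(cfg["acls"].get(acl, []), pool):
                findings.append(f"crypto ACL {acl} on dynamic-map {name} does not cover pool {pool_name}")
    return findings
```

Running check_vpn on the three excerpts gives, in order: the pool/inside overlap, the stale crypto ACL that Chris spotted himself, and the absent match address line.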
 
Hi, I made the changes as suggested but still nothing.

Best,

Chris

*****************************************************
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name procom-it.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.0.2 server
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
access-list webserver permit tcp any host 213.249.146.72 eq www
access-list webserver permit tcp any host 213.249.146.72 eq smtp
access-list outside_cryptomap_dyn_20 permit ip any 192.168.32.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 213.249.146.72 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.32.102-192.168.32.112
pdm location server 255.255.255.255 inside
pdm location 213.249.146.72 255.255.255.255 inside
pdm location 192.168.32.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255 0 0
access-group webserver in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 213.249.146.65 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.1 255.255.255.255 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup chris address-pool vpnpool
vpngroup chris dns-server server
vpngroup chris default-domain procom-it.local
vpngroup chris pfs
vpngroup chris idle-time 1800
vpngroup chris password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn enable outside
dhcpd address 192.168.0.100-192.168.0.110 inside
dhcpd lease 3600
dhcpd ping_timeout 750
username chris password 9DgK/T8KJkq.BhX6 encrypted privilege 15
terminal width 80
Cryptochecksum:975e694068b5f431d339daa5595aa1f8
: end
 
Do
debug crypto isakmp
debug crypto ipsec

and try to bring up the tunnel. You will get a log of what is not connecting.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Well, have you checked your PC client? Software firewalls like Symantec or the Windows XP built-in one can stall access after you successfully connect to the VPN.

Because your VPN connects, right? Or am I all wrong here!?
 
Hi Brent,

Attached are the client logs.

Cisco Systems VPN Client Version 4.8.01.0300
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1 11:21:09.557 10/31/06 Sev=Warning/3 GUI/0xA3B0000B
Reloaded the Certificates in all Certificate Stores successfully.

2 11:21:16.103 10/31/06 Sev=Info/4 CM/0x63100002
Begin connection process

3 11:21:16.119 10/31/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

4 11:21:16.119 10/31/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "213.249.146.72"

5 11:21:16.119 10/31/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 213.249.146.72.

6 11:21:16.135 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.249.146.72

7 11:21:16.244 10/31/06 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

8 11:21:16.244 10/31/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

9 11:21:16.244 10/31/06 Sev=Info/6 IPSEC/0x6370002C
Sent 69 packets, 0 were fragmented.

10 11:21:16.244 10/31/06 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (192.168.0.10)

11 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

12 11:21:17.666 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 213.249.146.72

13 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

14 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD

15 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

16 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

17 11:21:17.666 10/31/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

18 11:21:17.682 10/31/06 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

19 11:21:17.682 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 213.249.146.72

20 11:21:17.682 10/31/06 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4

21 11:21:17.682 10/31/06 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end is NOT behind a NAT device

22 11:21:17.682 10/31/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23 11:21:17.682 10/31/06 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

24 11:21:17.682 10/31/06 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

25 11:21:17.682 10/31/06 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

26 11:21:17.697 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 213.249.146.72

27 11:21:17.963 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

28 11:21:17.963 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 213.249.146.72

29 11:21:17.963 10/31/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

30 11:21:17.963 10/31/06 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

31 11:21:18.072 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

32 11:21:18.072 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 213.249.146.72

33 11:21:18.072 10/31/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.32.102

34 11:21:18.072 10/31/06 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.0.2

35 11:21:18.072 10/31/06 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = procom-it.local

36 11:21:18.072 10/31/06 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000001

37 11:21:18.072 10/31/06 Sev=Info/4 CM/0x63100019
Mode Config data received

38 11:21:18.291 10/31/06 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.32.102, GW IP = 213.249.146.72, Remote IP = 0.0.0.0

39 11:21:18.307 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID) to 213.249.146.72

40 11:21:18.307 10/31/06 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

41 11:21:20.103 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

42 11:21:20.103 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, KE, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 213.249.146.72

43 11:21:20.103 10/31/06 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

44 11:21:20.103 10/31/06 Sev=Info/5 IKE/0x63000046
RESPONDER-LIFETIME notify has value of 4608000 kb

45 11:21:20.119 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 213.249.146.72

46 11:21:20.119 10/31/06 Sev=Info/5 IKE/0x63000059
Loading IPsec SA (MsgID=EE4E7640 OUTBOUND SPI = 0x0FB550BE INBOUND SPI = 0xE3898A27)

47 11:21:20.119 10/31/06 Sev=Info/5 IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x0FB550BE

48 11:21:20.119 10/31/06 Sev=Info/5 IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE3898A27

49 11:21:20.182 10/31/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 213.130.141.120 213.130.141.120 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
213.130.141.120 255.255.255.255 127.0.0.1 127.0.0.1 50
213.130.141.255 255.255.255.255 213.130.141.120 213.130.141.120 50
213.130.146.202 255.255.255.255 213.130.141.120 213.130.141.120 1
224.0.0.0 240.0.0.0 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1
255.255.255.255 255.255.255.255 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1


50 11:21:21.260 10/31/06 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.32.102/255.255.255.0
DNS=192.168.0.2,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=procom-it.local
Split DNS Names=

51 11:21:21.260 10/31/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.32.102 192.168.32.102 1
0.0.0.0 0.0.0.0 213.130.141.120 213.130.141.120 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.32.0 255.255.255.0 192.168.32.102 192.168.32.102 50
192.168.32.102 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.32.255 255.255.255.255 192.168.32.102 192.168.32.102 50
213.130.141.120 255.255.255.255 127.0.0.1 127.0.0.1 50
213.130.141.255 255.255.255.255 213.130.141.120 213.130.141.120 50
213.130.146.202 255.255.255.255 213.130.141.120 213.130.141.120 1
224.0.0.0 240.0.0.0 192.168.32.102 192.168.32.102 50
224.0.0.0 240.0.0.0 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 192.168.32.102 192.168.32.102 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1
255.255.255.255 255.255.255.255 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1


52 11:21:21.260 10/31/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 213.130.141.255
Netmask 255.255.255.255
Gateway 192.168.32.102
Interface 192.168.32.102

53 11:21:21.260 10/31/06 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: d5828dff, Netmask: ffffffff, Interface: c0a82066, Gateway: c0a82066.

54 11:21:21.541 10/31/06 Sev=Info/4 CM/0x63100038
Successfully saved route changes to file.

55 11:21:21.603 10/31/06 Sev=Info/5 CVPND/0x63400013
Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.32.102 192.168.32.102 1
0.0.0.0 0.0.0.0 213.130.141.120 213.130.141.120 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.32.0 255.255.255.0 192.168.32.102 192.168.32.102 50
192.168.32.102 255.255.255.255 127.0.0.1 127.0.0.1 50
192.168.32.255 255.255.255.255 192.168.32.102 192.168.32.102 50
213.130.141.120 255.255.255.255 127.0.0.1 127.0.0.1 50
213.130.141.255 255.255.255.255 213.130.141.120 213.130.141.120 50
213.130.146.202 255.255.255.255 192.168.32.102 192.168.32.102 50
213.130.146.202 255.255.255.255 213.130.141.120 213.130.141.120 1
213.249.146.72 255.255.255.255 213.130.141.120 213.130.141.120 1
224.0.0.0 240.0.0.0 192.168.32.102 192.168.32.102 50
224.0.0.0 240.0.0.0 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 192.168.32.102 192.168.32.102 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1
255.255.255.255 255.255.255.255 213.130.141.120 213.130.141.120 1
255.255.255.255 255.255.255.255 213.130.141.120 0.0.0.0 1


56 11:21:21.603 10/31/06 Sev=Info/6 CM/0x63100036
The routing table was updated for the Virtual Adapter

57 11:21:21.947 10/31/06 Sev=Info/4 CM/0x6310001A
One secure connection established

58 11:21:22.135 10/31/06 Sev=Info/4 CM/0x6310003B
Address watch added for 213.130.141.120. Current hostname: chris01, Current address(es): 192.168.32.102, 213.130.141.120.

59 11:21:22.135 10/31/06 Sev=Info/4 CM/0x6310003B
Address watch added for 192.168.32.102. Current hostname: chris01, Current address(es): 192.168.32.102, 213.130.141.120.

60 11:21:22.135 10/31/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

61 11:21:22.135 10/31/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0xbe50b50f into key list

62 11:21:22.135 10/31/06 Sev=Info/4 IPSEC/0x63700010
Created a new key structure

63 11:21:22.135 10/31/06 Sev=Info/4 IPSEC/0x6370000F
Added key with SPI=0x278a89e3 into key list

64 11:21:22.135 10/31/06 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 192.168.32.102

65 11:21:22.135 10/31/06 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 1.

66 11:21:27.775 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

67 11:21:27.775 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168645

68 11:21:28.041 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

69 11:21:28.041 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

70 11:21:28.041 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168645, seq# expected = 2929168645

71 11:21:38.275 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

72 11:21:38.275 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168646

73 11:21:38.619 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

74 11:21:38.619 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

75 11:21:38.619 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168646, seq# expected = 2929168646

76 11:21:48.775 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

77 11:21:48.775 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168647

78 11:21:49.041 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

79 11:21:49.041 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

80 11:21:49.041 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168647, seq# expected = 2929168647

81 11:21:59.275 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

82 11:21:59.275 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168648

83 11:22:01.228 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

84 11:22:01.228 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

85 11:22:01.228 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168648, seq# expected = 2929168648

86 11:22:16.275 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

87 11:22:16.275 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168649

88 11:22:16.541 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

89 11:22:16.541 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

90 11:22:16.541 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168649, seq# expected = 2929168649

91 11:22:31.775 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

92 11:22:31.775 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168650

93 11:22:32.041 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

94 11:22:32.041 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

95 11:22:32.041 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168650, seq# expected = 2929168650

96 11:22:42.275 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

97 11:22:42.275 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168651

98 11:22:42.541 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

99 11:22:42.541 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

100 11:22:42.541 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168651, seq# expected = 2929168651

101 11:22:52.775 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

102 11:22:52.775 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168652

103 11:22:53.041 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

104 11:22:53.041 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

105 11:22:53.041 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168652, seq# expected = 2929168652

106 11:23:03.275 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

107 11:23:03.275 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168653

108 11:23:03.541 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

109 11:23:03.541 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

110 11:23:03.541 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168653, seq# expected = 2929168653

111 11:23:13.775 10/31/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 213.249.146.72

112 11:23:13.775 10/31/06 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 213.249.146.72, our seq# = 2929168654

113 11:23:14.041 10/31/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 213.249.146.72

114 11:23:14.041 10/31/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 213.249.146.72

115 11:23:14.041 10/31/06 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 213.249.146.72, seq# received = 2929168654, seq# expected = 2929168654
 
All the negotiation looks good. Is the network that you are trying to connect from the same as the destination network?
192.168.0.0/24 and 192.168.0/24
These tend to be the default networks and cause lots of problems. It is the same idea as the VPN pool. You need different networks. If it is not a gigantic hassle, change the pix local network to something else (192.168.247.0/24)
You will have to change your ACLs and statics to match:
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.32.0 255.255.255.0
static (inside,outside) tcp interface 255.255.255.255 0 0
static (inside,outside) tcp interface smtp server smtp netmask 255.255.255.255 0 0
name 192.168.0.2 server



Can you also send the debugs from the pix itself?


Brent
Systems Engineer / Consultant
CCNP, CCSP
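As an added example (not code from this thread), a small Python check for the overlap Brent describes, plus the matching nat 0 access-list line. The 192.168.0.0/24 LAN, the 192.168.0.96/28 pool, the 192.168.32.0/24 pool and the 192.168.247.0/24 renumbering are the networks mentioned in the thread; the client LAN is a constructed stand-in for whatever network the VPN client dials in from.

```python
"""Added example: flag the overlapping-network problem from the thread.

Assumptions (not from the original post): the three networks are given as
CIDR strings, and the nat 0 ACL is named inside_outbound_nat0_acl as in the
posted PIX config.
"""
from ipaddress import ip_network


def check_overlaps(inside_net: str, vpn_pool: str, client_lan: str) -> list[str]:
    """Return the overlap problems found; an empty list means the layout is clean.

    inside_net: the LAN behind the PIX that VPN users need to reach
    vpn_pool:   the addresses handed out to VPN clients (ip local pool)
    client_lan: the LAN the client sits on when it connects
    """
    inside = ip_network(inside_net, strict=False)
    pool = ip_network(vpn_pool, strict=False)
    client = ip_network(client_lan, strict=False)
    problems = []
    # A client on 192.168.0.0/24 dialling into a 192.168.0.0/24 LAN cannot
    # tell a local host from a remote one, so traffic never enters the tunnel.
    if client.overlaps(inside):
        problems.append(f"client LAN {client} overlaps remote LAN {inside}")
    # Brent's advice applies to the pool too: it should be its own network,
    # not a slice of the inside LAN (192.168.0.96/28 inside 192.168.0.0/24).
    if pool.overlaps(inside):
        problems.append(f"VPN pool {pool} overlaps remote LAN {inside}")
    if pool.overlaps(client):
        problems.append(f"VPN pool {pool} overlaps client LAN {client}")
    return problems


def nat0_acl(inside_net: str, vpn_pool: str,
             name: str = "inside_outbound_nat0_acl") -> str:
    """Build the nat 0 ACL line that exempts LAN-to-pool traffic from NAT.

    PIX ACLs take a regular subnet mask, not a wildcard mask.
    """
    inside = ip_network(inside_net, strict=False)
    pool = ip_network(vpn_pool, strict=False)
    return (f"access-list {name} permit ip "
            f"{inside.network_address} {inside.netmask} "
            f"{pool.network_address} {pool.netmask}")


if __name__ == "__main__":
    # The layout from the thread, then the renumbered one Brent suggests.
    for layout in (("192.168.0.0/24", "192.168.0.96/28", "192.168.0.0/24"),
                   ("192.168.247.0/24", "192.168.32.0/24", "192.168.0.0/24")):
        print(layout, check_overlaps(*layout) or "OK")
        print(nat0_acl(layout[0], layout[1]))
```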
 
This is the log file from the pix.

Best,

Chris

***************************************************
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 213.130.141.181. message ID = 11234588
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1900123874

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: group is 2
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 213.130.141.181 to 213.249.146.72 (proxy 192.168.32.102 to 0.0.0.0)
has spi 3820603581 and conn_id 1 and flags 25
lifetime of 2147483 seconds
outbound SA from 213.249.146.72 to 213.130.141.181 (proxy 0.0.0.0 to 192.168.32.102)
has spi 2294270460 and conn_id 2 and flags 25
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1570363065
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 607871550
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3930077243
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 734422038
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 99666178
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2403345503
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:213.130.141.181, dest:213.249.146.72 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 4270167207
ISAMKP (0): received DPD_R_U_THERE from peer 213.130.141.181
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
 
Hi,

No, normally when I'm trying to VPN in I close down my network connection and use a dialup; it's normally on a 213. range.

Best,

Chris
 
Hi Brent,

Did you manage to look at this?

Best,

Chris
 
I noticed this in the client log
52 11:21:21.260 10/31/06 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
Destination 213.130.141.255
Netmask 255.255.255.255
Gateway 192.168.32.102
Interface 192.168.32.102

Does this happen all the time?


Here are a few things to try. I have had people change the vpn pool to include the whole subnet rather than just a small subset and that seemed to fix similar problems. I haven't had that work/not work before but it is worth a try. The other thing you can do is disable the pfs setting in the VPN.

You can also delete these lines; they aren't doing anything:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport




Brent
Systems Engineer / Consultant
CCNP, CCSP
 