
PIX 515 and VPN Client 3.5


simonanscombe

Jul 22, 2002
I have configured my PIX 515 to allow Client VPN requests from a client using Cisco VPN client 3.5.

However, the client is getting the following error message when connecting to the PIX:

"The remote peer does not support the required VPN client protocol"

Any ideas what VPN protocol this is referring to?

Many Thanks
 
Perhaps you are requiring a 3DES connection and the client only does DES. Posting your config may help.
-gbiello
 
Many thanks, here's the config for the IPsec as requested.

Please note that the config is for both Site to Site (which is working) and VPN Client.

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set mytransform esp-des
crypto dynamic-map mydynmap 10 set transform-set mytransform
crypto map mymap 11 ipsec-isakmp
crypto map mymap 11 match address tosite1
crypto map mymap 11 set peer 1.1.1.1
crypto map mymap 11 set transform-set mytransform
crypto map mymap 12 ipsec-isakmp
crypto map mymap 12 match address pts_to_cer
crypto map mymap 12 set peer 2.2.2.2
crypto map mymap 12 set transform-set mytransform
crypto map mymap 100 ipsec-isakmp dynamic mydynmap
crypto map mymap interface outside

isakmp enable outside
isakmp key ************* address 1.1.1.1 netmask 255.255.255.255

isakmp key ************* address 2.2.2.2 netmask 255.255.255.255

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

vpngroup vpngrp address-pool vpnclientpool
vpngroup vpngrp dns-server 12.16.2.1 12.20.2.1
vpngroup vpngrp wins-server 12.16.2.1 12.20.2.1
vpngroup vpngrp split-tunnel vpnclient
vpngroup vpngrp idle-time 1800
vpngroup vpngrp password **********

access-list vpnclient permit ip 0.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonatinside permit ip 0.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0

Many thanks
 
Hi.

> isakmp policy 10 group 1
Try to use group 2.

If you change this to:
isakmp policy 10 group 2
You will also need to modify the site to site peers with the same.

Or instead, you can use additional isakmp policy:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2

Bye

Yizhar Hurwitz
 
Please HELP me
simple VPN client to PIX

VPN config created with PDM

PIX Version 6.2(2)

access-list inside_outbound_nat0_acl permit ip any 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

access-group acl-out in interface outside
conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 62.23.193.249 1
route inside 192.0.2.0 255.255.255.0 128.1.12.1 1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup lutin address-pool pool_lutin
vpngroup lutin default-domain domaine
vpngroup lutin idle-time 1800
vpngroup lutin password ********


Result on VPN client:

1 20:08:12.955 02/24/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

Result on PIX debug:


VPN Peer: ISAKMP: Added new peer: ip:62.23.132.124 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:62.23.132.124 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy

tks
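
A way to read the debug output in the last post against the configured policy, added here as an example and not part of the original thread: it parses the `isakmp policy` lines and the "Checking ISAKMP transform" entries and reports which of encryption, hash and group differ for each offer. The function names are hypothetical; the mapping of id 7 to AES-CBC is taken from the IANA IKE attributes registry, and the debug format for values the PIX does recognise is an assumption.

```python
import re

# IKEv1 encryption ids (IANA IKE registry); the PIX prints "What? N?" for ids it does not know.
IKE_ENC = {1: "des", 5: "3des", 7: "aes"}
ATTRS = ("encryption", "hash", "group")  # authentication/XAUTH is not compared

def parse_policies(config):
    """'isakmp policy N attr value' lines -> {priority: {attr: value}}."""
    policies = {}
    pat = r"^\s*isakmp policy (\d+) (encryption|hash|group) (\S+)"
    for prio, attr, val in re.findall(pat, config, re.M):
        policies.setdefault(int(prio), {})[attr] = val.lower()
    return policies

def parse_offers(debug):
    """Debug text -> {transform: {attr: value}}; assumes known values print like 'DES-CBC'."""
    offers, cur = {}, {}  # cur starts as a throwaway for lines before any transform
    for line in map(str.strip, debug.splitlines()):
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = offers.setdefault(int(m.group(1)), {})
        elif m := re.match(r"ISAKMP:\s+encryption\.\.\. What\? (\d+)\?", line):
            cur["encryption"] = IKE_ENC.get(int(m.group(1)), "id " + m.group(1))
        elif m := re.match(r"ISAKMP:\s+(?:default )?(encryption|hash|group) (\S+)", line):
            cur[m.group(1)] = m.group(2).lower().removesuffix("-cbc")
    return offers

def explain(policies, offers):
    """Attributes that differ, per (transform, policy priority) pair."""
    return {(t, p): [a for a in ATTRS if offer.get(a) != pol.get(a)]
            for t, offer in offers.items() if offer  # skip entries cut off in the log
            for p, pol in policies.items()}

# Sample input: lines copied from the PDM-generated config and debug in this thread.
CONFIG = """isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2"""
DEBUG = """ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy"""

if __name__ == "__main__":
    for (t, p), diff in explain(parse_policies(CONFIG), parse_offers(DEBUG)).items():
        print(f"transform {t} vs policy {p}: differs on {', '.join(diff) or 'nothing'}")
```

On the sample above, both logged offers differ from policy 20 on encryption (AES offered, DES configured), and the second also differs on hash.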

 