
PIX 6.3 VPN group issues


labgrl76 (IS-IT--Management, US), Dec 2, 2005
Hello all. I've been trying to set up a VPN group using PIX 6.3. I have included both the PIX config and the debug while attempting to test the client connection. The PIX is sitting behind a router which is NAT'd. I've allowed UDP 4500 and 500 to pass through. It looks like it is making it to phase II, but I'm unsure what is causing it to fail.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxx encrypted
hostname xxxxxxxx
domain-name xxxxxxx
clock timezone EST -5
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list ACL_OUT permit ip any any
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list LAB2 permit ip 10.0.0.0 255.255.255.248 192.168.100.0 255.255.255.0
access-list ACL_IN permit icmp any any
access-list ACL_IN permit tcp any host 10.0.100.3 eq 3389
access-list ACL_IN permit udp any host 10.0.100.3 eq tftp
access-list ACL_IN permit tcp any host 10.0.100.3 eq 22293
access-list ACL_IN permit udp any any eq 5060
access-list ACL_IN permit tcp any any eq h323
access-list NONAT permit ip 10.0.0.0 255.255.255.248 172.17.30.16 255.255.255.24
access-list NONAT permit ip 10.0.0.0 255.255.255.248 192.168.100.0 255.255.255.0
access-list LAB permit ip 10.0.0.0 255.255.255.248 172.17.30.16 255.255.255.240
access-list CVPN permit ip 10.0.0.0 255.255.255.0 172.18.1.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console informational
logging monitor informational
logging buffered informational
logging trap errors
logging history informational
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside 10.0.100.3 255.255.255.0
ip address inside 10.0.0.1 255.255.255.0
ip audit name attacking attack action alarm drop reset
ip audit interface outside attacking
ip audit info action alarm
ip audit attack action alarm
ip audit signature 2001 disable
ip audit signature 2004 disable
ip local pool VPN 172.18.1.0-172.18.1.254
pdm location 146.145.65.12 255.255.255.255 outside
pdm location 10.0.100.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.0.100.3 3389 10.0.0.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 10.0.100.3 tftp 10.0.0.2 tftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.100.3 22293 10.0.0.2 22293 netmask 255.255.255.255 0 0
static (inside,outside) udp 10.0.100.3 5060 10.0.0.4 5060 netmask 255.255.255.255 0 0
access-group ACL_IN in interface outside
access-group ACL_OUT in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.100.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 129.6.15.28 source outside
http server enable
http 146.145.65.0 255.255.255.0 outside
http 146.145.36.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
http 172.17.10.0 255.255.255.0 inside
http 172.17.10.20 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set NORMAL esp-des esp-md5-hmac
crypto map MANAGED 10 ipsec-isakmp
crypto map MANAGED 10 match address LAB2
crypto map MANAGED 10 set peer 72.44.165.94
crypto map MANAGED 10 set transform-set NORMAL
crypto map MANAGED 20 ipsec-isakmp
crypto map MANAGED 20 match address LAB
crypto map MANAGED 20 set peer 71.123.35.30
crypto map MANAGED 20 set transform-set NORMAL
crypto map MANAGED 30 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 72.44.165.94 netmask 255.255.255.255
isakmp key ******** address 71.123.35.30 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 20 5
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup ARUN address-pool VPN
vpngroup ARUN split-tunnel CVPN
vpngroup ARUN idle-time 86400
vpngroup ARUN password ********
telnet xxxxxxx 255.255.255.0 outside
telnet xxxxxx 255.255.255.0 inside
telnet timeout 30
ssh xxxxxxxxxx 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd address 10.0.0.2-10.0.0.20 inside
dhcpd dns 68.87.64.146 68.87.60.144
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80

Now the debug....

crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19554 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT does not match MINE hash
hash received: 46 8b 74 86 ec 44 6c e5 ce ab 4a 2f 80 2a 21 4b
my nat hash : ee 9b f0 a2 62 f8 cd ee 25 fc 18 27 54 2a be 8b
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT does not match HIS hash
hash received: 1c 5f e3 d 74 83 1f 99 70 72 ac b4 78 3f 12 bc
his nat hash : f b9 1e 22 e9 72 35 3c 49 f3 a5 b9 52 75 91 84
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 146.145.36.41, peer port 25420
ISAKMP: Locking UDP_ENC struct 0x9ea7ac from crypto_ikmp_udp_enc_ike_init, count 1
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:146.145.36.41/19555 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:146.145.36.41/19555 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 146.145.36.41. message ID = 10978604
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28683)
Unsupported Attr: 28683
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP (0:0): responding to peer config from 146.145.36.41. ID = 2910398972
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2024985019

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8

ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 10.0.100.3
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 3860966394
ISAMKP (0): received DPD_R_U_THERE from peer 146.145.36.41
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:146.145.36.41, dest:10.0.100.3 spt:19555 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 1279265289, spi size = 16
ISAKMP (0): deleting SA: src 146.145.36.41, dst 10.0.100.3
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa98d0c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:146.145.36.41/19555 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:146.145.36.41/19555 Total VPN peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 146.145.36.41

ISAKMP: Unlocking UDP ENC struct 0x9ea7ac from isadb_free_isakmp_sa, count 0
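Added example (written for this page, not code from the thread, from Cisco, or from any poster): a small Python script that reads the `isakmp policy` lines from a PIX configuration and the `Checking ISAKMP transform ...` blocks from a `debug crypto isakmp` capture, normalises both to the same keyword spelling, and reports for each client transform which policy accepted it, or which attributes differed on every policy. Its sample input is the four policies from the config above and transforms 1 and 9 from the debug above, plus one constructed transform 10 (3DES/MD5/group 2/pre-share) so that an accepted transform is also shown. Assumptions, labelled in the code as well: the responder walks policies in priority order and takes the first one that matches on encryption, hash, group and authentication; lifetime is left out of the comparison; AES with key length 192 or 256 corresponds to the `aes-192`/`aes-256` policy keywords; and an XAUTH `extended auth pre-share` proposal is treated as matching an `authentication pre-share` policy.

```python
"""Explain 'atts are not acceptable' by diffing client IKE Phase 1 proposals
against a PIX 6.3 isakmp policy set. Added example; assumptions are marked."""
import re

# Constructed sample: the four Phase 1 policies from the thread's PIX config
# (lifetime lines omitted; lifetime is not part of this comparison).
PIX_CONFIG = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 1
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
"""

# Constructed sample debug: transforms 1 and 9 as printed in the thread, plus a
# hypothetical transform 10 (3DES/MD5/group 2) that would be accepted.
DEBUG = """
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP (0): atts are not acceptable.
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
"""

ATTRS = ("encryption", "hash", "group", "authentication")


def parse_policies(config):
    """Return {priority: {attribute: value}} from 'isakmp policy N ...' lines."""
    policies = {}
    pattern = r"isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)"
    for m in re.finditer(pattern, config):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies


def parse_transforms(debug):
    """Return {transform_no: {attribute: value}} using the config's keyword spelling."""
    transforms, cur = {}, None
    for line in debug.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = transforms.setdefault(int(m.group(1)), {})
        elif cur is None:
            continue
        elif m := re.search(r"ISAKMP: encryption (\S+)", line):
            cur["encryption"] = m.group(1).replace("-CBC", "").lower()  # aes / 3des / des
        elif m := re.search(r"ISAKMP: hash (\S+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.search(r"group (\d+)", line):
            cur["group"] = m.group(1)
        elif "auth pre-share" in line:
            # Assumption: XAUTH ('extended auth pre-share') and plain pre-share both
            # map onto an 'authentication pre-share' policy.
            cur["authentication"] = "pre-share"
        elif m := re.search(r"keylength of (\d+)", line):
            # Assumption: 192/256-bit AES corresponds to the aes-192 / aes-256 keywords.
            if cur.get("encryption") == "aes" and m.group(1) != "128":
                cur["encryption"] = "aes-" + m.group(1)
    return transforms


def match_transform(transform, policies):
    """Walk policies by priority (assumed responder behaviour); return (prio, None)
    for the first full match, else (None, {prio: [attributes that differ]})."""
    misses = {}
    for prio in sorted(policies):
        bad = [a for a in ATTRS if policies[prio].get(a) != transform.get(a)]
        if not bad:
            return prio, None
        misses[prio] = bad
    return None, misses


def explain(config, debug):
    """Return {transform_no: accepting priority or None} and print the reasoning."""
    policies, transforms = parse_policies(config), parse_transforms(debug)
    result = {}
    for n, t in sorted(transforms.items()):
        prio, misses = match_transform(t, policies)
        result[n] = prio
        if prio is None:
            why = "; ".join(f"policy {p}: {','.join(b)} differ" for p, b in misses.items())
            print(f"transform {n} {t}: rejected -> {why}")
        else:
            print(f"transform {n} {t}: accepted by policy {prio}")
    return result


if __name__ == "__main__":
    explain(PIX_CONFIG, DEBUG)
```

Run as-is, it shows that transforms 1 and 9 cannot land anywhere because the posted policy set contains no AES and no SHA entry at all, while the constructed transform 10 is accepted by policy 40. The same style of comparison applies to Phase 2, where the client's ESP_AES/HMAC proposals would be set against the single `esp-des esp-md5-hmac` transform set; before going there, a practitioner would check that the crypto map is actually bound to the interface, since the config as posted has no `crypto map MANAGED interface outside` line and map entry 30 carries no `set` statements or dynamic map.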

 
What does your router config look like?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi, thanks for taking the time to check this out. Here is a brief but pertinent part of my config:

interface FastEthernet1/0
description link to ISP
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no keepalive
no cdp enable
service-policy output policy1
!
interface FastEthernet2/0
description SITE_A_LAN
ip address 10.0.100.1 255.255.255.0
ip access-group QoSmap in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!

!
no ip http server
!
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source static udp 10.0.100.1 5060 interface FastEthernet1/0 5060
ip nat inside source static tcp 10.0.100.3 500 interface FastEthernet1/0 500
ip nat inside source static udp 10.0.100.3 4500 interface FastEthernet1/0 4500
ip nat inside source static tcp 10.0.100.3 3389 interface FastEthernet1/0 3389
ip nat inside source static esp 10.0.100.3 interface FastEthernet1/0
ip nat inside source static tcp 10.0.100.3 1723 interface FastEthernet1/0 1723
ip nat inside source static tcp 10.0.100.3 22 interface FastEthernet1/0 22
ip nat inside source static tcp 10.0.100.1 23 interface FastEthernet1/0 23
ip nat inside source static tcp 10.0.100.3 22293 interface FastEthernet1/0 22293
ip nat inside source static udp 10.0.100.3 500 interface FastEthernet1/0 500
!
ip access-list extended QoSmap
permit udp any any eq 5004
permit udp any any eq 5060
permit udp any any eq 2427
permit udp any any eq 2727
permit udp any any range 5440 5446
permit ip any any dscp cs3
permit ip any any dscp af31
permit ip any any dscp cs4
permit ip any any dscp af41
permit ip any any dscp cs5
permit ip any any dscp ef
permit ip any any dscp cs6
permit ip any any dscp cs7
permit ip any any
access-list 1 permit any
 