I recently took control of a device that is being used at one of our facilities. Apparently the VPN function had worked before but now it does not. I'm skeptical if it actually did work. I've gone through the config and I can't see where I'm going wrong or what I'm missing.
When I launch my VPN client I get:
'Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding'
My VPN Log shows:
235 12:58:55.146 03/12/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 209.xxx.xxx.234
236 12:59:00.217 03/12/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A6697D8BAED86D83 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
237 12:59:00.727 03/12/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A6697D8BAED86D83 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
238 12:59:00.727 03/12/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "209.xxx.xxx.234" because of "DEL_REASON_PEER_NOT_RESPONDING"
Here is my PIX config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8uMbWTFL6di8TI2y encrypted
passwd 5FjlhU7pOWvV0gPR encrypted
hostname PIX515E
domain-name MY-Domain.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.45.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 permit tcp any host 209.xxx.xxx.235 eq 3389
access-list 102 permit tcp any any eq https
access-list 102 permit ip 192.168.45.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.45.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.xxx.xxx.234 255.255.255.240
ip address inside 192.168.45.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool pixpool 10.100.10.1-10.100.10.100
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.45.3 255.255.255.255 inside
pdm location 192.168.45.7 255.255.255.255 inside
pdm location 192.168.45.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.235 192.168.45.3 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.45.2 xxxxxxxx timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community goaway
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 1 idle-time 1800
vpngroup myvpnall address-pool pixpool
vpngroup myvpnall dns-server 192.168.45.2
vpngroup myvpnall wins-server 192.168.45.2
vpngroup myvpnall default-domain my-domain.com
vpngroup myvpnall idle-time 1800
vpngroup myvpnall password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.45.0 255.255.255.0 inside
ssh timeout 45
username ciscovpn password .Mb6n837JMeV16l2 encrypted privilege 2
terminal width 80
Cryptochecksum:4141b566c2332533244b8d6fd2ec51d2
: end
I'm trying to configure the device to allow connection using a group user (ciscovpn) and password.
Any help will be greatly appreciated.
When I launch my VPN client I get:
'Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding'
My VPN Log shows:
235 12:58:55.146 03/12/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 209.xxx.xxx.234
236 12:59:00.217 03/12/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=A6697D8BAED86D83 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
237 12:59:00.727 03/12/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=A6697D8BAED86D83 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
238 12:59:00.727 03/12/09 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "209.xxx.xxx.234" because of "DEL_REASON_PEER_NOT_RESPONDING"
Here is my PIX config:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
enable password 8uMbWTFL6di8TI2y encrypted
passwd 5FjlhU7pOWvV0gPR encrypted
hostname PIX515E
domain-name MY-Domain.COM
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit ip 192.168.45.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 permit tcp any host 209.xxx.xxx.235 eq 3389
access-list 102 permit tcp any any eq https
access-list 102 permit ip 192.168.45.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging trap errors
logging host inside 192.168.45.3
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside 209.xxx.xxx.234 255.255.255.240
ip address inside 192.168.45.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip address intf3 127.0.0.1 255.255.255.255
ip address intf4 127.0.0.1 255.255.255.255
ip address intf5 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool pixpool 10.100.10.1-10.100.10.100
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address intf2 0.0.0.0
failover ip address intf3 0.0.0.0
failover ip address intf4 0.0.0.0
failover ip address intf5 0.0.0.0
pdm location 192.168.45.3 255.255.255.255 inside
pdm location 192.168.45.7 255.255.255.255 inside
pdm location 192.168.45.2 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 209.xxx.xxx.235 192.168.45.3 netmask 255.255.255.255 0 0
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.45.2 xxxxxxxx timeout 10
aaa-server LOCAL protocol local
http server enable
http 192.168.45.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community goaway
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup 1 idle-time 1800
vpngroup myvpnall address-pool pixpool
vpngroup myvpnall dns-server 192.168.45.2
vpngroup myvpnall wins-server 192.168.45.2
vpngroup myvpnall default-domain my-domain.com
vpngroup myvpnall idle-time 1800
vpngroup myvpnall password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.45.0 255.255.255.0 inside
ssh timeout 45
username ciscovpn password .Mb6n837JMeV16l2 encrypted privilege 2
terminal width 80
Cryptochecksum:4141b566c2332533244b8d6fd2ec51d2
: end
I'm trying to configure the device to allow connection using a group user (ciscovpn) and password.
Any help will be greatly appreciated.
