
Securing Communication Channel - never finished

Status
Not open for further replies.

Adr3nalin

MIS
Aug 4, 2002
57
NZ
Hi All,

I have an issue with our PIX VPN with RADIUS (W2K).
Before, it worked fine, but after we moved this box behind the PIX525, the VPN Client, after passing the authentication, never finishes the "Securing communication channel" stage.

Below is the CLI:
aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server radius2 protocol radius

aaa-server radius2 (inside) host w2ksvr-int cisco timeout 5

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set vpnset

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

crypto map vpnmap client authentication radius2

crypto map vpnmap interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup vpn3000 address-pool vpn-pool

vpngroup vpn3000 dns-server zzapps1-int zzapps2-int

vpngroup vpn3000 default-domain zzinc.com

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********




 
Hi Yizhar, thanks for your reply.

At last the problem was solved.
It seems that if we change the outside IP address, the crypto ipsec sa is still using the old IP address. So I just cleared it, redefined it again, and cleared xlate... and then it worked fine.

cheers.
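
A check for the condition described in the post above, as an added example that is not part of the original thread: it scans `show crypto ipsec sa` text for entries whose local address differs from the firewall's current outside address. The sample output is constructed, its layout is an assumption about what the PIX prints, and the function name and all addresses are hypothetical.

```python
import re

# Constructed sample in the assumed layout of PIX "show crypto ipsec sa"
# output. Addresses are documentation ranges, not values from the thread.
# Decaps without encaps is what a one-way, never-completing tunnel looks like.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: vpnmap, local addr. 192.0.2.10

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   current_peer: 203.0.113.50
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
     #pkts decaps: 41, #pkts decrypt: 41, #pkts verify 41
     local crypto endpt.: 192.0.2.10, remote crypto endpt.: 203.0.113.50
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAP_RE = re.compile(r"Crypto map tag:\s*(\S+?),\s*local addr\.?\s*" + IP)
PEER_RE = re.compile(r"current_peer:\s*" + IP)
ENDPT_RE = re.compile(r"local crypto endpt\.:\s*" + IP)


def find_stale_sas(show_output, outside_ip):
    """Return (crypto_map, peer, stale_local_addr) tuples.

    peer is None for the crypto-map header line, which is bound to the
    interface rather than to one remote client.
    """
    findings = []
    crypto_map = peer = None
    for line in show_output.splitlines():
        m = MAP_RE.search(line)
        if m:
            crypto_map = m.group(1)
            if m.group(2) != outside_ip:
                findings.append((crypto_map, None, m.group(2)))
            continue
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        m = ENDPT_RE.search(line)
        if m and m.group(1) != outside_ip:
            findings.append((crypto_map, peer, m.group(1)))
    return findings


if __name__ == "__main__":
    # 198.51.100.20 stands in for the new outside address (hypothetical).
    for finding in find_stale_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA, "198.51.100.20"):
        print("stale local address:", finding)
```

Any finding means the SA or crypto map binding predates the address change and needs the clear and re-apply sequence the poster describes.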

 