Trying to get IPSEC with split tunneling to work.. totally confused!


ajinc

MIS
Aug 7, 2004
73
US
Hello All,
I have really been going over the PIX info on the Cisco site, but I am at a loss trying to get the Cisco VPN Client 4.0.3, or the Cosine Communications SafeNet client v9, to connect via IPSec.
The Cisco client returns this error message:
403 Unable to contact security gateway
The Cisco message log has:

Cisco Systems VPN Client Version 4.0.3 (C)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 15:56:23.271 04/18/05 Sev=Warning/3 IKE/0xA3000029
No keys are available to decrypt the received ISAKMP payload

The Safenet client returns this message in the log

4-18: 16:21:46.124
4-18: 16:21:46.124 My Connections\AJINC - Initiating IKE Phase 1 (IP ADDR=199.199.199.99)
4-18: 16:21:46.124 My Connections\AJINC - SENDING>>>> ISAKMP OAK MM (SA, VID 2x)
4-18: 16:21:51.502 My Connections\AJINC - message not received! Retransmitting!
4-18: 16:21:51.502 My Connections\AJINC - SENDING>>>> ISAKMP OAK MM (Retransmission)
4-18: 16:21:56.510 My Connections\AJINC - message not received! Retransmitting!
4-18: 16:21:56.510 My Connections\AJINC - SENDING>>>> ISAKMP OAK MM (Retransmission)
4-18: 16:22:01.518 My Connections\AJINC - Exceeded 2 IKE SA negotiation attempts

The SafeNet website says the most common cause of this error is that packets are not routing back to the client from the PIX.

Below is my PIX cfg. I would greatly appreciate it if someone could take a look to see if I have some routing / access list problem.

My LAN is 193.168.2.0
My VPN is 10.10.10.0


PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
names
access-list inside_outbound_nat0_acl permit ip 193.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN permit ip any any
access-list outside_cryptomap_dyn_10 permit ip 193.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe
ip address inside 193.168.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 193.168.2.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 193.168.2.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 193.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 193.168.2.2 151.196.0.38
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel outside_cryptomap_dyn_10
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze2q563
vpdn group pppoe_group ppp authentication pap
vpdn username admin password *********
dhcpd address 193.168.2.10-193.168.2.41 inside
dhcpd dns 193.168.2.2 151.196.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
Ok, something is fundamentally wrong in your basic config.

ip address inside 193.168.2.1 255.255.255.0 ? Is this supposed to be 192.168.2.1? Or are you just using public addresses on your inside?

Also your route to the internet is wrong:

route outside 0.0.0.0 0.0.0.0 193.168.2.1 1

The gateway can't be the PIX itself and shouldn't be using the inside interface to route internet traffic. You need to know the address of your PPPoE connection gateway for this route.



Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
He may have reason to use 193.168.x.x instead of 192.168.x.x, but having:
route outside 0.0.0.0 0.0.0.0 193.168.2.1 1
would sure give problems, because pointing to the PIX itself means no traffic would be able to route out. Since you're using PPPoE, I guess you need:

ip address outside pppoe setroute
(the "setroute" is to make the PIX use the default route entry learned from PPPoE)
 
First off... another one: are you using IPSec or PPTP to check to see if split tunneling is working?

Computer/Network Technician
CCNA
 
Thanks to all for the responses.
I am using IPSec for the tunneling with 2 different clients:
Cisco VPN Client 4.6
Cosine SafeNet SoftRemote client v9
As far as the 193 IP address, I can change that to a 192 range. If I do these things, does the basic setup for my IPSec / split tunnelling look sound?
I will be trying to access an Exchange server, and use Remote Desktop on a server behind the PIX.
Thanks again for your time.
 
P.S.
When I use the setroute option the PIX PDM shows me the IP address assigned by my ISP. Is that the address I should use in the route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1?

Thanks
 
If you use the setroute option you don't have to set a default route yourself; the PIX will do that itself.


Network Systems Engineer
CCNA/CQS/CCSP/Infosec
 
Thanks for the info.
Does the gist of my cfg seem workable?
Again thanks for your ideas & help!
 
Hello All.
First and foremost, many thanks to all who gave ideas and help; it is really appreciated. And please forgive this long post, but I wanted to give as much info as I could. If you can bear with me, I have had some slight success, so a little extra help may get me to the "Holy Grail!!!"

Using the Cisco client I get connected, but the VPN client statistics show bytes sent incrementing while bytes received is 0. I can ping the 192.169.2.1 IP assigned to the PIX, but I can't ping anything internal. The split tunnel seems to be working: I can surf the net while the Cisco client is connected. HOORAH!!!

The SafeNet SoftRemote client now connects the "phase 1", but something is preventing the phase 2 link-up.
SafeNet log below:

4-21: 09:25:41.856
4-21: 09:25:41.866 My Connections\AJINC - Initiating IKE Phase 1 (IP ADDR=199.199.199.99)
4-21: 09:25:41.926 My Connections\AJINC - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 5x)
4-21: 09:25:43.238 My Connections\AJINC - RECEIVED<<< ISAKMP OAK AG (SA, VID 4x, KE, ID, NON, HASH)
4-21: 09:25:43.268 My Connections\AJINC - SENDING>>>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT)
4-21: 09:25:43.268 My Connections\AJINC - Established IKE SA
4-21: 09:25:43.268 MY COOKIE 88 1f f8 e2 52 92 c8 1b
4-21: 09:25:43.268 HIS COOKIE 73 a1 db 17 4d fb f1 ff
4-21: 09:25:43.328 My Connections\AJINC - Initiating IKE Phase 2 with Client IDs (message id: 6E939FE7)
4-21: 09:25:43.328 Initiator = IP ADDR=199.199.173.10, prot = 0 port = 0
4-21: 09:25:43.328 Responder = IP SUBNET/MASK=192.169.2.0/255.255.255.0, prot = 0 port = 0
4-21: 09:25:43.328 My Connections\AJINC - SENDING>>>> ISAKMP OAK QM *(HASH, SA, NON, KE, ID 2x)
4-21: 09:25:43.619 My Connections\AJINC - RECEIVED<<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
4-21: 09:25:43.619 My Connections\AJINC - Discarding IPSec SA negotiation (message id: 6E939FE7)
4-21: 09:25:43.619 My Connections\AJINC - Discarding IKE SA negotiation
4-21: 09:25:43.649 My Connections\AJINC - Deleting IKE SA (IP ADDR=199.199.199.99)
4-21: 09:25:43.649 MY COOKIE 88 1f f8 e2 52 92 c8 1b
4-21: 09:25:43.649 HIS COOKIE 73 a1 db 17 4d fb f1 ff
4-21: 09:25:43.649 My Connections\AJINC - SENDING>>>> ISAKMP OAK INFO *(HASH, DEL)
end

One other issue is that a PC that has the SafeNet client set up to connect to another VPN can't connect when the PIX is on the network. When it's off the net the client connects to its endpoint just fine. I guess I have an ACL problem with passing IPSec traffic outbound.

Below is my new PIX cfg. If someone could critique me further as to where I may be going afoul, I am forever indebted.


Again Many Thanks to all

P.S. I tried the ACL from another post, and changed

access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip any 10.10.10.0 255.255.255.0

to

access-list inside_outbound_nat0_acl permit ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list split permit ip ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0

but then the cisco client stops connecting and says "no valid key found"

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name ajinc.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN deny ip any any
access-list icmp permit icmp any any echo-reply
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.169.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 10.10.10.0 255.255.255.0 outside
pdm location 192.169.2.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTSIDE_IN in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.10.10.0 255.255.255.255 outside
http 192.169.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 192.169.2.2
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel split
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze2q563
vpdn group pppoe_group ppp authentication pap
vpdn username vze2q563 password *********
dhcpd address 192.169.2.10-192.169.2.41 inside
dhcpd dns 192.169.2.2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
 
Hello All

NEWS Flash !!!
I added

route inside 10.10.10.0 255.255.255.0 192.169.2.0 1

and now I can ping my internal LAN, and even map drives.
Unfortunately I was incorrect when I stated that the split tunnelling worked. It does not.
IP addresses resolve, but no page loads. I can ping names, and they resolve to IP addresses, but there is no reply.

Thanks
 
P.P.S.
When the Cisco client disconnects the PIX still shows an active IKE SA. How can I stop this session, and any ideas why the session did not terminate on its own when the client disconnects?
TIA
 
Hello All,

This is my present config. I have the Cisco client working, no split tunnel yet. I can ping LAN addresses, and domain names resolve (internal & external) to IP addresses, but I can't get web pages to load.
Hoping someone sees something in my config.

Thanks in advance

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 15BdjuJICLedu0HO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ajinc.local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 10.10.10.0 255.255.255.0
access-list OUTSIDE_IN permit icmp any any
access-list OUTSIDE_IN deny ip any any
access-list icmp permit icmp any any echo-reply
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging on
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.169.2.1 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool kgcpa 10.10.10.1-10.10.10.10
pdm location 192.169.2.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTSIDE_IN in interface outside
route inside 10.10.10.0 255.255.255.0 192.169.2.0 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.169.2.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set pfs group2
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.169.2.0 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup kgcpaipsec address-pool kgcpa
vpngroup kgcpaipsec dns-server 192.169.2.2 151.196.0.38
vpngroup kgcpaipsec default-domain ajinc.local
vpngroup kgcpaipsec split-tunnel outside_cryptomap_dyn_10
vpngroup kgcpaipsec pfs
vpngroup kgcpaipsec idle-time 1800
vpngroup kgcpaipsec max-time 86400
vpngroup kgcpaipsec password ********
telnet timeout 5
ssh timeout 5
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname vze2q563
vpdn group pppoe_group ppp authentication pap
vpdn username vze2q563 password *********
dhcpd address 192.169.2.10-192.169.2.41 inside
dhcpd dns 192.169.2.2 151.196.0.38
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain ajinc.local
dhcpd auto_config outside
dhcpd enable inside
privilege 15
terminal width 80
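Two of the symptoms in this thread come down to the same question, namely which networks a PIX access list actually selects, so the following added example (editor's code, not from the original poster or from Cisco) parses PIX-style "access-list ... permit ip" lines with Python's ipaddress module and applies them two ways. First, it checks a Quick Mode proposal against a dynamic crypto map's match ACL the way the PIX does as responder: the crypto ACL's source is the network behind the PIX and its destination is the remote side, so the peer's Initiator ID must fall inside an entry's destination and its Responder ID inside that entry's source, and a proposal no entry covers is answered with NOTIFY:NO_PROPOSAL_CHOSEN. The SafeNet log above proposes Initiator = 199.199.173.10 (the client's own address rather than a 10.10.10.0/24 pool address, consistent with the no-config-mode keyword on the isakmp key line in the configuration posted with that log) against outside_cryptomap_dyn_10, whose only entry covers 10.10.10.0/24 on the remote side, so the check fails. Second, it shows what a "vpngroup ... split-tunnel" ACL pushes to the client: the ACL's source networks are the ones the client routes through the tunnel, so "permit ip any 10.10.10.0 255.255.255.0" pushes 0.0.0.0/0 and the client tunnels everything, including web traffic that a PIX 6.3 will not turn around and send back out the interface it arrived on. The ACL lines are constructed from the final configuration above plus one hypothetical LAN-only entry; the name split_lan, the address 198.51.100.1 (documentation range, standing in for any web server) and all function names are this example's own. One further caveat for the addressing: 192.169.0.0/16 is not an RFC 1918 private range, whereas the 192.168.0.0/16 suggested earlier in the thread is.

```python
"""Check PIX-style crypto-map and split-tunnel ACL selectors.

Added example for this thread; not code from the original poster or from Cisco.
PIX 6.x access lists use subnet masks (not wildcard masks), plus 'any' and 'host'.
"""
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
AclTable = Dict[str, List[Tuple[Net, Net]]]

# Constructed input: the crypto-map ACL exactly as in the final configuration in the
# thread, plus one hypothetical LAN-only entry ('split_lan') for comparison.
PIX_ACL_LINES = """
access-list outside_cryptomap_dyn_10 permit ip any 10.10.10.0 255.255.255.0
access-list split_lan permit ip 192.169.2.0 255.255.255.0 10.10.10.0 255.255.255.0
"""


def _consume_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Read one PIX address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # '<address> <subnet mask>'; strict=False tolerates host bits in the address
    return Net(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_pix_acl(text: str) -> AclTable:
    """Parse 'access-list NAME permit ip SRC DST' lines into {NAME: [(src, dst), ...]}.

    Only 'permit ip' entries matter for IPsec selectors and split tunnelling, so
    other protocols and 'deny' lines are skipped rather than misread.
    """
    acls: AclTable = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        name, action, proto = tokens[1], tokens[2], tokens[3]
        if action != "permit" or proto != "ip":
            continue
        src, i = _consume_addr(tokens, 4)
        dst, _ = _consume_addr(tokens, i)
        acls.setdefault(name, []).append((src, dst))
    return acls


def quick_mode_selector_matches(acls: AclTable, name: str,
                                initiator_id: str, responder_id: str) -> bool:
    """Decide whether the PIX (IKE responder) would accept a Quick Mode proposal.

    The crypto ACL reads source = network behind the PIX, destination = remote side.
    The peer's Initiator ID is the remote side and must sit inside an entry's
    destination; its Responder ID is the PIX side and must sit inside that entry's
    source. If no entry covers both, the PIX answers NOTIFY:NO_PROPOSAL_CHOSEN.
    IDs are given as '10.10.10.5' (host) or '192.169.2.0/255.255.255.0' (subnet).
    """
    init = Net(initiator_id, strict=False)
    resp = Net(responder_id, strict=False)
    return any(init.subnet_of(dst) and resp.subnet_of(src)
               for src, dst in acls.get(name, []))


def split_tunnel_networks(acls: AclTable, name: str) -> List[Net]:
    """Networks a 'vpngroup ... split-tunnel NAME' ACL pushes to the client.

    The PIX hands the client the ACL's *source* networks as the ones reached
    through the tunnel (the destination side is the address pool). A source of
    'any' therefore pushes 0.0.0.0/0, i.e. tunnel everything: no split at all.
    """
    return sorted({src for src, _ in acls.get(name, [])})


def client_tunnels(tunnel_networks: List[Net], destination: str) -> bool:
    """True if a client holding these networks sends 'destination' into the tunnel."""
    addr = ipaddress.IPv4Address(destination)
    return any(addr in net for net in tunnel_networks)


def classify(acls: AclTable, name: str, destinations: List[str]) -> Dict[str, str]:
    """Map each destination to 'tunnel' or 'direct' for the given split-tunnel ACL."""
    nets = split_tunnel_networks(acls, name)
    return {d: ("tunnel" if client_tunnels(nets, d) else "direct") for d in destinations}


if __name__ == "__main__":
    acls = parse_pix_acl(PIX_ACL_LINES)
    # The SafeNet proposal from the log: the client's own address vs. the LAN -> False
    print(quick_mode_selector_matches(acls, "outside_cryptomap_dyn_10",
                                      "199.199.173.10", "192.169.2.0/255.255.255.0"))
    # The same proposal from a pool address would be accepted -> True
    print(quick_mode_selector_matches(acls, "outside_cryptomap_dyn_10",
                                      "10.10.10.5", "192.169.2.0/255.255.255.0"))
    # 198.51.100.1 (hypothetical) stands in for any Internet web server.
    for acl in ("outside_cryptomap_dyn_10", "split_lan"):
        print(acl, [str(n) for n in split_tunnel_networks(acls, acl)],
              classify(acls, acl, ["192.169.2.2", "198.51.100.1"]))
```

Run it as a script to see both results side by side: the crypto-map ACL as configured rejects the SafeNet proposal and, used as the split-tunnel list, marks every destination "tunnel", while the LAN-only entry keeps 198.51.100.1 "direct" and only sends 192.169.2.2 through the tunnel.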
 