VPN client to pix

Go4it03

MIS
Nov 18, 2003
2
DE
I'd like to establish, next to my 2 existing PIX-IOS VPN links, another link with the Cisco VPN client 3.6.3b to my PIX 505 (6.22). Not sure if I'm on the right track; the client shows

GI VPNStart callback failed "CM_IKE_ESTABLISH_FAIL" (3h).
while show crypto isakmp sa gives me

151.193.xxx.yyy 213.138.xxx.yyy QM_IDLE 0 1
216.113.xxx.yyy 213.138.xxx.yyy QM_IDLE 0 2

213.138.xxx.yyy 212.19.xxx.yyy AG_NO_STATE 0 0

Not sure at all if this will work in general with a 505,
am frustrated... any ideas? Many thanks in advance.

----

crypto ipsec transform-set btbvpn esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set btbvpn
crypto map btbvpn 10 ipsec-isakmp
crypto map btbvpn 10 match address 10
crypto map btbvpn 10 set peer 151.193.xxx.yyy
crypto map btbvpn 10 set transform-set btbvpn
crypto map btbvpn 15 ipsec-isakmp
crypto map btbvpn 15 match address 15
crypto map btbvpn 15 set peer 216.113.xxx.yyy
crypto map btbvpn 15 set transform-set btbvpn
crypto map btbvpn interface outside
crypto map btbvpn 20 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ******** address 151.193.xxx.yyy netmask 255.255.255.255
isakmp key ******** address 216.113.xxx.yyy netmask 255.255.255.255
isakmp identity address
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 1
isakmp policy 4 lifetime 86400
vpngroup vpnclient address-pool ipvpnpool
vpngroup vpnclient dns-server 10.0.1.195
vpngroup vpnclient split-tunnel 20
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********
 
You need the following entries:


isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
 
I'm impressed, that's it!
But why do I need to assign the same isakmp policy again
with group 2?

Many thanks
 
Well, the VPN client only supports Diffie-Hellman group 2; the rest of the policy is supported by the VPN client. I am glad I was able to help :)
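
The fix in this thread comes down to an IKE phase 1 policy mismatch: the client proposes Diffie-Hellman group 2 while the only configured policy uses group 1. As an added example (not part of the original thread), this Python sketch parses the `isakmp policy` lines quoted above and reports which policy, if any, matches a proposal. The `CLIENT` proposal and the function names are assumptions built from the answer, and lifetime is not compared.

```python
import re
from collections import defaultdict

# Constructed input: the isakmp policy 4 lines exactly as posted in the thread.
ORIGINAL = """\
isakmp policy 4 authentication pre-share
isakmp policy 4 encryption 3des
isakmp policy 4 hash md5
isakmp policy 4 group 1
isakmp policy 4 lifetime 86400
"""
# The suggested policy 8 differs from policy 4 only in its number and DH group.
ADDED = ORIGINAL.replace("policy 4", "policy 8").replace("group 1", "group 2")

POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {attribute: value}} for every 'isakmp policy' line."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:  # other lines (isakmp key, crypto map, vpngroup) are ignored
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)

def first_match(policies, proposal):
    """Lowest-numbered policy whose four attributes equal the proposal, else None.
    An attribute missing from the config counts as a mismatch (no defaults applied)."""
    for prio in sorted(policies):
        if all(policies[prio].get(k) == proposal[k] for k in MATCH_KEYS):
            return prio
    return None

def explain(policies, proposal):
    """For each policy, list the attributes that differ from the proposal."""
    return {p: [k for k in MATCH_KEYS if a.get(k) != proposal[k]]
            for p, a in policies.items()}

# Assumed client proposal: same as policy 4 but with DH group 2, per the answer.
CLIENT = {"authentication": "pre-share", "encryption": "3des",
          "hash": "md5", "group": "2"}

if __name__ == "__main__":
    for label, cfg in (("before", ORIGINAL), ("after", ORIGINAL + ADDED)):
        p = parse_policies(cfg)
        print(label, first_match(p, CLIENT), explain(p, CLIENT))
```

Run against a saved configuration, the `explain` output points at the single attribute that keeps the client from completing phase 1, which is the state the `AG_NO_STATE` line in the question reflects.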
 