VPN IPSec on PIX Cisco 515 (v6.2) with Win2k pro client

[adruet]

hello, i'm sorry if there is so much reading, but i think that many people may find some interesting thoughts in these lines
we already have VPNs configured on our PIX, but we only use VPN between several remote sites linked through PIXes as well.
What I would like to do is being able to connect to our VPN through our cisco PIX 515 with a windows 2000 client using my DSL connection (changes of ip address every 24h).
I've been doing some readings on the subject but i'm not sure if what i'm going for is right.
First of all, i would like to use pre-shared key authentification, as it is already what we use in our current VPNs. From what i've read i have to use L2TP to build the tunnel with the PIX. Here are some articles i found very interesting on the subject:

http://www.cisco.com/warp/public/70...1&qry=Q240262&src=DHCS_MSPSS_gn_SRCH&SPR=CHS&

http://www.cisco.com/warp/public/110/l2tp-ipsec.html

So, what i'm going for is using a custom ipsec policy using pre-shared key authentification, MD5 and ESP.
Then i have to create a new connection with the win2k wizard, and i indicate it is for VPN. I pay good attention to choosing the L2TP protocol as well as CHAP and MS-CHAP for the authentification.

Now here is a sample of a PIX configuration for VPN:
Building configuration...
: Saved
:
PIX Version 6.0(0)216
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname PIX-506-2
domain-name sjvpn.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names

!--- Do not NAT the l2tp IP pool.

access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0 255.255.255.0

!--- Permit l2tp traffic.

access-list l2tp permit udp host 171.68.9.57 any eq 1701
no pager
logging on
logging console debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 171.68.9.57 255.255.255.0
ip address inside 20.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm

!--- Pool for l2tp address assignment.

ip local pool l2tp 50.1.1.1-50.1.1.5
pdm history enable
arp timeout 14400

!--- Do not NAT the l2tp IP pool.

nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 171.68.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

!--- Authenticate with RADIUS.

aaa-server RADIUS (inside) host 20.1.1.2 cisco timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

!--- Permit l2tp connections.

sysopt connection permit-l2tp
no sysopt route dnat

!--- IPSec configuration.

crypto ipsec transform-set l2tp esp-des esp-md5-hmac

!--- Only transport mode is supported.

crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 match address l2tp
crypto dynamic-map dyna 20 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap client authentication RADIUS
crypto map mymap interface outside

!--- IKE configuration.

isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
ca identity sjvpn 171.68.9.149:/certsrv/mscep/mscep.dll
ca configure sjvpn ra 1 20 crloptional
telnet 171.68.9.0 255.255.255.0 inside
telnet 20.1.1.2 255.255.255.255 inside
telnet timeout 60
ssh timeout 5

!--- l2tp configuration.

vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local l2tp
vpdn group l2tpipsec client configuration dns 20.1.1.250 20.1.1.251
vpdn group l2tpipsec client configuration wins 20.1.1.250
vpdn group l2tpipsec client authentication aaa RADIUS
vpdn group l2tpipsec client accounting RADIUS
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn enable outside
terminal width 80
Cryptochecksum:06a53009d1e9f04740256d9f0fb82837
: end
[OK]

so as you can see, it uses RADIUS for authentification, not pre-shared key, so here are my modifications:

ip local pool test1 10.250.64.210-10.250.64.212
access-list nonat permit ip 10.250.64.11 255.255.255.0
access-list l2tp permit udp host xx.xx.xx.xx any eq 1701
nat (inside) 0 access-list nonat
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 22 match address l2tp
crypto dynamic-map dyna 22 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local test1 outside
isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 86400
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local test1
vpdn group l2tpipsec client authentification local
vpdn username XXXX password xxxx
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn enable outside


so, in the VPN connection in Win2k i'll put XXXX as username, and xxxx as password

Has anybody tried this before and could tell me if i'm doing anything wrong ?

 

[gman10]

Hi,

Quick question.. what is "isakmp policy 22 hash md5" do.. I know I'm replying with a question to your question but I'm learning VPN's as I go as well.. haven't read about hash md5 yet??

thanks

GT

 

[adruet]

isakmp policy 22 authentication pre-share
isakmp policy 22 encryption des
isakmp policy 22 hash md5
isakmp policy 22 group 1
isakmp policy 22 lifetime 86400

these lines describe the IKE policy which will be used between the two hosts. So here we use DES encryption, and md5 hashing. Group 1 is for the diffie hellman in 768 bit i think , and the the lifetime is for the duration of the policy of course

 

[adruet]

I've tested this configuration, it works fine between the different PIX, but i cannot connect to it from my DSL line with a windows 2000 pro.

 

[jweir]

I modified your config a little and tried it, my win2k client will connect and create the tunnel but I cannot get any traffic to flow between. Using ipsecmon (windows) shows an active connection.

output from sh crypto map:
#########################################################

Crypto Map: "mymap" interfaces: { outside }

Crypto Map "mymap" 10 ipsec-isakmp
Dynamic map template tag: dyna

Crypto Map "mymap" 20 ipsec-isakmp
Peer = 216.170.181.4
access-list dynacl9; 1 elements
access-list dynacl9 line 1 permit udp host 66.31.255.173 host 216.170.1
81.4 eq 1701 (hitcnt=0)

dynamic (created from dynamic map dyna/1)
Current peer: 216.170.181.4
Security association lifetime: 4608000 kilobytes/3600 secs
PFS (Y/N): N
Transform sets={ l2tp, }

##########################################################

output from sh crypto isakmp sa
##########################################################

Total : 1
Embryonic : 0

dst src state pending created
66.31.255.173 216.170.181.4 QM_IDLE 0 1

##########################################################

I still cannot get any data to pass through, any ideas.

Here is my pix 6.3 config

access-list nonat permit ip host 192.168.100.1 any
access-list nonat permit ip host 192.168.100.2 any
access-list nonat permit ip host 192.168.100.3 any
access-list nonat permit ip host 192.168.100.4 any
access-list nonat permit ip host 192.168.100.5 any
access-list l2tp permit udp any any eq 1701
ip local pool vpnpool 192.168.100.1-192.168.100.5
nat (inside) 0 access-list nonat
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set l2tp
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
isakmp enable outside
isakmp key ZZZZZZZZZZ address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local vpnpool
vpdn group l2tpipsec client authentication local
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn username XXXXXX password YYYYYY
vpdn enable outside

Jason Weir

 

[jweir]

I've got some additional info.

It seems theis is a NAT\ACL problem. When trying to ping across the tunnel I get #305005 messages in syslog.

This info is from Cisco

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/pixemsgs.htm#1054511

305005
Error Message IREFOB J:24101%PIX-3-305005: No translation group found for protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation A packet does not match any of the outbound nat rules.

Recommended Action This message signals a configuration error. If dynamic NAT is desired for the source host, ensure that the nat command matches the source IP address. If static NAT is desired for the source host, ensure that the local IP address of the static command matches. If no NAT is desired for the source host, check the ACL bound to the nat 0 ACL.

anyone a pix gurus out there that can tell us which acl\nat comand we are missing

inside 192.168.0.0
tunnel pool 10.1.1.0


Thanks
Jason Weir

 

[adruet]

If you want to disable NAT on a pool of address, you type in these lines:
Here is the pool of address you do not want to NAT:
access-list nonat permit ip 20.1.1.0 255.255.255.0 50.1.1.0 255.255.255.0
Now with the nat 0 command, you specify that you don't want to NAT this access list:
nat (inside) 0 access-list nonat
But besides that, i don't know what more we can do.

I get an error <hen I input this line:
vpdn group l2tpipsec client authentication local
does it work with you ?

Would you mind explaining me how you configure your win2k client, just to be sure we use the same things.

 

[jweir]

I got it to work, my problem was with one of the ACLs

here is my full config (pix 501 version 6.3)

: Saved
: Written by enable_15 at 21:39:08.573 UTC Sat Apr 26 2003
PIX Version 6.3(1)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxx
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list MyOutbound deny tcp any any range 135 netbios-ssn
access-list MyOutbound deny udp any any range 135 139
access-list MyOutbound permit tcp any any range 1 134
access-list MyOutbound permit tcp any any range 140 65535
access-list MyOutbound permit udp any any range 140 65535
access-list MyOutbound permit udp any any range 1 134
access-list l2tp permit udp any any eq 1701
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.1.7
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.100.1-192.168.100.254
pdm location 192.168.1.7 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxxxxxxxxxxxxxxxxxx
no snmp-server enable traps
tftp-server inside 192.168.1.7 repository
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 1 set transform-set l2tp
crypto map mymap 1 ipsec-isakmp dynamic dyna
crypto map mymap interface outside
isakmp enable outside
isakmp key xxxxxxxx address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local vpnpool outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet 192.168.1.7 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.7 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group l2tpipsec accept dialin l2tp
vpdn group l2tpipsec ppp authentication chap
vpdn group l2tpipsec ppp authentication mschap
vpdn group l2tpipsec client configuration address local vpnpool
vpdn group l2tpipsec client authentication local
vpdn group l2tpipsec l2tp tunnel hello 60
vpdn username xxxxxxx password xxxxxxx
vpdn enable outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

my windows config (Windows 2K Pro w\SP3 and all patches)

in local security policy editor

1. Create new IP Security Policy
2. Uncheck &quot;Activate the default response rule&quot;
3. Add new IP Security Rule
4. Select &quot;This rule does not specify a tunnel&quot;
5. Select &quot;All network connections&quot;
6. Select &quot;Use this string to protect the key exchange&quot;
7. Specify your pre-shared key
8. Create new ip filter list
9. Source &quot;My IP Address&quot;
10. Destination &quot;Any IP Address&quot;
11. Protocol &quot;UDP&quot;
12. From port 1701


Create New Network Connection

1. Create &quot;Connect to a private network&quot;
2. Edit its properites
3. Under the security tab
4. Choose &quot;Advanced (custom settings)&quot;
5. Click &quot;Settings&quot;
6. Choose &quot;Allow these protocols&quot;
7. Select CHAP and MSCHAP
8. Under networking tab
9. Choose L2TP

That should be it

Good Luck, Let me know how it works out.

Jason Weir

 

[adruet]

That's great you succeeded !!!
I'm still having trouble with my configuration, it still doesn't work, and for some reason i cannot input this line in my PIX:
vpdn group l2tpipsec client authentication local
Maybe it's because my IOS version is 6.2 and yours is 6.3, i'll check this out.
And thanks a lot for detailling your win2k configuration, i was using an endpoint tunnel in the ipsec configuration, now i know it's useless
I'll let you know how it works out

 

[jweir]

I took a look at the command references for IOS 6.2 and 6.3. It doesnt look to me that the command has changed

6.2 Command Reference

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1026716

6.3 Command Reference

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#1083965

 

[jweir]

Not sure if this could be your problem but, if you look at the sample code you posted in your original message you had authentication spelled wrong. This is what you posted

vpdn group l2tpipsec client authentification local

notice the spelling error - I copied your config when I first started and it didnt like the extra leters

good luck

Jason

 

[adruet]

yes, thank you, you were right about the spelling mistake lol
no my win2k client will connect to the pix (the VPN connection succeeds), but i cannot ping any machine in the remote local network. I'll work on it today, and i'll let you know how it works out.

 

[adruet]

My VPN connection to the PIX does work, but when i try to ping anything on the remote network i get the message: &quot;Negotiating IP strategy&quot; 4 times and then it fails.
This is pretty weird because in my PIX configuration I use the same IPSEC policy for both the L2TP protocol and the others.
Let me know if you have further information.