
VPN (IPSEC stop working)

Status
Not open for further replies.

Adr3nalin

MIS
Aug 4, 2002
57
NZ
Hi guys,

I need your help/advice on how to trace/debug what is going wrong with my config; suddenly the PIX VPN-IPSEC has stopped working.

I have checked using a port scanner... the PPTP port (1723) doesn't seem to be working. I use a Win2K RADIUS server and the Cisco client 3.x.

thanks for your help, cheers.


 
HI.

PPTP is not related to IPSec nor to the Cisco VPN client.

Here are some troubleshooting tips:
* Use syslog messages.
* Use "show crypto ..." commands
* Use debug commands.
You'll find here some sample commands and debug output:

* Try to disable XAUTH (use only group name/password).
* Try to connect a VPN client using dial-up modem, or directly to the pix outside network.

Please describe the exact errors and test you have made.

You'll find some links here:

Bye
Yizhar Hurwitz
 
Hi Yizhar, thank you, you are always there when we need you...

sh crypto ipsec transform-set

Transform set vpnset: { esp-des esp-md5-hmac }
will negotiate = { Tunnel, },


The debug shows this when the client is trying to log in:

crypto_isakmp_process_block: src 202.135.85.245, dest pix1out-ext
VPN Peer: ISAKMP: Added new peer: ip:202.135.85.245 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:202.135.85.245 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP: Created a peer node for 202.135.85.245
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 202.135.85.245, dest pix1out-ext
ISAKMP (0): deleting SA: src 202.135.85.245, dst pix1out-ext
ISADB: reaper checking SA 0x80e042b0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:202.135.85.245 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:202.135.85.245 Total VPN peers:0


From the client:
Contacting the security gateway at...
Failed to establish a secure connection to the security gateway

Sorry for this dumb question, but how do I disable XAUTH?




 
HI.

Try also "debug crypto ipsec ..."
And try to debug at the client (play with the log viewer) in addition to the pix debug.

Post your config here, and info about versions in use (pix OS, VPN client version, PDM ver, etc).

How did you create the VPN configuration?
Are you using XAUTH (RADIUS authentication) or not?

Bye
Yizhar Hurwitz
 
Hi Yizhar,

I use RADIUS.

I removed "crypto map vpnmap client authentication radius2".

The IPsec log viewer in the client gave me this message:

1 12:09:02.598 12/13/02 Sev=Warning/3 IKE/0xE3000055
The received HASH payload cannot be verified

2 12:09:02.598 12/13/02 Sev=Warning/2 IKE/0xE300007C
Hash verification failed... may be configured with invalid group password.

3 12:09:02.638 12/13/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_IKE_ESTABLISH_FAIL" (3h).


Cisco PIX Firewall Version 6.1(3)
Cisco PIX Device Manager Version 1.1(2)
Cisco VPN Client 3.5.1

I will post the config to your email address.

thanks.
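The two logs in this thread (the PIX "debug crypto isakmp" output posted earlier and the VPN Client log-viewer lines above) can be read together mechanically. The script below is an added example, not part of this thread and not a Cisco tool: it parses both, reports which ISAKMP transform the PIX accepted, whether the SA was torn down right after the ID payload, and whether the client reported a HASH verification failure, and combines them into a triage label. The sample inputs are constructed, condensed copies of the logs in this thread; the verdict labels and the regular expressions are my own assumptions about these log formats, not documented Cisco output grammar.

```python
"""Triage helper for PIX 'debug crypto isakmp' output and Cisco VPN Client
log-viewer lines. Added example; the regexes and verdict labels are assumptions."""
import json
import re

# Constructed sample: a condensed copy of the PIX debug posted in this thread.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): speaking to a Unity client
return status is IKMP_NO_ERROR
ISAKMP (0): deleting SA: src 202.135.85.245, dst pix1out-ext
"""

# Constructed sample: the VPN Client log-viewer lines from this thread.
CLIENT_LOG = """\
1 12:09:02.598 12/13/02 Sev=Warning/3 IKE/0xE3000055
The received HASH payload cannot be verified

2 12:09:02.598 12/13/02 Sev=Warning/2 IKE/0xE300007C
Hash verification failed... may be configured with invalid group password.
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|extended auth|auth)\s+(\S.*)$")
RESULT_RE = re.compile(r"atts are (not )?acceptable")
CLIENT_RE = re.compile(
    r"^(\d+)\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")


def parse_pix_transforms(text):
    """One dict per 'Checking ISAKMP transform N' block, with its attributes
    and whether the PIX declared the attributes acceptable."""
    transforms, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TRANSFORM_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": None}
            transforms.append(cur)
            continue
        if cur is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "default group":
                cur["group"] = value
            elif key == "extended auth":          # XAUTH proposal
                cur["auth"], cur["xauth"] = value, True
            elif key == "auth":                   # plain pre-shared-key proposal
                cur["auth"], cur["xauth"] = value, False
            else:
                cur[key] = value
            continue
        m = RESULT_RE.search(line)
        if m:
            cur["accepted"] = m.group(1) is None  # "not acceptable" -> False
            cur = None                            # block ends at the verdict line
    return transforms


def phase1_trace(text):
    """How far the aggressive-mode exchange got before the SA was deleted."""
    id_idx = text.find("processing ID payload")
    del_idx = text.find("deleting SA:")
    return {
        "proposal_accepted": "atts are acceptable" in text,
        "unity_client": "speaking to a Unity client" in text,
        "sa_deleted_after_id": id_idx >= 0 and del_idx > id_idx,
    }


def parse_client_log(text):
    """Log-viewer entries: a header line followed by a one-line message."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = CLIENT_RE.match(lines[i])
        if not m:
            i += 1
            continue
        msg = ""
        if i + 1 < len(lines) and not CLIENT_RE.match(lines[i + 1]):
            msg, i = lines[i + 1], i + 1
        entries.append({"seq": int(m.group(1)), "time": m.group(2), "date": m.group(3),
                        "severity": m.group(4), "level": int(m.group(5)),
                        "module": m.group(6), "code": m.group(7), "message": msg})
        i += 1
    return entries


def diagnose(pix_text, client_text):
    """Combine both sides into one of four assumed triage labels."""
    transforms = parse_pix_transforms(pix_text)
    accepted = next((t for t in transforms if t["accepted"]), None)
    trace = phase1_trace(pix_text)
    hash_fail = any("HASH" in e["message"].upper() for e in parse_client_log(client_text))
    if accepted is None:
        verdict = "no_acceptable_transform"          # isakmp policy vs client proposals
    elif trace["sa_deleted_after_id"] and hash_fail:
        verdict = "group_password_mismatch_likely"   # proposal agreed, then HASH failed
    elif trace["sa_deleted_after_id"]:
        verdict = "phase1_aborted_after_proposal"
    else:
        verdict = "phase1_progressed"
    return {"accepted_transform": accepted, "trace": trace,
            "client_hash_failure": hash_fail, "verdict": verdict}


if __name__ == "__main__":
    print(json.dumps(diagnose(PIX_DEBUG, CLIENT_LOG), indent=2))
```

On the thread's own logs this yields the "group_password_mismatch_likely" label: the PIX agreed on transform 6 (DES-CBC, MD5, group 2, pre-share with XAUTH) and processed the ID payload, but deleted the SA straight afterwards while the client could not verify the HASH payload, which is exactly the pre-shared group password symptom the thread ends on. Paste real output into the two sample strings, or read them from files, to reuse it.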
 
HI.

> Hash verification failed... may be configured with invalid group password.
This is trivial, but you should reenter and verify the group passwords at the pix and at the client.

I've looked at the config you sent to me, and the VPN configuration seems ok.

The problem could be related to the connection type.
What is the connection type at the main office (FR, ADSL, T1, etc.)?
What is the connection type at the client?
Is the client behind any filtering or NAT device?
Any software firewall on the client itself (including XP built in ICF on the Internet connection)?

Try to lower the MTU at the client (start - programs - cisco vpn ...)
Try to use modem dial-up connection at the client.
Try to connect a test client directly with Ethernet to the pix outside network.
Try with a different client computer at different place.
Try a newer VPN client software 3.6.x

What is the client OS version and SP?

Bye
Yizhar Hurwitz
 
Shalom Yizhar....

Yes, you are right.... after changing the VPN group password, it works again!

I think I accidentally replaced the password with ******* when copying and pasting from the script files.

cheers
 