VPN Part 2

iiiiss (Technical User), Oct 28, 2002

Greetings,

After playing a bit with my PIX it seems that I'm really close to the solution of my problem, but I can't find it.

Could somebody help me?

As I wrote before, I'm using the Cisco VPN 5000 Client Version 5.2.3 and a PIX 515e to establish a VPN connection. I'm testing my configs in a simple Workstation--PIX--Workstation for practising, but later on it should work in a Workstation--router--internet--router--pix--lan.

Should I use another VPN client? My config seems correct to me, but I must have done something wrong.

My config:

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password bJ720n9.K/1QbBt5 encrypted
passwd 4OYLvXDaekNQjFEp encrypted
hostname Firewall
domain-name **************
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside permit ip any any
access-list inside permit icmp any any
access-list inside deny tcp any host ***.***.***..203 neq ftp
access-list inside deny tcp any host ***.***.***..203 neq www
access-list outside permit icmp any any
access-list outside permit ip any any
access-list outside permit tcp any any
access-list dmz permit tcp any any
access-list dmz permit ip any any
access-list dmz permit icmp any any
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
pager lines 22
logging on
logging buffered informational
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside ***.***.***.204 255.255.255.248
ip address inside 10.1.1.1 255.255.255.0
ip address dmz ***.***.***.8 255.0.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm history enable
arp timeout 14400
global (outside) 1 ***.***.***.205 netmask 255.255.255.248
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface dmz
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address ***.***.***..203 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpn5000 address-pool ippool
vpngroup vpn5000 dns-server 10.1.1.2
vpngroup vpn5000 wins-server 10.1.1.2
vpngroup vpn5000 default-domain **************
vpngroup vpn5000 split-tunnel 101
vpngroup vpn5000 password ********
vpngroup vpn3000 idle-time 1800
telnet timeout 5
ssh timeout 5
terminal width 80


It seems that the PIX accepts the connection but then it closes the connection:

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src ***.***.***..203, dest ***.***.***..204
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src ***.***.***..203, dest ***.***.***..204
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src ***.***.***..203, dest ***.***.***..204
ISAKMP (0): deleting SA: src ***.***.***..203, dst ***.***.***..204
ISADB: reaper checking SA 0x80d9dba0, conn_id = 0
ISADB: reaper checking SA 0x80d9e298, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:***.***.***..203 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x80d9dba0, conn_id = 0
ISADB: reaper checking SA 0x80d9e298, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:***.***.***..203 Ref cnt decremented to:1 Total VPN Peers:1
ISADB: reaper checking SA 0x80d9dba0, conn_id = 0
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src ***.***.***..203, dest ***.***.***..204
ISAKMP (0): deleting SA: src ***.***.***..203, dst ***.***.***..204
ISADB: reaper checking SA 0x80d9dba0, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:***.***.***..203 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:***.***.***..203 Total VPN peers:0

I really don't know what I could do to solve the problem, and I really would appreciate any help. Thanks

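
As an added example, not part of the original post or any reply in this thread: a small Python script that takes the crypto part of the config above and the isakmp debug, checks that the peer's phase-1 proposal (DES-CBC, MD5, pre-share, group 1) really does match an isakmp policy (it matches policy 10, which is why the PIX logs "atts are acceptable"), reports how far phase 1 got before the retransmits and the SA deletion, and lints the config for what a reviewer would flag: single DES, MD5 and DH group 1 in the isakmp policy (weak by any current standard), the vpngroup lines that use two different names (vpn5000 for everything except the idle-time line, which says vpn3000), the default SNMP community "public", and the outside ACL permitting ip any any. The PIX_CONFIG and IKE_DEBUG strings are constructed excerpts of what is posted above with the same redactions; the diagnosis text is my reading of the trace, not PIX output.

```python
"""Added example (not from the original post): cross-check a PIX 6.x
'debug crypto isakmp' trace against the isakmp policies it ran under,
and lint the config for what a reviewer would flag."""
import re
# Constructed excerpt of the posted config (redacted values kept as '***').
PIX_CONFIG = """\
access-list outside permit ip any any
access-group outside in interface outside
snmp-server community public
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
vpngroup vpn5000 address-pool ippool
vpngroup vpn3000 idle-time 1800
"""
# Constructed excerpt of the posted debug output.
IKE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src ***.***.***..203, dst ***.***.***..204
"""
# Settings no longer acceptable: 56-bit DES, MD5, 768-bit MODP group 1.
WEAK_IKE = {("encryption", "des"), ("hash", "md5"), ("group", "1")}
PHASE1_STEPS = ("atts are acceptable", "processing KE payload",
                "processing NONCE payload", "processing ID payload")

def parse_policies(config):
    """{priority: {attribute: value}} from 'isakmp policy N attr value' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def lint_config(config):
    """Reviewer findings on the config text, as a list of strings."""
    findings = []
    for prio, attrs in sorted(parse_policies(config).items()):
        weak = [f"{k} {v}" for k, v in attrs.items() if (k, v) in WEAK_IKE]
        if weak:
            findings.append(f"isakmp policy {prio} uses weak settings: {', '.join(weak)}")
    groups = sorted(set(re.findall(r"^vpngroup (\S+)", config, re.M)))
    if len(groups) > 1:  # a client uses one group name; lines under another name never apply
        findings.append("vpngroup lines use different names: " + ", ".join(groups))
    if re.search(r"^snmp-server community public$", config, re.M):
        findings.append("SNMP community is the default 'public'")
    for acl in re.findall(r"^access-group (\S+) in interface outside", config, re.M):
        if re.search(rf"^access-list {re.escape(acl)} permit ip any any$", config, re.M):
            findings.append(f"ACL {acl} on the outside interface permits ip any any")
    return findings

def analyse_phase1(debug):
    """What the peer proposed, the last phase-1 step reached, retransmits, SA deletion."""
    st = {"offered": {}, "last_step": None, "retransmits": 0, "sa_deleted": False}
    for line in debug.splitlines():
        m = re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line)
        if m:
            st["offered"][m.group(1).replace("default ", "")] = m.group(2).lower()
        for step in PHASE1_STEPS:
            if step in line:
                st["last_step"] = step
        st["retransmits"] += "retransmitting phase 1" in line
        st["sa_deleted"] |= "deleting SA" in line
    return st

def matching_policy(offered, policies):
    """Priority of the first isakmp policy equal to the peer's proposal, else None."""
    want = {"encryption": offered.get("encryption", "").replace("-cbc", ""),
            "hash": offered.get("hash"), "authentication": offered.get("auth"),
            "group": offered.get("group")}
    for prio, attrs in sorted(policies.items()):
        if all(attrs.get(k) == v for k, v in want.items()):
            return prio
    return None

def diagnose(config, debug):
    """One-line reading of the trace (my interpretation, not PIX output)."""
    st = analyse_phase1(debug)
    prio = matching_policy(st["offered"], parse_policies(config))
    if prio is None:
        return "no isakmp policy matches the peer's proposal"
    if st["last_step"] == "processing ID payload" and st["sa_deleted"]:
        return (f"proposal matched policy {prio}; PIX processed KE/NONCE/ID, then got no "
                f"reply ({st['retransmits']} retransmits) and deleted the SA: the peer "
                "dropped out of the exchange, so look at the client, not the policy list")
    return f"proposal matched policy {prio}; last step seen: {st['last_step']}"

if __name__ == "__main__":
    print("\n".join(lint_config(PIX_CONFIG) + [diagnose(PIX_CONFIG, IKE_DEBUG)]))
```

Run it as-is and it prints the four lint findings and the diagnosis for the trace above; paste a different "debug crypto isakmp" capture into IKE_DEBUG to see whether a failure happened before or after the proposal was accepted, which is the first thing to settle before touching the policy list.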
Thanks for the response. I found out that I have the wrong VPN client (supporting only triple-DES), but I don't want to use an old client version, so I'm trying to enable 3DES on my PIX... but I have a problem!

I set up a TFTP server to load the new IOS so I can enable the 3DES feature, but when I try to load the image the PIX says "bad magic number *******".

Could anybody tell me what that means?

Thanks