From: Craig Columbus (Craig.Columbus@xxxxxxxxxxxxxxxxxxxxxx)
Date: Thu Apr 18 2002 - 10:40:24 GMT-3
Here's the deal:
I've got a PIX that serves as a security gateway for a Cisco VPN Client
3.1. Settings are basically DES/MD5/ESP with pre-shared key. Part of the
VPN3.1 client requires vpngroup name, as defined in the configuration on
the PIX.
I just bought one of the Linksys BEFVP41 VPN routers to test connectivity
to the PIX. The Linksys doesn't understand vpngroup associations, so I
need to configure the PIX to also allow the connection based solely on
pre-shared key.
I think I've got it configured properly, and VPN Client-to-PIX connections
work fine, but negotiations break down at phase 2 when connecting with the
Linksys. It's probably something simple that I'm missing because I've been
staring at it too long. Anyone have any ideas?
PIX relevant config (sanitized):
access-list bypassingnat permit ip 10.0.0.0 255.0.0.0 192.168.100.0 255.255.255.0
ip local pool mypool 192.168.100.1-192.168.100.254
nat (inside) 0 access-list bypassingnat
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto dynamic-map users 11 set transform-set strong
crypto map remote 11 ipsec-isakmp dynamic users
crypto map remote client configuration address initiate
crypto map remote client configuration address respond
crypto map remote interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn3000 address-pool mypool
vpngroup vpn3000 dns-server 10.x.x.x
vpngroup vpn3000 default-domain xxxxxxxx
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
Debug from PIX (sanitized: y.y.69.129 is the Linksys, x.x.67.2 is the public interface of the PIX):
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 1
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
OAK_QM exchange
ISAKMP (0:0): Need config/address
ISAKMP (0:0): initiating peer config to y.y.69.129. ID = 3267015605 (0xc2bab3b5)
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
ISAKMP (0): retransmitting phase 2...
crypto_isakmp_process_block: src y.y.69.129, dest x.x.67.2
Finally it just times out trying to retransmit phase 2.
Thanks in advance!
Craig