easy vpn server problem

From: cisco monster (cisco.monster@gmail.com)
Date: Sun May 18 2008 - 07:21:53 ART


Hello,

I am using a PIX 525 as a VPN server with OS 8.0. The client is Cisco VPN
Client version 5.0. There is error 401 on the client side. Here I am giving
you the running config of the PIX and the log messages of the VPN client.

Running config

PIX Version 8.0(3)
!
hostname pixfirewall
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 100
 ip address 210.212.140.20 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system flash:/pix635.bin
boot system flash:/pix803.bin
ftp mode passive
access-list test-list extended permit ip any 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool test-pool 10.1.1.10-10.1.1.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list test-list
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set test-set esp-des esp-none
crypto dynamic-map test-dmap 1 match address test-list
crypto dynamic-map test-dmap 1 set transform-set test-set
crypto map test-map 1 ipsec-isakmp dynamic test-dmap
crypto map test-map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
username testuser password 0AKWGtPSEgAcPI9K encrypted
tunnel-group test-group type remote-access
tunnel-group test-group general-attributes
 address-pool test-pool
tunnel-group test-group ipsec-attributes
 pre-shared-key test-key
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:864b198ad3bc2b696e71a686448891aa

Log messages at client side:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

44 12:38:59.296 05/18/08 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 210.212.140.20.

45 12:38:59.312 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd),
VID(Frag), VID(Nat-T), VID(Unity)) to 210.212.140.20

46 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

47 12:38:59.375 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity),
VID(Xauth), VID(dpd), VID(Frag), VID(?)) from 210.212.140.20

48 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

49 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

50 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x63000001
Peer supports DPD

51 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

52 12:38:59.375 05/18/08 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

53 12:38:59.375 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT,
VID(?), VID(Unity)) to 210.212.140.20

54 12:38:59.375 05/18/08 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0880, Remote Port = 0x01F4

55 12:38:59.375 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

56 12:38:59.375 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.212.140.20

57 12:39:03.750 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.212.140.20

58 12:39:03.750 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

59 12:39:03.750 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.212.140.20

60 12:39:03.750 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.212.140.20

61 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

62 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall,
Capability= (Centralized Protection Policy).

63 12:39:03.765 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 210.212.140.20

64 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

65 12:39:03.765 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 210.212.140.20

66 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.1.1.10

67 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

68 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

69 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco
Systems, Inc PIX-525 Version 8.0(3) built by builders on Tue 06-Nov-07
19:50

70 12:39:03.765 05/18/08 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute =
MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

71 12:39:03.765 05/18/08 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.1.1.10, GW IP =
210.212.140.20, Remote IP = 0.0.0.0

72 12:39:03.765 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.212.140.20

73 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

74 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME)
from 210.212.140.20

75 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

76 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 4 seconds, setting expiry to 86396
seconds from now

77 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

78 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 210.212.140.20

79 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

80 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 210.212.140.20

81 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

82 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 210.212.140.20

83 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x63000073
All fragments received.

84 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from
210.212.140.20

85 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 210.212.140.20

86 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=D5222E70

87 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=D77EDEA9D069E93C
R_Cookie=34E0B3C82F5106D2) reason = DEL_REASON_IKE_NEG_FAILED

88 12:39:03.781 05/18/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 210.212.140.20

89 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA,
I_Cookie=D77EDEA9D069E93C R_Cookie=34E0B3C82F5106D2

90 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 210.212.140.20

91 12:39:06.937 05/18/08 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D77EDEA9D069E93C
R_Cookie=34E0B3C82F5106D2) reason = DEL_REASON_IKE_NEG_FAILED

92 12:39:06.937 05/18/08 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

So please, can anyone help me?

Regards
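
An added example, not part of the original post: a small Python triage script for the Cisco VPN Client log format shown above. It joins wrapped lines, tracks the last exchange the client sent, and reports the first non-status NOTIFY received; the function names are hypothetical and the sample is an excerpt of entries 72, 74 and 84 from the log above.

```python
import re

# Excerpt of the client log above (entries 72, 74 and 84), wrapped as in the post.
SAMPLE_LOG = """\
72 12:39:03.765 05/18/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 210.212.140.20

74 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME)
from 210.212.140.20

84 12:39:03.781 05/18/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from
210.212.140.20
"""

# Entry header: sequence, time, date, severity, module/message code.
HEADER = re.compile(r"^(\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\S+\s+\S+$")
# Packet summary: direction, exchange type, payload list, peer address.
PACKET = re.compile(r"^(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) \*?\((.*?)\) (?:to|from) (\S+)$")

def parse_entries(text):
    """Return one dict per log entry, joining message lines wrapped by the mailer."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"seq": int(m.group(1)), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def first_failure(text):
    """Return (seq, notify, last exchange sent) for the first non-STATUS notify received."""
    last_sent = None
    for e in parse_entries(text):
        m = PACKET.match(e["msg"])
        if not m:
            continue
        direction, exchange, payloads, _peer = m.groups()
        if direction.startswith("SENDING"):
            last_sent = exchange
            continue
        for p in payloads.split(", "):
            if p.startswith("NOTIFY:") and not p.startswith("NOTIFY:STATUS_"):
                return e["seq"], p[len("NOTIFY:"):], last_sent
    return None

if __name__ == "__main__":
    print(first_failure(SAMPLE_LOG))
```

On this log the result points at entry 84, an INVALID_ID_INFO notify received after the client's QM (Quick Mode) message, which places the failure in phase 2, after the mode config replies had already been received.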


