https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003094#M916457 <P>Hi,</P><P></P><P>I have setup a PIX 515 running v803 for remote access from a VPN client. I cyrrently have site-to-site VPN's which have been setup and work fine. Currently, when i connect using the VPN client (v5), although Phase 1 completes Phase 2 does not, I just get IKE negotiation failed.</P><P></P><P>crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5</P><P>crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5</P><P>crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA</P><P>crypto dynamic-map vpnmap_dynmap 50 set pfs</P><P>crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA</P><P>crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap</P><P></P><P>crypto isakmp enable outside</P><P>crypto map vpnmap interface outside</P><P></P><P>group-policy client_vpn_access internal</P><P>group-policy client_vpn_access attributes</P><P> vpn-tunnel-protocol IPSec</P><P> dns-server value 10.1.1.1</P><P></P><P>tunnel-group client_vpn_access type remote-access</P><P></P><P>tunnel-group client_vpn_access general-attributes</P><P> default-group-policy client_vpn_access</P><P> address-pool client_vpn_access</P><P></P><P>tunnel-group client_vpn_access ipsec-attributes</P><P> pre-shared-key presharedkey</P><P></P><P></P><P>#### Log from Cisco VPN Client v5 ####</P><P></P><P>445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E</P><P>Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system</P><P></P><P>467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014</P><P>RECEIVING &lt;&lt;&lt; ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x</P><P></P><P>470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017</P><P>Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED</P><P></P><P>545 21:46:40.379 07/18/08 Sev=Info/4 CM/0x63100012</P><P>Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system</P><P></P><P>Please can you help.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 13:16:43 GMT alyasrazzaq 2019-03-11T13:16:43Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003094#M916457 <P>Hi,</P><P></P><P>I have setup a PIX 515 running v803 for remote access from a VPN client. I cyrrently have site-to-site VPN's which have been setup and work fine. Currently, when i connect using the VPN client (v5), although Phase 1 completes Phase 2 does not, I just get IKE negotiation failed.</P><P></P><P>crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5</P><P>crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA</P><P>crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5</P><P>crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA</P><P>crypto dynamic-map vpnmap_dynmap 50 set pfs</P><P>crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA</P><P>crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap</P><P></P><P>crypto isakmp enable outside</P><P>crypto map vpnmap interface outside</P><P></P><P>group-policy client_vpn_access internal</P><P>group-policy client_vpn_access attributes</P><P> vpn-tunnel-protocol IPSec</P><P> dns-server value 10.1.1.1</P><P></P><P>tunnel-group client_vpn_access type remote-access</P><P></P><P>tunnel-group client_vpn_access general-attributes</P><P> default-group-policy client_vpn_access</P><P> address-pool client_vpn_access</P><P></P><P>tunnel-group client_vpn_access ipsec-attributes</P><P> pre-shared-key presharedkey</P><P></P><P></P><P>#### Log from Cisco VPN Client v5 ####</P><P></P><P>445 21:12:12.686 07/18/08 Sev=Info/4 CM/0x6310000E</P><P>Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system</P><P></P><P>467 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000014</P><P>RECEIVING &lt;&lt;&lt; ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x</P><P></P><P>470 21:12:12.766 07/18/08 Sev=Info/4 IKE/0x63000017</P><P>Marking IKE SA for deletion (I_Cookie=29790EF2FE6728A8 R_Cookie=D4C90BEBCF7838BE) reason = DEL_REASON_IKE_NEG_FAILED</P><P></P><P>545 21:46:40.379 07/18/08 Sev=Info/4 CM/0x63100012</P><P>Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system</P><P></P><P>Please can you help.</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 13:16:43 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003094#M916457 alyasrazzaq 2019-03-11T13:16:43Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003095#M916458 <HTML><HEAD></HEAD><BODY><P>deb crypto isakmp 10</P><P>deb crypto ipsec 10</P><P></P></BODY></HTML> Fri, 18 Jul 2008 20:01:14 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003095#M916458 a.alekseev 2008-07-18T20:01:14Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003096#M916463 <HTML><HEAD></HEAD><BODY><P>please post your isakmp policies</P><P></P><P>sh run all isakmp</P></BODY></HTML> Sat, 19 Jul 2008 02:02:22 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003096#M916463 srue 2008-07-19T02:02:22Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003097#M916471 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Please find the debugs attached.</P><P></P><P>Thanks</P><P></P><P> </P><P></P></BODY></HTML> Sat, 19 Jul 2008 09:01:40 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003097#M916471 bjssccouser 2008-07-19T09:01:40Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003098#M916479 <HTML><HEAD></HEAD><BODY><P>crypto isakmp identity address</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 5</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption des</P><P> hash md5</P><P> group 1</P><P> lifetime 86400</P><P>crypto isakmp policy 30</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 28800</P><P>crypto isakmp policy 40</P><P> authentication pre-share</P><P> encryption des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 60</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 1</P><P> lifetime 86400</P><P>crypto isakmp policy 80</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 65535</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P></P></BODY></HTML> Sat, 19 Jul 2008 09:02:38 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003098#M916479 bjssccouser 2008-07-19T09:02:38Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003099#M916486 <HTML><HEAD></HEAD><BODY><P>no crypto dynamic-map vpnmap_dynmap 5 set transform-set TRANS_ESP_3DES_MD5 </P><P>no crypto dynamic-map vpnmap_dynmap 15 set transform-set ESP-3DES-SHA </P><P>no crypto dynamic-map vpnmap_dynmap 30 set transform-set ESP-DES-MD5 </P><P>no crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-DES-SHA </P><P>crypto dynamic-map vpnmap_dynmap 50 set pfs </P><P>crypto dynamic-map vpnmap_dynmap 50 set transform-set ESP-3DES-SHA</P><P></P><P>and show me your transform-set ESP-3DES-SHA</P><P></P></BODY></HTML> Sat, 19 Jul 2008 13:39:47 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003099#M916486 a.alekseev 2008-07-19T13:39:47Z https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003100#M916494 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have removed the dynamic crypto maps as above, which has resulted in the Cisco VPN client now connecting. </P><P></P><P>However, I had to also remove pfs as I am also using the PIX for L2TP/IPSEC VPN from a Windows client. </P><P></P><P>Could you explain why this wasn't working before? Shouldn't the VPN client have been presented with all the SA options and picked the one that suited it?</P><P></P><P>Thanks</P></BODY></HTML> Sat, 19 Jul 2008 18:28:50 GMT https://community.cisco.com/t5/network-security/pix-remote-access-vpn/m-p/1003100#M916494 bjssccouser 2008-07-19T18:28:50Z