cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1880
Views
0
Helpful
7
Replies

VPN issues

g.leonard
Level 1
Level 1

I am trying to allow a remote VPN client to connect to our head-end PIX. They are unable to do so and the following debug messages are appearing on the firewall:

"VPN Peer:ISAKMP: Peer Info for X.X.X.X/643 not found - peers:0

ISADB: reaper checking SA 0xb2c14c, conn_id = 0

ISADB: reaper checking SA 0xb2c8d4, conn_id = 0

ISADB: reaper checking SA 0xb2d7e4, conn_id = 0

ISADB: reaper checking SA 0xb2df6c, conn_id = 0

ISADB: reaper checking SA 0xb2d05c, conn_id = 0

crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:643 dpt:

500"

Please see my config below. Can anybody help?

interface ethernet0 10full

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password

passwd

hostname XXXX

domain-name XXXXX

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

object-group network VPN_POOL

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

network-object host X.X.X.X

access-list 101 permit ip host ((SERVER1)) object-group VPN_POOL

access-list 101 permit ip host ((SERVER2)) object-group VPN_POOL

pager lines 24

logging on

logging console warnings

icmp deny any echo-reply outside

icmp permit any unreachable outside

mtu outside 1500

mtu inside 1500

ip address outside X.X.X.X 255.255.255.252

ip address inside X.X.X.X 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN ((ABOVE IPs FROM VPN_POOL))

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server MYTACACS protocol tacacs+

aaa-server MYTACACS (inside) host X.X.X.X ((SECRETKEY)) timeout 5

aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACAC

S

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set TRANS1 esp-aes-256 esp-sha-hmac

crypto dynamic-map DYNOMAP 10 set transform-set TRANS1

crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP

crypto map VPNPEER client authentication MYTACACS

crypto map VPNPEER interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 5

isakmp policy 10 lifetime 86400

vpngroup GROUP1 address-pool VPN

vpngroup GROUP1 default-domain XXXXXXX

vpngroup GROUP1 idle-time 1800

vpngroup GROUP1 password ********

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

1 Accepted Solution

Accepted Solutions

To troubleshoot, I will suggest making the changes below and if it doesn't resolve u can revert back to your old config

isakmp policy 10 encryption 3des

isakmp policy 10 group 2

cryto ipsec transform-set TRANS1 esp-3des esp-sha-hmac

Lets know how u get on.

Cheers

View solution in original post

7 Replies 7

lfabricio
Level 1
Level 1

Which client version you this using?

Client: 4.0.1

PIX: 6.3(1)

Client gets the following message:

"Secure VPN connection terminated locally by the client. Reason: The remote peer is no longer responding"

More errors from debug on the PIX:

"ISAKMP (0): Proposed key length does not match policy

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth pre-share (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:636 dpt:

500

VPN Peer:ISAKMP: Peer Info for X.X.X.X/500 not found - peers:0

crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:636 dpt:

500

VPN Peer:ISAKMP: Peer Info for X.X.X.X/500 not found - peers:0

crypto_isakmp_process_block:src:X.X.X.X, dest:X.X.X.X spt:636 dpt:

500

VPN Peer:ISAKMP: Peer Info for X.X.X.X/500 not found - peers:0

ISAKMP (0): deleting SA: src X.X.X.X, dst X.X.X.X

ISADB: reaper checking SA 0xb2c14c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for X.X.X.X/636 not found - peers:0"

To troubleshoot, I will suggest making the changes below and if it doesn't resolve u can revert back to your old config

isakmp policy 10 encryption 3des

isakmp policy 10 group 2

cryto ipsec transform-set TRANS1 esp-3des esp-sha-hmac

Lets know how u get on.

Cheers

Lekan

I changed the transform set and the isakmp policy and it now works. I'm using a 501 and I don't think it supports 256-bit AES? Probably because of the absense of a VAC card and its minimal RAM. I think it does support 3DES and 128-bit AES. Anyway it works now - awesome. Thanks alot for your help.

Gary

doliver
Level 1
Level 1

In your config, you have specified in your isakmp policy 10 that you are using pre-shared keys, however I do not see where you have the key defined.

i.e

isakmp key address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Hope this helps.

He does not have to do that if he does not want to use the same pre share key for all groups.

vpngroup GROUP1 password ******** enables him to use a different key (per group) if he decides to create another group in the future.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: