TCC_2

Core issue

When the vpngroup group_name password preshared_key command is entered on the PIX Firewall, the LAN-to-LAN session between the PIX Firewall and the VPN Concentrator breaks. When the LAN-to-LAN connection is attempted, the concentrator displays this message: "Received encrypted Oakley Main Mode packet with invalid payloads."

This is the VPN portion of the PIX Firewall configuration:

crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto map crymap 21 ipsec-isakmp
crypto map crymap 21 match address test
crypto map crymap 21 set peer peer_address
crypto map crymap 21 set transform-set set1
crypto map crymap interface outside
isakmp enable outside
isakmp key ******** address peer_address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup default dns-server x.x.x.x
vpngroup default wins-server x.x.x.x
vpngroup default default-domain name.com
vpngroup default split-tunnel 110
vpngroup default idle-time 1800
vpngroup default password ********
vpngroup group idle-time 1800

Resolution

The dynamic crypto map for the new VPN Client connections is missing.

To resolve this issue, perform these steps:

  1. Unapply the crypto map from the interface, as shown in this example:

       no crypto map crymap interface outside

  2. Add these commands to complete the dynamic crypto map. The dynamic-map name must be identical in both commands, or the crypto map entry references a dynamic map that does not exist:

       crypto map crymap 90 ipsec-isakmp dynamic dynmap
       crypto dynamic-map dynmap 10 set transform-set set1

  3. Reapply the crypto map to the interface, as shown in this example:

       crypto map crymap interface outside
