Core issue
After the vpngroup group_name password preshared_key command is entered on the PIX Firewall, the LAN-to-LAN tunnel between the PIX Firewall and the VPN Concentrator stops working. When the LAN-to-LAN connection is attempted, the concentrator logs this message: Received encrypted Oakley Main Mode packet with invalid payloads.
This is the VPN portion of the PIX Firewall configuration:
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto map crymap 21 ipsec-isakmp
crypto map crymap 21 match address test
crypto map crymap 21 set peer peer_address
crypto map crymap 21 set transform-set set1
crypto map crymap interface outside
isakmp enable outside
isakmp key ******** address peer_address netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 86400
vpngroup default dns-server x.x.x.x
vpngroup default wins-server x.x.x.x
vpngroup default default-domain name.com
vpngroup default split-tunnel 110
vpngroup default idle-time 1800
vpngroup default password ********
vpngroup group idle-time 1800
Resolution
The dynamic crypto map for the new VPN Client connections is missing. The vpngroup password command enables VPN Client support, but the crypto map crymap that is applied to the outside interface contains only the static LAN-to-LAN entry (sequence 21) and no entry that references a dynamic crypto map.
To resolve this issue, perform these steps:
1. Unapply the crypto map, as shown in this example:
no crypto map crymap interface outside
2. Add these commands to complete the dynamic crypto map. Give the dynamic entry a higher sequence number (90) than the LAN-to-LAN entry (21) so that the static peer entry is evaluated first, and use the same dynamic map name (dynmap) in both commands:
crypto map crymap 90 ipsec-isakmp dynamic dynmap
crypto dynamic-map dynmap 10 set transform-set set1
3. Reapply the crypto map to the interface, as shown in this example:
crypto map crymap interface outside
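The following script is an added example, not a Cisco tool, that checks a PIX-style configuration for the condition described in this document: a vpngroup password configured while the crypto map applied to an interface has no dynamic entry. It also catches two related mistakes that break the resolution above, a dynamic map name that is referenced but never defined and a dynamic entry whose sequence number is not higher than the static entries. The sample configurations are constructed from the page, with the peer address replaced by the documentation address 192.0.2.1; the function and pattern names are this example's own.

```python
"""Audit a PIX 6.x-style configuration for a vpngroup password that is
configured without a matching dynamic crypto map.

Added example, not Cisco's code. Only the crypto map, crypto dynamic-map
and vpngroup lines are parsed; everything else is ignored.
"""
import re
from collections import defaultdict

# Constructed sample: the failing configuration, trimmed to the relevant lines.
BROKEN_CONFIG = """\
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto map crymap 21 ipsec-isakmp
crypto map crymap 21 match address test
crypto map crymap 21 set peer 192.0.2.1
crypto map crymap 21 set transform-set set1
crypto map crymap interface outside
isakmp enable outside
isakmp key ******** address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
vpngroup default password ********
"""

# Constructed sample: the same configuration after the resolution steps.
FIXED_CONFIG = BROKEN_CONFIG + """\
crypto map crymap 90 ipsec-isakmp dynamic dynmap
crypto dynamic-map dynmap 10 set transform-set set1
"""

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
DYNAMIC_REF_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
APPLY_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
DYNAMIC_DEF_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) ")
VPNGROUP_PW_RE = re.compile(r"^vpngroup (\S+) password ")


def audit(config: str) -> list[str]:
    """Return a list of findings; an empty list means the config is consistent."""
    static = defaultdict(list)        # crypto map name -> static sequence numbers
    dynamic_refs = defaultdict(list)  # crypto map name -> [(seq, dynamic-map name)]
    applied = {}                      # crypto map name -> interface it is applied to
    dynamic_defs = set()              # names of dynamic maps that are actually defined
    vpngroups = []                    # vpngroup names that carry a password

    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            static[m[1]].append(int(m[2]))
        elif m := DYNAMIC_REF_RE.match(line):
            dynamic_refs[m[1]].append((int(m[2]), m[3]))
        elif m := APPLY_RE.match(line):
            applied[m[1]] = m[2]
        elif m := DYNAMIC_DEF_RE.match(line):
            dynamic_defs.add(m[1])
        elif m := VPNGROUP_PW_RE.match(line):
            vpngroups.append(m[1])

    findings = []
    if not vpngroups:
        return findings  # no VPN Client groups configured, nothing to check

    for name, iface in applied.items():
        refs = dynamic_refs.get(name, [])
        if not refs:
            findings.append(
                f"vpngroup {vpngroups} configured but crypto map {name} on "
                f"{iface} has no dynamic entry"
            )
            continue
        for seq, dyn in refs:
            if dyn not in dynamic_defs:
                findings.append(
                    f"crypto map {name} {seq} references dynamic-map {dyn}, "
                    f"which is not defined"
                )
            # Entries are evaluated in sequence order; the dynamic entry must
            # come after every static (LAN-to-LAN) entry of the same map.
            if static[name] and seq <= max(static[name]):
                findings.append(
                    f"dynamic entry {name} {seq} must have a higher sequence "
                    f"number than static entries {sorted(static[name])}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Run it against a saved copy of show running-config; a finding that names the applied crypto map is the situation this document describes, and a "not defined" finding means the dynamic map name in the crypto map entry does not match the crypto dynamic-map command.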