PIX VPN rsa-sig client DNS assignment problem

d.baba
Level 1

Dear all,

We have a PIX 515E with VPN rsa-sig authentication configured. The conf is running, but we still have the same problem, which is:

The VPN client receives an IP address from a local pool (vpn_ip_pool) but no DNS address and no domain name.

We have a second conf with pre-shared authentication which is good.

The PIX config:

access-list acl_no_nat_inside permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
ip local pool vpn_ip_pool 192.168.10.1-192.168.10.10
nat (inside) 0 access-list acl_no_nat_inside
sysopt connection permit-ipsec
crypto ipsec transform-set toto_transform esp-aes-256 esp-sha-hmac
crypto dynamic-map toto_dyn_map 10 set transform-set toto_transform
crypto map toto_map 10 ipsec-isakmp dynamic toto_dyn_map
crypto map toto_map interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_ip_pool outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto dns-server 10.1.1.41 10.1.1.42
vpngroup vpntoto default-domain toto.tata
vpngroup vpntoto idle-time 1800
vpngroup vpntoto password *************
ca identity certtoto 10.1.1.54:/certsrv/mscep/mscep.dll
ca configure certtoto ra 1 20 crloptional

And the debug is:

48 17:17:33.994 04/13/05 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.10.1/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=

papaye

7 Replies

mhussein
Level 4

Hello,

Try removing:

isakmp client configuration address-pool local vpn_ip_pool outside

and see if that helps.

Regards,

Mustafa

Hello,

We have already removed this command, but the connection is not established and we have this log:

37 08:36:28.791 04/14/05 Sev=Warning/2
No private IP address was assigned by the peer
38 08:36:28.791 04/14/05 Sev=Warning/2
Failed to process ModeCfg Reply (NavigatorTM:175)

Maybe there is another command to fix this error, but we can't find it. Any ideas?

Thanks!

Bye.

Not sure what to make of this; the PIX config looks good, but it seems the client is not processing the "IKE Mode Config" parameters. I am guessing that one of the mode-config settings is causing the problem.

For testing purposes, I'd suggest reducing the vpngroup parameters to a minimum and shortening the password to, say, 8 characters, e.g.:

vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto password ******** (8 characters password)
# remove the rest of the vpngroup statements
# keep "isakmp client configuration address-pool local vpn_ip_pool outside" disabled while testing.

If this works, then start adding the rest of the vpngroup parameters. Otherwise, check the vpn client version for bugs.

Please keep us posted.
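As an added example (not code from this thread, from Cisco, or from the PIX itself), the Python script below turns the two diagnostic steps discussed above into a repeatable check: it parses the vpngroup statements from the PIX config quoted in the original post, flags the global `isakmp client configuration address-pool` line that the first reply suggests removing when a per-group pool is also set, and then compares what the config says should be pushed via IKE Mode Config against what the VPN Client's "Virtual Adapter was enabled" log block actually reports. The sample config and log lines are constructed from the thread; the password value, the finding codes and the helper names are my own and are not PIX or Cisco identifiers.

```python
import re

# Constructed sample: the PIX 6.x-style statements from the thread that drive
# IKE Mode Config (address pool, DNS, domain). The password is a placeholder.
SAMPLE_CONFIG = """\
ip local pool vpn_ip_pool 192.168.10.1-192.168.10.10
isakmp client configuration address-pool local vpn_ip_pool outside
isakmp policy 10 authentication rsa-sig
vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto dns-server 10.1.1.41 10.1.1.42
vpngroup vpntoto default-domain toto.tata
vpngroup vpntoto idle-time 1800
vpngroup vpntoto password PLACEHOLDER
"""

# Constructed sample: Cisco VPN Client log lines in the shape quoted in the thread.
SAMPLE_CLIENT_LOG = """\
48 17:17:33.994 04/13/05 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.10.1/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
"""

ISAKMP_POOL_RE = re.compile(r"^isakmp client configuration address-pool local (\S+)")
ADAPTER_LINE_RE = re.compile(r"^([A-Za-z]+)=(.*)$")


def parse_vpngroups(config):
    """Map each vpngroup name to its attributes, e.g.
    {'vpntoto': {'dns-server': ['10.1.1.41', '10.1.1.42'], ...}}."""
    groups = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "vpngroup":
            name, attr, values = parts[1], parts[2], parts[3:]
            groups.setdefault(name, {})[attr] = values
    return groups


def lint_config(config):
    """Return (code, detail) findings about the Mode Config related statements."""
    findings = []
    groups = parse_vpngroups(config)
    isakmp_pools = []
    for line in config.splitlines():
        m = ISAKMP_POOL_RE.match(line.strip())
        if m:
            isakmp_pools.append(m.group(1))
    group_pools = {name: attrs["address-pool"][0]
                   for name, attrs in groups.items() if "address-pool" in attrs}
    # The first reply suggests the global isakmp pool statement competes with
    # the per-group one; report it whenever both are present.
    if isakmp_pools and group_pools:
        findings.append(("pool-configured-twice",
                         f"isakmp pools {isakmp_pools} and vpngroup pools {group_pools}"))
    # A group that never configures DNS or a domain cannot push them.
    for name, attrs in groups.items():
        for required in ("address-pool", "dns-server", "default-domain"):
            if required not in attrs:
                findings.append(("missing-attribute", f"{name} has no {required}"))
    return findings


def parse_client_adapter(log):
    """Extract the KEY=VALUE block that follows 'The Virtual Adapter was enabled:'."""
    adapter = {}
    in_block = False
    for line in log.splitlines():
        if "The Virtual Adapter was enabled" in line:
            in_block = True
            continue
        if not in_block:
            continue
        m = ADAPTER_LINE_RE.match(line.strip())
        if not m:
            break  # next log entry; the adapter block is over
        adapter[m.group(1)] = m.group(2).strip()
    return adapter


def unpushed_attributes(group_attrs, adapter):
    """Names of vpngroup attributes the PIX was configured to push but the
    client did not receive. 0.0.0.0 or an empty value means 'not assigned'."""
    missing = []
    dns = [a for a in adapter.get("DNS", "").split(",") if a and a != "0.0.0.0"]
    if group_attrs.get("dns-server") and not dns:
        missing.append("dns-server")
    if group_attrs.get("default-domain") and not adapter.get("Domain"):
        missing.append("default-domain")
    if group_attrs.get("address-pool") and not adapter.get("IP"):
        missing.append("address-pool")
    return missing


if __name__ == "__main__":
    for code, detail in lint_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
    group = parse_vpngroups(SAMPLE_CONFIG)["vpntoto"]
    adapter = parse_client_adapter(SAMPLE_CLIENT_LOG)
    print("configured but not pushed:", unpushed_attributes(group, adapter))
```

Run against the thread's own config and log, the script reports the doubled pool statement and lists `dns-server` and `default-domain` as configured but never received, which is exactly the symptom the original poster describes; the client log, not the PIX config, is the authoritative place to confirm whether Mode Config attributes arrived, which is why the check is split into a config lint and a log comparison.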

After upgrading to PIX v7 last night, mine started doing the same thing: none of the attributes below get passed to the client:

group-policy vpn1000 attributes
wins-server value 10.5.1.2
dns-server value 10.5.1.2
vpn-idle-timeout 600
split-tunnel-policy tunnelall
default-domain value company.corp

I upgraded the client to 4.6.02.0011, but same thing.

Did you guys get yours working?

Hi,

I am hitting this problem too, with a PIX 515E and OS 7.0: no attributes get passed to the client.

Did you manage to get this resolved?

If so, then I'd be grateful if you could let me know what you had to do!

Cheers

LR

Jay,

Thanks very much, I suspected that this would be some kind of bug.

I did a bug search but came up with no hits before I posted my request, which annoys me even more!

Thanks again,

LR