04-13-2005 07:18 AM
Dear all,
We have a PIX 515E with VPN rsa-sig authentication configured. The config is running, but we still have the same problem, which is:
The VPN client receives an IP address from a local pool (vpn_ip_pool) but no DNS address and no domain name.
We have a second config with pre-shared authentication, which is good.
The PIX config:
access-list acl_no_nat_inside permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
ip local pool vpn_ip_pool 192.168.10.1-192.168.10.10
nat (inside) 0 access-list acl_no_nat_inside
sysopt connection permit-ipsec
crypto ipsec transform-set toto_transform esp-aes-256 esp-sha-hmac
crypto dynamic-map toto_dyn_map 10 set transform-set toto_transform
crypto map toto_map 10 ipsec-isakmp dynamic toto_dyn_map
crypto map toto_map interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpn_ip_pool outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto dns-server 10.1.1.41 10.1.1.42
vpngroup vpntoto default-domain toto.tata
vpngroup vpntoto idle-time 1800
vpngroup vpntoto password *************
ca identity certtoto 10.1.1.54:/certsrv/mscep/mscep.dll
ca configure certtoto ra 1 20 crloptional
And the debug is:
48 17:17:33.994 04/13/05 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.10.1/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
papaye
04-13-2005 02:52 PM
Hello,
Try removing:
isakmp client configuration address-pool local vpn_ip_pool outside
see if that helps
Regards,
Mustafa
04-13-2005 10:47 PM
Hello,
We have already removed this command, but the connection is not established and we get this log:
37 08:36:28.791 04/14/05 Sev=Warning/2
No private IP address was assigned by the peer
38 08:36:28.791 04/14/05 Sev=Warning/2
Failed to process ModeCfg Reply (NavigatorTM:175)
Maybe there is another command to fix this error, but we can't find it. Any ideas?
Thanks!
Bye.
04-14-2005 10:48 PM
Not sure what to make of this, the pix config looks good, but it seems the client is not processing "IKE Mode Config" parameters. I am guessing that one of the mode-config settings is causing the problem.
For testing purposes, I'd suggest reducing the vpngroup parameters to a minimum and shortening the password to, say, 8 characters, e.g.:
vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto password ******** (8 characters password)
# remove the rest of the vpngroup statements
# keep "isakmp client configuration address-pool local vpn_ip_pool outside" disabled while testing.
If this works, then start adding the rest of the vpngroup parameters. Otherwise, check the vpn client version for bugs.
Please keep us posted.
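The troubleshooting loop suggested above (strip the vpngroup down, check what the client's "Virtual Adapter was enabled" block actually reports, then add attributes back one at a time) is easy to get wrong by eye when several attributes are involved. The following Python script is an added example, not code from any poster in this thread or from Cisco: it parses the posted PIX 6.x vpngroup lines and the posted VPN client log, then lists every Mode Config attribute the PIX is configured to push that the client did not receive. The sample config and log are copied from the thread; the function names (parse_vpngroups, legacy_modecfg_pools, parse_virtual_adapter, audit) are my own, and the check that flags the older "isakmp client configuration address-pool local" line next to "vpngroup ... address-pool" simply encodes Mustafa's suggestion rather than a verified PIX behaviour.

```python
import re
from typing import Dict, List

# Constructed sample: the relevant PIX 6.x lines as posted in the thread.
SAMPLE_PIX_CONFIG = """\
ip local pool vpn_ip_pool 192.168.10.1-192.168.10.10
isakmp enable outside
isakmp client configuration address-pool local vpn_ip_pool outside
isakmp policy 10 authentication rsa-sig
vpngroup vpntoto address-pool vpn_ip_pool
vpngroup vpntoto dns-server 10.1.1.41 10.1.1.42
vpngroup vpntoto default-domain toto.tata
vpngroup vpntoto idle-time 1800
vpngroup vpntoto password *************
"""

# Constructed sample: the Cisco VPN client log block quoted in the first post.
SAMPLE_CLIENT_LOG = """\
48 17:17:33.994 04/13/05 Sev=Info/4 CM/0x63100034
The Virtual Adapter was enabled:
IP=192.168.10.1/255.255.255.0
DNS=0.0.0.0,0.0.0.0
WINS=0.0.0.0,0.0.0.0
Domain=
"""

VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
LEGACY_MODECFG_RE = re.compile(r"^isakmp client configuration address-pool local\s+(\S+)")
ADAPTER_RE = re.compile(r"^(IP|DNS|WINS|Domain)=(.*)$")
NO_IP_MSG = "No private IP address was assigned by the peer"


def parse_vpngroups(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Collect the Mode Config attributes configured per vpngroup name."""
    groups: Dict[str, Dict[str, List[str]]] = {}
    for line in config.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if m:
            name, attr, value = m.group(1), m.group(2), (m.group(3) or "")
            groups.setdefault(name, {})[attr] = value.split()
    return groups


def legacy_modecfg_pools(config: str) -> List[str]:
    """Pools referenced by the older 'isakmp client configuration' form."""
    return [m.group(1) for m in
            (LEGACY_MODECFG_RE.match(l.strip()) for l in config.splitlines()) if m]


def parse_virtual_adapter(log: str) -> Dict[str, List[str]]:
    """What the client actually got: 0.0.0.0 and empty values mean 'nothing pushed'."""
    received: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ADAPTER_RE.match(line.strip())
        if m:
            raw = m.group(2).strip()
            received[m.group(1)] = [v for v in raw.split(",") if v and v != "0.0.0.0"]
    return received


def audit(config: str, log: str, group: str) -> List[str]:
    """Return one finding per configured attribute that did not reach the client."""
    groups = parse_vpngroups(config)
    if group not in groups:
        return [f"vpngroup {group} not found in config"]
    attrs = groups[group]
    findings: List[str] = []
    # Assumption (from Mustafa's reply): the legacy line should not coexist with vpngroup.
    if legacy_modecfg_pools(config) and "address-pool" in attrs:
        findings.append("legacy 'isakmp client configuration address-pool local' "
                        "coexists with 'vpngroup address-pool'; try removing the legacy line")
    if NO_IP_MSG in log:
        findings.append(f"client log reports '{NO_IP_MSG}' (Mode Config reply rejected)")
    received = parse_virtual_adapter(log)
    for attr, field in {"dns-server": "DNS", "wins-server": "WINS",
                        "default-domain": "Domain"}.items():
        if attr in attrs and not received.get(field):
            findings.append(f"{attr} {' '.join(attrs[attr])} configured "
                            f"but client received no {field}")
    if received and not received.get("IP"):
        findings.append("client received no private IP")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PIX_CONFIG, SAMPLE_CLIENT_LOG, "vpntoto"):
        print("-", finding)
```

Run it against a fresh "show run" and the client log after each attribute you add back; the script reporting an empty list is the point at which the Mode Config exchange is delivering everything the vpngroup defines.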
04-20-2005 09:28 PM
After upgrading to PIXv7 last night mine started doing the same thing--none of the below attributes get passed to the client:
group-policy vpn1000 attributes
wins-server value 10.5.1.2
dns-server value 10.5.1.2
vpn-idle-timeout 600
split-tunnel-policy tunnelall
default-domain value company.corp
I upgraded the client to 4.6.02.0011 but same thing.
Did you guys get yours working?
06-14-2005 03:38 AM
Hi,
I am hitting this problem too, with PIX 515e and OS 7.0, no attributes get passed to the client.
Did you manage to get this resolved?
If so, then I'd be grateful if you could let me know what you had to do!
Cheers
LR
06-14-2005 04:28 AM
Lee,
Have you read the following URL:
Hope this helps,
Jay
06-14-2005 07:07 AM
Jay,
Thanks very much, I suspected that this would be some kind of bug.
I did a bug search but came up with no hits, before I posted my request - which annoys me even more!
Thanks again,
LR