Identity errors with remote 501 to 515 VPN

dlatvala
Level 1

Hello,

We are setting up PIX 501s for several of our remote users so they can stop using the software client when working from home. Using the Easy VPN capabilities of the PIX (we have a 515 at the corporate office), we are able to connect and establish the IKE and IPSEC tunnels.

We are also using a split-tunnel so the remote users can have internet access. The internet access works fine when the VPN tunnels are established.

The problem is that when we try to access internal resources on the corporate network (10.0.10.X), the connections time out and we get this message in the PDM log:

402103: identity doesn't match negotiated identity (ip) dest_addr=10.0.11.87, prot= udp, (ident) local=192.168.2.101 remote= 209.XXX.XXX.34, local proxy=192.168.2.101/255.255.255.255/0/0, remote_proxy=10.0.10.06

The software client still works fine and allows internal access to the network (and also internet access).

Thanks for any suggestions,

Dan
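The 402103 message above carries the negotiated proxy identities, so it can be checked mechanically: if dest_addr lies outside the remote_proxy network, the packet is simply not covered by the identity that was negotiated for that SA. The helper below is an added example, not code from the post or from Cisco; the sample line is constructed from the posted one, and because the posted remote_proxy value is cut off, the example assumes 10.0.10.0/255.255.255.0 and a documentation peer address.

```python
import ipaddress
import re

# Constructed sample modelled on the posted 402103 line. The remote_proxy and the
# peer address are assumptions: the original line is truncated and masked.
SAMPLE_LOG = (
    "402103: identity doesn't match negotiated identity (ip) dest_addr=10.0.11.87, "
    "prot= udp, (ident) local=192.168.2.101 remote= 203.0.113.34, "
    "local proxy=192.168.2.101/255.255.255.255/0/0, "
    "remote_proxy=10.0.10.0/255.255.255.0/0/0"
)

# Fields of interest: destination, local proxy, remote proxy (addr/mask/proto/port).
FIELD_RE = re.compile(
    r"dest_addr=(?P<dest>[\d.]+).*?"
    r"local proxy=(?P<lp>[\d./]+).*?"
    r"remote_proxy=(?P<rp>[\d./]+)"
)


def proxy_network(field):
    """Turn 'addr/mask/proto/port' into an ip_network (proto/port ignored)."""
    addr, mask = field.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_402103(line):
    """Extract dest address and both proxy identities from a 402103 message."""
    m = FIELD_RE.search(line)
    if not m or not line.lstrip().startswith("402103"):
        raise ValueError("not a 402103 identity-mismatch message")
    return {
        "dest": ipaddress.ip_address(m["dest"]),
        "local_proxy": proxy_network(m["lp"]),
        "remote_proxy": proxy_network(m["rp"]),
    }


def diagnose(line):
    """Report whether the destination falls inside the negotiated remote proxy."""
    f = parse_402103(line)
    return {
        "dest": str(f["dest"]),
        "remote_proxy": str(f["remote_proxy"]),
        "covered": f["dest"] in f["remote_proxy"],
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A result with covered set to False means the destination (10.0.11.x here) is outside the identity the two PIXes agreed on for that SA, which is what the crypto/split-tunnel definition on each side should be compared against.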

2 Replies

umedryk
Level 5

Hi Dan,

An unencapsulated IPSec packet does not match the negotiated identity. The peer is sending other traffic through this security association. It may be due to a security association selection error by the peer. This may be a hostile event. Better to contact the peer's administrator to compare policy settings.

The problem seems largely due to the fact that the systems that are accessing the VPN tunnel are infected. Therefore, any traffic that is permitted through the VPN tunnel will be causing the problems because of the viruses on the systems. Since the VPN on the PIX requires the use of the nat 0 statement to bypass NAT, any traffic on any port is permitted through the VPN tunnel. Better to check the infected systems. By default the PIX will block any incoming traffic not originated by the host on the inside interface. Therefore an explicit access-list permit for any inbound traffic is required. Since the security association implies a trust relationship, taking care of the infected systems will be the resolution of the issue.

Thanks, Ursula. So you suspect that the laptop we are using through the PIX 501 might be infected and sending bad packets?

Dan