2505 Views, 0 Helpful, 6 Replies

IPsec Tunnel (dyn.) Cisco <-> Bintec (stat.)

MichaelBreuker
Level 1

I am trying to configure a Cisco VPN connection to the following destination:

http://www.funkwerk-ec.com/prod_bintec_vpn_ipsec_test_access_de,14690,194.html

Since the "Pre-Shared Key Identity" is required, I'm looking for a suitable function.


6 Replies

Jennifer Halim
Cisco Employee

I don't think you can use the Cisco VPN Client to connect. Unfortunately I don't read German, but VPN Access 100 is not a Cisco VPN server product.

There is a VPN Client link at the bottom of the page, i.e. the Bintec Secure IPSec VPN Client, which you might have to use to connect to the VPN Access 100 server.

Here is the link FYI:

http://www.funkwerk-ec.com/download/de/products/vpn_in_5min_client.pdf

Hope that helps.

No, this is not the problem.
I would like to connect to a Cisco router, and cannot realise the "Pre-Shared Key Identity" function.

??

It's the hostname of the vpn peer server. It should really be "vpn-test.bintec.de" not "vpn-test@bintec.de".

"vpn-test.bintec.de" resolves to 212.14.95.38 which is the ipsec gateway.

On a Cisco router, it would be specified as follows:

crypto isakmp identity [address | hostname]

"address" would be when the peer is identified by ip address (212.14.95.38)

"hostname" would be when the peer is identified by hostname (vpn-test.bintec.de)

Here is the command reference for your information:

http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_c4.html#wp1060149

Hope that helps.

The debug shows that phase 1 is now OK.

But phase 2 still contains an error.

*Jan 10 18:40:33.907: SA has outstanding requests  (local    IP   port 500, remote   IP   port 500)
*Jan 10 18:40:33.907: ISAKMP:(2031): sitting IDLE. Starting QM immediately (QM_IDLE      )
*Jan 10 18:40:33.907: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of 638886014
*Jan 10 18:40:33.907: ISAKMP:(2031):QM Initiator gets spi
*Jan 10 18:40:33.907: ISAKMP:(2031): sending packet to   IP   my_port 500 peer_port 500 (I) QM_IDLE
*Jan 10 18:40:33.907: ISAKMP:(2031):Sending an IKE IPv4 Packet.
*Jan 10 18:40:33.907: ISAKMP:(2031):Node 638886014, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jan 10 18:40:33.907: ISAKMP:(2031):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jan 10 18:40:34.003: ISAKMP (2031): received packet from   IP   dport 500 sport 500 Global (I) QM_IDLE
*Jan 10 18:40:34.003: ISAKMP: set new node -660547041 to QM_IDLE
*Jan 10 18:40:34.003: ISAKMP:(2031
Router#): processing HASH payload. message ID = -660547041
*Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 210632566, message ID = -660547041, sa = 0x866C79CC
*Jan 10 18:40:34.003: ISAKMP:(2031): deleting spi 210632566 message ID = 638886014
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node 638886014 error TRUE reason "Delete Larval"
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node -660547041 error FALSE reason "Informational (in) state 1"
*Jan 10 18:40:34.003: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 10 18:40:34.003: ISAKMP:(2031):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

The error message is the line: *Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

The Bintec expected: Phase 2 Proposal ESP, 3DES/MD5

My transform-set is: Router(config)#crypto ipsec transform-set Test esp-3des esp-md5-hmac

What's the mistake?

Based on the document "VPN in 5 Minuten - VPN Gateway" (page 24), the PDF from the URL given, it seems that they are using phase 2 with PFS set to group 2, so try adding that to your phase 2 policy on the router.

"set pfs group2" under the dynamic crypto map configuration.
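As an added illustration (not code from the thread or from Cisco), here is a small Python script that reads IKEv1 debug output like the one posted above and maps a PROPOSAL_NOT_CHOSEN notification to the IKE phase it belongs to and to the IOS settings worth comparing with the peer. The sample lines are the relevant ones from the debug above; the hint text is an assumption about what is typically checked (the thread itself points at the transform set and the PFS group).

```python
import re

# Constructed sample: the lines that matter from the debug output posted above.
SAMPLE_DEBUG = """\
*Jan 10 18:40:33.907: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of 638886014
*Jan 10 18:40:33.907: ISAKMP:(2031):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 210632566, message ID = -660547041, sa = 0x866C79CC
*Jan 10 18:40:34.003: ISAKMP:(2031):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
"""

# Protocol IDs carried in an IKEv1 NOTIFY payload (ISAKMP DOI, RFC 2407).
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}

# Assumed checklist per phase: which IOS settings feed the rejected proposal.
HINTS = {
    1: "phase 1: compare 'crypto isakmp policy' (encryption, hash, DH group, auth)",
    2: "phase 2: compare the transform-set, the 'set pfs' group and the proxy ACL",
}

LINE_RE = re.compile(r"ISAKMP:?\s*\((\d+)\)\s*:?\s*(.*)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
STATE_RE = re.compile(r"New State = (\S+)")


def diagnose(debug_text: str) -> list:
    """Walk IKEv1 debug lines and return one finding per rejected proposal."""
    in_quick_mode = {}          # SA id -> has this SA entered quick mode?
    findings = []
    for raw in debug_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue            # continuation lines (spi ..., sa = ...) carry no event
        sa, rest = m.group(1), m.group(2)
        st = STATE_RE.search(rest)
        if st and st.group(1).startswith("IKE_QM_"):
            in_quick_mode[sa] = True
        n = NOTIFY_RE.search(rest)
        if n and n.group(1) == "PROPOSAL_NOT_CHOSEN":
            proto = int(n.group(2))
            phase = 1 if proto == 1 else 2      # ISAKMP SA rejected -> phase 1, else IPsec SA
            findings.append({
                "sa": sa,
                "protocol": PROTO_NAMES.get(proto, "unknown(%d)" % proto),
                "phase": phase,
                "quick_mode_started": in_quick_mode.get(sa, False),
                "hint": HINTS[phase],
            })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG):
        print("SA %s: peer rejected the %s proposal (phase %d); %s"
              % (f["sa"], f["protocol"], f["phase"], f["hint"]))
```

For the debug above this reports a rejected ESP proposal in phase 2 on SA 2031, which is exactly the case where the transform set matched but the PFS group did not.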

Thanks Jennifer Halim.

Great,
this was my problem.
Many thanks.
