
Microsoft L2TP/IPSEC to PIX515 connection failure

jsanjuan
Level 1

Hi!

I am trying to connect a Windows 2000 PC to the PIX 515 (ver 6.3) through a dial-up VPN connection using L2TP over IPsec. I created the security policy on the Windows terminal and the crypto map on the PIX.

When I try to connect I get the following error on the client: error 678: there was no answer.

In the PIX I get:

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:gandalf/500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:gandalf/500 Ref cnt incremented to:1 Total VPN Peers:1

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_IDLE

ISAKMP (0): processing SA payload. message ID = 1809116666

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 2

ISAKMP: authenticator is HMAC-MD5

ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 192.168.111.1, src= gandalf,

dest_proxy= 192.168.111.1/255.255.255.255/0/0 (type=1),

src_proxy= gandalf/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200

ISAKMP (0): processing NONCE payload. message ID = 1809116666

ISAKMP (0): processing ID payload. message ID = 1809116666

ISAKMP (0): ID_IPV4_ADDR src gandalf prot 0 port 0

ISAKMP (0): processing ID payload. message ID = 1809116666

ISAKMP (0): ID_IPV4_ADDR dst 192.168.111.1 prot 0 port 0IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x38f8d870(955832432) for SA

from gandalf to 192.168.111.1 for prot 3

return status is IKMP_NO_ERROR

ISAKMP (0): sending NOTIFY message 11 protocol 3

crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500

OAK_QM exchange

oakley_process_quick_mode:

OAK_QM_AUTH_AWAITmap_alloc_entry: allocating entry 7

map_alloc_entry: allocating entry 8

ISAKMP (0): Creating IPSec SAs

inbound SA from gandalf to 192.168.111.1 (proxy gandalf to 192.168.111.1)

has spi 955832432 and conn_id 7 and flags 0

outbound SA from 192.168.111.1 to gandalf (proxy 192.168.111.1 to gandalf)

has spi 3827610160 and conn_id 8 and flags 0IPSEC(key_engine): got a queue event...

IPSEC(initialize_sas): ,

(key eng. msg.) dest= 192.168.111.1, src= gandalf,

dest_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),

src_proxy= gandalf/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x38f8d870(955832432), conn_id= 7, keysize= 0, flags= 0x0

IPSEC(initialize_sas): ,

(key eng. msg.) src= 192.168.111.1, dest= gandalf,

src_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),

dest_proxy= gandalf/0.0.0.0/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0xe424b230(3827610160), conn_id= 8, keysize= 0, flags= 0x0

VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:2 Total VPN Peers:1

VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:3 Total VPN Peers:1

return status is IKMP_NO_ERRORIPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

Why is it discarding the packets? Any idea?

Regards,

Nuria

2 Replies

nikhil_m
Level 1

any update on this one?

Hi,

I can't get this to work. I get the same error. The SA is created but, after receiving the error, it is deleted.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.

map_free_entry: freeing entry 3

CRYPTO(epa_release_conn): released conn 3

VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:1 Total VPN Peers:1map_free_entry: freeing entry 4

CRYPTO(epa_release_conn): released conn 4

VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:0 Total VPN Peers:1

VPN Peer: IPSEC: Deleted peer: Peer ip:gandalf/500 Total VPN Peers:0

Any suggestion? I need new ideas.

Nuria