12-26-2003 03:24 AM - edited 02-21-2020 12:58 PM
Hi!
I am trying to connect a Windows 2000 PC to the PIX 515 (ver 6.3) through a dial-up VPN connection using L2TP over IPsec. I created the security policy in the Windows terminal and the crypto map in the PIX.
When I try to connect I get the following error in the client: error 678: there was no answer.
In the PIX I get:
crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a MSWIN2K client
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:gandalf/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:gandalf/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1809116666
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.111.1, src= gandalf,
dest_proxy= 192.168.111.1/255.255.255.255/0/0 (type=1),
src_proxy= gandalf/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x200
ISAKMP (0): processing NONCE payload. message ID = 1809116666
ISAKMP (0): processing ID payload. message ID = 1809116666
ISAKMP (0): ID_IPV4_ADDR src gandalf prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1809116666
ISAKMP (0): ID_IPV4_ADDR dst 192.168.111.1 prot 0 port 0IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x38f8d870(955832432) for SA
from gandalf to 192.168.111.1 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
crypto_isakmp_process_block:src:gandalf, dest:192.168.111.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAITmap_alloc_entry: allocating entry 7
map_alloc_entry: allocating entry 8
ISAKMP (0): Creating IPSec SAs
inbound SA from gandalf to 192.168.111.1 (proxy gandalf to 192.168.111.1)
has spi 955832432 and conn_id 7 and flags 0
outbound SA from 192.168.111.1 to gandalf (proxy 192.168.111.1 to gandalf)
has spi 3827610160 and conn_id 8 and flags 0IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 192.168.111.1, src= gandalf,
dest_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),
src_proxy= gandalf/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x38f8d870(955832432), conn_id= 7, keysize= 0, flags= 0x0
IPSEC(initialize_sas): ,
(key eng. msg.) src= 192.168.111.1, dest= gandalf,
src_proxy= 192.168.111.1/0.0.0.0/0/0 (type=1),
dest_proxy= gandalf/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0xe424b230(3827610160), conn_id= 8, keysize= 0, flags= 0x0
VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:gandalf/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERRORIPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
Why is it discarding the packets? Any idea?
Regards,
Nuria
01-02-2004 05:38 AM
Any update on this one?
01-08-2004 02:18 AM
Hi,
I can't get this to work. I get the same error. The SA is created, but after receiving the error it is deleted.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
map_free_entry: freeing entry 3
CRYPTO(epa_release_conn): released conn 3
VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:1 Total VPN Peers:1map_free_entry: freeing entry 4
CRYPTO(epa_release_conn): released conn 4
VPN Peer: IPSEC: Peer ip:gandalf/500 Decrementing Ref cnt to:0 Total VPN Peers:1
VPN Peer: IPSEC: Deleted peer: Peer ip:gandalf/500 Total VPN Peers:0
Any suggestion? I need new ideas.
Nuria
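A small triage helper for debug output like that in the posts above, added here as an example and not part of the original thread or of any Cisco tooling: it extracts the negotiated Phase 1 and Phase 2 parameters, decodes the encapsulation mode, and lists the discard events. The function name `summarize` and the embedded sample (a few lines copied from the posts) are assumptions of this example; the encapsulation-mode values are those of the IPsec DOI (RFC 2407).

```python
import re

# Constructed sample: a few lines copied from the PIX debug output in the posts above.
SAMPLE = """\
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): SA has been authenticated
ISAKMP: transform 1, ESP_DES
ISAKMP: encaps is 2
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): Creating IPSec SAs
return status is IKMP_NO_ERRORIPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
IPSEC(ahespd_receive): Discarding transport mode packet from gandalf with protocol 0.
map_free_entry: freeing entry 3
VPN Peer: IPSEC: Deleted peer: Peer ip:gandalf/500 Total VPN Peers:0
"""

# IPsec DOI encapsulation-mode attribute values (RFC 2407).
ENCAPS = {"1": "tunnel", "2": "transport"}

PATTERNS = {
    "p1_encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "p1_hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "p1_group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "p2_transform": re.compile(r"ISAKMP:\s+transform \d+, (\S+)"),
    "p2_auth": re.compile(r"ISAKMP:\s+authenticator is (\S+)"),
    "p2_encaps": re.compile(r"ISAKMP:\s+encaps is (\d+)"),
}
DISCARD = re.compile(
    r"IPSEC\(ahespd_receive\): Discarding (\w+) mode packet from (\S+) with protocol (\d+)")

def summarize(log: str) -> dict:
    """Return negotiated parameters and SA lifecycle markers found in the log."""
    out = {"phase1_authenticated": "SA has been authenticated" in log,
           "ipsec_sas_created": "Creating IPSec SAs" in log,
           "peer_deleted": "Deleted peer" in log}
    for key, pat in PATTERNS.items():
        m = pat.search(log)
        out[key] = m.group(1) if m else None
    # Decode the numeric mode; unknown values are passed through unchanged.
    out["p2_encaps"] = ENCAPS.get(out["p2_encaps"], out["p2_encaps"])
    # finditer rather than line matching: the PIX runs messages together on one line.
    out["discards"] = [m.groups() for m in DISCARD.finditer(log)]
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
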