05-22-2002 06:15 AM - edited 02-21-2020 11:45 AM
I have successfully configured the PIX firewall for the Cisco VPN client. However, I could not get the Netlock VPN client for Mac to connect to it. I would appreciate it if anyone could help me out. Following is the log from the PIX firewall; it seems phase 1 is successful:
crypto_isakmp_process_block: src 65.230.89.61, dest 67.32.141.226
VPN Peer: ISAKMP: Added new peer: ip:65.230.89.61 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:65.230.89.61 Ref cnt incremented to:1 Total VPN Peers:
1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP: Created a peer node for 65.230.89.61
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 65.230.89.61, dst 67.32.141.226
ISAKMP (0): deleting IPSEC SAs with peer at 65.230.89.61IPSEC(key_engine): got a
queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 65.230.89.61
ISADB: reaper checking SA 0x809dea68, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:65.230.89.61 Ref cnt decremented to:0 Total VPN Peers:
1
VPN Peer: ISAKMP: Deleted peer: ip:65.230.89.61 Total VPN peers:0
ISAKMP: Deleting peer node for 65.230.89.61
05-22-2002 10:53 AM
Well, I upgraded the PIX to 6.2.1... It seems to let me get further. However, the connection is killed in Phase 2, with "return Status is IKMP_NO_ERR_NO_TRANS". Following is the full log:
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN Peers:
1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP: Created a peer node for 63.11.28.147
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even
t...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3752133894
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80 IPSEC(validate_propos
al): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part
#1,
(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 3752133894
ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 3752133894
ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0IPSEC(key_engine
): got a queue event...
IPSEC(spi_response): getting spi 0xbc74b5c1(3161765313) for SA
from 63.11.28.147 to 67.32.141.226 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 63.11.28.147 to 67.32.141.226 (proxy 63.11.28.14
7 to 0.0.0.0)
has spi 3161765313 and conn_id 1 and flags 4
lifetime of 31536000 seconds
outbound SA from 67.32.141.226 to 63.11.28.147 (proxy 0.0.0
.0 to 63.11.28.147)
has spi 1668866929 and conn_id 2 and flags 4
lifetime of 31536000 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 63.11.28.147/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 31536000s and 0kb,
spi= 0xbc74b5c1(3161765313), conn_id= 1, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
(key eng. msg.)
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
ISAKMP (0): processing DELETE payload. message ID = 296222340IPSEC(key_engine):
got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:2 Total VPN Peers:
1
VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:1 Total VPN Peers:
1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
ISAKMP (0): processing DELETE payload. message ID = 2257656427
ISAKMP (0): deleting SA: src 63.11.28.147, dst 67.32.141.226
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x80a4ba88, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt decremented to:0 Total VPN Peers:
1
VPN Peer: ISAKMP: Deleted peer: ip:63.11.28.147 Total VPN peers:0IPSEC(key_engin
e): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
VPN Peer: ISAKMP: Added new peer: ip:63.11.28.147 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt incremented to:1 Total VPN Peers:
1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
next-payload : 10
type : 2
protocol : 17
port : 500
length : 16
ISAKMP (0): Total payload length: 20
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even
t...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1608224600
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-SHA
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80 IPSEC(validate_propos
al): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: authenticator is HMAC-MD5
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable.IPSEC(validate_proposal_request): proposal part
#1,
(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 63.11.28.147/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1608224600
ISAKMP (0): processing ID payload. message ID = 1608224600
ISAKMP (0): ID_IPV4_ADDR src 63.11.28.147 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1608224600
ISAKMP (0): ID_IPV4_ADDR_RANGE dst 0.0.0.0/0.0.0.0 prot 0 port 0IPSEC(key_engine
): got a queue event...
IPSEC(spi_response): getting spi 0xd817b45a(3625432154) for SA
from 63.11.28.147 to 67.32.141.226 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
inbound SA from 63.11.28.147 to 67.32.141.226 (proxy 63.11.28.14
7 to 0.0.0.0)
has spi 3625432154 and conn_id 2 and flags 4
lifetime of 31536000 seconds
outbound SA from 67.32.141.226 to 63.11.28.147 (proxy 0.0.0
.0 to 63.11.28.147)
has spi 2101326708 and conn_id 1 and flags 4
lifetime of 31536000 secondsIPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 67.32.141.226, src= 63.11.28.147,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 63.11.28.147/0.0.0.0/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 31536000s and 0kb,
spi= 0xd817b45a(3625432154), conn_id= 2, keysize= 0, flags= 0x4
IPSEC(initialize_sas):
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
ISAKMP (0): processing DELETE payload. message ID = 2972009236IPSEC(key_engine):
got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:2 Total VPN Peers:
1
VPN Peer: IPSEC: Peer ip:63.11.28.147 Decrementing Ref cnt to:1 Total VPN Peers:
1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
ISAKMP (0): processing DELETE payload. message ID = 3336293860
ISAKMP (0): deleting SA: src 63.11.28.147, dst 67.32.141.226
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x80a4ba88, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:63.11.28.147 Ref cnt decremented to:0 Total VPN Peers:
1
VPN Peer: ISAKMP: Deleted peer: ip:63.11.28.147 Total VPN peers:0IPSEC(key_engin
e): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 63.11.28.147
ISAKMP: Deleting peer node for 63.11.28.147
05-22-2002 02:35 PM
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue even
t...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
That means that the PIX firewall is getting a delete message from the other IPSec peer. Check the logs on the other device and see what it complains about.
Jazib
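
An added example, not part of the original posts: a small Python parser for debug output of this shape that lists each phase 1 transform offer with the PIX's verdict, decodes the lifetime octets into seconds, and records which source address each DELETE payload arrived from. The sample lines are constructed from the log format in this thread; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: lines trimmed from the kind of PIX debug output shown in this thread.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x1 0xe1 0x33 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
crypto_isakmp_process_block: src 63.11.28.147, dest 67.32.141.226
ISAKMP (0): processing DELETE payload. message ID = 296222340IPSEC(key_engine):
"""

START = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|(?:extended )?auth)\s+(\S+)")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-f]+\s*)+)", re.I)
VERDICT = re.compile(r"atts (?:are )?(not )?acceptable")
SRC = re.compile(r"crypto_isakmp_process_block: src (\S+?),")
DELETE = re.compile(r"processing DELETE payload\. message ID = (\d+)")

def parse(text):
    transforms, deletes, cur, src = [], [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := START.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2])}
        elif cur is not None and (m := ATTR.match(line)):
            cur[m[1]] = m[2]
        elif cur is not None and (m := LIFE.search(line)):
            # The octets form one big-endian integer: 0x01e13380 = 31536000 s
            cur["lifetime_s"] = int.from_bytes(bytes(int(b, 16) for b in m[1].split()), "big")
        elif cur is not None and (m := VERDICT.search(line)):
            cur["accepted"] = m[1] is None  # "not " absent means the offer matched policy
            transforms.append(cur)
            cur = None
        elif m := SRC.search(line):
            src = m[1]  # sender of the packet currently being processed
        elif m := DELETE.search(line):
            deletes.append({"from": src, "message_id": int(m[1])})
    return transforms, deletes

if __name__ == "__main__":
    for item in sum(parse(SAMPLE), []):
        print(item)
```

Running it over a saved debug capture shows at a glance which offered hash and authentication combination the configured policy accepted, and confirms from the preceding `src` line which side sent each DELETE.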