11-10-2005 03:28 AM - edited 02-21-2020 02:05 PM
Dear sir:
I am using a PIX (525) with IOS 6.1. I configured a VPN tunnel between it and another firewall and it works well, and I also configured it as a client VPN server and that also works. But when I configure Xauthentication (crypto map client authentication) as to use multi user account for vpn clients, the vpn client is work good but the vpn client doesnt work. I made a debug and I have the following:
ixfirewall(config)#
VPN Peer: ISAKMP: Added new peer: ip:213.244.119.253 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:X.X.X.253 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src X.X.X.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src X.X.X.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 213.244.119.253, dest X.X.X.2
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 213.244.119.253. ID = 2737760968 (0xa32eeac8)modecfg: sa: 83346ad0, new mess id= a32eeac8
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
11-10-2005 04:25 AM
There is a typo in your original post: "to use multi user account for vpn clients, the vpn client is work good but the vpn client doesnt work".
Just wondering which one doesn't work, the LAN-LAN VPN or the remote VPN.
11-10-2005 05:40 AM
The peer-to-peer tunnel is not working.
Regards
11-10-2005 06:06 AM
After configuring remote VPN access with xauth, the PIX runs into an issue as it tries to authenticate all VPNs (i.e. both the LAN-LAN VPN and remote VPN access) with xauth.
To resolve the issue, you can specify that the LAN-LAN VPN doesn't require xauth. To configure this, add the keywords "no-xauth" and "no-config-mode" to the existing isakmp key.
E.g.
isakmp key cisco123 address
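A triage helper for the symptom discussed in this thread, added here as an example and not part of any post or of Cisco's tooling: it scans PIX ISAKMP debug text for a negotiation in which a peer that should be LAN-to-LAN was sent an XAUTH request and phase 2 was then only retransmitted. The function name, the peer list argument and the sample lines (using documentation addresses) are assumptions made for the example.

```python
import re

# Constructed sample modelled on the debug excerpt in the question;
# 192.0.2.x are documentation addresses, not values from the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src 192.0.2.253, dest 192.0.2.2
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 192.0.2.253. ID = 2737760968 (0xa32eeac8)
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...
"""

PEER_CFG_RE = re.compile(r"initiating peer config to (\d{1,3}(?:\.\d{1,3}){3})")


def find_xauth_stalls(debug_text, lan_to_lan_peers, min_retransmits=2):
    """Return (peer, retransmits) for each negotiation where a LAN-to-LAN
    peer was asked for XAUTH and phase 2 was then only retransmitted."""
    findings = []
    cur = {"xauth": False, "peer": None, "retransmits": 0}

    def close(neg):
        if (neg["xauth"] and neg["peer"] in lan_to_lan_peers
                and neg["retransmits"] >= min_retransmits):
            findings.append((neg["peer"], neg["retransmits"]))

    for line in debug_text.splitlines():
        if "beginning Main Mode exchange" in line:
            close(cur)  # a new negotiation starts: judge the previous one
            cur = {"xauth": False, "peer": None, "retransmits": 0}
        elif "Need XAUTH" in line:
            cur["xauth"] = True
        elif "retransmitting phase 2" in line and cur["xauth"]:
            cur["retransmits"] += 1  # only count retransmits after the XAUTH request
        else:
            match = PEER_CFG_RE.search(line)
            if match:
                cur["peer"] = match.group(1)
    close(cur)
    return findings


if __name__ == "__main__":
    for peer, count in find_xauth_stalls(SAMPLE_DEBUG, {"192.0.2.253"}):
        print(f"{peer}: XAUTH requested from LAN-to-LAN peer, {count} phase 2 retransmits")
```

A peer that is not in the LAN-to-LAN list, such as a remote-access client that is expected to answer the XAUTH prompt, is never reported.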
11-12-2005 10:22 PM
It works.
Thank you very much.
11-12-2005 10:26 PM
It's good to learn that your issue has been resolved. Please feel free to discuss any other issue.
according to cisco:
Why should I rate posts?
If you see a post that you think deserves recognition, please take a moment to rate it.
You'll be helping yourself and others to quickly identify useful content -- as determined by members. And you'll be ensuring that people who generously share their expertise are properly acknowledged. As posts are rated, the value of those ratings are accumulated as "points" and summarized on the Member Profile page and on each member's Preferences page