04-04-2003 04:49 AM - edited 02-21-2020 12:27 PM
Hi,
I'm trying to setup a VPN with the above and I'm getting IKE SA negotiation
timeouts (see below). Looking at the PIX debug output, the PIX seems to
be trying a whole load of transforms that I didn't ask for - which is why
the client times out (??).
Please can anyone point out the deliberate error?
Many Thanks,
BTW, I built the VPN config using the VPN Wizard in PDM.
PIX Configuration
-----------------
PIX Version 6.3(1)
access-list nonatinside permit ip xx.xxx.xxx.x xxx.xxx.xxx.x xx.xxx.xxx.x xxx.xxx.xxx.x
access-list nonatinside permit ip any xx.xxx.xxx.xx xxx.xxx.xxx.xxx
access-list outside_cryptomap_dyn_20 permit tcp any XX.XXX.XXX.XX xxx.xxx.xxx.xxx
ip local pool vpn_pool1 xx.xxx.xxx.xxx-xx.xxx.xxx.xxx
nat (inside) 0 access-list nonatinside
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host zz.zzz.zzz.zz vertigo timeout 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set vpn_group1_transform esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set vpn_group1_transform
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn_group1 address-pool vpn_pool1
vpngroup vpn_group1 dns-server aa.bbb.ccc.dd aa.bbb.ccc.dd
vpngroup vpn_group1 wins-server aa.bbb.ccc.dd
vpngroup vpn_group1 default-domain XX.XXXXXX.XXX
vpngroup vpn_group1 idle-time 1800
ca identity XXXXXXX aa.bbb.ccc.dd:/certsrv/mscep/mscep.dll
VPN ClientV3.6.4
----------------
1 13:37:16.221 04/04/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
2 13:37:16.271 04/04/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
3 13:37:21.168 04/04/03 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 195.224.169.98. Inbound connections are not allowed.
Pix debug output
---------------
crypto_isakmp_process_block:src:xxx.xxx.xxx.x, dest:yyy.yyy.yyy.yy spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xxx.xx.xxx.x, dest:yyy.yyy.yyy.yy spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src xxx.xx.xxx.x, dst yyy.yyy.yyy.yy
ISADB: reaper checking SA 0x11541dc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for xxx.xx.xxx.x/500 not found - peers:0
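One way to read the debug output above, as an added example that is not part of the original thread or of any Cisco tool: this Python script parses the "Checking ISAKMP transform N" blocks from `debug crypto isakmp` output, decodes the life-duration bytes, and lists which attributes of each client proposal differ from the posted `isakmp policy 20` (3des / sha / group 2 / rsa-sig). The embedded sample is an excerpt of the posted PIX output (transforms 1 and 7). It assumes the standard IKEv1 phase 1 rule that encryption, hash, DH group and authentication method must match exactly (lifetime handling is not modelled), and the `policy_lines_for` helper, which renders a proposal as PIX policy commands, assumes the PIX 6.3 `isakmp policy` syntax for AES.

```python
"""Explain 'atts are not acceptable' in PIX 6.x 'debug crypto isakmp' output.

Added example, not code from the original post. PIX_POLICY mirrors the
'isakmp policy 20' lines of the posted config; SAMPLE_DEBUG is an excerpt
(transforms 1 and 7) of the posted debug output.
"""
import re

# 'isakmp policy 20' as posted (lifetime 86400 is deliberately not compared).
PIX_POLICY = {"encryption": "3DES", "hash": "SHA", "group": "2", "auth": "RSA sig"}

# Excerpt of the posted PIX debug (two of the nine client proposals).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

_HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
_ATTR = re.compile(r"^ISAKMP:\s+(.*)$")  # attribute lines, not 'ISAKMP (0):' lines


def parse_proposals(debug_text):
    """Return one dict per 'Checking ISAKMP transform' block in the debug text."""
    proposals, cur = [], None
    for line in debug_text.splitlines():
        m = _HEADER.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            proposals.append(cur)
            continue
        if cur is None:
            continue
        m = _ATTR.match(line)
        if not m:
            if "atts are not acceptable" in line:
                cur["accepted"] = False
            elif "atts are acceptable" in line:
                cur["accepted"] = True
            continue
        attr = m.group(1)
        if attr.startswith("encryption "):
            cur["encryption"] = attr.split(" ", 1)[1].replace("-CBC", "")
        elif attr.startswith("hash "):
            cur["hash"] = attr.split(" ", 1)[1]
        elif attr.startswith("default group "):
            cur["group"] = attr.split()[-1]
        elif "auth" in attr:
            # 'extended auth RSA sig (init)' is the XAUTH variant of 'auth RSA sig'.
            cur["xauth"] = attr.startswith("extended auth")
            base = attr.replace("extended auth ", "").replace("auth ", "")
            cur["auth"] = re.sub(r"\s*\(init\)$", "", base)
        elif attr.startswith("life duration"):
            # The four hex bytes are a big-endian seconds value.
            hexbytes = re.findall(r"0x[0-9a-fA-F]+", attr)
            cur["lifetime"] = int.from_bytes(bytes(int(h, 16) for h in hexbytes), "big")
        elif attr.startswith("keylength of "):
            cur["keylength"] = int(attr.split()[-1])
    return proposals


def compare_proposal(proposal, policy=PIX_POLICY):
    """Attributes on which the proposal differs from the configured policy."""
    return [k for k in ("encryption", "hash", "group", "auth") if proposal.get(k) != policy[k]]


def explain(debug_text, policy=PIX_POLICY):
    """Per proposal: transform number, mismatched attributes, XAUTH flag, lifetime."""
    return [{"transform": p["transform"], "mismatches": compare_proposal(p, policy),
             "xauth": p.get("xauth", False), "lifetime": p.get("lifetime")}
            for p in parse_proposals(debug_text)]


def policy_lines_for(proposal, priority):
    """Render a proposal as PIX 'isakmp policy' lines (assumed 6.3 AES syntax)."""
    enc = proposal["encryption"].lower()
    if enc == "aes":
        enc = {128: "aes", 192: "aes-192", 256: "aes-256"}[proposal.get("keylength", 128)]
    auth = "rsa-sig" if proposal["auth"] == "RSA sig" else "pre-share"
    return [f"isakmp policy {priority} authentication {auth}",
            f"isakmp policy {priority} encryption {enc}",
            f"isakmp policy {priority} hash {proposal['hash'].lower()}",
            f"isakmp policy {priority} group {proposal['group']}"]


if __name__ == "__main__":
    for entry in explain(SAMPLE_DEBUG):
        print(f"transform {entry['transform']}: mismatched on {entry['mismatches']}"
              f" (xauth={entry['xauth']}, proposed lifetime {entry['lifetime']} s)")
    print("\n".join(policy_lines_for(parse_proposals(SAMPLE_DEBUG)[1], 30)))
```

Run against the full posted debug, the report shows every client proposal offering AES-CBC where the policy only accepts 3DES (transforms with group 5 also fail on the group), which is why each block ends in "atts are not acceptable" regardless of how many transforms the client sends.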
04-04-2003 04:51 PM
Hi,
you are running into CSCdz10533, disabling NAT-T on pix should fix the issue.
Thx
Afaq
04-06-2003 10:50 AM
Hi Afaq,
Thanks for the quick response
- I can't seem to find this bug # anywhere in TACs.
Being a newbie I'm going to have to ask for clarification,
by disabling NAT-T on the pix do you mean
sysopt ipsec pl-compatible
+/or
an acl to by-pass outbound NAT for the vpn_pool
Should I be increasing the isakmp timeout value using the
isakmp nat-traversal command ?
Many Thanks,
04-07-2003 04:14 AM
Hi,
do you have the following config?
LAN --> PIX --> Router --> Internet --> VPN Client
You must have a static PAT entry for the PIX on the internet gateway router. If you have a personal firewall on the vpn client system, then you must allow incoming traffic to UDP Port 500. I think that the pix response to the client is the problem that you have.
MfG
Maik
04-07-2003 05:04 AM
Hi Mfg,
I have the following test environment
LAN --> PIX <--> Router (ISP#1) <--> Internet <--> Firewall (ISP#2) <--> VPN Client
VPN Client attempts to connect to the static public IP of the outside i/f
of the PIX.
Router (belongs to ISP#1) does straight IP routing no firewalling.
Firewall (Lucent IRX-211) is doing NAT but allows esp, ah traffic
to public IP of PIX.
(Note: I have VPN Clients connecting to a third party's VPN3000 via this
firewall using the transparent VPN option - so I don't believe the
problem is here)
My concern is :-
a) all the transforms that are being evaluated by the PIX / VPNClient
- when I have only configured one.
b) they never seem to agree +/or timeout.
or do they? The debug output does not correspond to the examples
for a successful negotiation ...
Regards