PIX515 V6.3 to W2K/VPNClient V3.6.4 VPN problem

jeff_green (Level 1)

Hi,

I'm trying to set up a VPN with the above and I'm getting IKE SA negotiation timeouts (see below). Looking at the PIX debug output, the PIX seems to be trying a whole load of transforms that I didn't ask for - which is why the client times out (??).

Please can anyone point out the deliberate error?

Many Thanks,

BTW, I built the VPN config using the VPN Wizard in PDM.

PIX Configuration
-----------------
PIX Version 6.3(1)
access-list nonatinside permit ip xx.xxx.xxx.x xxx.xxx.xxx.x xx.xxx.xxx.x xxx.xxx.xxx.x
access-list nonatinside permit ip any xx.xxx.xxx.xx xxx.xxx.xxx.xxx
access-list outside_cryptomap_dyn_20 permit tcp any XX.XXX.XXX.XX xxx.xxx.xxx.xxx
ip local pool vpn_pool1 xx.xxx.xxx.xxx-xx.xxx.xxx.xxx
nat (inside) 0 access-list nonatinside
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host zz.zzz.zzz.zz vertigo timeout 10
aaa-server LOCAL protocol local
sysopt connection permit-ipsec
crypto ipsec transform-set vpn_group1_transform esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set vpn_group1_transform
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpn_group1 address-pool vpn_pool1
vpngroup vpn_group1 dns-server aa.bbb.ccc.dd aa.bbb.ccc.dd
vpngroup vpn_group1 wins-server aa.bbb.ccc.dd
vpngroup vpn_group1 default-domain XX.XXXXXX.XXX
vpngroup vpn_group1 idle-time 1800
ca identity XXXXXXX aa.bbb.ccc.dd:/certsrv/mscep/mscep.dll

VPN Client V3.6.4
----------------
1 13:37:16.221 04/04/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
2 13:37:16.271 04/04/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
3 13:37:21.168 04/04/03 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 195.224.169.98. Inbound connections are not allowed.

PIX debug output
----------------
crypto_isakmp_process_block:src:xxx.xxx.xxx.x, dest:yyy.yyy.yyy.yy spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xxx.xx.xxx.x, dest:yyy.yyy.yyy.yy spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src xxx.xx.xxx.x, dst yyy.yyy.yyy.yy
ISADB: reaper checking SA 0x11541dc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for xxx.xx.xxx.x/500 not found - peers:0

afakhan (Level 4)

Hi,

You are running into CSCdz10533; disabling NAT-T on the PIX should fix the issue.

Thx

Afaq

Hi Afaq,

Thanks for the quick response - I can't seem to find this bug # anywhere in TACs.

Being a newbie I'm going to have to ask for clarification: by disabling NAT-T on the pix do you mean

sysopt ipsec pl-compatible

+/or

an acl to by-pass outbound NAT for the vpn_pool

Should I be increasing the isakmp timeout value using the isakmp nat-traversal command?

Many Thanks,

Hi,

do you have the following config?

LAN --> PIX --> Router --> Internet --> VPN Client

You must have a static PAT entry for the PIX on the internet gateway router. If you have a personal firewall on the VPN client system, then you must allow incoming traffic to UDP port 500. I think that the PIX response to the client is the problem that you have.

MfG

Maik

Hi Mfg,

I have the following test environment

LAN --> PIX <--> Router <--> Internet <--> Firewall <--> VPN Client
                (ISP#1)                   (ISP#2)

VPN Client attempts to connect to the static public IP of the outside i/f of the PIX.

Router (belongs to ISP#1) does straight IP routing, no firewalling.

Firewall (Lucent IRX-211) is doing NAT but allows esp, ah traffic to the public IP of the PIX.

(Note: I have VPN Clients connecting to a third party's VPN3000 via this firewall using the transparent VPN option - so I don't believe the problem is here)

My concern is :-

a) all the transforms that are being evaluated by the PIX / VPNClient - when I have only configured one.

b) they never seem to agree +/or timeout.

Or do they? The debug output does not correspond to the examples for a successful negotiation ...

Regards
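As an added example (not from the thread, and not Cisco code), here is a small Python checker for the two questions raised in the original post and in the last reply: it parses the "Checking ISAKMP transform N" blocks from the PIX debug output and reports, per offered transform, which attributes differ from the configured isakmp policy 20. The sample log is constructed in the format shown above; transform 1 is copied from the post, while the 3DES transform 9 is invented to show what an acceptable offer looks like. Treating the XAUTH ("extended auth") RSA variants as the same base method as plain RSA sig is an assumption made for the comparison.

```python
import re
# Constructed excerpt in the format of the PIX "debug crypto isakmp" output quoted above:
# transform 1 is copied from the post, the 3DES transform 9 is invented to show a match.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
ISAKMP (0): Checking ISAKMP transform 9 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
"""
# isakmp policy 20 as posted in the PIX configuration.
PIX_POLICY = {"encryption": "3des", "hash": "sha", "group": "2", "auth": "rsa-sig"}

def parse_transforms(debug_text):
    """Collect the 'ISAKMP:' attribute lines under each 'Checking ISAKMP transform N' header."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        m = re.match(r"ISAKMP \(0\): Checking ISAKMP transform (\d+)", line)
        if m:
            cur = {"id": int(m.group(1))}
            transforms.append(cur)
        elif cur is not None and line.startswith("ISAKMP: "):
            attr = line[len("ISAKMP: "):]
            if attr.startswith("encryption "):
                cur["encryption"] = attr.split()[1].lower().replace("-cbc", "")
            elif attr.startswith("hash "):
                cur["hash"] = attr.split()[1].lower()
            elif attr.startswith("default group "):
                cur["group"] = attr.split()[-1]
            elif attr.startswith("keylength of "):
                cur["keylength"] = attr.split()[-1]
            elif "auth RSA sig" in attr:
                cur["auth"] = "rsa-sig"  # assumption: XAUTH ("extended auth") variants share the base method
    return transforms

def mismatches(transforms, policy):
    out = {}
    for t in transforms:
        enc = t.get("encryption", "")
        if enc == "aes":  # PIX names AES policies by key size, e.g. aes-256
            enc += "-" + t.get("keylength", "128")
        offered = {"encryption": enc, "hash": t.get("hash"), "group": t.get("group"), "auth": t.get("auth")}
        out[t["id"]] = [k for k, v in policy.items() if offered[k] != v]  # [] means acceptable
    return out
```

Run over the full debug in the post, every one of the nine listed transforms fails at least on encryption, since the client offers AES-CBC while policy 20 only allows 3des.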