VPN Client - PIX connection unsuccessful

gses
Level 1

Hi,

I am facing a problem while initiating a remote access VPN connection from a VPN client ver 4.0.5 to a PIX firewall running PIX OS 6.3. The client throws an error saying no response from PIX. I did run a 'debug ipsec isakmp' on the PIX and I am getting this error.

I have connected the client directly to the outside interface of the PIX. Client's IP is 202.54.138.245 and the PIX's outside interface IP is 202.54.138.194.

crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0

I have attached the relevant config of the PIX.

Kindly let me know what could be the problem.

Rgds

NSG.

6 Replies

gses
Level 1

The PIX config is attached herewith.

Rgds

NSG

hello

Is there any access-list configured on the outside interface of the PIX? If so, please allow IPSEC traffic to talk to the outside interface.

Try these configurations for the crypto map:

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication LOCAL

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

username abc password xyz

Also try putting group2 instead of the default group 1.

Do let us know.

The first thing I would do on a problem like this is to check if you have L3 connectivity between both peers, a simple ping from PIX_A to PIX_B should confirm if both peers can reach each other. Make sure you don't have icmp denied on both peers.

Your config looks ok at first glance.

Let me know the result of the above.

Jay

Hi Jay,

It's a VPN client to PIX connection. The client is sitting on the same switch connecting the outside interface, i.e., it's on the same segment. Client IP is 202.54.138.245 and PIX outside IP is 202.54.138.194 and they can ping each other.

G.

Sorry, am having one of those days and did not read your original question fully.

Can you try dialing up via PSTN from a laptop with the vpn client and see if you get the same error and let me know.

Jay

Hello,

Can you help me please.

I have the same problem with VPN client 4.0.x to PIX 6.3(4). The PIX didn't accept any proposal from the client despite 3DES and AES being enabled on the PIX. This is the log:

----------------------------------------------------

pixnouvelair#

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1

ISAKMP: larval sa found

-----------------------------------------------------

I use RSA sig with certificate on a standalone ca server.

Thanks
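
Added example, not code from any poster or from Cisco: a small parser for the "Checking ISAKMP transform" blocks in the debug output above. It lists what the client offered in each transform and which attributes differ from a policy you type in. The function names, the policy dict and the sample log are constructed for illustration, and the "atts are acceptable" success message is assumed, since the thread only shows rejections.

```python
import re
# Constructed sample in the format of the PIX debug output quoted in the thread.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: keylength of 128
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
FIELDS = {  # attribute name -> pattern; XAUTH wording is folded into plain "auth"
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "group": re.compile(r"ISAKMP:\s+default group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+(?:extended )?auth (.+?)(?: \(init\))?$"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
}

def parse_offers(text):
    """One dict per transform block; verdict is 'unknown' if the log is cut off."""
    offers = []
    for line in map(str.strip, text.splitlines()):
        if (m := HEADER.search(line)):
            offers.append({"transform": int(m[1]), "priority": int(m[2]), "verdict": "unknown"})
        elif offers and "atts are" in line:
            offers[-1]["verdict"] = "rejected" if "not acceptable" in line else "accepted"
        for name, rx in FIELDS.items():
            if offers and (hit := rx.search(line)):
                offers[-1][name] = hit[1]  # values are kept as strings, as printed
    return offers

def mismatches(offer, policy):
    """Names of policy attributes the offer does not match (missing counts as a mismatch)."""
    return sorted(k for k, v in policy.items() if offer.get(k) != v)

def closest_offer(offers, policy):  # the offer with the fewest differing attributes
    return min(offers, key=lambda o: len(mismatches(o, policy)))
```

Write the policy dict in the debug output's own vocabulary, with values as strings (for example `"group": "2"`), so it compares directly against what the PIX printed.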