10-27-2004 01:48 AM
Hi,
I am facing a problem while initiating a remote access VPN connection from a VPN client ver 4.0.5 to a PIX firewall running PIX OS 6.3. The client throws an error saying no response from PIX. I did run a 'debug ipsec isakmp' on the PIX and I am getting this error.
I have connected the client directly to the outside interface of the PIX. Client's IP is 202.54.138.245 and the PIX's outside interface IP is 202.54.138.194.
crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:202.54.138.245, dest:202.54.138.194 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 202.54.138.245/500 not found - peers:0
I have attached the relevant config of the PIX.
Kindly let me know what could be the problem.
Rgds
NSG.
10-27-2004 01:57 AM
10-27-2004 03:11 AM
Hello,
Is there any access-list configured on the outside interface of the PIX? If so, please allow IPSEC traffic to talk to the outside interface.
Try these configurations for the crypto map:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
username abc password xyz
Also try putting group2 instead of the default group 1.
Do let us know.
10-27-2004 03:46 AM
The first thing I would do on a problem like this is to check if you have L3 connectivity between both peers, a simple ping from PIX_A to PIX_B should confirm if both peers can reach each other. Make sure you don't have icmp denied on both peers.
Your config looks ok at first glance.
Let me know the result of the above.
Jay
10-27-2004 03:54 AM
Hi Jay,
It's a VPN client to PIX connection. The client is sitting on the same switch connecting the outside interface, i.e., it's on the same segment. Client IP is 202.54.138.245 and PIX outside IP is 202.54.138.194 and they can ping each other.
G.
10-27-2004 04:25 AM
Sorry, am having one of those days and did not read your original question fully.
Can you try dialing up via PSTN from a laptop with the vpn client and see if you get the same error and let me know.
Jay
12-02-2004 01:19 AM
Hello,
Can you help me please?
I have the same problem with VPN client 4.0.x to PIX 6.3(4). The PIX didn't accept any proposal from the client despite 3DES and AES being enabled on the PIX. This is the log:
----------------------------------------------------
pixnouvelair#
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.183, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.183/500 not found - peers:1
ISAKMP: larval sa found
-----------------------------------------------------
I use RSA sig with a certificate on a standalone CA server.
Thanks