VPN Client with PIX with auth from Microsoft CA

yatinder10
Level 1

Hi

I am trying to set up VPN using Microsoft CA with eToken. The process http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml has been followed.

Now when I try to connect to the firewall via VPN client 4.x, I get the following error:

1 14:16:41.140 09/20/04 Sev=Ifo/4 CERT/0x63600014

Cert (cn=xxx,ou=IT,o=xxxx LLC,l=Los Angeles,st=California,c=US,e=xxxxxxx) verification succeeded.

7 14:16:44.734 09/20/04 Sev=Info/4 CERT/0x63600014

Cert (cn=xxxer,ou=IT,o=xxxxx LLC,l=Los Angeles,st=California,c=US,e=xxxxxxx) verification succeeded.

Received ISAKMP packet: peer = 63.209.80.2

13 14:16:47.343 09/20/04 Sev=Info/4 IKE/0xE30000A4

Invalid payload: Stated payload length, 1032, is not sufficient for Notification:(PayloadList:148)

Received malformed message or negotiation no longer active (message id: 0x00000000)

18 14:16:52.703 09/20/04 Sev=Warning/2 IKE/0xA3000062

Attempted incoming connection from 63.209.80.2. Inbound connections are not allowed.

29 14:17:05.328 09/20/04 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

IPSec driver successfully stopped

On the firewall I could trap this on debug crypto isakmp

ISAKMP (0): sending NOTIFY message 36136 protocol 1

crypto_isakmp_process_block:src:210.18.98.247, dest:63.209.80.2 spt:500 dpt:500 OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

crypto_isakmp_process_block:src:210.18.98.247, dest:x.x.x.x spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 210.18.98.247/500 not found - peers:7

Firewall Conf

sysopt connection permit-ipsec

crypto ipsec transform-set vpn esp-3des esp-md5-hmac

crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10 set transform-set vpn

crypto dynamic-map dynmap 20 set transform-set vpn1

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 14 authentication rsa-sig

isakmp policy 14 encryption 3des

isakmp policy 14 hash md5

isakmp policy 14 group 2

isakmp policy 14 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 1

isakmp policy 20 lifetime 1000

isakmp policy 40 authentication rsa-sig

isakmp policy 40 encryption 3des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup IT address-pool vpnusers

vpngroup IT default-domain www.xxxx.com

vpngroup IT split-tunnel 100

vpngroup IT idle-time 1800

ca identity mat 192.168.100.X:/certsrv/mscep/mscep.dll

ca configure mat ra 1 20 crloptional

Can you solve this?

4 Replies

owillins
Level 6

This could be due to a misconfiguration or could be due to the VPN client first initiating a Phase 2 negotiation with its IP address then later negotiating Phase 2 with the assigned private IP address. There are some bugs documented for this behavior too.

amjad
Level 1

I was just wondering after looking at the debug: the ISAKMP policy specified 3DES for encryption, but your client is only negotiating AES-CBC. I have a similar problem in our setup. Maybe try a policy that specifies AES-256 as encryption?

I don't know why the client is trying AES and not 3DES. Any thoughts about this?

I too noticed the same, already tried with aes, aes 192 & aes 256 but results are the same.

I had the same problem. You don't use the good encryption type and the effect is that you can't associate the tunnel (invalid SPI); use 3DES and it will be OK.

fx
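The debug in the original post shows the PIX rejecting every client transform with "atts are not acceptable", and amjad's reply pins it on the client proposing AES-CBC while every isakmp policy specifies 3des. As an added example (not code from this thread or from Cisco), the Python script below parses the client transforms out of the debug output and the isakmp policy lines out of the PIX config, normalises both spellings, and lists the attributes that differ for each (transform, policy) pair, so the mismatch (here AES-256 and DH group 5 against 3DES and group 2) is visible per policy instead of hidden behind one "not acceptable" line. The sample text is constructed from the thread; treating XAUTH "extended auth" as the base method and a bare "aes" as 128-bit are assumptions noted in the code.

```python
import re
# Constructed excerpts of the thread's "debug crypto isakmp" output and PIX config.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
"""
CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 40 authentication rsa-sig
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
"""
ATTRS = ("authentication", "encryption", "hash", "group")
def norm(key, value):
    """One vocabulary for CLI and debug spellings, e.g. 'AES-CBC' -> 'aes-128', 'RSA sig' -> 'rsa-sig'."""
    v = value.lower().replace("-cbc", "").replace(" ", "-")
    if key == "encryption" and v.startswith("aes"):  # assumption: a bare 'aes' means 128 bit on the PIX CLI
        v = "aes-" + (re.findall(r"\d+", v) or ["128"])[0]
    return v
def parse_client_transforms(debug):
    """Group attribute lines under each 'Checking ISAKMP transform N' header; XAUTH 'extended auth ... (init)' is folded into the base method (a simplification)."""
    transforms, cur = {}, None
    for line in debug.splitlines():
        if m := re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line):
            cur = transforms.setdefault(int(m.group(1)), {})
        elif cur is not None and line.startswith("ISAKMP: "):
            key, _, val = line[8:].replace("default ", "").replace("extended ", "").replace(" (init)", "").partition(" ")
            if key == "keylength" and cur.get("encryption", "").startswith("aes"):
                cur["encryption"] = "aes-" + val.split()[-1]  # the keylength line qualifies the AES proposal
            elif key in ("encryption", "hash", "group", "auth"):
                cur["authentication" if key == "auth" else key] = norm(key, val)
    return transforms
def parse_policies(config):
    """Read 'isakmp policy N <attr> <value>' into one dict per policy number (lifetime is ignored)."""
    policies = {}
    for num, key, val in re.findall(r"isakmp policy (\d+) (authentication|encryption|hash|group) (.+)", config):
        policies.setdefault(int(num), {})[key] = norm(key, val.strip())
    return policies
def mismatches(debug, config):  # per (transform, policy) pair, the attributes that differ; [] means a match
    return {(t, p): [k for k in ATTRS if tr.get(k) != pol.get(k)]
            for t, tr in parse_client_transforms(debug).items()
            for p, pol in parse_policies(config).items()}
```

Running `mismatches(DEBUG, CONFIG)` on the thread's own lines reports policy 40 differing only in encryption and group, which is the pair of attributes to reconcile before anything else in the debug is worth chasing.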