04-12-2006 05:01 AM - edited 02-21-2020 02:22 PM
Hi,
here is the PIX 501 configuration:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname PIX-501-10
domain-name mvi.local
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 3:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list out2in remark *** ICMP ***
access-list out2in deny icmp any any unreachable
access-list out2in deny icmp any any redirect
access-list out2in permit icmp any any
pager lines 20
mtu outside 1500
mtu inside 1500
ip address outside 83.x.x.x.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNCLIENT 192.168.10.1-192.168.10.20 mask 255.255.255.0
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out2in in interface outside
route outside 0.0.0.0 0.0.0.0 83.211.116.124 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 65000 set transform-set myset
crypto map vpn 65000 ipsec-isakmp dynamic dynmap
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp keepalive 300
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup VPN-CLIENT address-pool VPNCLIENT
vpngroup VPN-CLIENT idle-time 600
vpngroup VPN-CLIENT password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 88.36.x.x.x.255.240 outside
ssh 88.34.x.x.x.255.224 outside
ssh 85.44.127.120 255.255.255.248 inside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd ping_timeout 750
username xxxx password xxxx privilege 5
terminal width 80
Cryptochecksum:xxxxx
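One way to sanity-check the remote-access VPN pieces of a configuration like this before looking at the client side, as an added example (my own Python, not Cisco's and not the poster's): it parses the VPN-relevant PIX 6.3 lines and verifies that the crypto map, dynamic map, transform set, isakmp policy, vpngroup and address pool all reference each other and that isakmp is enabled on the interface the crypto map is bound to. The embedded sample is the VPN-relevant subset of the configuration above with the group password replaced by a placeholder; the check logic and finding strings are my own assumptions about what is worth flagging, not Cisco documentation.

```python
"""Added example (not from the original post or from Cisco): parse the VPN-related
lines of a PIX 6.3-style configuration and check that the remote-access
IPsec chain is wired together consistently."""
from collections import defaultdict

# Constructed sample: the VPN-relevant subset of the configuration in the post,
# with the group password replaced by a placeholder value.
SAMPLE_CONFIG = """\
ip local pool VPNCLIENT 192.168.10.1-192.168.10.20 mask 255.255.255.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 65000 set transform-set myset
crypto map vpn 65000 ipsec-isakmp dynamic dynmap
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 30
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
vpngroup VPN-CLIENT address-pool VPNCLIENT
vpngroup VPN-CLIENT idle-time 600
vpngroup VPN-CLIENT password GROUP-PASSWORD-PLACEHOLDER
"""


def parse_pix_config(text):
    """Pull out the objects that a software-client (vpngroup) VPN depends on."""
    cfg = {
        "pools": {},                           # pool name -> address range
        "transform_sets": {},                  # name -> transforms
        "dynamic_maps": defaultdict(dict),     # name -> {seq: transform-set}
        "crypto_maps": defaultdict(dict),      # name -> {"dynamic": {seq: dynmap}, "interface", "auth"}
        "isakmp_enabled": set(),               # interfaces with 'isakmp enable'
        "isakmp_policies": defaultdict(dict),  # seq -> {attribute: value}
        "vpngroups": defaultdict(dict),        # group -> {attribute: value}
    }
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            cfg["dynamic_maps"][t[2]][int(t[3])] = t[t.index("transform-set") + 1]
        elif t[:2] == ["crypto", "map"]:
            name = t[2]
            if "dynamic" in t:
                cfg["crypto_maps"][name].setdefault("dynamic", {})[int(t[3])] = t[t.index("dynamic") + 1]
            elif t[3] == "interface":
                cfg["crypto_maps"][name]["interface"] = t[4]
            elif t[3:5] == ["client", "authentication"]:
                cfg["crypto_maps"][name]["auth"] = t[5]
        elif t[:2] == ["isakmp", "enable"]:
            cfg["isakmp_enabled"].add(t[2])
        elif t[:2] == ["isakmp", "policy"]:
            cfg["isakmp_policies"][int(t[2])][t[3]] = " ".join(t[4:])
        elif t[0] == "vpngroup":
            cfg["vpngroups"][t[1]][t[2]] = " ".join(t[3:])
    return cfg


def check_remote_access_vpn(cfg):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    for name, cmap in cfg["crypto_maps"].items():
        iface = cmap.get("interface")
        if iface is None:
            findings.append(f"crypto map {name} is not applied to any interface")
        elif iface not in cfg["isakmp_enabled"]:
            findings.append(f"crypto map {name} is on {iface} but 'isakmp enable {iface}' is missing")
        for seq, dyn in cmap.get("dynamic", {}).items():
            if dyn not in cfg["dynamic_maps"]:
                findings.append(f"crypto map {name} {seq} references undefined dynamic-map {dyn}")
                continue
            for dseq, ts in cfg["dynamic_maps"][dyn].items():
                if ts not in cfg["transform_sets"]:
                    findings.append(f"dynamic-map {dyn} {dseq} references undefined transform-set {ts}")
    if not cfg["vpngroups"]:
        findings.append("no vpngroup defined: the client has no group name/password to offer")
    elif not any(p.get("authentication") == "pre-share" for p in cfg["isakmp_policies"].values()):
        findings.append("vpngroups exist but no isakmp policy uses pre-share authentication")
    for group, attrs in cfg["vpngroups"].items():
        if "password" not in attrs:
            findings.append(f"vpngroup {group} has no password: client Phase 1 hash check will fail")
        pool = attrs.get("address-pool")
        if pool is None:
            findings.append(f"vpngroup {group} has no address-pool")
        elif pool not in cfg["pools"]:
            findings.append(f"vpngroup {group} references undefined pool {pool}")
    return findings


if __name__ == "__main__":
    for finding in check_remote_access_vpn(parse_pix_config(SAMPLE_CONFIG)) or ["chain looks consistent"]:
        print(finding)
```

Run it against a saved `write terminal` output to get either an empty result or a list of dangling references. On the configuration above the chain is complete, which is consistent with the client log showing the peer answering the aggressive-mode exchange; a mismatch in the group password itself cannot be seen in the config dump because the value is masked.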
04-12-2006 05:01 AM
... and here are the VPN Client logs:
28 14:42:05.698 04/12/06 Sev=Info/4 CM/0x63100002
Begin connection process
29 14:42:05.708 04/12/06 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
30 14:42:05.708 04/12/06 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
31 14:42:05.708 04/12/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "83.211.116.125"
32 14:42:05.718 04/12/06 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 83.211.116.125.
33 14:42:05.738 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 83.211.116.125
34 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 83.211.116.125
35 14:42:07.640 04/12/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 83.211.116.125
36 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
37 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports DPD
38 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
39 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
40 14:42:07.640 04/12/06 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
41 14:42:07.650 04/12/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
42 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
43 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
44 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 83.211.116.125
45 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 83.211.116.125
46 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2237)
47 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=01ECE9A69506D456 R_Cookie=BC3CB59FC58AFFE0) reason = DEL_REASON_IKE_NEG_FAILED
48 14:42:08.341 04/12/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=01ECE9A69506D456 R_Cookie=BC3CB59FC58AFFE0) reason = DEL_REASON_IKE_NEG_FAILED
49 14:42:08.341 04/12/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "83.211.116.125" because of "DEL_REASON_IKE_NEG_FAILED"
50 14:42:08.341 04/12/06 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
51 14:42:08.351 04/12/06 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
52 14:42:08.361 04/12/06 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
What's wrong?
Thank you!
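The log above already names the failure point: the peer answers the aggressive-mode exchange, but the client cannot verify the HASH payload, which the client itself attributes to a wrong group password. As an added example (my own Python, not Cisco's and not the poster's), the script below parses this two-line Cisco VPN Client log format into events and summarizes a Phase 1 attempt: which peer was contacted, which IKE mode was used, whether the peer replied at all, the warnings raised, the SA deletion reason, and a likely cause to check. The embedded sample is a subset of the log lines posted above; the "likely cause" strings are my own diagnostic assumptions, not Cisco text.

```python
"""Added example (not from the original post or from Cisco): parse Cisco VPN
Client log lines and summarize how far an IKE Phase 1 attempt got."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the log lines in the post above.
SAMPLE_LOG = """\
31 14:42:05.708 04/12/06 Sev=Info/4 CM/0x63100024
Attempt connection with server "83.211.116.125"
33 14:42:05.738 04/12/06 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 83.211.116.125
35 14:42:07.640 04/12/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 83.211.116.125
41 14:42:07.650 04/12/06 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
42 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
43 14:42:07.650 04/12/06 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
47 14:42:07.650 04/12/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=01ECE9A69506D456 R_Cookie=BC3CB59FC58AFFE0) reason = DEL_REASON_IKE_NEG_FAILED
49 14:42:08.341 04/12/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "83.211.116.125" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Each event is two lines: a header with sequence number, timestamp, severity
# and component/message code, followed by the message text on the next line.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)


@dataclass
class Event:
    seq: int
    time: str
    severity: str
    level: int
    component: str
    code: str
    message: str


def parse_vpn_client_log(text):
    """Pair each header line with the message line that follows it."""
    events, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
        elif header is not None:
            events.append(Event(int(header["seq"]), header["time"], header["sev"],
                                int(header["level"]), header["comp"], header["code"], line))
            header = None
    return events


def diagnose_phase1(events):
    """Summarize the Phase 1 attempt and name a likely cause worth checking."""
    r = {"peer": None, "mode": None, "peer_replied": False, "warnings": [],
         "delete_reason": None, "likely_cause": None}
    for ev in events:
        msg = ev.message
        m = re.search(r'Attempt connection with server "([^"]+)"', msg)
        if m:
            r["peer"] = m.group(1)
        if msg.startswith("SENDING >>> ISAKMP OAK AG"):
            r["mode"] = "aggressive"
        elif msg.startswith("SENDING >>> ISAKMP OAK MM"):
            r["mode"] = "main"
        if msg.startswith("RECEIVING <<< ISAKMP OAK"):
            r["peer_replied"] = True
        if ev.severity == "Warning":
            r["warnings"].append(msg)
        m = re.search(r"reason = (DEL_REASON_\w+)", msg)
        if m and r["delete_reason"] is None:
            r["delete_reason"] = m.group(1)
    text = " ".join(r["warnings"])
    # Assumed mapping from warning text to cause; the first branch is what the
    # client itself reports in the posted log.
    if "HASH payload cannot be verified" in text or "Hash verification failed" in text:
        r["likely_cause"] = "group password (or group name) mismatch between client and vpngroup"
    elif r["mode"] and not r["peer_replied"]:
        r["likely_cause"] = "no reply from peer: isakmp not enabled on that interface, or UDP 500/4500 not reaching it"
    elif r["delete_reason"]:
        r["likely_cause"] = r["delete_reason"]
    return r


if __name__ == "__main__":
    for key, value in diagnose_phase1(parse_vpn_client_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The useful distinction for troubleshooting is between "peer never replied" (look at `isakmp enable`, the interface ACL and anything in the path filtering UDP 500/4500) and "peer replied but the hash did not verify" (look at the group name and password entered in the client profile against the `vpngroup` entry); the summary separates those two cases so the next step is clear.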