08-04-2004 06:05 AM
Hello,
Please, can you help me?
I am trying to configure a PIX firewall for remote VPN access.
The client is using a Vodafone 3G corporate card. My IOS version is 6.3, and I enabled NAT traversal (isakmp nat-traversal). But the configuration is not working.
It works if client connects to Internet via modem, but not via 3G card.
I negotiated with Vodafone and they insisted it should work.
I looked through the Cisco web site and I can only find information about NAT traversal, but no configuration examples.
Please help, or advise how to prove to Vodafone that it doesn't work.
Thank you,
natalie
08-05-2004 03:09 AM
Hello Natalie
I have had a number of issues with VPN over GPRS here in the UK, albeit with Orange not Vodafone, but hopefully the following pointers will help.
Can you ping or otherwise access the PIX or the Internet from the 3G dial-up connection? Not all GPRS dial-up connections permit access to the Internet. You may be using the wrong APN. For Orange GPRS this is set using a modem command, "orangewap" or "orangeinternet" - not sure what it is for Vodafone.
On the VPN client check "Enable Transparent Tunneling" and use IPSec over UDP.
What operating system? I have seen W2000 work and NT fail.
Once you have checked the above, set your client logging to verbose (3) and see what happens.
Hope this helps.
Clive
08-05-2004 05:07 AM
Hello Clive,
Thank you for your reply.
There are two connection types on the 3G card: an Internet connection and a MYLAN connection (VPN).
To connect to the PIX we use MYLAN.
The following is the output of debug crypto sa, debug crypto isakmp and debug crypto ipsec:
crypto_isakmp_process_block:src:212.183.143.3, dest:192.168.254.2 spt:160 dpt:50
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 212.183.143.3, dst 192.168.254.2
ISADB: reaper checking SA 0x11dd3fc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 212.183.143.3/160 not found - peers:0
It looks like the PIX can't determine the port of the incoming connection.
The client configuration is exactly as you described. The OS is Windows XP Pro.
I shall try to do logging from the client side.
Thank you,
Natalie
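The debug output above shows the sequence a practitioner looks for when NAT traversal is in play: the client advertises NAT-T, the PIX builds NAT-D hashes, reports "Detected port floating" (which, per RFC 3947, moves IKE and ESP to UDP/4500), and then retransmits phase 1 with no reply until it deletes the SA. The following parser is an added example, not code from this thread or from Cisco; it summarises a PIX 6.x ISAKMP debug excerpt into a few flags and turns them into diagnostic hints. The sample input is a constructed excerpt of the debug lines quoted above, and the interpretation rules (for instance, that retransmission after port floating points at the UDP/4500 path) are heuristics, not an official Cisco decision table.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the PIX debug lines quoted in the thread above.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:212.183.143.3, dest:192.168.254.2 spt:160 dpt:50
OAK_AG exchange
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): speaking to a Unity client
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 212.183.143.3, dst 192.168.254.2
"""

# Matches the process_block header that carries the peer address and ports.
HEADER_RE = re.compile(
    r"src:(?P<src>[\d.]+),\s*dest:(?P<dst>[\d.]+)\s*spt:(?P<spt>\d+)\s*dpt:(?P<dpt>\d+)"
)


@dataclass
class IkeSummary:
    peer: Optional[str] = None          # remote IKE peer address from the header line
    aggressive_mode: bool = False       # OAK_AG = aggressive mode (Unity client behaviour)
    proposal_accepted: bool = False     # at least one transform matched an isakmp policy
    peer_supports_natt: bool = False    # client sent a NAT-T vendor ID
    port_floating: bool = False         # NAT detected, IKE/ESP moved to UDP/4500
    phase1_retransmits: int = 0         # PIX resent phase 1 without hearing back
    sa_deleted: bool = False            # PIX gave up and removed the half-open SA
    findings: List[str] = field(default_factory=list)


def parse_isakmp_debug(text: str) -> IkeSummary:
    """Walk the debug lines once and record the events that matter for NAT-T troubleshooting."""
    s = IkeSummary()
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            s.peer = m.group("src")
        elif "OAK_AG exchange" in line:
            s.aggressive_mode = True
        elif "atts are acceptable" in line:
            s.proposal_accepted = True
        elif "vendor ID is NAT-T" in line:
            s.peer_supports_natt = True
        elif "Detected port floating" in line:
            s.port_floating = True
        elif "retransmitting phase 1" in line:
            s.phase1_retransmits += 1
        elif line.startswith("ISAKMP") and "deleting SA" in line:
            s.sa_deleted = True
    s.findings = diagnose(s)
    return s


def diagnose(s: IkeSummary) -> List[str]:
    """Heuristic hints (assumption: these are the author's rules, not a Cisco reference)."""
    hints: List[str] = []
    if not s.proposal_accepted:
        hints.append("No client transform matched an isakmp policy; compare the proposed "
                     "encryption/hash/group/lifetime against 'show isakmp policy'.")
        return hints
    if not s.peer_supports_natt:
        hints.append("Client did not advertise NAT-T; check 'Enable Transparent Tunneling' "
                     "with IPSec over UDP on the client and isakmp nat-traversal on the PIX.")
    if s.port_floating and s.phase1_retransmits and s.sa_deleted:
        hints.append("NAT detected and port floating occurred, then phase 1 was retransmitted "
                     "with no reply until the SA was deleted: verify that UDP/4500 passes in "
                     "both directions between the client's APN/NAT and the PIX outside interface.")
    elif s.phase1_retransmits and s.sa_deleted:
        hints.append("Phase 1 retransmitted with no reply on UDP/500; check reachability "
                     "of the PIX from the 3G connection (ping, UDP/500 filtering).")
    return hints


if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    print(f"peer={summary.peer} natt={summary.peer_supports_natt} "
          f"float={summary.port_floating} retransmits={summary.phase1_retransmits}")
    for hint in summary.findings:
        print("-", hint)
```

Run it against a full `debug crypto isakmp` capture saved to a file, or paste the excerpt into SAMPLE_DEBUG as above. The useful signal is the combination of flags rather than any single line: a proposal that was accepted, NAT-T agreed and port floating detected, followed only by retransmits, narrows the problem to what happens after the exchange moves to UDP/4500, which is exactly the part a carrier's APN or NAT can silently drop.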