530 Views, 0 Helpful, 2 Replies

VPN over GPRS to PIX

NUNSWOR
Level 1

Hello,

Please, can you help me?

I am trying to configure a PIX firewall for remote VPN access.

The client is using a Vodafone 3G corporate card. My IOS version is 6.3, and I enabled NAT traversal (isakmp nat-traversal). But the configuration is not working.

It works if the client connects to the Internet via modem, but not via the 3G card.

I negotiated with Vodafone and they insisted it should work.

I looked through the Cisco web site and I can only find information about NAT traversal, but not examples of configuration.

Please help or advise how to prove to Vodafone that it doesn't work.

Thank you,

natalie

2 Replies

cfenegan
Level 1

Hello Natalie

I have had a number of issues with VPN over GPRS here in the UK, albeit with Orange not Vodafone, but hopefully the following pointers will help.

Can you ping or otherwise access the PIX or the Internet from the 3G dial-up connection? Not all GPRS dial-up connections permit access to the Internet. You may be using the wrong APN. For Orange GPRS this is set using a modem command, "orangewap" or "orangeinternet"; not sure what it is for Vodafone.

On the VPN client check "Enable Transparent Tunneling" and use IPSec over UDP.

What operating system? I have seen W2000 work and NT fail.

Once you have checked the above, set your client logging to verbose (3) and see what happens.

Hope this helps.

Clive

Hello Clive,

Thank you for reply.

There are two connection types on the 3G card: Internet connection;

MYLAN connection (VPN).

To connect to the PIX we use MYLAN.

The following is the debug crypto sa, debug crypto isakmp, debug crypto ipsec output:

crypto_isakmp_process_block:src:212.183.143.3, dest:192.168.254.2 spt:160 dpt:50
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): ID payload
next-payload : 10
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 212.183.143.3, dst 192.168.254.2
ISADB: reaper checking SA 0x11dd3fc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 212.183.143.3/160 not found - peers:0

It looks like the PIX can't determine the port of the incoming connection.

The client configuration is exactly as you described. The OS is Windows XP Pro.

I shall try to do logging from client side.

Thank you,

Natalie
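An added example, not part of the thread and not Cisco code: a small Python classifier for this kind of PIX 6.x "debug crypto isakmp" transcript. It reads the transcript the way a practitioner would, in order: was any client transform accepted against the isakmp policy, did NAT-T get negotiated (NAT-T vendor ID, NAT-D payloads, "Detected port floating"), and did the PIX then retransmit phase 1 and delete the SA. The sample transcript is Natalie's output above, abridged to the lines the parser uses; the function names (`parse_isakmp_debug`, `diagnose`) and the verdict rules are my own reading of these messages, not Cisco documentation.

```python
"""Classify a PIX 6.x "debug crypto isakmp" transcript from a remote-access client
behind NAT. Added example for this thread; the verdict rules are one reading of the
debug messages, not Cisco documentation."""
import re
from dataclasses import dataclass, field

# Constructed sample: Natalie's transcript above, abridged to the lines used here.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:212.183.143.3, dest:192.168.254.2 spt:160 dpt:50
OAK_AG exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
ISAKMP (0:0): Detected port floating
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src 212.183.143.3, dst 192.168.254.2
"""

@dataclass
class Transform:
    encryption: str = ""
    hash: str = ""
    group: str = ""
    accepted: bool = False

@dataclass
class IsakmpSummary:
    peer: str = ""
    exchange: str = ""
    transforms: list = field(default_factory=list)
    nat_t_vendor_id: bool = False
    port_floating: bool = False
    retransmits: int = 0
    sa_deleted: bool = False

def parse_isakmp_debug(text):
    # One pass over the transcript, collecting the facts diagnose() needs.
    s = IsakmpSummary()
    current = None  # transform whose attributes are currently being listed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("crypto_isakmp_process_block"):
            m = re.search(r"src:([\d.]+)", line)
            s.peer = m.group(1) if m else s.peer
        elif line.endswith(" exchange"):
            s.exchange = line.split()[0]  # OAK_AG = aggressive mode, OAK_MM = main mode
        elif "Checking ISAKMP transform" in line:
            current = Transform()
            s.transforms.append(current)
        elif "atts are not acceptable" in line:
            current = None
        elif "atts are acceptable" in line:
            if current is not None:
                current.accepted = True
            current = None
        elif current is not None:
            m = re.match(r"ISAKMP: (encryption|hash|default group) (\S+)", line)
            if m:
                setattr(current, m.group(1).split()[-1], m.group(2))
        elif "vendor ID is NAT-T" in line:
            s.nat_t_vendor_id = True
        elif "Detected port floating" in line:
            s.port_floating = True
        elif "retransmitting phase 1" in line:
            s.retransmits += 1
        elif "deleting SA" in line:
            s.sa_deleted = True
    return s

VERDICTS = {
    "no_matching_isakmp_policy": "every client transform rejected; fix the isakmp policy first",
    "stalled_before_port_float": "PIX replied on UDP 500 and heard nothing back; UDP 500 is not passing both ways",
    "stalled_after_port_float": "proposal accepted, NAT detected, then the PIX retransmitted phase 1 and gave up: "
                                "the next client message (now on UDP 4500) never arrived, or the reply never reached the client",
    "phase1_progressed": "no stall in this excerpt; read further down the transcript",
}

def diagnose(s):
    """Map a parsed transcript to a VERDICTS key, most basic failure first."""
    if s.transforms and not any(t.accepted for t in s.transforms):
        return "no_matching_isakmp_policy"
    if s.retransmits >= 2 and s.sa_deleted:
        return "stalled_after_port_float" if s.port_floating else "stalled_before_port_float"
    return "phase1_progressed"

if __name__ == "__main__":
    summary = parse_isakmp_debug(SAMPLE_DEBUG)
    verdict = diagnose(summary)
    print(f"peer {summary.peer} ({summary.exchange}): {verdict}: {VERDICTS[verdict]}")
```

On the posted transcript the verdict is stalled_after_port_float: the second transform matched policy 10, the client announced NAT-T, the NAT-D hashes showed a NAT in the path, both sides agreed to float to UDP 4500, and then the PIX retransmitted its aggressive-mode reply twice and deleted the SA. That is not a policy or client-setting problem; the Cisco VPN Client prefers standard NAT-T over its own "IPSec over UDP" encapsulation when the peer supports it, so the transparent-tunneling option does not change what happens here. The check that settles it with the carrier is a packet capture on the PIX outside interface (PIX 6.3 has the capture command) filtered on UDP 500 and 4500 during a connection attempt over the MYLAN APN: if the client's packets stop appearing once the exchange moves to 4500, the carrier network is not passing UDP 4500, and that is what to show Vodafone.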