Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Cisco > Remote VPN

Reply
Thread Tools

Remote VPN

 
 
Charolette
Guest
Posts: n/a
 
      09-18-2006
Hi,

I have a PIX 506e and i have setup a remote VPN client on the PIX. I
have setup up the group name, password and VPN IP Pool. I already have
VPN site to site over IPsec on IKE. When i try to connect using the VPN
Client i get a

32 11:47:36.634 09/18/06 Sev=Warning/3 IKE/0xA300004B

Received a NOTIFY message with an invalid protocol id (0)

What is the problem??


thanks

 
Reply With Quote
 
 
 
 
[NICK]
Guest
Posts: n/a
 
      09-18-2006
Can we see your config ? (Remove any sensitive info 1st obviously)

 
Reply With Quote
 
 
 
 
Charolette
Guest
Posts: n/a
 
      09-18-2006
thank you very much for your help.

Here is the config on the PIX


access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any
access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain
access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224
object-group ML_Inbound_SMTP eq smtp
access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224
object-group special_www eq www
access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP
eq ntp
access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www
access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https
access-list INSIDE_IN remark Testing connnection to Net-2-Net
access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host
NET2NETSRV
access-list INSIDE_IN deny ip any any log
access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host
Public_OFTSFAP1 eq smtp
access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq
3389
access-list OUTSIDE_IN deny ip any any log
access-list inside_outbound_nat0_acl permit ip 192.168.2.0
255.255.255.0 HO_VPN_NET 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.2.0
255.255.255.0 VPN_RM 255.255.255.0
access-list outside_cryptomap_20 remark VPN to head office
access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0
HO_VPN_NET 255.255.255.0
access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0
192.168.2.0 255.255.255.0
access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0
192.168.2.0 255.255.255.0
access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0
255.255.255.0 any
pager lines 24
logging standby
mtu outside 1500
mtu inside 1500
ip address outside PIX_OUT_INT 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224
nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 3 192.168.2.0 255.255.255.128 0 0
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
route outside 0.0.0.0 0.0.0.0 61.88.19.161 1
timeout xlate 0:05:00
timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer HO_PIX
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth
no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
vpngroup OFT_VPN_CL address-pool VPN_POOL
vpngroup OFT_VPN_CL dns-server OFTSFAP1
vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl
vpngroup OFT_VPN_CL idle-time 1800
vpngroup OFT_VPN_CL password ********
telnet HO_VPN_NET 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.224 inside
telnet HOST_PC 255.255.255.192 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient server HO_PIX
vpnclient mode network-extension-mode
vpnclient vpngroup OFT_VPN password ********
vpnclient username OFT_VPN_User password ********
terminal width 80
Cryptochecksum:0e5ef91744953bfd6679320e8c0fb6c5

The VPN client connects fine to the PIX but there are no decrypted
packets and a lot of bypass.

Regards

 
Reply With Quote
 
Walter Roberson
Guest
Posts: n/a
 
      09-19-2006
In article <(E-Mail Removed) .com>,
Charolette <(E-Mail Removed)> wrote:

>Here is the config on the PIX


>ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224


The pool with a mask of .224 ends at .95 not .96 .
I would suggest that you use a netmask of 255.255.255.0,
and make sure that the first and last addresses implied by the
netmask are not listed in the pool.

>access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any
>access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain
>access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group ML_Inbound_SMTP eq smtp
>access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group special_www eq www


In your first line, you permit out the full 192.168.2/24, but in
the two lines above you only allow yout 192.168.2.0 - 192.168.2.31 .
Is that really what you want? If you have made a deliberate decision
to confine "hosts that are allowed to contact those services"
to that address range, then take note that that address range includes
the PIX inside interface, which would you wouldn't normally want to
include if you are being particular about what goes out where.

>access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP
>eq ntp
>access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www
>access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https


If you have allocated a group of hosts starting from HOST_PC
and extending to HOST_PC + 63, and that's what you want to allow
to access those services, then I would suggest that it is better
form to hide the details of the permitted hosts inside an
object-group; that way later you they don't have to be contiguous.

>access-list INSIDE_IN remark Testing connnection to Net-2-Net
>access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host
>NET2NETSRV
>access-list INSIDE_IN deny ip any any log


That denies traffic to the VPN_pool . However, the sysopt you
use later allows the VPN to ignore the access lists.

>access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host
>Public_OFTSFAP1 eq smtp
>access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq
>3389
>access-list OUTSIDE_IN deny ip any any log
>access-list inside_outbound_nat0_acl permit ip 192.168.2.0
>255.255.255.0 HO_VPN_NET 255.255.255.0
>access-list inside_outbound_nat0_acl permit ip 192.168.2.0
>255.255.255.0 VPN_RM 255.255.255.0


With the information you gave, we cannot tell whether
HO_VPN_NET or VPN_RM encompasses VPN_POOL . If one of the two
does, notice the netmask inconsistancy compared to the pool
definition.


>access-list outside_cryptomap_20 remark VPN to head office
>access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0
>HO_VPN_NET 255.255.255.0


>access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0
>192.168.2.0 255.255.255.0
>access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0
>192.168.2.0 255.255.255.0


>nat (outside) 0 access-list outside_inbound_nat0_acl outside


Don't try nat 0 against the outside interface: if it does anything
at all, it surely won't be whatever you intended. Instead just
rely upon the fact that nat (inside) 0 is automatically applied
"in reverse" for incoming traffic.

>access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any


>ip address outside PIX_OUT_INT 255.255.255.248
>ip address inside 192.168.2.1 255.255.255.0
>ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224
>nat (outside) 0 access-list outside_inbound_nat0_acl outside
>nat (inside) 0 access-list inside_outbound_nat0_acl
>nat (inside) 3 192.168.2.0 255.255.255.128 0 0


no global (outside) 3 policy...

>access-group OUTSIDE_IN in interface outside
>access-group INSIDE_IN in interface inside


>sysopt connection permit-ipsec
>crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
>crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
>crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
>crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
>crypto map outside_map 20 ipsec-isakmp
>crypto map outside_map 20 match address outside_cryptomap_20
>crypto map outside_map 20 set peer HO_PIX
>crypto map outside_map 20 set transform-set ESP-DES-SHA


Why is your fixed peer using ESP-DES-SHA but your dynamics
are using ESP-DES-MD5 ? PIX 6.3 does not support ESP-DES-SHA
by the way (if I recall correctly.) It's better to list several
transforms in the set, strongest first; then if somehow there
becomes a mismatch in support, they can fall back to another transform.

>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
>crypto map outside_map interface outside
>isakmp enable outside
>isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth
>no-config-mode
>isakmp policy 20 authentication pre-share
>isakmp policy 20 encryption des
>isakmp policy 20 hash md5
>isakmp policy 20 group 2
>isakmp policy 20 lifetime 86400
>isakmp policy 30 authentication pre-share
>isakmp policy 30 encryption des
>isakmp policy 30 hash sha
>isakmp policy 30 group 1
>isakmp policy 30 lifetime 86400


DES SHA is stronger than DES MD5, so it would be better if it
were a lower policy number.

>vpngroup OFT_VPN_CL address-pool VPN_POOL
>vpngroup OFT_VPN_CL dns-server OFTSFAP1
>vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl
>vpngroup OFT_VPN_CL idle-time 1800
>vpngroup OFT_VPN_CL password ********
>telnet HO_VPN_NET 255.255.255.0 inside


Everything else implies that HO_VPN_NET is outside, but here you
have it on the inside.

>telnet 192.168.2.0 255.255.255.224 inside
>telnet HOST_PC 255.255.255.192 inside
>telnet timeout 5
>ssh timeout 5
>console timeout 0
>dhcpd address 192.168.2.2-192.168.2.254 inside


??? You are allowing accidents of DHCP address allocation to
determine whether a particular host is allowed particular kinds
of inside or outside access (because of the various .224 you use
against inside addresses in places) ?

And if there are fixed hosts at HOST_PC then they overlap with
your dhcpd address pool, unless HOST_PC is in a completely
different IP range -- but if it is in a completely different
range then the situation can't work without an 'ip route' statement.


>vpnclient server HO_PIX
>vpnclient mode network-extension-mode
>vpnclient vpngroup OFT_VPN password ********
>vpnclient username OFT_VPN_User password ********


You are trying to create a management VPN to HO_PIX and
there is a corresponding VPN at HO_PIX marked with a
'management interface' command? If not then don't use
network-extension-mode . If you -are- trying to create such
a management VPN, note that the network-extension-mode VPN
being created will permit only traffic that originates at the
PIX itself, such as CLI pings -- usually not of substantial utility
considering the configuration complexity.

If you want to build a LAN to LAN VPN to the outside interface of
HO_PIX then include the outside interface IP of HO_PIX amongst the
traffic permitted by outside_cryptomap_20 .
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OT: How to reboot remote PC via VPN/Remote Desktop? (PeteCresswell) Wireless Networking 9 02-08-2013 02:18 PM
VPN site to site & Remote access VPN ( vpn client) over the same interface pasatealinux Cisco 1 12-17-2007 07:41 PM
PIX-to-PIX vpn + remote Access VPN not working Marko Uusitalo Cisco 1 04-11-2005 12:45 PM
Remote Assistance fails to connect, remote remote host name could not be resolved Peter Sale Wireless Networking 1 12-11-2004 09:09 PM
PIX 501 :VPN client traffic does not pass down VPN tunnel to remote subnet.. Tim Fortea Cisco 2 10-23-2004 12:25 PM



Advertisments