Velocity Reviews - Computer Hardware Reviews

Trying to Connect NCP CE Client to PIX using Preshared Keys...

 
 
Scott Townsend
      06-23-2005
I have my PIX set up for both Certs and PreShared Keys.

I've been able to get the Cisco VPN Client to connect via Certs with no
issues.

I've been able to get other Routers to Connect using PreShared Keys using
the name of the router as the VPDNGroup name with no issues.



On the NCP Client In the Profile settings under Identities, I've tried
several ID Types. I'm not sure which one I'm supposed to use. I thought it
was ASN1 Group name, though I've tried them all.


On the PIX I've seen the Following which makes me believe the ID Type is not
set right.


VPN Peer:ISAKMP: Peer Info for 166.220.45.45/500 not found - peers:10


Where that IP address is the IP Address of the Client. Though since my
device changes IP every time I connect to the internet I cannot do an
Identity via IP. I'd like to use a name/group name/string. This works for
my other PreShared Key Clients as they also have a DHCP WAN address.

(Link to Client Software:
http://www.ncp.de/english/produkte/s...try/index.html)



Please Advise.


Thanks!

Scott<-


Here is my log info from a connection attempt from a client with IP
166.220.9.6

----------------------------------------
NCP Client
----------------------------------------
IPSDIALCHAN::start building connection
NCPIKE-phase1:name(sx66) - outgoing connect request - main mode.
XMIT_MSG1_MAIN - sx66
RECV_MSG2_MAIN - sx66
IKE phase I: Setting LifeTime to 28800 seconds
sx66 ->Support for NAT-T version - 3
XMIT_MSG3_MAIN - sx66
IPSDIAL->FINAL_TUNNEL_ENDPOINT:204.145.245.017
RECV_MSG4_MAIN - sx66
Turning on NATD mode - sx66 - 1
XMIT_MSG5_MAIN - sx66
IPSDIAL - disconnecting from sx66 on channel 1.
NCPIKE-phase2:name(sx66) - error - cleared by phase1
IPSDIAL - disconnected from sx66 on channel 1.

----------------------------------------
Cisco PIX
----------------------------------------



charlie#
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share (init)
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share (init)
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: extended auth pre-share (init)
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: extended auth pre-share (init)
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth... What? 64221?
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth... What? 64221?
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 10 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: ca fd 52 eb ca 2b 3e fa 47 23 49 83 a8 bd 7b 44
his nat hash : 17 5f 4e 86 7b b1 2d d0 2b a2 26 97 7e 8a 82 2e
ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 5!
ISAKMP (0): deleting SA: src 166.220.9.6, dst charlie_o
ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15eb93c, conn_id = 0
ISADB: reaper checking SA 0x15d6bd4, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 166.220.9.6/500 not found - peers:10

ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15eb93c, conn_id = 0
ISADB: reaper checking SA 0x15e140c, conn_id = 0
ISADB: reaper checking SA 0x15dc59c, conn_id = 0
ISADB: reaper checking SA 0x15de6d4, conn_id = 0
ISADB: reaper checking SA 0x15d0174, conn_id = 0
ISADB: reaper checking SA 0x158020c, conn_id = 0
ISADB: reaper checking SA 0x147aa94, conn_id = 0
ISADB: reaper checking SA 0x15e03d4, conn_id = 0
ISADB: reaper checking SA 0x14b155c, conn_id = 0
ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
crypto_isakmp_process_block:src:67.124.15.121, dest:charlie_o spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 795482895, spi size = 16
ISAKMP (0): deleting SA: src 67.124.15.121, dst charlie_o
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15eb93c, conn_id = 0
ISADB: reaper checking SA 0x15e140c, conn_id = 0
ISADB: reaper checking SA 0x15dc59c, conn_id = 0
ISADB: reaper checking SA 0x15de6d4, conn_id = 0
ISADB: reaper checking SA 0x15d0174, conn_id = 0
ISADB: reaper checking SA 0x158020c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:67.124.15.121/500 Ref cnt decremented to:2 Total VPN Peers:10
ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15eb93c, conn_id = 0
ISADB: reaper checking SA 0x15e140c, conn_id = 0
ISADB: reaper checking SA 0x15dc59c, conn_id = 0
ISADB: reaper checking SA 0x15de6d4, conn_id = 0
ISADB: reaper checking SA 0x15d0174, conn_id = 0
ISADB: reaper checking SA 0x147aa94, conn_id = 0
ISADB: reaper checking SA 0x15e03d4, conn_id = 0
ISADB: reaper checking SA 0x14b155c, conn_id = 0
ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 5!
crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP (0): deleting SA: src 166.220.9.6, dst charlie_o
ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15eb93c, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 166.220.9.6/500 not found - peers:10

ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
ISADB: reaper checking SA 0x15e140c, conn_id = 0
ISADB: reaper checking SA 0x15dc59c, conn_id = 0
ISADB: reaper checking SA 0x15de6d4, conn_id = 0
ISADB: reaper checking SA 0x15d0174, conn_id = 0
ISADB: reaper checking SA 0x147aa94, conn_id = 0
ISADB: reaper checking SA 0x15e03d4, conn_id = 0
ISADB: reaper checking SA 0x14b155c, conn_id = 0
ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
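
Added example, not part of the original post: a small Python parser for the PIX debug output above that turns each "Checking ISAKMP transform" block into a record, decodes the four-octet life duration, and lists the plain pre-share offers the PIX still refused. The function names `parse_transforms` and `rejected_psk` are hypothetical, and the sample is a shortened excerpt of the log quoted in the post.

```python
import re

# Shortened excerpt of the PIX debug output quoted in the post above.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth... What? 64221?
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

HEAD = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP: (encryption|hash|default group|keylength of|(?:extended )?auth) (.+)$")
LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+ ?)+)")
ODD_AUTH = re.compile(r"^ISAKMP: auth\.\.\. What\? (\d+)\?")
KEYS = {"default group": "group", "keylength of": "keylength", "extended auth": "auth"}

def parse_transforms(log):
    """Return one dict per transform the peer offered, with the PIX verdict."""
    out, cur = [], None
    for line in map(str.strip, log.splitlines()):
        if m := HEAD.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2])}
            out.append(cur)
        elif cur is None:
            continue
        elif m := ODD_AUTH.match(line):
            cur["auth"] = f"unrecognised({m[1]})"  # value the PIX could not name
        elif m := LIFE.search(line):
            octets = bytes(int(x, 16) for x in m[1].split())
            cur["lifetime_s"] = int.from_bytes(octets, "big")
        elif m := ATTR.match(line):
            prefix = "extended " if m[1].startswith("extended") else ""
            cur[KEYS.get(m[1], m[1])] = prefix + m[2]
        elif "atts are" in line:
            cur["accepted"] = "not acceptable" not in line
            cur = None  # block finished; ignore lines until the next header
    return out

def rejected_psk(log):  # plain pre-share offers that were still refused
    return [t["transform"] for t in parse_transforms(log)
            if t.get("auth") == "pre-share" and t.get("accepted") is False]
```

Run against the full debug capture, the decoded `lifetime_s` can be compared with the "Setting LifeTime to 28800 seconds" line in the NCP client log.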


