Can't configure VPN client in PIX

Discussion in 'Cisco' started by Sako, Jan 30, 2006.

  1. Sako

    Sako Guest

    Hi gents, I have a problem with my pix. It has vpn tunnels
    configured, and I'm trying to configure a vpn client. I've done this in
    other pix without any problem, but it seems I forgot something and
    here it doesn't work.

    I create a vpn pool, to the vpn group, then I put the address of the
    pool in my NAT access-list, and create an access-list to the vpn group
    so it can access my network. I had some problems with isakmp because I
    don't have 3des encryption; is it really necessary?

    Please take a look at my config because I've been fighting 3 days with
    this and I'm starting to lose my nerve.

    thanks and regards.



    isakmp policy 21 is superceded by identical policy 20
    : Saved
    :
    PIX Version 6.3(4)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 intf2 security4
    enable password ZlGq2vBPmW8hXSpI encrypted
    passwd ZlGq2vBPmW8hXSpI encrypted
    hostname pixvalencia
    domain-name valdisme.net
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list outside_access_in permit icmp any any
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0
    255.255.255.0
    access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0
    255.255.255.0
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0
    255.255.255.0
    access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0
    255.255.255.0
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0
    255.255.255.0
    access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0
    255.255.255.0
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0
    255.255.255.0
    access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0
    255.255.255.0
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0
    255.255.255.0
    access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0
    255.255.255.0
    access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
    access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    255.255.255.0
    access-list remote_castellon_acl permit ip 192.168.1.0 255.255.255.0
    192.168.5.0 255.255.255.0
    access-list remote_castellon_acl permit icmp 192.168.1.0 255.255.255.0
    192.168.5.0 255.255.255.0
    access-list remote_alicante_acl permit ip 192.168.1.0 255.255.255.0
    192.168.3.0 255.255.255.0
    access-list remote_alicante_acl permit icmp 192.168.1.0 255.255.255.0
    192.168.3.0 255.255.255.0
    access-list remote_benidorm_acl permit ip 192.168.1.0 255.255.255.0
    192.168.6.0 255.255.255.0
    access-list remote_benidorm_acl permit icmp 192.168.1.0 255.255.255.0
    192.168.6.0 255.255.255.0
    access-list remote_murcia_acl permit ip 192.168.1.0 255.255.255.0
    192.168.4.0 255.255.255.0
    access-list remote_murcia_acl permit icmp 192.168.1.0 255.255.255.0
    192.168.4.0 255.255.255.0
    access-list remote_madrid_acl permit ip 192.168.1.0 255.255.255.0
    192.168.2.0 255.255.255.0
    access-list remote_madrid_acl permit icmp 192.168.1.0 255.255.255.0
    192.168.2.0 255.255.255.0
    access-list tst_vpndecom_split_tunnel_acl permit ip 192.168.1.0
    255.255.255.0 any
    access-list red_interna permit ip 192.168.1.0 255.255.255.0 any
    pager lines 24
    logging timestamp
    logging trap debugging
    logging host inside 192.168.1.26
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    ip address outside 10.200.100.253 255.255.0.0
    ip address inside 192.168.1.1 255.255.255.0
    ip address intf2 192.168.20.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpndecom_pool 172.16.1.1
    pdm location 0.0.0.0 0.0.0.0 outside
    pdm location 192.168.20.0 255.255.255.0 inside
    pdm location 10.200.0.0 255.255.0.0 inside
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm location 192.168.20.20 255.255.255.255 intf2
    pdm location 192.168.5.0 255.255.255.0 outside
    pdm location 80.38.105.29 255.255.255.255 outside
    pdm location 192.168.2.0 255.255.255.0 outside
    pdm location 192.168.3.0 255.255.255.0 outside
    pdm location 192.168.4.0 255.255.255.0 outside
    pdm location 192.168.6.0 255.255.255.0 outside
    pdm location 192.168.2.0 255.255.255.0 intf2
    pdm location 192.168.3.0 255.255.255.0 intf2
    pdm location 192.168.4.0 255.255.255.0 intf2
    pdm location 192.168.5.0 255.255.255.0 intf2
    pdm location 192.168.6.0 255.255.255.0 intf2
    pdm location 192.168.1.26 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (intf2) 1 interface
    nat (inside) 0 access-list nonat_acl
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
    route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
    timeout xlate 3:00:00
    timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.200.0.0 255.255.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.20.0 255.255.255.0 intf2
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set myset
    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address remote_castellon_acl
    crypto map newmap 10 set peer 10.201.100.253
    crypto map newmap 10 set transform-set myset
    crypto map newmap 11 ipsec-isakmp
    crypto map newmap 11 match address remote_alicante_acl
    crypto map newmap 11 set peer 10.202.100.253
    crypto map newmap 11 set transform-set myset
    crypto map newmap 12 ipsec-isakmp
    crypto map newmap 12 match address remote_benidorm_acl
    crypto map newmap 12 set peer 10.205.100.253
    crypto map newmap 12 set transform-set myset
    crypto map newmap 13 ipsec-isakmp
    crypto map newmap 13 match address remote_murcia_acl
    crypto map newmap 13 set peer 10.203.100.253
    crypto map newmap 13 set transform-set myset
    crypto map newmap 20 ipsec-isakmp
    crypto map newmap 20 match address remote_madrid_acl
    crypto map newmap 20 set peer 80.38.105.29
    crypto map newmap 20 set transform-set myset
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 80.38.105.29 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp key ******** address 10.201.100.253 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp key ******** address 10.203.100.253 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp key ******** address 10.202.100.253 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp key ******** address 10.205.100.253 netmask 255.255.255.255
    no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400
    vpngroup vpndecom address-pool vpndecom_pool
    vpngroup vpndecom dns-server 192.168.1.15
    vpngroup vpndecom default-domain decom.es
    vpngroup vpndecom split-tunnel tst_vpndecom_split_tunnel_acl
    vpngroup vpndecom idle-time 1800
    vpngroup vpndecom password ********
    telnet timeout 5
    ssh 10.200.0.0 255.255.0.0 outside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.20.0 255.255.255.0 intf2
    ssh timeout 30
    console timeout 0
    dhcpd address 192.168.1.100-192.168.1.250 inside
    dhcpd dns 192.168.1.15 192.168.1.16
    dhcpd lease 1048575
    dhcpd ping_timeout 750
    dhcpd domain valdisme.net
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:85a4d85fae585f6cc1d481ec8e15524b
    : end
    pixvalencia(config)#
    Sako, Jan 30, 2006
    #1

  2. I could be wrong, but I don't think you can have des in your transform set
    if you don't have 3DES enabled on the Pix. Anyone else?
    "Sako" <> wrote in message
    news:...
    > Hi gents, I have a problem with my pix. It has vpn tunnels
    > configured, and I'm trying to configure a vpn client. I've done this in
    > other pix without any problem, but it seems I forgot something and
    > here it doesn't work.
    >
    > I create a vpn pool, to the vpn group, then I put the address of the
    > pool in my NAT access-list, and create an access-list to the vpn group
    > so it can access my network. I had some problems with isakmp because I
    > don't have 3des encryption; is it really necessary?
    >
    > Please take a look to my config because I've been fighting 3 days with
    > this and I'm starting to lose my nerve.
    >
    > thanks and regards.
    Thomas Miller, Jan 30, 2006
    #2

  3. In article <>,
    Sako <> wrote:
    > Hi gents, I have a problem with my pix. It has vpn tunnels
    >configured, and I'm trying to configure a vpn client. I've done this in
    >other pix without any problem, but it seems I forgot something and
    >here it doesn't work.


    >I create a vpn pool, to the vpn group, then I put the address of the
    >pool in my NAT access-list, and create an access-list to the vpn group
    >so it can access my network. I had some problems with isakmp because I
    >don't have 3des encryption; is it really necessary?


    3DES is not necessary for VPNs.

    I notice, though, that your isakmp policy 20 uses DES SHA for RSA
    signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA:
    for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share not
    RSA Signatures.


    >PIX Version 6.3(4)


    >access-list outside_access_in permit icmp any any


    As a security note: you don't really want ICMP Redirect to be
    let through, as an attacker can use it to phish for information.
    Allow icmp unreachable, icmp time-exceeded, and possibly icmp echo-reply.

    >access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0
    >255.255.255.0
    >access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0
    >255.255.255.0


    icmp is part of ip so this line is redundant. This same thing
    occurs a number of times in your configuration.

    >access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
    >access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0
    >255.255.255.0


    192.168.1.0 is part of 'any' so this line is redundant.

    >access-list remote_castellon_acl permit ip 192.168.1.0 255.255.255.0
    >192.168.5.0 255.255.255.0
    >access-list remote_castellon_acl permit icmp 192.168.1.0 255.255.255.0
    >192.168.5.0 255.255.255.0


    icmp redundancy again.

    >access-list tst_vpndecom_split_tunnel_acl permit ip 192.168.1.0
    >255.255.255.0 any
    >access-list red_interna permit ip 192.168.1.0 255.255.255.0 any


    >ip address outside 10.200.100.253 255.255.0.0
    >ip address inside 192.168.1.1 255.255.255.0


    >ip local pool vpndecom_pool 172.16.1.1


    >global (outside) 1 interface
    >nat (inside) 0 access-list nonat_acl
    >nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    >access-group outside_access_in in interface outside


    >sysopt connection permit-ipsec
    >crypto ipsec transform-set myset esp-des esp-md5-hmac
    >crypto dynamic-map outside_dyn_map 20 set transform-set myset


    >crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    >crypto map outside_map interface outside


    >isakmp key ******** address 80.38.105.29 netmask 255.255.255.255
    >no-xauth no-config-mode


    All of your isakmp are host specific, which suggests that you
    are indeed counting on RSA for authenticating your VPN clients,
    but as indicated above you have the DES / SHA conflict for that.

    >isakmp identity address


    When you have VPN clients that might have a connection dropped
    and might come back in with a different IP, then identity hostname
    is preferred to identity address: otherwise when the client reconnects
    then the old crypto SAs will not be automatically deleted (because
    the address the client sends the second time does not match the
    address sent the first time.)

    >isakmp policy 10 authentication pre-share
    >isakmp policy 10 encryption des
    >isakmp policy 10 hash md5
    >isakmp policy 10 group 2
    >isakmp policy 10 lifetime 86400
    >isakmp policy 20 authentication rsa-sig
    >isakmp policy 20 encryption des
    >isakmp policy 20 hash sha
    >isakmp policy 20 group 1
    >isakmp policy 20 lifetime 86400
    >vpngroup vpndecom address-pool vpndecom_pool
    Walter Roberson, Jan 30, 2006
    #3
  4. In article <vKtDf.41391$>,
    Thomas Miller <> wrote:
    >I could be wrong, but I don't think you can have des in your transform set
    >if you don't have 3DES enabled on the Pix. Anyone else?


    No, that is not correct. DES is enabled even if you do not have the
    3DES license.
    Walter Roberson, Jan 30, 2006
    #4
  5. Sako

    Sako Guest

    Thanks. The person who managed this before me is not working with us any
    more, so any comment is helpful for me.

    About:
    // notice, though, that your isakmp policy 20 uses DES SHA for RSA
    //signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA:
    //for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share not
    //RSA Signatures.
    The pix is quite new, so maybe it doesn't support DES RSA.

    So you consider that something like:
    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400

    could do?
    Thanks. I don't have access tonight to the pix, but I want to solve this
    in a proper way, knowing why I'm wrong.
    Sako, Jan 30, 2006
    #5
  6. DCS

    DCS Guest

    //crypto map newmap 20 ipsec-isakmp
    //crypto map newmap 20 match address remote_madrid_acl
    //crypto map newmap 20 set peer 80.38.105.29
    //crypto map newmap 20 set transform-set myset
    //crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    //crypto map outside_map interface outside

    You have multiple crypto maps set to the same interface.

    Try:
    crypto map newmap 99 ipsec-isakmp dynamic outside_dyn_map
    crypto map newmap interface outside

    Unless you have certificates in place and know they work, try preshared
    keys for your group authentication to troubleshoot. Your group name
    set in your VPN client groupname should be <vpndecom> and whatever
    password you're using. Do the L2L tunnels work okay? Keep your ISAKMP
    POLICY 10 for now.

    If you need more help, try adding the VPN Client log info from your
    client, LOG -> LOG WINDOW and debug information from your PIX. The
    command DEBUG CRYPTO ISAKMP will indicate if the policies match and
    which ones they match on. Good luck!
    DCS, Jan 31, 2006
    #6
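    The replies above boil down to three checks that can be run over the config text itself: ACL entries shadowed by a wider earlier entry (icmp after ip, a /24 after any), an ISAKMP policy pairing DES with SHA, and the crypto map binding on the outside interface. The script below is an added example, not code from the thread or from Cisco; it parses the PIX 6.3 line syntax as quoted in this thread, the sample config is a constructed subset of the lines quoted here, and the DES/SHA rule simply encodes Walter's statement about 6.3 rather than a fact verified against a PIX.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the config lines quoted in the thread,
# kept in their original order (order matters for the ACL shadow check).
SAMPLE_CONFIG = """\
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list red_interna permit ip 192.168.1.0 255.255.255.0 any
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_madrid_acl
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, line), ...]} in config order."""
    acls = defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src, rest = _endpoint(t[4:])
        dst, _ = _endpoint(rest)
        acls[t[1]].append((t[2], t[3], src, dst, line.strip()))
    return acls


def shadowed_acl_entries(config):
    """Entries fully covered by an earlier entry of the same ACL and action.
    'ip' covers every protocol and a wider network covers a narrower one, so
    both redundancies from the thread come out as (acl, shadowed, covering)."""
    findings = []
    for name, entries in parse_acls(config).items():
        for j, (act_b, proto_b, src_b, dst_b, text_b) in enumerate(entries):
            for act_a, proto_a, src_a, dst_a, text_a in entries[:j]:
                if (act_a == act_b and proto_a in ("ip", proto_b)
                        and src_b.subnet_of(src_a) and dst_b.subnet_of(dst_a)):
                    findings.append((name, text_b, text_a))
                    break
    return findings


def des_sha_isakmp_policies(config):
    """Policy numbers pairing DES with SHA (the combination Walter says 6.3 dropped)."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        t = line.split()
        if len(t) == 5 and t[:2] == ["isakmp", "policy"]:
            policies[int(t[2])][t[3]] = t[4]
    return sorted(n for n, p in policies.items()
                  if p.get("encryption") == "des" and p.get("hash") == "sha")


def crypto_map_findings(config):
    """Only one crypto map can be applied to an interface, so report an interface
    with several bindings and any map that has entries but is bound nowhere."""
    defined, bound = set(), defaultdict(list)
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["crypto", "map"] or len(t) < 5:
            continue
        if t[3] == "interface":
            bound[t[4]].append(t[2])
        else:
            defined.add(t[2])
    findings = [f"interface {i} has several crypto maps bound: {', '.join(m)}"
                for i, m in bound.items() if len(m) > 1]
    unbound = defined - {m for maps in bound.values() for m in maps}
    findings += [f"crypto map {m} has entries but is bound to no interface"
                 for m in sorted(unbound)]
    return findings


if __name__ == "__main__":
    for acl, line, covered_by in shadowed_acl_entries(SAMPLE_CONFIG):
        print(f"[{acl}] redundant: {line}\n    covered by: {covered_by}")
    for n in des_sha_isakmp_policies(SAMPLE_CONFIG):
        print(f"isakmp policy {n}: DES with SHA; use MD5 with DES on this release")
    for finding in crypto_map_findings(SAMPLE_CONFIG):
        print(finding)
```

    Run against the constructed sample, the ACL check reports the two nonat_acl lines Walter calls redundant, the policy check reports policy 20, and the crypto map check reports that newmap has entries but is not applied to any interface, which is the situation DCS's merged `newmap 99 ... dynamic` entry resolves. The shadow check only looks at earlier entries of the same action, so it reports unreachable lines rather than every overlap.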
  7. Sako

    Sako Guest

    The tunnel using crypto map newmap 20 works; the thing I'm not sure
    about is the:

    isakmp policy 20 authentication rsa-sig
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 86400

    When I open the log in the client nothing comes, but I'll try with the
    debug crypto isakmp and preshared keys.

    Thanks! I'll tell you if this works
    Sako, Jan 31, 2006
    #7
  8. Sako

    Sako Guest

    Thanks a lot, it was because of the two crypto maps in the same
    interface!!!

    Now it joins, and I can see it with show crypto isakmp sa

    but there's a problem: neither terminal server nor ssh works

    Here is my current config; neither of the two vpngroups can terminal server
    or anything.

    access-list split_tunnel_ac permit ip 192.168.1.0 255.255.255.0
    172.16.1.0 255.255.255.0
    access-list split_tunnel_ac permit icmp 192.168.1.0 255.255.255.0
    172.16.1.0 255.255.255.0

    access-list vldsm_tunnel_ac permit ip 192.168.1.0 255.255.255.0 any
    access-list vldsm_tunnel_ac permit icmp 192.168.1.0 255.255.255.0 any

    ip local pool vpndkm_pool 172.16.1.1
    ip local pool vldsm_pool 192.168.1.60

    route outside 204.78.15.29 255.255.255.255 10.200.100.190 1
    route outside 205.224.156.90 255.255.255.255 10.200.100.190 1

    crypto dynamic-map dynmap 30 set transform-set myset
    ......
    crypto map newmap 21 ipsec-isakmp dynamic dynmap
    crypto map newmap interface outside


    vpngroup vpndecom address-pool vpndecom_pool
    vpngroup vpndkm dns-server 192.168.1.15
    vpngroup vpndkm default-domain valdisme.net
    vpngroup vpndkm split-tunnel split_tunnel_ac
    vpngroup vpndkm idle-time 1800
    vpngroup vpndkm password ********
    vpngroup vldsm address-pool vldsm_pool
    vpngroup vldsm split-tunnel vldsm_tunnel_ac
    vpngroup vldsm idle-time 1800
    vpngroup vldsm password ********
    Sako, Jan 31, 2006
    #8
