Can't establish a VPN tunnel between PIX 501 and Cisco VPN Client

Discussion in 'Cisco' started by Martin Nowles, Nov 10, 2003.

  1. As mentioned in the subject, the tunnel won't work. The user authentication
    via RADIUS grants the user access, but then the client stops with the
    message: "Secure VPN connection terminated locally by the client. Reason
    403: Unable to connect to the security gateway". I added the config of
    my setup and the result of "debug crypto isakmp".

    Software Versions:
    PIX: 6.3.3
    VPN Client: 4.0.3 (A)

    Maybe someone can help.

    --
    Martin

    PIX - Config:
    -------------------------
    : Saved
    :
    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname <mypix>
    domain-name <mydomain>
    clock timezone CET 1
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    access-list acl permit ip 172.17.0.0 255.255.0.0 any
    access-list acl permit ip 172.23.0.0 255.255.0.0 any
    no pager
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any source-quench outside
    icmp permit any echo outside
    icmp permit any time-exceeded outside
    icmp permit any parameter-problem outside
    icmp permit any conversion-error outside
    icmp permit any redirect outside
    icmp deny any outside
    icmp permit any inside
    mtu outside 1500
    mtu inside 1500
    ip address outside <mypixexternal-IP> 255.255.255.0
    ip address inside 172.17.81.62 255.255.0.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool freiburg 172.17.81.122-172.17.81.125
    pdm location 172.17.88.89 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    route outside 0.0.0.0 0.0.0.0 213.160.22.49 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host <myradiusserver> <password> timeout 5
    aaa-server LOCAL protocol local
    ntp server 172.17.88.99 source inside
    http server enable
    http 172.17.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 900
    crypto dynamic-map vpndialin 65534 set pfs group2
    crypto dynamic-map vpndialin 65534 set transform-set ESP-3DES-SHA
    crypto map freiburg 65534 ipsec-isakmp dynamic vpndialin
    crypto map freiburg client authentication RADIUS
    crypto map freiburg interface outside
    isakmp enable outside
    isakmp nat-traversal 30
    isakmp policy 5 authentication rsa-sig
    isakmp policy 5 encryption aes-256
    isakmp policy 5 hash sha
    isakmp policy 5 group 5
    isakmp policy 5 lifetime 86400
    vpngroup vpn address-pool freiburg
    vpngroup vpn dns-server 172.17.88.88 172.17.88.89
    vpngroup vpn wins-server 172.17.88.88 172.17.88.89
    vpngroup vpn default-domain <mydomain>
    vpngroup vpn split-dns <mydomain>
    vpngroup vpn idle-time 1800
    ca identity certsrv.<mydomain> 172.17.81.93:/certsrv/mscep/MSCEP.dll
    ca configure certsrv.<mydomain> ra 1 0 crloptional
    telnet timeout 5
    ssh 172.17.0.0 255.255.0.0 inside
    ssh timeout 60
    console timeout 0
    terminal width 80
    Cryptochecksum:d14ee9f904fe7ca49298ec578c4f5470
    : end

    ISAKMP Debug
    --------------------------------

    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are acceptable. Next payload is 3
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    ISAKMP (0): processing a CT_X509_SIGNATURE cert
    ISAKMP (0): cert approved with warning
    ISAKMP (0): processing CERT_REQ payload. message ID = 0
    ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
    ISAKMP (0): processing SIG payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): SA has been authenticated

    ISAKMP: Created a peer struct for <myvpnclient-IP>, peer port 62465
    ISAKMP (0): ID payload
    next-payload : 6
    type : 2
    protocol : 17
    port : 0
    length : 26
    ISAKMP (0): Total payload length: 30
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:<myvpnclient-IP>/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:<myvpnclient-IP>/500 Ref cnt incremented to:1 Total VPN Peers:1
    ISAKMP: peer is a remote access client
    ISAKMP/xauth: request attribute XAUTH_TYPE
    ISAKMP/xauth: request attribute XAUTH_USER_NAME
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    ISAKMP (0:0): initiating peer config to <myvpnclient-IP>. ID = 492727403 (0x1d5e6c6b)
    ISAKMP (0): retransmitting Config Mode Request...
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from <myvpnclient-IP>. message ID = 11112876
    ISAKMP: Config payload CFG_REPLY
    return status is IKMP_ERR_NO_RETRANS
    ISAKMP (0:0): initiating peer config to <myvpnclient-IP>. ID = 4150976923 (0xf76ae19b)
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from <myvpnclient-IP>. message ID = 11112876
    ISAKMP: Config payload CFG_ACK
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from <myvpnclient-IP>. message ID = 11112876
    ISAKMP: Config payload CFG_REQUEST
    ISAKMP (0:0): checking request:
    ISAKMP: attribute IP4_ADDRESS (1)
    ISAKMP: attribute IP4_NETMASK (2)
    ISAKMP: attribute IP4_DNS (3)
    ISAKMP: attribute IP4_NBNS (4)
    ISAKMP: attribute ADDRESS_EXPIRY (5)
    Unsupported Attr: 5
    ISAKMP: attribute UNKNOWN (28672)
    Unsupported Attr: 28672
    ISAKMP: attribute UNKNOWN (28673)
    Unsupported Attr: 28673
    ISAKMP: attribute ALT_DEF_DOMAIN (28674)
    ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
    ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
    ISAKMP: attribute ALT_PFS (28679)
    ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
    ISAKMP: attribute APPLICATION_VERSION (7)
    ISAKMP: attribute UNKNOWN (28680)
    Unsupported Attr: 28680
    ISAKMP: attribute UNKNOWN (28682)
    Unsupported Attr: 28682
    ISAKMP (0:0): responding to peer config from <myvpnclient-IP>. ID = 3904303469
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 1619518855, spi size = 16
    ISAKMP (0): deleting SA: src <myvpnclient-IP>, dst <mypixexternal-IP>
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0xae6c64, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:<myvpnclient-IP>/500 Ref cnt decremented to:0
    Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:<myvpnclient-IP>/500 Total VPN peers:0
    Martin Nowles, Nov 10, 2003
    #1
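The debug output above is long, and the useful fact is buried in it: Main Mode completes, the SA is authenticated, XAUTH and mode-config are answered, and then the client sends a DELETE before any Quick Mode (OAK_QM) exchange appears. The following Python triage helper is an added example, not code from the post or from Cisco; it walks "debug crypto isakmp" lines once, records which milestone the session reached, the ISAKMP return statuses, and any "Unsupported Attr" values from mode-config, and reports where the session was when the peer tore it down. The embedded sample is a constructed, condensed copy of the lines posted above, with the same <myvpnclient-IP> and <mypixexternal-IP> placeholders; the stage names are this example's own labels and the tool states where the session stopped, not why.

```python
import re
from collections import Counter

# Constructed excerpt of "debug crypto isakmp" output, condensed from the lines
# in the post above; <myvpnclient-IP> and <mypixexternal-IP> are placeholders.
SAMPLE_DEBUG = """\
crypto_isakmp_process_block:src:<myvpnclient-IP>, dest:<mypixexternal-IP> spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing RSA signature authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): cert approved with warning
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP_TRANSACTION exchange
ISAKMP: Config payload CFG_REPLY
return status is IKMP_ERR_NO_RETRANS
ISAKMP_TRANSACTION exchange
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
ISAKMP_TRANSACTION exchange
ISAKMP: Config payload CFG_REQUEST
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP (0:0): responding to peer config from <myvpnclient-IP>. ID = 3904303469
return status is IKMP_NO_ERROR
ISAKMP (0): processing DELETE payload. message ID = 1619518855, spi size = 16
ISAKMP (0): deleting SA: src <myvpnclient-IP>, dst <mypixexternal-IP>
return status is IKMP_NO_ERR_NO_TRANS
"""

# Milestones a remote-access IKEv1 session passes on the PIX, in order, each
# keyed by the substring that marks it in the debug. The labels are this
# example's own (hypothetical) names, not PIX terminology.
STAGES = [
    ("main mode started", "OAK_MM exchange"),
    ("phase 1 authenticated", "SA has been authenticated"),
    ("xauth reply received", "Config payload CFG_REPLY"),
    ("xauth result acknowledged", "Config payload CFG_ACK"),
    ("mode-config answered", "responding to peer config"),
    ("quick mode started", "OAK_QM exchange"),
]

UNSUPPORTED_RE = re.compile(r"^Unsupported Attr: (\d+)$")
STATUS_RE = re.compile(r"^return status is (\S+)$")
EXCHANGE_RE = re.compile(r"^(\S+) exchange$")


def analyze_isakmp_debug(text: str) -> dict:
    """Walk the debug lines once and summarise how far the session got."""
    reached = -1              # index into STAGES of the furthest milestone seen
    stage_at_delete = None    # milestone in force when the peer's DELETE arrived
    unsupported = []          # mode-config attribute numbers the PIX rejected
    statuses = Counter()      # "return status is ..." values
    exchanges = Counter()     # exchange types (OAK_MM, ISAKMP_TRANSACTION, OAK_QM)
    cert_warning = False

    for raw in text.splitlines():
        line = raw.strip()
        m = EXCHANGE_RE.match(line)
        if m:
            exchanges[m.group(1)] += 1
        m = STATUS_RE.match(line)
        if m:
            statuses[m.group(1)] += 1
        m = UNSUPPORTED_RE.match(line)
        if m:
            unsupported.append(int(m.group(1)))
        if "cert approved with warning" in line:
            cert_warning = True
        for idx, (_, marker) in enumerate(STAGES):
            if marker in line and idx > reached:
                reached = idx
        if "processing DELETE payload" in line and stage_at_delete is None:
            stage_at_delete = STAGES[reached][0] if reached >= 0 else "nothing"

    return {
        "last_stage": STAGES[reached][0] if reached >= 0 else "nothing",
        "phase1_authenticated": reached >= 1,
        "quick_mode_seen": exchanges["OAK_QM"] > 0,
        "torn_down_by_peer": stage_at_delete is not None,
        "stage_at_delete": stage_at_delete,
        "cert_warning": cert_warning,
        "unsupported_attrs": unsupported,
        "statuses": dict(statuses),
        "exchanges": dict(exchanges),
    }


def summarize(result: dict) -> str:
    """One-line verdict stating where the session stopped, not why."""
    if result["quick_mode_seen"]:
        return "Phase 2 reached; look at the IPsec SA / transform-set negotiation"
    if result["torn_down_by_peer"]:
        return (f"peer deleted the ISAKMP SA after '{result['stage_at_delete']}' "
                "and before any Quick Mode exchange")
    return f"session stalled at '{result['last_stage']}'"


if __name__ == "__main__":
    r = analyze_isakmp_debug(SAMPLE_DEBUG)
    print(summarize(r))
    print("unsupported mode-config attributes:", r["unsupported_attrs"])
    print("return statuses:", r["statuses"])
```

Run against the sample, the verdict is that the peer deleted the SA after "mode-config answered" with no OAK_QM exchange recorded, which matches the client's "terminated locally by the client" message. Feeding it a capture where OAK_QM does appear moves the investigation to Phase 2 instead, so the same helper separates a Phase 1 / XAUTH / mode-config problem from a transform-set mismatch without reading the whole trace.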