Remote VPN

Discussion in 'Cisco' started by Charolette, Sep 18, 2006.

  1. Charolette

    Charolette Guest

    Hi,

    I have a PIX 506e and i have setup a remote VPN client on the PIX. I
    have setup up the group name, password and VPN IP Pool. I already have
    VPN site to site over IPsec on IKE. When i try to connect using the VPN
    Client i get a

    32 11:47:36.634 09/18/06 Sev=Warning/3 IKE/0xA300004B

    Received a NOTIFY message with an invalid protocol id (0)

    What is the problem??


    thanks
    Charolette, Sep 18, 2006
    #1
    1. Advertising

  2. Charolette

    [NICK] Guest

    Can we see your config ? (Remove any sensitive info 1st obviously)
    [NICK], Sep 18, 2006
    #2
    1. Advertising

  3. Charolette

    Charolette Guest

    thank you very much for your help.

    Here is the config on the PIX


    access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any
    access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain
    access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224
    object-group ML_Inbound_SMTP eq smtp
    access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224
    object-group special_www eq www
    access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP
    eq ntp
    access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www
    access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https
    access-list INSIDE_IN remark Testing connnection to Net-2-Net
    access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host
    NET2NETSRV
    access-list INSIDE_IN deny ip any any log
    access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host
    Public_OFTSFAP1 eq smtp
    access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq
    3389
    access-list OUTSIDE_IN deny ip any any log
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0
    255.255.255.0 HO_VPN_NET 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0
    255.255.255.0 VPN_RM 255.255.255.0
    access-list outside_cryptomap_20 remark VPN to head office
    access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0
    HO_VPN_NET 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0
    192.168.2.0 255.255.255.0
    access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0
    192.168.2.0 255.255.255.0
    access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0
    255.255.255.0 any
    pager lines 24
    logging standby
    mtu outside 1500
    mtu inside 1500
    ip address outside PIX_OUT_INT 255.255.255.248
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224
    nat (outside) 0 access-list outside_inbound_nat0_acl outside
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 3 192.168.2.0 255.255.255.128 0 0
    access-group OUTSIDE_IN in interface outside
    access-group INSIDE_IN in interface inside
    route outside 0.0.0.0 0.0.0.0 61.88.19.161 1
    timeout xlate 0:05:00
    timeout conn 2:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer HO_PIX
    crypto map outside_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth
    no-config-mode
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption des
    isakmp policy 30 hash sha
    isakmp policy 30 group 1
    isakmp policy 30 lifetime 86400
    vpngroup OFT_VPN_CL address-pool VPN_POOL
    vpngroup OFT_VPN_CL dns-server OFTSFAP1
    vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl
    vpngroup OFT_VPN_CL idle-time 1800
    vpngroup OFT_VPN_CL password ********
    telnet HO_VPN_NET 255.255.255.0 inside
    telnet 192.168.2.0 255.255.255.224 inside
    telnet HOST_PC 255.255.255.192 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.2-192.168.2.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    vpnclient server HO_PIX
    vpnclient mode network-extension-mode
    vpnclient vpngroup OFT_VPN password ********
    vpnclient username OFT_VPN_User password ********
    terminal width 80
    Cryptochecksum:0e5ef91744953bfd6679320e8c0fb6c5

    The VPN client connects fine to the PIX but there are no decrypted
    packets and a lot of bypass.

    Regards
    Charolette, Sep 19, 2006
    #3
  4. In article <>,
    Charolette <> wrote:

    >Here is the config on the PIX


    >ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224


    The pool with a mask of .224 ends at .95 not .96 .
    I would suggest that you use a netmask of 255.255.255.0,
    and make sure that the first and last addresses implied by the
    netmask are not listed in the pool.

    >access-list INSIDE_IN permit icmp 192.168.2.0 255.255.255.0 any
    >access-list INSIDE_IN permit udp host OFTSFAP1 any eq domain
    >access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group ML_Inbound_SMTP eq smtp
    >access-list INSIDE_IN permit tcp 192.168.2.0 255.255.255.224 object-group special_www eq www


    In your first line, you permit out the full 192.168.2/24, but in
    the two lines above you only allow yout 192.168.2.0 - 192.168.2.31 .
    Is that really what you want? If you have made a deliberate decision
    to confine "hosts that are allowed to contact those services"
    to that address range, then take note that that address range includes
    the PIX inside interface, which would you wouldn't normally want to
    include if you are being particular about what goes out where.

    >access-list INSIDE_IN permit udp host OFTSFAP1 object-group OPTUS_NTP
    >eq ntp
    >access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq www
    >access-list INSIDE_IN permit tcp HOST_PC 255.255.255.192 any eq https


    If you have allocated a group of hosts starting from HOST_PC
    and extending to HOST_PC + 63, and that's what you want to allow
    to access those services, then I would suggest that it is better
    form to hide the details of the permitted hosts inside an
    object-group; that way later you they don't have to be contiguous.

    >access-list INSIDE_IN remark Testing connnection to Net-2-Net
    >access-list INSIDE_IN permit ip 192.168.2.0 255.255.255.0 host
    >NET2NETSRV
    >access-list INSIDE_IN deny ip any any log


    That denies traffic to the VPN_pool . However, the sysopt you
    use later allows the VPN to ignore the access lists.

    >access-list OUTSIDE_IN permit tcp object-group ML_Inbound_SMTP host
    >Public_OFTSFAP1 eq smtp
    >access-list OUTSIDE_IN permit tcp host PM_PC host Public_OFTSFAP1 eq
    >3389
    >access-list OUTSIDE_IN deny ip any any log
    >access-list inside_outbound_nat0_acl permit ip 192.168.2.0
    >255.255.255.0 HO_VPN_NET 255.255.255.0
    >access-list inside_outbound_nat0_acl permit ip 192.168.2.0
    >255.255.255.0 VPN_RM 255.255.255.0


    With the information you gave, we cannot tell whether
    HO_VPN_NET or VPN_RM encompasses VPN_POOL . If one of the two
    does, notice the netmask inconsistancy compared to the pool
    definition.


    >access-list outside_cryptomap_20 remark VPN to head office
    >access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0
    >HO_VPN_NET 255.255.255.0


    >access-list outside_inbound_nat0_acl permit ip HO_VPN_NET 255.255.255.0
    >192.168.2.0 255.255.255.0
    >access-list outside_inbound_nat0_acl permit ip VPN_RM 255.255.255.0
    >192.168.2.0 255.255.255.0


    >nat (outside) 0 access-list outside_inbound_nat0_acl outside


    Don't try nat 0 against the outside interface: if it does anything
    at all, it surely won't be whatever you intended. Instead just
    rely upon the fact that nat (inside) 0 is automatically applied
    "in reverse" for incoming traffic.

    >access-list OFT_VPN_CL_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any


    >ip address outside PIX_OUT_INT 255.255.255.248
    >ip address inside 192.168.2.1 255.255.255.0
    >ip local pool VPN_POOL 172.11.1.64-172.11.1.96 mask 255.255.255.224
    >nat (outside) 0 access-list outside_inbound_nat0_acl outside
    >nat (inside) 0 access-list inside_outbound_nat0_acl
    >nat (inside) 3 192.168.2.0 255.255.255.128 0 0


    no global (outside) 3 policy...

    >access-group OUTSIDE_IN in interface outside
    >access-group INSIDE_IN in interface inside


    >sysopt connection permit-ipsec
    >crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    >crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    >crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    >crypto dynamic-map outside_dyn_map 30 set transform-set ESP-DES-MD5
    >crypto map outside_map 20 ipsec-isakmp
    >crypto map outside_map 20 match address outside_cryptomap_20
    >crypto map outside_map 20 set peer HO_PIX
    >crypto map outside_map 20 set transform-set ESP-DES-SHA


    Why is your fixed peer using ESP-DES-SHA but your dynamics
    are using ESP-DES-MD5 ? PIX 6.3 does not support ESP-DES-SHA
    by the way (if I recall correctly.) It's better to list several
    transforms in the set, strongest first; then if somehow there
    becomes a mismatch in support, they can fall back to another transform.

    >crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    >crypto map outside_map interface outside
    >isakmp enable outside
    >isakmp key ******** address HO_PIX netmask 255.255.255.255 no-xauth
    >no-config-mode
    >isakmp policy 20 authentication pre-share
    >isakmp policy 20 encryption des
    >isakmp policy 20 hash md5
    >isakmp policy 20 group 2
    >isakmp policy 20 lifetime 86400
    >isakmp policy 30 authentication pre-share
    >isakmp policy 30 encryption des
    >isakmp policy 30 hash sha
    >isakmp policy 30 group 1
    >isakmp policy 30 lifetime 86400


    DES SHA is stronger than DES MD5, so it would be better if it
    were a lower policy number.

    >vpngroup OFT_VPN_CL address-pool VPN_POOL
    >vpngroup OFT_VPN_CL dns-server OFTSFAP1
    >vpngroup OFT_VPN_CL split-tunnel OFT_VPN_CL_splitTunnelAcl
    >vpngroup OFT_VPN_CL idle-time 1800
    >vpngroup OFT_VPN_CL password ********
    >telnet HO_VPN_NET 255.255.255.0 inside


    Everything else implies that HO_VPN_NET is outside, but here you
    have it on the inside.

    >telnet 192.168.2.0 255.255.255.224 inside
    >telnet HOST_PC 255.255.255.192 inside
    >telnet timeout 5
    >ssh timeout 5
    >console timeout 0
    >dhcpd address 192.168.2.2-192.168.2.254 inside


    ??? You are allowing accidents of DHCP address allocation to
    determine whether a particular host is allowed particular kinds
    of inside or outside access (because of the various .224 you use
    against inside addresses in places) ?

    And if there are fixed hosts at HOST_PC then they overlap with
    your dhcpd address pool, unless HOST_PC is in a completely
    different IP range -- but if it is in a completely different
    range then the situation can't work without an 'ip route' statement.


    >vpnclient server HO_PIX
    >vpnclient mode network-extension-mode
    >vpnclient vpngroup OFT_VPN password ********
    >vpnclient username OFT_VPN_User password ********


    You are trying to create a management VPN to HO_PIX and
    there is a corresponding VPN at HO_PIX marked with a
    'management interface' command? If not then don't use
    network-extension-mode . If you -are- trying to create such
    a management VPN, note that the network-extension-mode VPN
    being created will permit only traffic that originates at the
    PIX itself, such as CLI pings -- usually not of substantial utility
    considering the configuration complexity.

    If you want to build a LAN to LAN VPN to the outside interface of
    HO_PIX then include the outside interface IP of HO_PIX amongst the
    traffic permitted by outside_cryptomap_20 .
    Walter Roberson, Sep 19, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Peter Sale
    Replies:
    1
    Views:
    11,940
    Robin Walker
    Dec 11, 2004
  2. Tim Fortea
    Replies:
    2
    Views:
    990
  3. Marko Uusitalo
    Replies:
    1
    Views:
    1,487
    Frank Durham
    Apr 11, 2005
  4. (PeteCresswell)

    OT: How to reboot remote PC via VPN/Remote Desktop?

    (PeteCresswell), Jul 4, 2006, in forum: Wireless Networking
    Replies:
    9
    Views:
    29,991
    staffwriter
    Feb 8, 2013
  5. pasatealinux
    Replies:
    1
    Views:
    2,004
    pasatealinux
    Dec 17, 2007
Loading...

Share This Page