Trying to Connect NCP CE Client to PIX using Preshared Keys...

Discussion in 'Cisco' started by Scott Townsend, Jun 23, 2005.

  1. I have my PIX set up for both Certs and PreShared Keys.

    I've been able to get the Cisco VPN Client to connect via Certs with no
    issues.

    I've been able to get other Routers to Connect using PreShared Keys using
    the name of the router as the VPDNGroup name with no issues.



    On the NCP Client, in the Profile settings under Identities, I've tried
    several ID Types. I'm not sure which one I'm supposed to use. I thought it
    was ASN1 Group name, though I've tried them all.


    On the PIX I've seen the Following which makes me believe the ID Type is not
    set right.


    VPN Peer:ISAKMP: Peer Info for 166.220.45.45/500 not found - peers:10


    Where that IP address is the IP Address of the Client. Though since my
    device changes IP every time I connect to the internet I cannot do an
    Identity via IP. I'd like to use a name/group name/string. This works for
    my other PreShared Key Clients as they also have a DHCP WAN address.

    (Link to Client Software:
    http://www.ncp.de/english/produkte/secureentry/index.html)



    Please Advise.


    Thanks!

    Scott<-


    Here is my log info from a connection attempt from a client with IP
    166.220.9.6

    ----------------------------------------
    NCP Client
    ----------------------------------------
    IPSDIALCHAN::start building connection
    NCPIKE-phase1:name(sx66) - outgoing connect request - main mode.
    XMIT_MSG1_MAIN - sx66
    RECV_MSG2_MAIN - sx66
    IKE phase I: Setting LifeTime to 28800 seconds
    sx66 ->Support for NAT-T version - 3
    XMIT_MSG3_MAIN - sx66
    IPSDIAL->FINAL_TUNNEL_ENDPOINT:204.145.245.017
    RECV_MSG4_MAIN - sx66
    Turning on NATD mode - sx66 - 1
    XMIT_MSG5_MAIN - sx66
    IPSDIAL - disconnecting from sx66 on channel 1.
    NCPIKE-phase2:name(sx66) - error - cleared by phase1
    IPSDIAL - disconnected from sx66 on channel 1.

    ----------------------------------------
    Cisco PIX
    ----------------------------------------



    charlie#
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: extended auth pre-share (init)
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: extended auth pre-share (init)
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP: keylength of 128
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: extended auth pre-share (init)
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: extended auth pre-share (init)
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth... What? 64221?
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth... What? 64221?
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 10 against priority 8 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: ca fd 52 eb ca 2b 3e fa 47 23 49 83 a8 bd 7b 44
    his nat hash : 17 5f 4e 86 7b b1 2d d0 2b a2 26 97 7e 8a 82 2e
    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 5!
    ISAKMP (0): deleting SA: src 166.220.9.6, dst charlie_o
    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15eb93c, conn_id = 0
    ISADB: reaper checking SA 0x15d6bd4, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 166.220.9.6/500 not found - peers:10

    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15eb93c, conn_id = 0
    ISADB: reaper checking SA 0x15e140c, conn_id = 0
    ISADB: reaper checking SA 0x15dc59c, conn_id = 0
    ISADB: reaper checking SA 0x15de6d4, conn_id = 0
    ISADB: reaper checking SA 0x15d0174, conn_id = 0
    ISADB: reaper checking SA 0x158020c, conn_id = 0
    ISADB: reaper checking SA 0x147aa94, conn_id = 0
    ISADB: reaper checking SA 0x15e03d4, conn_id = 0
    ISADB: reaper checking SA 0x14b155c, conn_id = 0
    ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
    crypto_isakmp_process_block:src:67.124.15.121, dest:charlie_o spt:500 dpt:500
    ISAKMP (0): processing DELETE payload. message ID = 795482895, spi size = 16
    ISAKMP (0): deleting SA: src 67.124.15.121, dst charlie_o
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15eb93c, conn_id = 0
    ISADB: reaper checking SA 0x15e140c, conn_id = 0
    ISADB: reaper checking SA 0x15dc59c, conn_id = 0
    ISADB: reaper checking SA 0x15de6d4, conn_id = 0
    ISADB: reaper checking SA 0x15d0174, conn_id = 0
    ISADB: reaper checking SA 0x158020c, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:67.124.15.121/500 Ref cnt decremented to:2 Total VPN Peers:10
    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15eb93c, conn_id = 0
    ISADB: reaper checking SA 0x15e140c, conn_id = 0
    ISADB: reaper checking SA 0x15dc59c, conn_id = 0
    ISADB: reaper checking SA 0x15de6d4, conn_id = 0
    ISADB: reaper checking SA 0x15d0174, conn_id = 0
    ISADB: reaper checking SA 0x147aa94, conn_id = 0
    ISADB: reaper checking SA 0x15e03d4, conn_id = 0
    ISADB: reaper checking SA 0x14b155c, conn_id = 0
    ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 5!
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 5!
    crypto_isakmp_process_block:src:166.220.9.6, dest:charlie_o spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP (0): deleting SA: src 166.220.9.6, dst charlie_o
    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15eb93c, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 166.220.9.6/500 not found - peers:10

    ISADB: reaper checking SA 0x15d1d1c, conn_id = 0
    ISADB: reaper checking SA 0x15e140c, conn_id = 0
    ISADB: reaper checking SA 0x15dc59c, conn_id = 0
    ISADB: reaper checking SA 0x15de6d4, conn_id = 0
    ISADB: reaper checking SA 0x15d0174, conn_id = 0
    ISADB: reaper checking SA 0x147aa94, conn_id = 0
    ISADB: reaper checking SA 0x15e03d4, conn_id = 0
    ISADB: reaper checking SA 0x14b155c, conn_id = 0
    ISADB: reaper checking SA 0xe4eb0c, conn_id = 0
     
    Scott Townsend, Jun 23, 2005
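
An added example, not part of the original post: a small Python parser that condenses PIX ISAKMP debug output like the log above into one record per offered transform, and pulls out the NAT-D mismatch and the "reserved not zero" payload numbers. The function names are hypothetical, the sample is a shortened excerpt of the posted log, and the payload-type names come from RFC 2408.

```python
import re

# ISAKMP payload type numbers (RFC 2408, section 3.1)
PAYLOAD_NAMES = {5: "Identification", 8: "Hash"}

# Shortened excerpt of the PIX debug output quoted in the post above.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth... What? 64221?
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0:0): NAT does not match HIS hash
ISAKMP: reserved not zero on payload 5!
ISAKMP: reserved not zero on payload 8!
"""

def parse_transforms(log):
    """Return one dict per offered transform, with the PIX verdict if logged."""
    out = []
    for line in log.splitlines():
        line = line.strip()
        if m := re.search(r"Checking ISAKMP transform (\d+) against priority (\d+)", line):
            out.append({"transform": int(m[1]), "priority": int(m[2]), "accepted": None})
        elif not out:
            continue  # attribute lines before any transform header are ignored
        elif m := re.match(r"ISAKMP: (?:extended )?(encryption|hash|auth) (.+)", line):
            out[-1][m[1]] = m[2]
        elif m := re.match(r"ISAKMP: auth\.\.\. What\? (\d+)\?", line):
            out[-1]["auth"] = f"unrecognised ({m[1]})"  # value the PIX could not name
        elif m := re.search(r"life duration \(VPI\) of ((?:0x[0-9a-f]+ ?)+)", line):
            out[-1]["lifetime_s"] = int.from_bytes(bytes(int(b, 16) for b in m[1].split()), "big")
        elif "atts are not acceptable" in line:
            out[-1]["accepted"] = False
    return out

def flagged_payloads(log):
    # Payload types the PIX reported as "reserved not zero", by RFC 2408 name
    return [PAYLOAD_NAMES.get(int(n), n) for n in re.findall(r"reserved not zero on payload (\d+)", log)]

def nat_detected(log):
    return "NAT does not match HIS hash" in log
```

The decoded lifetime, 28800 seconds, is the same value the NCP client log reports for phase 1. Payload 5 (Identification) is carried in the encrypted fifth main-mode message, so non-zero reserved bits there usually mean the receiver decrypted it with a different key than the sender used, which makes the pre-shared key on both ends the first thing to compare.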