VPN cisco Client to PIX

Discussion in 'Cisco' started by Neo, Dec 26, 2003.

  1. Neo

    Neo Guest

    Hi to all
    I have a question on PIX Firewall
    when I try to connect with my Cisco VPN client 4.0.3 (c)
    to my PIX 525
    with these settings for VPN

    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto dynamic-map PIPPO 10 set transform-set strong
    crypto map PIPPO-crypto 65535 ipsec-isakmp dynamic PIPPO
    crypto map PIPPO-crypto client authentication AuthClient
    crypto map PIPPO-crypto interface outside
    isakmp enable outside
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    If I watch the debug on my PIX I see that there are 9 checks to match the
    ISAKMP policy

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy

    at the end it's all right

    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4

    I want to know if this is normal or not

    Thanks to everyone

    Excuse me for my bad English
     
    Neo, Dec 26, 2003
    #1

  2. Neo

    Rik Bain Guest

    On Fri, 26 Dec 2003 13:27:43 -0600, Neo wrote:

    > Hi to all
    > I have a question on PIX Firewall
    > when I try to connect with my Cisco VPN client 4.0.3 (c) to my PIX 525
    > with these settings for VPN
    >
    > crypto ipsec transform-set strong esp-3des esp-md5-hmac
    > crypto dynamic-map PIPPO 10 set transform-set strong
    > crypto map PIPPO-crypto 65535 ipsec-isakmp dynamic PIPPO
    > crypto map PIPPO-crypto client authentication AuthClient
    > crypto map PIPPO-crypto interface outside
    > isakmp enable outside
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash md5
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    >
    > If I watch the debug on my PIX I see that there are 9 checks to match the
    > ISAKMP policy
    >
    > ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    > ISAKMP: encryption... What? 7?
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: attribute 3584
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    > ISAKMP: encryption... What? 7?
    > ISAKMP: hash MD5
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: attribute 3584
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    > ISAKMP: encryption... What? 7?
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    > ISAKMP: attribute 3584
    > ISAKMP (0): atts are not acceptable. Next payload is 3
    > ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    >
    > at the end it's all right
    >
    > ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    > ISAKMP: encryption 3DES-CBC
    > ISAKMP: hash SHA
    > ISAKMP: default group 2
    > ISAKMP: extended auth pre-share
    > ISAKMP: life type in seconds
    > ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
    >
    > I want to know if this is normal or not
    >
    > Thanks to everyone
    >
    > Excuse me for my bad English



    That's fine. The PIX will check the proposed policy against its
    configured policies until it finds a match.
     
    Rik Bain, Dec 27, 2003
    #2

  3. In article <PY%Gb.10700$>,
    Neo <> wrote:
    :I have a question on PIX Firewall
    :when I try to connect with my Cisco VPN client 4.0.3 (c)
    :to my PIX 525

    :crypto ipsec transform-set strong esp-3des esp-md5-hmac

    :If I watch the debug on my PIX I see that there are 9 checks to match the
    :ISAKMP policy

    :ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    :ISAKMP: encryption... What? 7?

    "encryption... What? 7?" is generated when the VPN client
    attempts to ask for AES encryption. Your 525 has not been upgraded
    to PIX 6.3 and so does not have AES support. This is a normal
    message for this situation, but if you want to get rid of it,
    then upgrade to 6.3(3).
    --
    I've been working on a kernel
    All the livelong night.
    I've been working on a kernel
    And it still won't work quite right. -- J. Benson & J. Doll
     
    Walter Roberson, Dec 27, 2003
    #3
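
To make the two replies concrete, the following added example (not code from any poster in this thread) groups PIX ISAKMP debug lines by proposed transform and names the cipher behind a "What? N?" line. The ID-to-name table is taken from the IANA IKEv1 registry, where 7 is AES-CBC; the sample input is an abridged copy of the debug output in the first post, and the function names are hypothetical.

```python
import re

# IKEv1 encryption algorithm IDs from the IANA IPsec registry (AES-CBC = 7 per RFC 3602).
IKEV1_ENCRYPTION = {1: "DES-CBC", 2: "IDEA-CBC", 3: "Blowfish-CBC",
                    4: "RC5-R16-B64-CBC", 5: "3DES-CBC", 6: "CAST-CBC", 7: "AES-CBC"}

# Debug lines copied from the first post, abridged (transforms 1, 2 and 9 only).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
"""

START = re.compile(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy")
UNKNOWN_ENC = re.compile(r"ISAKMP:\s+encryption\.\.\. What\? (\d+)\?")
FIELD = re.compile(r"ISAKMP:\s+(encryption|hash|default group|extended auth|auth)\s+(\S+)")

def parse_transforms(text):
    """Group debug lines per proposed transform and decode unrecognised cipher IDs."""
    transforms, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := START.match(line):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "rejected": False}
            transforms.append(cur)
        elif cur is None:
            continue  # output before the first transform header
        elif m := UNKNOWN_ENC.match(line):
            # The firewall printed a raw ID it does not implement; name it from the registry.
            cur["unknown_encryption_id"] = int(m[1])
            cur["encryption"] = IKEV1_ENCRYPTION.get(int(m[1]), "unassigned/unknown")
        elif m := FIELD.match(line):
            cur[m[1]] = m[2]
        elif "atts are not acceptable" in line:
            cur["rejected"] = True  # stays False when the excerpt has no rejection line
    return transforms

def unsupported_ciphers(transforms):
    """Return {cipher name: [transform numbers]} for proposals the device could not decode."""
    out = {}
    for t in transforms:
        if "unknown_encryption_id" in t:
            out.setdefault(t["encryption"], []).append(t["transform"])
    return out
```

Running `unsupported_ciphers(parse_transforms(...))` over a full debug capture shows at a glance which client proposals the firewall skipped only because its software does not implement the cipher.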