Can't configure VPN client in PIX

Hi gents, I have a problem with my pix, it has vpn tunnels
configured, and I'm trying to configure a vpn client, I've done this in
other pix without any problem , but it seems I forgot something and
here it doesn't work.

I creat a vpn pool , to the vpn group, then I put the address of the
pool in my NAT access-list , and create an access-list to the vpn group
so it can access my network, I had some problems with isakmp because I
don't have 3des encryptation , is it really necesary?

Please take a look to my config because I've been fighting 3 days with
this and I'm starting to lose my nerve.

thanks and regards.



isakmp policy 21 is superceded by identical policy 20
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixvalencia
domain-name valdisme.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0
255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0
255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0
255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0
255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0
255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0
255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0
255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0
255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0
255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0
255.255.255.0
access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0
255.255.255.0
access-list remote_castellon_acl permit ip 192.168.1.0 255.255.255.0
192.168.5.0 255.255.255.0
access-list remote_castellon_acl permit icmp 192.168.1.0 255.255.255.0
192.168.5.0 255.255.255.0
access-list remote_alicante_acl permit ip 192.168.1.0 255.255.255.0
192.168.3.0 255.255.255.0
access-list remote_alicante_acl permit icmp 192.168.1.0 255.255.255.0
192.168.3.0 255.255.255.0
access-list remote_benidorm_acl permit ip 192.168.1.0 255.255.255.0
192.168.6.0 255.255.255.0
access-list remote_benidorm_acl permit icmp 192.168.1.0 255.255.255.0
192.168.6.0 255.255.255.0
access-list remote_murcia_acl permit ip 192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
access-list remote_murcia_acl permit icmp 192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
access-list remote_madrid_acl permit ip 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
access-list remote_madrid_acl permit icmp 192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
access-list tst_vpndecom_split_tunnel_acl permit ip 192.168.1.0
255.255.255.0 any
access-list red_interna permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 192.168.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndecom_pool 172.16.1.1
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.20.20 255.255.255.255 intf2
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 192.168.6.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 intf2
pdm location 192.168.3.0 255.255.255.0 intf2
pdm location 192.168.4.0 255.255.255.0 intf2
pdm location 192.168.5.0 255.255.255.0 intf2
pdm location 192.168.6.0 255.255.255.0 intf2
pdm location 192.168.1.26 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225
1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_castellon_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_alicante_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_benidorm_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_murcia_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_madrid_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255
no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255
no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255
no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255
no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255
no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndecom address-pool vpndecom_pool
vpngroup vpndecom dns-server 192.168.1.15
vpngroup vpndecom default-domain decom.es
vpngroup vpndecom split-tunnel tst_vpndecom_split_tunnel_acl
vpngroup vpndecom idle-time 1800
vpngroup vpndecom password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.100-192.168.1.250 inside
dhcpd dns 192.168.1.15 192.168.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain valdisme.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:85a4d85fae585f6cc1d481ec8e15524b
: end
pixvalencia(config)#

 

I could be wrong, but I don't think you can have des in your transform set
if you don't have 3DES enabled on the Pix. Anyone else?

 

3DES is not necessary for VPNs.

I notice, though, that your isakmp policy 20 uses DES SHA for RSA
signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA:
for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share not
RSA Signatures.

As a security note: you don't really want ICMP Redirect to be
let through, as an attacker can use it to phish for information.
Allow icmp unreachable, icmp time-exceeded, and possibly icmp echo-reply .

icmp is part of ip so this line is redundant. This same thing
occurs a number of times in your configuration.

192.168.1.0 is part of 'any' so this line is redundant.

icmp redundancy again.

All of your isakmp are host specific, which suggests that you
are indeed counting on RSA for authenticating your VPN clients,
but as indicated above you have the DES / SHA conflict for that.

When you have VPN clients that might have a connection dropped
and might come back in with a different IP, then identity hostname
is preferred to identity address: otherwise when the client reconnects
then the old crypto SAs will not be automatically deleted (because
the address the client sends the second time does not match the
address sent the first time.)

 

No, that is not correct. DES is enabled even if you do not have the
3DES license.

 

Thanks the person who managed this before me is not working with us any
more so any comment is helpfull for me.

about
// notice, though, that your isakmp policy 20 uses DES SHA for RSA
//signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA:
//for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share
not
//RSA Signatures.
The pix is quite new, so may be it doesn't support DES RSA.

so you consider that some thing like :
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

Could do ?
Thanks I don't have access tonight to the pix but I want to solve this
in a propper way knowing why I'm wrong.

 

//crypto map newmap 20 ipsec-isakmp
//crypto map newmap 20 match address remote_madrid_acl
//crypto map newmap 20 set peer 80.38.105.29
//crypto map newmap 20 set transform-set myset
//crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
//crypto map outside_map interface outside

You have multiple crypto maps set to the same interface.

Try:
crypto map newmap 99 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside

Unless you have certificates in place and know they work, try preshared
keys for your group authentication to troubleshoot. Your group name
set in your VPN client groupname shoule be <vpndecom> and whatever
password you're using. Do the L2L tunnels work okay? Keep your ISAKMP
POLICY 10 for now.

If you need more help, try adding the VPN Client log info from your
client, LOG -> LOG WINDOW and debug information from your PIX. The
command DEBUG CRYPTO ISAKMP will indicate if the policies match and
which ones they match on. Good luck!

 

The tunnel using crypto map newmap 20, works, the thing iI'm not sure
is the :

isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

When I open the log in the client nothing comes but I'll try with the
debug crypto isakmp. and preshared keys

Thanks! I'll tell you if this works

 

Thanks a lot, it was because or the two crypto maps in the same
interface!!!

Now it joins , and i can see it with show crypto isakmp sa

but there's a problem, neither terminal server or ssh work

here is my current config , none of both vpngroups can terminal server
or nothing.

access-list split_tunnel_ac permit ip 192.168.1.0 255.255.255.0
172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit icmp 192.168.1.0 255.255.255.0
172.16.1.0 255.255.255.0

access-list vldsm_tunnel_ac permit ip 192.168.1.0 255.255.255.0 any
access-list vldsm_tunnel_ac permit icmp 192.168.1.0 255.255.255.0 any

ip local pool vpndkm_pool 172.16.1.1
ip local pool vldsm_pool 192.168.1.60

route outside 204.78.15.29 255.255.255.255 10.200.100.190 1
route outside 205.224.156.90 255.255.255.255 10.200.100.190 1

crypto dynamic-map dynmap 30 set transform-set myset
......
crypto map newmap 21 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside


vpngroup vpndecom address-pool vpndecom_pool
vpngroup vpndkm dns-server 192.168.1.15
vpngroup vpndkm default-domain valdisme.net
vpngroup vpndkm split-tunnel split_tunnel_ac
vpngroup vpndkm idle-time 1800
vpngroup vpndkm password ********
vpngroup vldsm address-pool vldsm_pool
vpngroup vldsm split-tunnel vldsm_tunnel_ac
vpngroup vldsm idle-time 1800
vpngroup vldsm password ********