pix 501 remote access vpn problem

Discussion in 'Cisco' started by Benjamin, May 13, 2007.

  1. Benjamin

    Benjamin Guest

    I'm trying to setup remote access VPN for my pix 501, version 6.2(2). The
    client I use is a cisco vpn client version 5.0.00.0340. When I've setup the
    client with a new connection and the corresponding group authentication, it
    fails to connect.

    I've tried changing and playing a lot with the config parameters but have
    not succeeded yet in finding the solution.

    Here is my config:
    PIX Version 6.2(2)
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password YrkJu97KuVj3vyCG encrypted
    passwd YrkJu97KuVj3vyCG encrypted
    hostname pix
    domain-name test.be
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol sip 5060
    fixup protocol skinny 2000
    names
    access-list NO_INSIDE_OUT permit icmp any any
    access-list NO_INSIDE_OUT permit tcp any any
    access-list NO_INSIDE_OUT permit udp any any
    access-list NO_INSIDE_OUT permit ip any any
    access-list NO_OUTSIDE_IN permit icmp any any
    access-list NO_OUTSIDE_IN permit udp any any
    access-list NO_OUTSIDE_IN permit ip any any
    access-list NO_OUTSIDE_IN permit tcp any any eq https
    access-list NO_OUTSIDE_IN permit tcp any any eq ssh
    access-list NO_OUTSIDE_IN permit tcp any any eq pptp
    access-list NO_OUTSIDE_IN permit tcp any any
    access-list vpn permit ip 192.168.10.0 255.255.255.0 any
    pager lines 24
    logging console debugging
    logging monitor debugging
    logging buffered debugging
    interface ethernet0 10baset
    interface ethernet1 10full
    mtu outside 1500
    mtu inside 1500
    ip address outside pppoe setroute
    ip address inside 192.168.0.254 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool vpnpool1 192.168.0.150-192.168.0.199
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    static (inside,outside) tcp interface https 192.168.0.253 https netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
    access-group NO_OUTSIDE_IN in interface outside
    access-group NO_INSIDE_OUT in interface inside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server partnerauth protocol tacacs+
    http server enable
    http 192.168.10.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    no sysopt route dnat
    crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
    crypto dynamic-map map2 10 set transform-set trmset1
    crypto map map1 10 ipsec-isakmp dynamic map2
    crypto map map1 interface outside
    isakmp enable outside
    isakmp key ******** address 192.168.10.0 netmask 255.255.255.0
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    vpngroup homeworkers address-pool vpnpool1
    vpngroup homeworkers dns-server 192.168.0.253
    vpngroup homeworkers wins-server 192.168.0.253
    vpngroup homeworkers default-domain huisartsendestelbergen.be
    vpngroup homeworkers split-tunnel NO_OUTSIDE_IN
    vpngroup homeworkers idle-time 1800
    vpngroup homeworkers password ********
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 5
    vpdn group skynet request dialout pppoe
    vpdn group skynet localname *SNIP*
    vpdn group skynet ppp authentication chap
    vpdn group 1 client configuration address local vpnpool1
    vpdn group 1 client authentication local
    vpdn username *SNIP* password *********
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    vpnclient vpngroup homeworkers password ********
    terminal width 80
    Cryptochecksum:49de3e558bda6353b0d5c90cc5d86521
    : end



    When I run 'debug crypto isakmp' , I get:

    crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
    VPN Peer: ISAKMP: Added new peer: ip:CLIENT_IP Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:1 Total VPN Peers:1
    OAK_AG exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption... What? 7?
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: attribute 3584
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
    crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
    crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
    crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
    ISAKMP (0): retransmitting phase 1...
    ISADB: reaper checking SA 0x80c25030, conn_id = 0
    ISAKMP (0): retransmitting phase 1...
    ISAKMP (0): deleting SA: src CLIENT_IP, dst SERVER_IP
    ISADB: reaper checking SA 0x80c25030, conn_id = 0 DELETE IT!


    For the moment I have no idea what is wrong. Can someone tell me what is
    wrong in my config?
    Thanks in advance!

    Ben
     
    Benjamin, May 13, 2007
    #1

  2. Hmmm, that's kind of old, and there were free security upgrades for
    that version.

    ip includes icmp and tcp and udp, so most of that ACL is redundant.

    ip includes icmp and udp, so the part above this statement is redundant.

    ip includes tcp, so the tcp parts of this ACL will never be examined.

    Just as a point of interest: if you were able to upgrade to PIX 6.3,
    you would get 100 Mbit ability on the inside interface.

    Always set your vpn pool addresses to be -outside- your current network,
    so that packets addressed to the vpn clients would head towards the
    outside interface, intercepted and encapsulated into the VPN at the
    last minute. When your vpn addresses are in the same network as your
    inside network, you have to rely upon the PIX proxy-arping for those
    IPs, which it is unreliable at.

    There you re-use the access-list NO_OUTSIDE_IN, having used it
    once in the access-group statement, and here a second time in split-tunnel.
    Never re-use an access-list: the PIX manipulates the access-lists
    internally to handle Adaptive Security, and the manipulation for
    that purpose is going to interfere with the usage for split-tunnel.

    In your case, you do not need the access-group applied to the inside
    interface, since you are allowing everything through.
    What is the purpose there of the vpdn group 1? Are you trying to
    use PPTP or L2TP connections to your PIX in addition to your
    VPN client connections (the configuration of which is handled by
    the 'vpngroup' commands) ?
    You haven't configured a vpnclient mode or server, and haven't configured
    vpnclient enable, so you aren't going to be able to use vpnclient .
    Are you trying to configure Easy VPN in addition to VPN client and
    PPTP/L2TP ??

    For your information, "encryption... What? 7?" is displayed when the
    client attempts to connect with AES, which is not a known encryption
    for 6.2.
    Your debug output does not correspond to the configuration you have
    shown. Your priority 10 ISAKMP policy is DES MD5 Group 2; this debug
    output is for 3DES SHA Group 2. This is the last ISAKMP transform
    output group in your log; on the other hand, the "atts are acceptable"
    log entry is not present, indicating that something went missing.
     
    Walter Roberson, May 13, 2007
    #2
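    The transform-by-transform rejection Walter describes (encryption id 7 being AES, which 6.2 cannot name, and 3DES/SHA being offered against a DES/MD5 policy) can be checked mechanically. The following is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the debug output above against isakmp policy 10 and lists why each transform draws "atts are not acceptable". The encryption-id table is an assumption taken from the IANA IKEv1 attribute registry.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output quoted above.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
"""

# IKEv1 phase-1 encryption attribute ids (assumed from the IANA registry).
# Id 7 is AES-CBC, which PIX 6.2 has no name for, hence "What? 7?".
IKE_ENC_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

# 'isakmp policy 10' exactly as posted: des / md5 / group 2 / pre-share.
POLICY_10 = {"encryption": "DES-CBC", "hash": "MD5", "group": "2", "auth": "pre-share"}

HEADER = re.compile(r"^ISAKMP \(\d+\): Checking ISAKMP transform (\d+)")
UNKNOWN_ENC = re.compile(r"^ISAKMP: encryption\.\.\. What\? (\d+)\?$")
ATTR = re.compile(r"^ISAKMP: (?:default |extended )?(encryption|hash|group|auth) (\S+)$")

def parse_transforms(debug_text):
    # One dict per "Checking ISAKMP transform N" block in the debug.
    transforms, cur = [], None
    for line in debug_text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"id": int(m.group(1)), "unsupported": False}
            transforms.append(cur)
        elif cur and (m := UNKNOWN_ENC.match(line)):  # cipher id the PIX could not decode
            cur["encryption"] = IKE_ENC_IDS.get(int(m.group(1)), "unknown")
            cur["unsupported"] = True
        elif cur and (m := ATTR.match(line)):
            cur[m.group(1)] = m.group(2)
    return transforms

def explain_mismatch(transform, policy=POLICY_10):
    # Every reason the PIX would log "atts are not acceptable" for this transform.
    reasons = []
    if transform["unsupported"]:
        reasons.append("cipher %s is unknown to this PIX release" % transform["encryption"])
    for field in ("encryption", "hash", "group", "auth"):
        if transform.get(field) != policy[field]:
            reasons.append("%s: client %s vs policy %s" % (field, transform.get(field), policy[field]))
    return reasons
```

    An empty list from explain_mismatch is the case where the debug would instead print "atts are acceptable", which, as noted above, never appears in Ben's log.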

  3. Benjamin

    Benjamin Guest

    Walter, first of all, thanks a lot for the fast reply.

    Ok, I've removed the ip section. I've got to tune it further as I want to
    let everything open for testing now.

    That's very interesting indeed. I wonder if 6.3 also supports AES?
    The next question of course is HOW to get the upgrade if it is free.
    I've registered at cisco but was not able to find an upgrade yet.

    I was experimenting, but I see now that I don't need this so I've excluded
    it from the config.

    Is it possible to force the client to use DES or 3DES, or do I need an older
    client?

    I'll try making a test soon, with an older client or an upgraded pix.
     
    Benjamin, May 13, 2007
    #3
  4. Yes it does, provided you have the 3DES license (it's the same key.)
    You'd have to work the security updates the right way. If I recall
    correctly, somewhere around the update from 6.3(3) to 6.3(4), they
    indicated that for 6.2 the fix was to upgrade to 6.3; if my memory is
    correct and you could find that one security advisory, you could
    possibly use it to argue with Cisco that you were entitled to a
    free upgrade from 6.2 to 6.3. Once at 6.3, you'd be entitled to free
    upgrades to 6.3(5)114 (I think the current one is.) This is provided that
    you are the registered owner of the device: if you aren't the registered
    owner of the device, Cisco would want you to "relicense" the device.
    I believe it is possible to force the client to use DES or 3DES, but
    the instructions for this were always unclear.
     
    Walter Roberson, May 14, 2007
    #4