Can't configure VPN client in PIX

Hi gents, I have a problem with my pix: it has VPN tunnels configured, and I'm trying to configure a VPN client. I've done this on other PIXes without any problem, but it seems I forgot something and here it doesn't work.

I create a VPN pool for the VPN group, then I put the address of the pool in my NAT access-list and create an access-list for the VPN group so it can access my network. I had some problems with isakmp because I don't have 3DES encryption; is it really necessary?

Please take a look at my config, because I've been fighting with this for 3 days and I'm starting to lose my nerve.

Thanks and regards.

isakmp policy 21 is superceded by identical policy 20
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password ZlGq2vBPmW8hXSpI encrypted
passwd ZlGq2vBPmW8hXSpI encrypted
hostname pixvalencia
domain-name valdisme.net
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list remote_castellon_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list remote_castellon_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list remote_alicante_acl permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list remote_alicante_acl permit icmp 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list remote_benidorm_acl permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list remote_benidorm_acl permit icmp 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list remote_murcia_acl permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list remote_murcia_acl permit icmp 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list remote_madrid_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list remote_madrid_acl permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list tst_vpndecom_split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any
access-list red_interna permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging timestamp
logging trap debugging
logging host inside 192.168.1.26
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 10.200.100.253 255.255.0.0
ip address inside 192.168.1.1 255.255.255.0
ip address intf2 192.168.20.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpndecom_pool 172.16.1.1
pdm location 0.0.0.0 0.0.0.0 outside
pdm location 192.168.20.0 255.255.255.0 inside
pdm location 10.200.0.0 255.255.0.0 inside
pdm location 192.168.1.50 255.255.255.255 inside
pdm location 192.168.20.20 255.255.255.255 intf2
pdm location 192.168.5.0 255.255.255.0 outside
pdm location 80.38.105.29 255.255.255.255 outside
pdm location 192.168.2.0 255.255.255.0 outside
pdm location 192.168.3.0 255.255.255.0 outside
pdm location 192.168.4.0 255.255.255.0 outside
pdm location 192.168.6.0 255.255.255.0 outside
pdm location 192.168.2.0 255.255.255.0 intf2
pdm location 192.168.3.0 255.255.255.0 intf2
pdm location 192.168.4.0 255.255.255.0 intf2
pdm location 192.168.5.0 255.255.255.0 intf2
pdm location 192.168.6.0 255.255.255.0 intf2
pdm location 192.168.1.26 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (intf2) 1 interface
nat (inside) 0 access-list nonat_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.200.100.250 1
route outside 80.38.105.29 255.255.255.255 10.200.100.190 1
timeout xlate 3:00:00
timeout conn 2:00:00 half-closed 0:10:00 udp 2:00:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 2:00:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.200.0.0 255.255.0.0 outside
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 intf2
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address remote_castellon_acl
crypto map newmap 10 set peer 10.201.100.253
crypto map newmap 10 set transform-set myset
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address remote_alicante_acl
crypto map newmap 11 set peer 10.202.100.253
crypto map newmap 11 set transform-set myset
crypto map newmap 12 ipsec-isakmp
crypto map newmap 12 match address remote_benidorm_acl
crypto map newmap 12 set peer 10.205.100.253
crypto map newmap 12 set transform-set myset
crypto map newmap 13 ipsec-isakmp
crypto map newmap 13 match address remote_murcia_acl
crypto map newmap 13 set peer 10.203.100.253
crypto map newmap 13 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address remote_madrid_acl
crypto map newmap 20 set peer 80.38.105.29
crypto map newmap 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 80.38.105.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.201.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.203.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.202.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 10.205.100.253 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup vpndecom address-pool vpndecom_pool
vpngroup vpndecom dns-server 192.168.1.15
vpngroup vpndecom default-domain decom.es
vpngroup vpndecom split-tunnel tst_vpndecom_split_tunnel_acl
vpngroup vpndecom idle-time 1800
vpngroup vpndecom password ********
telnet timeout 5
ssh 10.200.0.0 255.255.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 intf2
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.100-192.168.1.250 inside
dhcpd dns 192.168.1.15 192.168.1.16
dhcpd lease 1048575
dhcpd ping_timeout 750
dhcpd domain valdisme.net
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:85a4d85fae585f6cc1d481ec8e15524b
: end
pixvalencia(config)#
Reply to
Sako

Reply to
Thomas Miller

3DES is not necessary for VPNs.

I notice, though, that your isakmp policy 20 uses DES SHA for RSA signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA: for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share not RSA Signatures.

As a security note: you don't really want ICMP Redirect to be let through, as an attacker can use it to phish for information. Allow icmp unreachable, icmp time-exceeded, and possibly icmp echo-reply.

icmp is part of ip so this line is redundant. This same thing occurs a number of times in your configuration.

192.168.1.0 is part of 'any' so this line is redundant.

icmp redundancy again.

All of your isakmp are host specific, which suggests that you are indeed counting on RSA for authenticating your VPN clients, but as indicated above you have the DES / SHA conflict for that.

When you have VPN clients that might have a connection dropped and might come back in with a different IP, then identity hostname is preferred to identity address: otherwise when the client reconnects then the old crypto SAs will not be automatically deleted (because the address the client sends the second time does not match the address sent the first time.)

Reply to
Walter Roberson

No, that is not correct. DES is enabled even if you do not have the 3DES license.
Reply to
Walter Roberson

Thanks. The person who managed this before me is not working with us any more, so any comment is helpful for me.

About:

// I notice, though, that your isakmp policy 20 uses DES SHA for RSA
// signatures. Somewhere in PIX 6.3, Cisco stopped supporting DES SHA:
// for DES you need MD5. Your policy 10 is DES MD5 but it is pre-share not
// RSA Signatures.

The pix is quite new, so maybe it doesn't support DES RSA.

So you consider that something like:

isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

could do? Thanks. I don't have access to the pix tonight, but I want to solve this in a proper way, knowing why I'm wrong.

Reply to
Sako

// crypto map newmap 20 ipsec-isakmp
// crypto map newmap 20 match address remote_madrid_acl
// crypto map newmap 20 set peer 80.38.105.29
// crypto map newmap 20 set transform-set myset
// crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
// crypto map outside_map interface outside

You have multiple crypto maps set to the same interface.

Try:

crypto map newmap 99 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside

Unless you have certificates in place and know they work, try preshared keys for your group authentication to troubleshoot. Your group name set in your VPN client groupname should be and whatever password you're using. Do the L2L tunnels work okay? Keep your ISAKMP POLICY 10 for now.

If you need more help, try adding the VPN Client log info from your client, LOG -> LOG WINDOW and debug information from your PIX. The command DEBUG CRYPTO ISAKMP will indicate if the policies match and which ones they match on. Good luck!

Reply to
DCS
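
A small config lint, added here as an illustration and not something posted in the thread, that checks a PIX 6.3 dump for the three problems raised above: ACL entries made redundant by an ip or any entry (Walter Roberson's point), a crypto map with entries that is not the one applied to the interface (DCS's point), and an rsa-sig policy using des with sha. The sample config is constructed from lines quoted in the thread; the lint and _endpoint names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample modelled on lines quoted in this thread, not the full posted config.
SAMPLE_CONFIG = """\
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat_acl permit ip any 172.16.1.0 255.255.255.0
access-list nonat_acl permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map newmap 20 ipsec-isakmp
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
"""

def _endpoint(tokens):
    # One ACE address spec: 'any' is a single token, otherwise 'ADDR MASK'.
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]

def lint(config):
    """Return findings for the three problems raised in the thread."""
    aces = defaultdict(list)          # acl name -> [(proto, src, dst)]
    entries, bound = set(), set()     # crypto map names with entries / applied to an interface
    policies = defaultdict(dict)      # isakmp policy number -> {attribute: value}
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:3] == ["permit"]:
            src, rest = _endpoint(t[4:])
            aces[t[1]].append((t[3], src, _endpoint(rest)[0]))
        elif t[:2] == ["crypto", "map"]:
            (bound if t[3] == "interface" else entries).add(t[2])
        elif t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            policies[t[2]][t[3]] = t[4]
    out = []
    for name, acl in aces.items():    # icmp is part of ip; a subnet is part of 'any'
        for proto, src, dst in acl:
            if proto == "icmp" and ("ip", src, dst) in acl:
                out.append(f"{name}: icmp {src} -> {dst} already covered by the ip entry")
            elif proto == "ip" and src != "any" and ("ip", "any", dst) in acl:
                out.append(f"{name}: {src} -> {dst} already covered by 'any'")
    for m in sorted(entries - bound):  # only one crypto map can be applied per interface
        out.append(f"crypto map {m} has entries but is not applied to any interface")
    for num, p in policies.items():
        if (p.get("authentication"), p.get("encryption"), p.get("hash")) == ("rsa-sig", "des", "sha"):
            out.append(f"isakmp policy {num}: rsa-sig with des/sha; the thread says des needs md5")
    return out
```

Run lint(SAMPLE_CONFIG) to see the four findings; feeding it the merged form DCS suggests (the dynamic entry added to newmap and newmap applied to outside) clears the crypto map finding.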

The tunnel using crypto map newmap 20 works; the thing I'm not sure about is the:

isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

When I open the log in the client nothing comes, but I'll try with debug crypto isakmp and preshared keys.

Thanks! I'll tell you if this works.

Reply to
Sako

Thanks a lot, it was because of the two crypto maps on the same interface!!!

Now it joins, and I can see it with show crypto isakmp sa,

but there's a problem: neither terminal server nor ssh works.

Here is my current config; neither of the two vpngroups can reach terminal server or anything else.

access-list split_tunnel_ac permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list split_tunnel_ac permit icmp 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

access-list vldsm_tunnel_ac permit ip 192.168.1.0 255.255.255.0 any
access-list vldsm_tunnel_ac permit icmp 192.168.1.0 255.255.255.0 any

ip local pool vpndkm_pool 172.16.1.1
ip local pool vldsm_pool 192.168.1.60

route outside 204.78.15.29 255.255.255.255 10.200.100.190 1
route outside 205.224.156.90 255.255.255.255 10.200.100.190 1

crypto dynamic-map dynmap 30 set transform-set myset
.....
crypto map newmap 21 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside

vpngroup vpndecom address-pool vpndecom_pool
vpngroup vpndkm dns-server 192.168.1.15
vpngroup vpndkm default-domain valdisme.net
vpngroup vpndkm split-tunnel split_tunnel_ac
vpngroup vpndkm idle-time 1800
vpngroup vpndkm password ********
vpngroup vldsm address-pool vldsm_pool
vpngroup vldsm split-tunnel vldsm_tunnel_ac
vpngroup vldsm idle-time 1800
vpngroup vldsm password ********

Reply to
Sako

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.