Hi -
I'm running a 515 with the 6.3.3 code. I am trying to get the Cisco IPSec client connected to the PIX. I've followed the instructions on Cisco's site, and had this working, but after a recent change it just won't finish the ISAKMP negotiation.
I also have PPTP enabled to the PIX, which is working fine (so I know there's no RADIUS/auth problem).
Client side logs show:
18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_WE_FAILED_AUTH"
24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys

============================
Sanitized PIX config is below:
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0
fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********
vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
=================
Any help appreciated. Thanks.
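The client log quoted in the post is in the Cisco VPN Client's fixed "sequence, time, date, Sev=, MODULE/code, message" format, which makes it easy to parse rather than eyeball when a connection drops repeatedly. The following is an added example, not code from the original post or from Cisco: it parses a constructed copy of the quoted lines (with a documentation placeholder in place of the gateway address), pulls out the "Unable to establish Phase 1 SA" event, and attaches the ISAKMP cookies from the preceding IKE SA deletion so the failed exchange can be matched against the gateway's own ISAKMP debug output. The triage hint table is this example's own general troubleshooting note, not a diagnosis stated by the post; the `parse_log` and `find_phase1_failures` names are the example's choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the Cisco VPN Client lines quoted in the post.
# The peer address 192.0.2.1 is a documentation placeholder, not a real gateway.
SAMPLE_LOG = """\
18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 192.0.2.1
20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 192.0.2.1
22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "192.0.2.1" because of "DEL_REASON_WE_FAILED_AUTH"
24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
"""

# One log line: sequence, time, date, severity, MODULE/hex-code, free-text message.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+/\d)\s+(?P<module>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)\s+(?P<msg>.*)$"
)
COOKIE_RE = re.compile(r"I_Cookie=(?P<i>[0-9A-F]+)\s+R_Cookie=(?P<r>[0-9A-F]+)")
PHASE1_FAIL_RE = re.compile(
    r'Unable to establish Phase 1 SA with server "(?P<peer>[^"]+)" because of "(?P<reason>[^"]+)"'
)

# Triage notes are this example's own general guidance (assumption), not text from the post.
TRIAGE_HINTS: Dict[str, str] = {
    "DEL_REASON_WE_FAILED_AUTH": (
        "the client rejected the gateway during Phase 1 authentication; compare the group "
        "name and group pre-shared key in the client profile with the gateway before looking "
        "at user (XAUTH) credentials, which are only exchanged once Phase 1 has succeeded"
    ),
}


@dataclass
class Entry:
    seq: int
    time: str
    date: str
    severity: str
    module: str
    code: str
    message: str


@dataclass
class Phase1Failure:
    seq: int
    peer: str
    reason: str
    initiator_cookie: Optional[str]
    responder_cookie: Optional[str]
    hint: str


def parse_log(text: str) -> List[Entry]:
    """Parse Cisco VPN Client log text into structured entries. Lines that do not match
    the format (wrapped continuation lines from a copy-paste, separators) are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(int(m["seq"]), m["time"], m["date"], m["sev"],
                                 m["module"], m["code"], m["msg"]))
    return entries


def find_phase1_failures(entries: List[Entry]) -> List[Phase1Failure]:
    """Report each CM 'Unable to establish Phase 1 SA' event, carrying the ISAKMP cookies
    from the most recent IKE SA deletion so it can be matched on the gateway side."""
    failures: List[Phase1Failure] = []
    last_cookies: Optional[Tuple[str, str]] = None
    for e in entries:
        if e.module == "IKE":
            c = COOKIE_RE.search(e.message)
            if c and "reason = " in e.message:
                last_cookies = (c["i"], c["r"])
        m = PHASE1_FAIL_RE.search(e.message)
        if m:
            reason = m["reason"]
            failures.append(Phase1Failure(
                seq=e.seq, peer=m["peer"], reason=reason,
                initiator_cookie=last_cookies[0] if last_cookies else None,
                responder_cookie=last_cookies[1] if last_cookies else None,
                hint=TRIAGE_HINTS.get(reason, "no triage note for this reason code"),
            ))
    return failures


if __name__ == "__main__":
    for f in find_phase1_failures(parse_log(SAMPLE_LOG)):
        print(f"seq {f.seq}: Phase 1 to {f.peer} failed ({f.reason}); "
              f"I_Cookie={f.initiator_cookie} R_Cookie={f.responder_cookie}")
        print(f"  hint: {f.hint}")
```

Feeding the client's real log file to `parse_log` instead of the constructed sample gives one `Phase1Failure` per failed attempt; the cookie pair is what to look for in the PIX's ISAKMP debugging to see which side rejected the exchange.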