Hi guys,
I have configured Client VPN with the following configuration:
PIX501(config)# wr term
Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password A2T0eYk/M7TyzGXX encrypted
passwd A2T0eYk/M7TyzGXX encrypted
domain-name ins-sa.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any time-exceeded
access-list 102 permit ip 172.16.32.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 172.16.32.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 172.16.10.100-172.16.10.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 10.10.10.0 255.255.255.0 0 0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.32.254 1
route inside 192.168.0.0 255.255.255.0 172.16.32.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set insset esp-des esp-md5-hmac
crypto dynamic-map insmap 10 set transform-set insset
crypto map mymap 10 ipsec-isakmp dynamic insmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup INSVPN address-pool VPNPOOL
vpngroup INSVPN dns-server 4.2.2.2 63.203.35.55
vpngroup INSVPN default-domain ins-sa.com
vpngroup INSVPN idle-time 2800
vpngroup INSVPN password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 172.16.32.254 255.255.255.255 inside
ssh timeout 30
vpdn group ISP request dialout pppoe
vpdn group ISP localname snipped-for-privacy@512.awalnet.net.sa
vpdn group ISP ppp authentication pap
vpdn username ************************** password ********* store-local
username **************** password ****************
terminal width 80
: end
[OK]
I received the following debug:
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Added new peer: ip:77.30.202.109 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP:      attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): retransmitting phase 1...
INS-Riyadh-PIX(config)#
INS-Riyadh-PIX(config)# ISAKMP (0): deleting SA: src 77.30.202.109, dst 86.60.106.180
ISADB: reaper checking SA 0x80a8f2a8, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:77.30.202.109 Ref cnt decremented to:0 Total VPN Peers:1
Your support is highly appreciated.
Regards, Andy
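The debug output above is a phase 1 proposal mismatch: the PIX walks each transform the client proposes against its single policy (priority 10: des, md5, group 2, pre-share) and rejects every one, with the first eight carrying an encryption id (7) that this PIX release does not recognise and the ninth offering 3DES-CBC with SHA. The following script, added here as an example and not part of Andy's post, parses the `isakmp policy` lines of a PIX configuration and the `debug crypto isakmp` transform blocks, and reports per transform and per policy why they cannot agree. It generalises to any number of configured policies. Assumptions: the PIX 6.2 debug line format seen in the post; encryption id 7 named as AES-CBC from the IANA IKEv1 attribute registry; a `pre-share` policy treated as covering both plain and XAUTH (`extended auth`) pre-shared proposals; and the constructed excerpts below, which copy two of the nine transforms from the post (1 and the truncated 9).

```python
"""Compare the transforms a VPN client proposes (from 'debug crypto isakmp')
with the PIX's configured 'isakmp policy' set, to show why phase 1 never agrees.
Added example, not from the original post; assumes the PIX 6.2 debug line format."""
import re
from dataclasses import dataclass

IKE_ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}         # IANA IKEv1 ids (RFC 2409)
POLICY_ENC = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC"}  # policy keyword -> debug name

@dataclass
class Transform:
    number: int
    encryption: str         # algorithm name, e.g. "3DES-CBC"
    encryption_known: bool  # False when the PIX printed "encryption... What? <id>?"
    hash: str               # "MD5" or "SHA"
    group: str              # DH group number
    xauth: bool             # True for "extended auth pre-share"
    verdict: str            # "accepted", "rejected" or "truncated" (debug cut off)

def parse_isakmp_policies(config: str) -> dict:
    """Collect 'isakmp policy <prio> <attr> <value>' lines into one dict per priority."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)", config, re.M):
        policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def parse_transforms(debug: str) -> list:
    """Split the debug stream at each 'Checking ISAKMP transform N' line and read
    the attribute lines that follow it, up to the PIX's verdict."""
    parts = re.split(r"ISAKMP \(0\): Checking ISAKMP transform (\d+) against", debug)
    out = []
    for i in range(1, len(parts), 2):       # parts = [prefix, n1, body1, n2, body2, ...]
        number, body = int(parts[i]), parts[i + 1]
        enc = re.search(r"encryption(?:\.\.\. What\? (\d+)\?| (\S+))", body)
        if enc is None:
            continue
        if enc.group(1):                    # id the PIX does not know: name it from the IANA table
            name, known = IKE_ENCRYPTION.get(int(enc.group(1)), "id " + enc.group(1)), False
        else:
            name, known = enc.group(2), True
        hsh = re.search(r"hash (\S+)", body)
        grp = re.search(r"default group (\d+)", body)
        auth = re.search(r"(extended auth|auth) pre-share", body)
        verdict = re.search(r"atts are (not )?acceptable", body)
        out.append(Transform(number, name, known,
                             hsh.group(1) if hsh else "?", grp.group(1) if grp else "?",
                             bool(auth and auth.group(1) == "extended auth"),
                             "truncated" if verdict is None else
                             "rejected" if verdict.group(1) else "accepted"))
    return out

def mismatches(policy: dict, t: Transform) -> list:
    """Why one proposal cannot match one policy; an empty list means it matches.
    Missing policy attributes take the PIX 6.x defaults (des, sha, group 1, rsa-sig)."""
    reasons = []
    want_enc = policy.get("encryption", "des")
    if not t.encryption_known:
        reasons.append(f"encryption {t.encryption} not supported by this PIX release")
    elif t.encryption != POLICY_ENC.get(want_enc, want_enc):
        reasons.append(f"encryption {t.encryption} != policy {want_enc}")
    if t.hash.lower() != policy.get("hash", "sha"):
        reasons.append(f"hash {t.hash} != policy {policy.get('hash', 'sha')}")
    if t.group != policy.get("group", "1"):
        reasons.append(f"group {t.group} != policy {policy.get('group', '1')}")
    # Assumption: a pre-share policy covers both plain and XAUTH pre-shared proposals,
    # XAUTH being layered on top of it via 'vpngroup' on PIX 6.x.
    if policy.get("authentication", "rsa-sig") != "pre-share":
        reasons.append("policy does not use pre-shared keys")
    return reasons

def evaluate(config: str, debug: str) -> dict:
    """{transform number: {policy priority: mismatch reasons}}"""
    policies = parse_isakmp_policies(config)
    return {t.number: {p: mismatches(policies[p], t) for p in sorted(policies)}
            for t in parse_transforms(debug)}

# Constructed samples: the policy lines from the post's config and two of the
# nine transforms from its debug output (1 and the truncated 9), one line each.
CONFIG_EXCERPT = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
DEBUG_EXCERPT = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
crypto_isakmp_process_block: src 77.30.202.109, dest 86.60.106.180
"""

if __name__ == "__main__":
    for number, per_policy in evaluate(CONFIG_EXCERPT, DEBUG_EXCERPT).items():
        for prio, reasons in per_policy.items():
            print(f"transform {number} vs policy {prio}: {'; '.join(reasons) or 'MATCH'}")
```

Run against the post's full debug, every transform comes back with at least one reason, which is exactly what "atts are not acceptable" nine times in a row means; adding a second `isakmp policy` whose encryption, hash and group line up with one of the client's proposals is the check this script lets you verify offline before touching the firewall.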