I'm trying to set up remote access VPN for my PIX 501, version 6.2(2). The client I use is the Cisco VPN Client version 5.0.00.0340. When I've set up the client with a new connection and the corresponding group authentication, it fails to connect.
I've tried changing and playing around with the config parameters a lot but have not yet succeeded in finding the solution.
Here is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YrkJu97KuVj3vyCG encrypted
passwd YrkJu97KuVj3vyCG encrypted
hostname pix
domain-name test.be
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list NO_INSIDE_OUT permit icmp any any
access-list NO_INSIDE_OUT permit tcp any any
access-list NO_INSIDE_OUT permit udp any any
access-list NO_INSIDE_OUT permit ip any any
access-list NO_OUTSIDE_IN permit icmp any any
access-list NO_OUTSIDE_IN permit udp any any
access-list NO_OUTSIDE_IN permit ip any any
access-list NO_OUTSIDE_IN permit tcp any any eq https
access-list NO_OUTSIDE_IN permit tcp any any eq ssh
access-list NO_OUTSIDE_IN permit tcp any any eq pptp
access-list NO_OUTSIDE_IN permit tcp any any
access-list vpn permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.0.150-192.168.0.199
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https 192.168.0.253 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
access-group NO_OUTSIDE_IN in interface outside
access-group NO_INSIDE_OUT in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol tacacs+
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 192.168.10.0 netmask 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup homeworkers address-pool vpnpool1
vpngroup homeworkers dns-server 192.168.0.253
vpngroup homeworkers wins-server 192.168.0.253
vpngroup homeworkers default-domain huisartsendestelbergen.be
vpngroup homeworkers split-tunnel NO_OUTSIDE_IN
vpngroup homeworkers idle-time 1800
vpngroup homeworkers password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
vpdn group skynet request dialout pppoe
vpdn group skynet localname *SNIP*
vpdn group skynet ppp authentication chap
vpdn group 1 client configuration address local vpnpool1
vpdn group 1 client authentication local
vpdn username *SNIP* password *********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient vpngroup homeworkers password ********
terminal width 80
Cryptochecksum:49de3e558bda6353b0d5c90cc5d86521
: end

When I run 'debug crypto isakmp', I get:
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Added new peer: ip:CLIENT_IP Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80c25030, conn_id = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src CLIENT_IP, dst SERVER_IP
ISADB: reaper checking SA 0x80c25030, conn_id = 0 DELETE IT!
For the moment I have no idea what is wrong. Can someone tell me what is wrong in my config? Thanks in advance!
Ben
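An added example, not part of Ben's post and not Cisco code, that models the phase-1 proposal matching the debug output above records. It parses a constructed excerpt shaped like the 'debug crypto isakmp' lines (transforms 1, 3 and 9 of the client's offer), decodes the numeric values the PIX prints raw (cipher id 7 is AES-CBC in the IANA IKEv1 registry; the lifetime bytes 0x00 0x20 0xc4 0x9b are 2147483 seconds), and checks each transform against the posted `isakmp policy 10` and against a second, hypothetical `isakmp policy 20`. The matching rule (every attribute must agree, the responder must actually implement the cipher, and a policy with `authentication pre-share` accepts the client's XAUTH pre-shared variant as well as the plain one), the policy-20 lines and the AUTH_COMPAT table are assumptions made for illustration, not the PIX's own logic.

```python
import re

# IKEv1 phase-1 attribute values from the IANA ISAKMP registry.  A cipher this
# PIX release does not implement is printed as 'What? <id>?', raw id only.
ENCRYPTION = {1: "des", 5: "3des", 7: "aes"}
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des"}  # names the PIX prints
# Assumption (not the PIX's rule): 'authentication pre-share' accepts both the
# plain and the XAUTH pre-shared variants the Cisco VPN client offers.
AUTH_COMPAT = {"pre-share": {"pre-share", "xauth-pre-share"}}

# Constructed excerpt shaped like the debug output in the post above.
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
"""


def parse_debug(text):
    """Turn the per-transform debug lines into dicts of decoded attributes."""
    transforms, cur = [], None
    for line in text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "policy": int(m.group(2))}
            transforms.append(cur)
        elif cur is None:
            continue
        elif (m := re.search(r"encryption\.\.\. What\? (\d+)\?", line)):
            cur["encryption"] = ENCRYPTION.get(int(m.group(1)), "id-" + m.group(1))
            cur["supported"] = False  # responder cannot use what it cannot name
        elif (m := re.search(r"encryption (\S+)", line)):
            cur["encryption"] = ENC_NAMES.get(m.group(1), m.group(1).lower())
            cur["supported"] = True
        elif (m := re.search(r"hash (\w+)", line)):
            cur["hash"] = m.group(1).lower()
        elif (m := re.search(r"group (\d+)", line)):
            cur["group"] = int(m.group(1))
        elif "extended auth pre-share" in line:
            cur["auth"] = "xauth-pre-share"
        elif "auth pre-share" in line:
            cur["auth"] = "pre-share"
        elif (m := re.search(r"life duration \(VPI\) of((?: 0x[0-9a-f]+)+)", line)):
            raw = bytes(int(b, 16) for b in m.group(1).split())
            cur["lifetime"] = int.from_bytes(raw, "big")  # 0x0020c49b = 2147483 s
    return transforms


def policy_accepts(policy, t):
    """Modelled responder rule: cipher implemented and equal, hash and DH group
    equal, authentication method compatible.  Lifetime is negotiated separately
    and is not part of this check."""
    return (t.get("supported", False)
            and t.get("encryption") == policy["encryption"]
            and t.get("hash") == policy["hash"]
            and t.get("group") == policy["group"]
            and t.get("auth") in AUTH_COMPAT[policy["authentication"]])


def first_match(policies, transforms):
    """Walk policies by priority, then the client's transforms in order; return
    (priority, transform id) of the first acceptable pair, or None."""
    for prio in sorted(policies):
        for t in transforms:
            if policy_accepts(policies[prio], t):
                return prio, t["id"]
    return None


def policy_commands(prio, p):
    """Render one policy as PIX 6.x 'isakmp policy' lines."""
    return [f"isakmp policy {prio} {k} {p[k]}"
            for k in ("authentication", "encryption", "hash", "group")]


# Phase-1 policy exactly as in the config posted above.
POSTED_POLICY = {10: {"encryption": "des", "hash": "md5", "group": 2,
                      "authentication": "pre-share"}}
# Hypothetical second policy (assumption for illustration) that names the
# 3DES/SHA/group 2 combination the client offers as transform 9.
CANDIDATE_POLICY = dict(POSTED_POLICY)
CANDIDATE_POLICY[20] = {"encryption": "3des", "hash": "sha", "group": 2,
                        "authentication": "pre-share"}

if __name__ == "__main__":
    ts = parse_debug(DEBUG)
    for t in ts:
        print(t)
    print("posted config  :", first_match(POSTED_POLICY, ts))     # None
    print("with policy 20 :", first_match(CANDIDATE_POLICY, ts))  # (20, 9)
    print("\n".join(policy_commands(20, CANDIDATE_POLICY[20])))
```

Run as-is, the model rejects every transform under the posted config: the first eight carry cipher id 7, which this PIX prints as 'What? 7?' and therefore cannot match whatever the hash or authentication columns say, and transform 9 (3DES/SHA/group 2) does not agree with policy 10's DES/MD5. Only when a policy naming 3DES/SHA/group 2 is added does the model find a match, at transform 9. Note that the posted debug is cut off before the PIX prints its verdict on transform 9, so that second result is what the model predicts, not something the page shows.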