pix 501 remote access vpn problem

I'm trying to set up remote access VPN for my PIX 501, version 6.2(2). The client I use is Cisco VPN Client version 5.0.00.0340. When I've set up the client with a new connection and the corresponding group authentication, it fails to connect.

I've tried changing and playing a lot with the config parameters but have not succeeded yet in finding the solution.

Here is my config:

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YrkJu97KuVj3vyCG encrypted
passwd YrkJu97KuVj3vyCG encrypted
hostname pix
domain-name test.be
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list NO_INSIDE_OUT permit icmp any any
access-list NO_INSIDE_OUT permit tcp any any
access-list NO_INSIDE_OUT permit udp any any
access-list NO_INSIDE_OUT permit ip any any
access-list NO_OUTSIDE_IN permit icmp any any
access-list NO_OUTSIDE_IN permit udp any any
access-list NO_OUTSIDE_IN permit ip any any
access-list NO_OUTSIDE_IN permit tcp any any eq https
access-list NO_OUTSIDE_IN permit tcp any any eq ssh
access-list NO_OUTSIDE_IN permit tcp any any eq pptp
access-list NO_OUTSIDE_IN permit tcp any any
access-list vpn permit ip 192.168.10.0 255.255.255.0 any
pager lines 24
logging console debugging
logging monitor debugging
logging buffered debugging
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.0.150-192.168.0.199
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
static (inside,outside) tcp interface https 192.168.0.253 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 192.168.0.253 3389 netmask 255.255.255.255 0 0
access-group NO_OUTSIDE_IN in interface outside
access-group NO_INSIDE_OUT in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol tacacs+
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set trmset1 esp-des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address 192.168.10.0 netmask 255.255.255.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup homeworkers address-pool vpnpool1
vpngroup homeworkers dns-server 192.168.0.253
vpngroup homeworkers wins-server 192.168.0.253
vpngroup homeworkers default-domain huisartsendestelbergen.be
vpngroup homeworkers split-tunnel NO_OUTSIDE_IN
vpngroup homeworkers idle-time 1800
vpngroup homeworkers password ********
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
vpdn group skynet request dialout pppoe
vpdn group skynet localname *SNIP*
vpdn group skynet ppp authentication chap
vpdn group 1 client configuration address local vpnpool1
vpdn group 1 client authentication local
vpdn username *SNIP* password *********
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
vpnclient vpngroup homeworkers password ********
terminal width 80
Cryptochecksum:49de3e558bda6353b0d5c90cc5d86521
: end

When I run 'debug crypto isakmp' , I get:

crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Added new peer: ip:CLIENT_IP Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
crypto_isakmp_process_block: src CLIENT_IP, dest SERVER_IP
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:CLIENT_IP Ref cnt decremented to:1 Total VPN Peers:1
ISAKMP (0): retransmitting phase 1...
ISADB: reaper checking SA 0x80c25030, conn_id = 0
ISAKMP (0): retransmitting phase 1...
ISAKMP (0): deleting SA: src CLIENT_IP, dst SERVER_IP
ISADB: reaper checking SA 0x80c25030, conn_id = 0 DELETE IT!

For the moment I have no idea what is wrong. Can someone tell me what is wrong in my config? Thanks in advance!

Ben

Reply to
Benjamin

Hmmm, that's kind of old, and there were free security upgrades for that version.

ip includes icmp and tcp and udp, so most of that ACL is redundant.

ip includes icmp and udp, so the part above this statement is redundant.

ip includes tcp, so the tcp parts of this ACL will never be examined.

Just as a point of interest: if you were able to upgrade to PIX 6.3, you would get 100 Mbit ability on the inside interface.

Always set your vpn pool addresses to be -outside- your current network, so that packets addressed to the vpn clients would head towards the outside interface, intercepted and encapsulated into the VPN at the last minute. When your vpn addresses are in the same network as your inside network, you have to rely upon the PIX proxy-arping for those IPs, which it is unreliable at.

There you re-use the access-list NO_OUTSIDE_IN, having used it once in the access-group statement, and here a second time in split-tunnel. Never re-use an access-list: the PIX manipulates the access-lists internally to handle Adaptive Security, and the manipulation for that purpose is going to interfere with the usage for split-tunnel.

In your case, you do not need the access-group applied to the inside interface, since you are allowing everything through.

What is the purpose there of the vpdn group 1? Are you trying to use PPTP or L2TP connections to your PIX in addition to your VPN client connections (the configuration of which is handled by the 'vpngroup' commands) ?

You haven't configured a vpnclient mode or server, and haven't configured vpnclient enable, so you aren't going to be able to use vpnclient. Are you trying to configure Easy VPN in addition to VPN client and PPTP/L2TP?

For your information, "encryption... What? 7?" is displayed when the client attempts to connect with AES, which is not a known encryption for 6.2.

Your debug output does not correspond to the configuration you have shown. Your priority 10 ISAKMP policy is DES MD5 Group 2; this debug output is for 3DES SHA Group 2. This is the last ISAKMP transform output group in your log; on the other hand, the "atts are acceptable" log entry is not present, indicating that something went missing.

Reply to
Walter Roberson
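As an added example (not part of the thread, and not Cisco code), here is a small Python script that replays the phase 1 check the debug output above shows the PIX making: it parses the "Checking ISAKMP transform N" blocks, names the cipher behind "encryption... What? 7?" (attribute value 7 is AES-CBC in IKEv1), decodes the "life duration (VPI)" bytes, matches each proposal against the isakmp policies from a config, and prints the policy lines that would accept the first proposal a PIX 6.2 can actually negotiate. The sample debug text is constructed from the thread's output (transforms 1 and 9 only). Two things are assumptions rather than documented PIX behaviour: that a pre-share policy accepts both the plain and the XAUTH ("extended auth") pre-share proposals the client sends, and that lifetime differences are negotiated down rather than rejected. 3DES also needs the 3DES license Walter mentions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IKEv1 encryption attribute values (RFC 2409 / IANA). PIX 6.2 has no name for
# 7 (AES-CBC), which is why its debug prints "encryption... What? 7?".
ENCRYPTION_IDS = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
CONFIG_NAMES = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC"}
PIX62_CIPHERS = {"DES-CBC", "3DES-CBC"}   # negotiable on 6.2 (3DES needs the license)

@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str   # "DES-CBC", "3DES-CBC", "AES-CBC"
    hash: str         # "SHA" or "MD5"
    group: int
    lifetime: int     # seconds, decoded from the "life duration (VPI)" bytes

@dataclass(frozen=True)
class Policy:         # one "isakmp policy N ..." set; pre-share auth is implied
    priority: int
    encryption: str   # as typed in the config: "des" or "3des"
    hash: str         # "md5" or "sha"
    group: int

# Constructed sample, condensed from the thread: transforms 1 and 9 of the
# client's proposal; the other AES transforms (2 to 8) are omitted.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
"""

_HEADER = re.compile(r"Checking ISAKMP transform (\d+) against")
_ENC = re.compile(r"ISAKMP: encryption(?:\.\.\. What\? (\d+)\?| (\S+))")
_HASH = re.compile(r"ISAKMP: hash (\w+)")
_GROUP = re.compile(r"ISAKMP: default group (\d+)")
_LIFE = re.compile(r"life duration \(VPI\) of ((?:0x[0-9a-f]+\s*)+)")

def parse_proposals(debug: str) -> list[Proposal]:
    """Split the debug text at each 'Checking ISAKMP transform' line and read
    the attributes out of the block that follows it."""
    parts = _HEADER.split(debug)           # [prefix, num, block, num, block, ...]
    proposals = []
    for num, block in zip(parts[1::2], parts[2::2]):
        enc_id, enc_name = _ENC.search(block).groups()
        life = bytes(int(b, 16) for b in _LIFE.search(block).group(1).split())
        proposals.append(Proposal(
            number=int(num),
            encryption=ENCRYPTION_IDS.get(int(enc_id), f"id-{enc_id}") if enc_id else enc_name,
            hash=_HASH.search(block).group(1),
            group=int(_GROUP.search(block).group(1)),
            lifetime=int.from_bytes(life, "big")))
    return proposals

def policy_accepts(pol: Policy, p: Proposal) -> bool:
    """Cipher, hash and DH group must all match. Assumptions: a pre-share policy
    accepts both the plain and the XAUTH ("extended auth") pre-share proposals
    the client sends, and the lifetime is negotiated down, not rejected."""
    return ((CONFIG_NAMES[pol.encryption], pol.hash.upper(), pol.group)
            == (p.encryption, p.hash.upper(), p.group))

def evaluate(debug: str, policies: list[Policy]) -> dict[int, Optional[int]]:
    """Proposal number -> priority of the first policy accepting it, or None
    (None for every entry is what 'atts are not acceptable' throughout means)."""
    ordered = sorted(policies, key=lambda pol: pol.priority)
    return {p.number: next((pol.priority for pol in ordered if policy_accepts(pol, p)), None)
            for p in parse_proposals(debug)}

def suggest_policy(debug: str, priority: int) -> list[str]:
    """Config lines for a policy accepting the first proposal this PIX can
    actually negotiate (AES proposals are skipped)."""
    for p in parse_proposals(debug):
        if p.encryption in PIX62_CIPHERS:
            enc = {v: k for k, v in CONFIG_NAMES.items()}[p.encryption]
            return [f"isakmp policy {priority} authentication pre-share",
                    f"isakmp policy {priority} encryption {enc}",
                    f"isakmp policy {priority} hash {p.hash.lower()}",
                    f"isakmp policy {priority} group {p.group}",
                    f"isakmp policy {priority} lifetime 86400"]
    return []

POSTED = [Policy(10, "des", "md5", 2)]   # the thread's "isakmp policy 10"

if __name__ == "__main__":
    print("posted config:", evaluate(SAMPLE_DEBUG, POSTED))
    print("\n".join(suggest_policy(SAMPLE_DEBUG, 20)))
    print("with policy 20:", evaluate(SAMPLE_DEBUG, POSTED + [Policy(20, "3des", "sha", 2)]))
```

Against the posted DES/MD5/group 2 policy every proposal comes back None, which is the "atts are not acceptable" the debug shows; adding a 3DES/SHA/group 2 pre-share policy at priority 20 makes transform 9 match. The decoded lifetime (0x0020c49b = 2147483 seconds) is the client's proposed value, not the PIX's 86400; that mismatch is not what is failing the negotiation.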

Walter, first of all, thanks a lot for the fast reply.

Ok, I've removed the ip section. I've got to tune it further as I want to let everything open for testing now.

That's very interesting indeed. I wonder if 6.3 also supports AES? The next question of course is HOW to get the upgrade if it is free. I've registered at cisco but was not able to find an upgrade yet.

I was experimenting, but I see now that I don't need this so I've excluded it from the config.

Is it possible to force the client to use DES or 3DES, or do I need an older client?

I'll try making a test soon, with an older client or an upgraded pix.

Reply to
Benjamin

Yes it does, provided you have the 3DES license (it's the same key.)

You'd have to work the security updates the right way. If I recall correctly, somewhere around the update from 6.3(3) to 6.3(4), they indicated that for 6.2 the fix was to upgrade to 6.3; if my memory is correct and you could find that one security advisory, you could possibly use it to argue with Cisco that you were entitled to a free upgrade from 6.2 to 6.3. Once at 6.3, you'd be entitled to free upgrades to 6.3(5)114 (I think the current one is.) This provided that you are the registered owner of the device: if you aren't the registered owner of the device, Cisco would want you to "relicense" the device.

I believe it is possible to force the client to use DES or 3DES, but the instructions for this were always unclear.

Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.