amitphilip asked:
Cisco VPN Client Connects to PIX Gateway but Cannot access resources
I am able to connect to my Cisco VPN Gateway (PIX) with the VPN client; however, I am unable to access (even ping) any resources behind it. I saw someone else had a similar issue, but what he/she did to resolve it was not clear.
I have all the appropriate commands in place (this was tested and worked in a lab) but once I added other firewall policy rules and upgraded the software on the PIX and put it in production, I can connect, but not access resources.
The debug of the isakmp and ipsec processes is below:
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
ISADB: reaper checking SA 0x101b0a4, conn_id = 0
ISADB: reaper checking SA 0x101a66c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:24.27.90.74/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:24.27.90.74/500 Total VPN peers:0
ISADB: reaper checking SA 0x101b0a4, conn_id = 0
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 24.27.90.74. message ID = 18553924
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute UNKNOWN (28683)
Unsupported Attr: 28683
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP: attribute UNKNOWN (28678)
Unsupported Attr: 28678
ISAKMP (0:0): responding to peer config from 24.27.90.74. ID = 1588884442
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 79589721
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 2766623497
ISAMKP (0): received DPD_R_U_THERE from peer 24.27.90.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 1450310135
ISAMKP (0): received DPD_R_U_THERE from peer 24.27.90.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 160143405
ISAMKP (0): received DPD_R_U_THERE from peer 24.27.90.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
HOU-SC-FW-515E#
HOU-SC-FW-515E#
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 400920988
ISAMKP (0): received DPD_R_U_THERE from peer 24.27.90.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:24.27.90.74, dest:<VPN_GW_IP> spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
spi 0, message ID = 4241242449
ISAMKP (0): received DPD_R_U_THERE from peer 24.27.90.74
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
ASKER
I believe I have the required configuration.... As I mentioned, this worked at one time in a lab, till I added other ACLs (which should not affect it anyway because of the sysopt permit ipsec command) and routes. See below (172.16.14.0/24 is the IP pool assigned to VPN clients):
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.11.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.12.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.13.0 255.255.255.0 172.16.14.0 255.255.255.0
ip local pool ippool 172.16.14.1-172.16.14.254
global (outside) 1 <public PAT address>
nat (inside) 0 access-list 102
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.12.0 255.255.255.0 0 0
nat (inside) 1 172.16.13.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 <Next hop IP of Internet Gateway> 1
route inside 172.16.10.0 255.255.255.0 172.16.13.6 1
route inside 172.16.11.0 255.255.255.0 172.16.13.6 1
route inside 172.16.12.0 255.255.255.0 172.16.13.6 1
route inside 172.16.13.0 255.255.255.0 172.16.13.6 1
route outside 172.16.14.0 255.255.255.0 <IP of PIX outside interface> 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 172.16.11.154
vpngroup vpn3000 wins-server 172.16.11.154
vpngroup vpn3000 split-tunnel 102
vpngroup vpn3000 password ********
>route inside 172.16.10.0 255.255.255.0 172.16.13.6 1
Assuming that your PIX inside interface is addressed 172.16.13.x
Assuming that your PIX inside interface has 255.255.255.0 mask
Assuming that the local users' default gateway is 172.16.13.6
Whatever the router is @ 172.16.13.6 needs a route for the 172.16.14.0/24 subnet pointing to the PIX
Other ACLs can affect the traffic if you have applied any to the inside interface. The sysopt only affects the outside interface.
ASKER
Yes, the PIX inside interface has IP 172.16.13.6, but the mask is 255.255.255.252
Local users' default gateway is the router that they connect to, and this router has a default route pointing to the PIX inside interface (172.16.13.6)
I have listed below the ACLs on the inside interface of the PIX (they should not be stopping anything as far as I know, but you can have a look... maybe I should just have a permit ip any any?)
access-list acl_in permit icmp any any log
access-list acl_in permit tcp any any
access-list acl_in permit udp any any
access-group acl_in in interface inside
Remove the acl from the inside interface completely for testing.
Then yes, if you simply want a way to log all icmp packets:
access-list acl_in permit icmp any any log
access-list acl_in permit ip any any
There are other methods of handling the icmp issue other than using acls, depending on what your goal is..
- "icmp" commands
- "ip audit" commands (IDS)
I didn't think the remote pool could be that of the outside interface (or isn't normally so), because then you are coming from a lower security interface to a higher one, so you need an acl, static etc... for every type of traffic.
It may work; I've just never seen it made to the outside interface.
I thought the PIX bridges incoming VPNs somewhere in the middle, closer to the inside.
-= Felix =-
Felix,
I don't see anywhere in here where the vpn address pool is on the same subnet as the outside interface.. it is a different subnet than the inside interface, which is accepted and recommended, but it is still a private subnet, therefore has no relation to the outside interface. You are correct that a terminated VPN appears sort of "in between" the interfaces. That's one primary reason for using a different subnet...
I did notice one more item...
>nat (inside) 0 access-list 102
>vpngroup vpn3000 split-tunnel 102
You have the same access-list being used by two separate processes. I know this is exactly according to the Cisco examples, but it is not recommended practice by TAC..
You can create identical acls:
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.11.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.12.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.13.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 103 permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 103 permit ip 172.16.11.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 103 permit ip 172.16.12.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 103 permit ip 172.16.13.0 255.255.255.0 172.16.14.0 255.255.255.0
Then apply one to the nat process, and one as the split-tunnel acl:
nat (inside) 0 access-list 102
vpngroup vpn3000 split-tunnel 103
My mistake, I looked at this line and assumed it was:
route outside 172.16.14.0 255.255.255.0 <IP of PIX outside interface> 1
ASKER
Ok, thanks for the suggestions. I took off the ACL from the inside interface of the pix. I also created two separate ACL statements for the nat (inside) 0 and split tunnel command as shown above, but still cannot get to anything on the inside.
I am wondering whether I need the following route statement (it was not there when I tested this and had it working before):
route outside 172.16.14.0 255.255.255.0 <IP of PIX outside interface> 1
Thanks,
AP
SOLUTION
ASKER CERTIFIED SOLUTION
ASKER
Folks, thanks for your help.
I removed the route statement, but it still did not help.
I however did get it working. There were 2 issues:
1) A colleague enabled 3DES and AES on the PIX, so when comparing transforms, it was never getting to DES (as seen in the PIX debug of the isakmp transactions). I changed the config so that the transform set and isakmp policy used 3DES instead of DES. This got it working past phase 1, however I was still unable to ping anything on the inside.
2) The second thing that you notice on the PIX debug of the ISAKMP transaction is "IKMP_NO_ERR_NO_TRANS", and I believe it should be "IKMP_NO_ERR". This was fixed by adding the isakmp nat-traversal command.
-AP
Sounds like it might be that the range of IPs being assigned to your VPN clients is not in the no-nat list.
So if your VPN IPs were .75-.79 you would add this:
access-list 80 permit ip any host 192.168.1.75
access-list 80 permit ip any host 192.168.1.76
access-list 80 permit ip any host 192.168.1.77
access-list 80 permit ip any host 192.168.1.78
access-list 80 permit ip any host 192.168.1.79
nat (inside) 0 access-list 80
Otherwise please post some relevant config details.
Thanks
-= Felix 2000 =-
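Both the `nat (inside) 0 access-list` discussion earlier in the thread and Felix's last suggestion come down to the same check: every address the VPN pool can hand out must be matched by the NAT exemption ACL for each inside network that is otherwise PATed, or return traffic to the client gets translated. The script below is an added example, not code from this thread or from Cisco: it reads PIX-style `access-list ... permit ip`, `ip local pool`, `nat (inside) 0 access-list` and `nat (inside) N` lines and reports, per inside network, the pool addresses the exemption ACL does not cover. It understands the `any`, `host A`, and `A MASK` address forms, so it also handles the per-host ACL in Felix's post. `POSTED_CONFIG` is assembled from the lines the asker posted; `BROKEN_CONFIG` is a constructed variant whose ACL only covers half the pool.

```python
"""Check that every VPN pool address is exempted from NAT on the PIX (the
'nat (inside) 0 access-list' rule) for each inside network that is otherwise
PATed.  Added example for this thread; not code from the original posts."""
import ipaddress
import re

# Constructed sample built from the config lines the asker posted.
POSTED_CONFIG = """\
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.11.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.12.0 255.255.255.0 172.16.14.0 255.255.255.0
access-list 102 permit ip 172.16.13.0 255.255.255.0 172.16.14.0 255.255.255.0
ip local pool ippool 172.16.14.1-172.16.14.254
nat (inside) 0 access-list 102
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
nat (inside) 1 172.16.11.0 255.255.255.0 0 0
nat (inside) 1 172.16.12.0 255.255.255.0 0 0
nat (inside) 1 172.16.13.0 255.255.255.0 0 0
"""

# Constructed broken variant: the exemption ACL only covers the lower half of the pool.
BROKEN_CONFIG = """\
access-list 102 permit ip 172.16.10.0 255.255.255.0 172.16.14.0 255.255.255.128
ip local pool ippool 172.16.14.1-172.16.14.254
nat (inside) 0 access-list 102
nat (inside) 1 172.16.10.0 255.255.255.0 0 0
"""

ACE_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
NAT_RE = re.compile(r"^nat \(inside\) [1-9]\d* (\S+) (\S+)")

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_address_spec(tokens):
    """Consume one PIX address spec from a token list: 'any', 'host A', or 'A MASK'.
    Returns the network and the remaining tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(config_text):
    """Return (exemption ACEs as (src, dst) networks, pool addresses, PATed inside networks)."""
    aces, pool, nat0_acl, inside_nets = {}, None, None, []
    for line in config_text.splitlines():
        if m := ACE_RE.match(line):
            src, rest = parse_address_spec(m.group(2).split())
            dst, _ = parse_address_spec(rest)
            aces.setdefault(m.group(1), []).append((src, dst))
        elif m := POOL_RE.match(line):
            start, end = (int(ipaddress.ip_address(x)) for x in m.groups())
            pool = [ipaddress.ip_address(i) for i in range(start, end + 1)]
        elif m := NAT0_RE.match(line):
            nat0_acl = m.group(1)
        elif m := NAT_RE.match(line):
            inside_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return aces.get(nat0_acl, []), pool or [], inside_nets


def unexempted(config_text):
    """Map each PATed inside network to the pool addresses that would still be
    translated when talking to it (not matched by any nat 0 ACE)."""
    exempt_aces, pool, inside_nets = parse_config(config_text)
    result = {}
    for net in inside_nets:
        missing = [
            str(addr) for addr in pool
            if not any(net.subnet_of(src) and addr in dst for src, dst in exempt_aces)
        ]
        if missing:
            result[str(net)] = missing
    return result


if __name__ == "__main__":
    print(unexempted(POSTED_CONFIG))                                   # {} : fully exempted
    print({k: len(v) for k, v in unexempted(BROKEN_CONFIG).items()})  # {'172.16.10.0/24': 127}
```

For the asker's configuration the result is empty, which is consistent with the thread's conclusion that the NAT exemption was not the problem; running the same check on the broken variant shows exactly which pool addresses would be PATed, which is the situation Felix's per-host `access-list 80` entries are meant to prevent.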