Cisco VPN Client question

Posted on 2005-05-02
Last Modified: 2013-11-16
Does the Cisco VPN Client ver 4.6.02.0011 on a Windows XP or 2000 computer "need" a certificate installed to connect to my PIX-501? And if so, do I have to purchase one from a CA?

Question by: Bill Warren
15 Comments
 
LVL 8

Expert Comment

by:christsis
ID: 13913599
No it doesn't "need" one unless that's the way you are configuring your VPN...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor16

But if you do want to use certificates you can either purchase them, as you stated, or you can generate them within the PIX or generate them from a Microsoft Server:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089924_4container_ccmigration_09186a00801e893a.html

Chris
 
LVL 79

Expert Comment

by:lrmoore
ID: 13916767
Chris is correct. No certificates are ever "needed" with the VPN client unless that is what you require on the PIX end, but you can have the PIX "self generate" its own cert.

What issues are you having that made you think of this as a requirement?
 

Author Comment

by:Bill Warren
ID: 13921351
Well, I was successful in getting one client connected to the VPN, so I installed the client on another remote computer and it would not connect.... The only thing that I noticed that was different was that this computer (the one that couldn't connect) did not have a Certificate listed under Certificates in the VPN client.
 
LVL 8

Expert Comment

by:christsis
ID: 13921387
Under the VPN client that is working what type of authentication is it?

e.g. Group Authentication, Mutual Group Authentication, Certificate Authentication

Unless it's on Certificate Authentication your problem is likely elsewhere.
 

Author Comment

by:Bill Warren
ID: 13921493
No, it's under Group Authentication... Oh, another thing that I failed to mention, different from the computer that can connect, is.... The one that can connect is Windows XP SP2 and the one that cannot is Windows 2000 SP4. The Win2K has no firewall that should be stopping it other than the Linksys DSL router that has the private IP of this machine set up as the DMZ. Also I had made sure that the router was set up to allow IPSEC passthrough..... Do you think it has something to do with the router config?
 
LVL 79

Expert Comment

by:lrmoore
ID: 13921496
Were both of these remote computers perchance at the same location, trying to connect at the same time?
Probably only one at a time, not both.

Do you have isakmp nat-traversal enabled on the PIX?
 

Author Comment

by:Bill Warren
ID: 13921506
No, different locations.
 
LVL 8

Expert Comment

by:christsis
ID: 13921706
Okay, why don't we back up and start with what kind of error it is giving?

Is it timing out connecting to the PIX, failing authentication, etc.?

Have you tried enabling logging in the client and setting all the levels to high for debugging?
 

Author Comment

by:Bill Warren
ID: 13974463
Sorry for the late reply; the client connection log says the following:

Cisco Systems VPN Client Version 4.6.01.0019
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195 Service Pack 4
Config file directory: C:\Program Files\Cisco Systems\VPN Client

1      18:51:52.796  05/10/05  Sev=Info/4      CM/0x63100002
Begin connection process

2      18:51:52.826  05/10/05  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

3      18:51:52.826  05/10/05  Sev=Info/4      CM/0x63100024
Attempt connection with server "64.60.xx.xxx"

4      18:51:52.836  05/10/05  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 64.60.xx.xxx.

5      18:51:52.836  05/10/05  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 64.60.8.190

6      18:51:52.856  05/10/05  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

7      18:51:52.856  05/10/05  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

8      18:51:53.878  05/10/05  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 64.60.xx.xxx

9      18:51:53.878  05/10/05  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 64.60.8.190

10     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

11     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000001
Peer supports DPD

12     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

14     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

15     18:51:53.888  05/10/05  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified

16     18:51:53.888  05/10/05  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

17     18:51:53.888  05/10/05  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)

18     18:51:53.888  05/10/05  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 64.60.8.190

19     18:51:53.888  05/10/05  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 64.60.8.190

20     18:51:53.888  05/10/05  Sev=Warning/2      IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2202)

21     18:51:53.888  05/10/05  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=BF8F00ADDAB2EFE4 R_Cookie=9ACA3DA049C6F44A) reason = DEL_REASON_IKE_NEG_FAILED

22     18:51:54.428  05/10/05  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=BF8F00ADDAB2EFE4 R_Cookie=9ACA3DA049C6F44A) reason = DEL_REASON_IKE_NEG_FAILED

23     18:51:54.428  05/10/05  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "64.60.8.190" because of "DEL_REASON_IKE_NEG_FAILED"

24     18:51:54.448  05/10/05  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

25     18:51:54.458  05/10/05  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

26     18:51:54.468  05/10/05  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

27     18:51:54.468  05/10/05  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

28     18:51:54.468  05/10/05  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

29     18:51:54.468  05/10/05  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
 
LVL 79

Accepted Solution

by: lrmoore (earned 1500 total points)
ID: 13976903
These entries make it pretty clear that the group/password are not set up correctly on the client:

15     18:51:53.888  05/10/05  Sev=Warning/3     IKE/0xE3000056
The received HASH payload cannot be verified

16     18:51:53.888  05/10/05  Sev=Warning/2     IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

17     18:51:53.888  05/10/05  Sev=Warning/2     IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
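As an added example (not code from the thread, from Cisco, or from either expert), here is a small Python parser for the two-line record format of the client log above, followed by a diagnosis step that applies lrmoore's reading of it. The IKE warning codes 0xE3000056, 0xE300007D and 0xE3000099 and the "Unable to establish Phase 1 SA" line are taken from the posted log; the sample log embedded in the block is constructed in that format with the documentation address 192.0.2.1 in place of the PIX's, and the finding labels ("group_password_mismatch" and so on) are our own naming, not anything the client emits.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the two-line record format of the log posted in the thread
# (it is not the asker's log). 192.0.2.1 is a documentation address, not the PIX.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.6.01.0019
5      18:51:52.836  05/10/05  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 192.0.2.1

9      18:51:53.878  05/10/05  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), KE, ID, NON, VID(Nat-T), NAT-D, NAT-D, HASH) from 192.0.2.1
14     18:51:53.878  05/10/05  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T
15     18:51:53.888  05/10/05  Sev=Warning/3      IKE/0xE3000056
The received HASH payload cannot be verified
16     18:51:53.888  05/10/05  Sev=Warning/2      IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
17     18:51:53.888  05/10/05  Sev=Warning/2      IKE/0xE3000099
Failed to authenticate peer (Navigator:904)
23     18:51:54.428  05/10/05  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "192.0.2.1" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Record header: sequence, time, date, Sev=<name>/<level>, <module>/0x<8 hex digits>.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<module>[A-Za-z]+)/0x(?P<code>[0-9A-Fa-f]{8})$"
)
PHASE1_FAILED_RE = re.compile(
    r'Unable to establish Phase 1 SA with server "(?P<server>[^"]+)" because of "(?P<reason>[^"]+)"'
)
# IKE warning codes as they appear in the posted log; the constant names are ours.
HASH_UNVERIFIABLE = "0xE3000056"   # "The received HASH payload cannot be verified"
HASH_VERIFY_FAILED = "0xE300007D"  # "Hash verification failed... invalid group password"
PEER_AUTH_FAILED = "0xE3000099"    # "Failed to authenticate peer"


@dataclass
class Event:
    seq: int
    time: str
    date: str
    severity: str
    level: int
    module: str
    code: str
    message: str


def parse_client_log(text: str) -> List[Event]:
    """Turn the client's 'header line / message line' records into Event objects."""
    events: List[Event] = []
    pending: Optional[re.Match] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            pending = header          # the message is the next non-blank line
            continue
        if pending is None:
            continue                  # banner lines before the first numbered record
        events.append(Event(int(pending["seq"]), pending["time"], pending["date"],
                            pending["sev"], int(pending["level"]), pending["module"],
                            "0x" + pending["code"].upper(), line))
        pending = None
    return events


def diagnose(events: List[Event]) -> Dict[str, object]:
    """Classify why (or whether) IKE Phase 1 failed, using only what the client logged."""
    ike_codes = {e.code for e in events if e.module == "IKE"}
    result: Dict[str, object] = {
        "phase1": "unknown", "server": None, "reason": None,
        # Aggressive mode with a pre-shared key is what 'Group Authentication' negotiates.
        "aggressive_mode": any("SENDING >>> ISAKMP OAK AG" in e.message for e in events),
        "peer_replied": any("RECEIVING <<< ISAKMP" in e.message for e in events),
        "peer_nat_t": any(e.message == "Peer supports NAT-T" for e in events),
        "finding": "no_ike_failure_seen",
    }
    for e in events:
        m = PHASE1_FAILED_RE.search(e.message)
        if m:
            result.update(phase1="failed", server=m["server"], reason=m["reason"])
    if HASH_VERIFY_FAILED in ike_codes or HASH_UNVERIFIABLE in ike_codes:
        result["finding"] = "group_password_mismatch"   # pre-shared-key hash check failed
    elif PEER_AUTH_FAILED in ike_codes:
        result["finding"] = "peer_authentication_failed"
    elif result["phase1"] == "failed":
        result["finding"] = "phase1_failed_other"
    return result


if __name__ == "__main__":
    # Pass a saved client log path, or run with no arguments to use the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in diagnose(parse_client_log(text)).items():
        print(f"{key:16} {value}")
```

Reading the result for the sample: the PIX's aggressive-mode reply (event 9) did arrive through the Linksys router, so UDP 500 is passing and the peer advertises NAT-T; the negotiation then dies on the pre-shared-key hash check, which is why the accepted answer points at the group name and password in the client's connection entry rather than at certificates or the router. A log from a client that connects never reaches the Phase 1 failure line, so it comes back with phase1 "unknown" and finding "no_ike_failure_seen".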
 

Author Comment

by:Bill Warren
ID: 13979146
Should the clients that are connecting to the PIX use the lase group/password or should there be a separate one for every client?
 

Author Comment

by:Bill Warren
ID: 13979161
sorry lase=same ....... bad typing day
 
LVL 8

Expert Comment

by:christsis
ID: 13979304
Yes, they will use the same info in this type of config.
 

Author Comment

by:Bill Warren
ID: 13983082
I have triple and quadruple checked that the group name and password are correct.... Is there something else I could check? The other client is using the same login info and connects flawlessly every time. Do I need to add a line for every connecting VPN client's IP address in the PIX... Or shouldn't anyone with the login and password be able to connect..... unless specifically blocked??
 
LVL 79

Expert Comment

by:lrmoore
ID: 14053373
Sorry to leave you hanging.. Any progress to report? Still having same problem?