troubleshooting Question

VPN clients won't connect

Asked by VMarcus (topic: VPN)
Hi,

I'm using Cisco VPN Client 4.6 to connect to a 10-user Cisco PIX 501 (config below). Somehow it won't connect, but it gives me a user/pwd prompt. I keep getting the following messages:

ISAKMP:
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (9)
ISAKMP : Checking IPSec proposal 10

crypto_isakmp_process_block:src:213.201.208.164, dest:10.0.0.150 spt:4500 dpt:4500
ISAKMP (0): processing DELETE payload. message ID = 570594968, spi size = 4

IPSEC:
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported

CONFIG:
PIX Version 6.3(3)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname JJJA-PIX
domain-name jjja.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 80.84.246.48 amsterdam-gw
name 10.0.1.0 lan-net
name 192.168.1.0 amsterdam-net
name 213.52.171.66 london-gw
name 192.168.110.0 london-web-net
name 192.168.120.0 london-db-net
name 192.168.41.0 VPNclients-net
name 84.86.57.204 Marieke_thuis
name 213.84.26.104 Jaap_Thuis
name 80.84.246.41 jjja-2
name 80.126.55.240 Joeri_thuis
name 213.84.233.217 Joost_thuis
name 212.238.145.136 Rimlan
name 82.161.4.201 xxx_denk_ik
name 195.86.248.0 Diago-oud
name 213.201.208.0 Diago
object-group network ftp-access
  network-object host jjja-2
  network-object host Joost_thuis
  network-object host Joeri_thuis
  network-object host Jaap_Thuis
  network-object Marieke_thuis 255.255.255.255
object-group network tsc-access
  network-object host Joost_thuis
  network-object host Joeri_thuis
  network-object host Jaap_Thuis
  network-object Diago-oud 255.255.255.128
object-group network SSH
  description SSH users
  network-object Diago-oud 255.255.255.128
  network-object Joeri_thuis 255.255.255.255
  network-object Jaap_Thuis 255.255.255.255
  network-object Joost_thuis 255.255.255.255
  network-object amsterdam-gw 255.255.255.255
access-list input permit tcp any host 10.0.0.150 eq smtp
access-list input permit tcp object-group SSH any eq ssh
access-list input permit tcp any host 10.0.0.150 eq www
access-list input permit tcp any host 10.0.0.150 eq https
access-list input permit tcp object-group tsc-access host 10.0.0.150 eq 3389
access-list input permit tcp object-group ftp-access host 10.0.0.150 eq ftp
access-list input permit tcp object-group ftp-access host 10.0.0.150 eq ftp-data
access-list input deny tcp any eq 1863 any eq 1863
access-list to-ams permit ip lan-net 255.255.255.0 amsterdam-net 255.255.255.0
access-list to-london permit ip lan-net 255.255.255.0 london-web-net 255.255.255.0
access-list to-london permit ip lan-net 255.255.255.0 london-db-net 255.255.255.0
access-list no-nat permit ip lan-net 255.255.255.0 amsterdam-net 255.255.255.0
access-list no-nat permit ip lan-net 255.255.255.0 london-web-net 255.255.255.0
access-list no-nat permit ip lan-net 255.255.255.0 london-db-net 255.255.255.0
access-list no-nat permit ip lan-net 255.255.255.0 VPNclients-net 255.255.255.0
access-list vpn-clients remark ### VPN clients ###
access-list vpn-clients permit ip lan-net 255.255.255.0 VPNclients-net 255.255.255.0
pager lines 24
logging on
logging buffered warnings
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.150 255.255.255.0
ip address inside 10.0.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN-DHCPpool 192.168.41.1-192.168.41.254
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no-nat
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 10.0.0.150 smtp 10.0.1.3 smtp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.150 https 10.0.1.3 https dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.150 3389 10.0.1.3 3389 dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.150 ftp 10.0.1.4 ftp dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.150 ftp-data 10.0.1.4 ftp-data dns netmask 255.255.255.255 0 0
static (inside,outside) tcp 10.0.0.150 www 10.0.1.5 www dns netmask 255.255.255.255 0 0
access-group input in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.138 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server VPNClientAuth protocol radius
aaa-server VPNClientAuth (inside) host 10.0.1.3 @n0sys-VPN timeout 5
aaa authentication ssh console LOCAL
http server enable
http Diago-oud 255.255.255.128 outside
http lan-net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ams esp-des esp-sha-hmac
crypto ipsec transform-set lon esp-3des esp-sha-hmac
crypto ipsec transform-set VPNset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address vpn-clients
crypto dynamic-map outside_dyn_map 20 set transform-set VPNset
crypto map vpn 10 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn 11 ipsec-isakmp
crypto map vpn 11 match address to-ams
crypto map vpn 11 set peer amsterdam-gw
crypto map vpn 11 set transform-set ams
crypto map vpn 12 ipsec-isakmp
crypto map vpn 12 match address to-london
crypto map vpn 12 set pfs group2
crypto map vpn 12 set peer london-gw
crypto map vpn 12 set transform-set lon
crypto map vpn client authentication VPNClientAuth
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address amsterdam-gw netmask 255.255.255.255 no-xauth
isakmp key ******** address london-gw netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 200
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 12 authentication pre-share
isakmp policy 12 encryption des
isakmp policy 12 hash sha
isakmp policy 12 group 1
isakmp policy 12 lifetime 86400
vpngroup VPN-Clients address-pool VPN-DHCPpool
vpngroup VPN-Clients dns-server 10.0.1.3
vpngroup VPN-Clients default-domain jjjalocal
vpngroup VPN-Clients split-tunnel vpn-clients
vpngroup VPN-Clients idle-time 1800
vpngroup VPN-Clients password ********
telnet Diago-oud 255.255.255.128 outside
telnet lan-net 255.255.255.0 inside
telnet timeout 5
ssh Diago-oud 255.255.255.128 outside
ssh Diago 255.255.255.0 outside
ssh timeout 60
console timeout 0
username joost password ************ encrypted privilege 15
username Diago password ************ encrypted privilege 15
terminal width 80
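The debug above shows the client proposing ESP_3DES with HMAC-MD5 in phase 2, while the only transform-set bound to the dynamic map in the posted config (VPNset) is esp-des esp-md5-hmac, so the PIX has nothing to accept. The following is an added example, not from the question or its answer: a small Python check that parses the ISAKMP debug and the crypto transform-set lines and lists which dynamic-map transform-sets would accept the client's proposal (function names and the log/config excerpts are constructed from the question's text).

```python
import re
# Constructed excerpt of the ISAKMP debug quoted in the question (client's phase-2 proposal).
DEBUG_LOG = """\
ISAKMP: transform 1, ESP_3DES
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443
ISAKMP (0): atts not acceptable. Next payload is 0
"""

# The transform-set and dynamic-map lines taken from the posted PIX config.
PIX_CONFIG = """\
crypto ipsec transform-set ams esp-des esp-sha-hmac
crypto ipsec transform-set lon esp-3des esp-sha-hmac
crypto ipsec transform-set VPNset esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set VPNset
"""

# ISAKMP debug names mapped to the PIX transform-set keywords they correspond to.
ENC = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTH = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}

def parse_proposals(log):
    """Return one frozenset({enc, auth}) per 'transform N' block in the debug."""
    proposals = []
    for line in log.splitlines():
        m = re.search(r"transform \d+, (ESP_\w+)", line)
        if m:
            proposals.append({ENC.get(m.group(1), m.group(1))})
        m = re.search(r"authenticator is (HMAC-\w+)", line)
        if m and proposals:
            proposals[-1].add(AUTH.get(m.group(1), m.group(1)))
    return [frozenset(p) for p in proposals]

def parse_transform_sets(cfg):
    """Return ({name: frozenset(keywords)}, {names bound to a dynamic-map})."""
    sets, on_dyn_map = {}, set()
    for line in cfg.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", line)
        if m:
            on_dyn_map.update(m.group(1).split())
    return sets, on_dyn_map

def matching_sets(log, cfg):
    """Dynamic-map transform-sets that exactly match one of the client's proposals."""
    proposals = parse_proposals(log)
    sets, on_dyn_map = parse_transform_sets(cfg)
    return sorted(n for n in on_dyn_map if sets.get(n) in proposals)
```

Running `matching_sets(DEBUG_LOG, PIX_CONFIG)` on the excerpts returns an empty list, which is the mismatch the "atts not acceptable" line reports; adding a transform-set that matches the client's proposal to the dynamic map makes it appear in the result.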