• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3798
  • Last Modified:

VPN Client not connected error

I setup Cisco PIX 515 in my lab to test IPSec VPN. The PIX is behind a Linksys WRTP54G router and UDP port 500 is open. I can establish the VPN in the LAN, but I get not connected error if I test it from a remote office that is behind another PIX 515E. I am not sure the problem is the Linksys router or PIX in the office. Any suggestions?

The lab PIX configuration can be found here, http://www.howtonetworking.com/cisco/pixvpnsample.htm 

Here are VPN client log.

Cisco Systems VPN Client Version 4.6.01.0019
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      09:58:38.469  05/26/06  Sev=Info/4      CM/0x63100002
Begin connection process

2      09:58:38.979  05/26/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      09:58:38.979  05/26/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

4      09:58:38.979  05/26/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "chicagotech.net"

5      09:58:40.247  05/26/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with x.x.x.246.

6      09:58:40.557  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.246

7      09:58:40.587  05/26/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      09:58:40.587  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      09:58:40.947  05/26/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246

10     09:58:40.947  05/26/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from x.x.x.246

11     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

12     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

13     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

14     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5

15     09:58:40.947  05/26/06  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

16     09:58:40.977  05/26/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

17     09:58:40.977  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.246

18     09:58:40.997  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

19     09:58:40.997  05/26/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

20     09:58:40.997  05/26/06  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end IS behind a NAT device
   This   end IS behind a NAT device

21     09:58:40.997  05/26/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

22     09:58:40.997  05/26/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

23     09:58:41.566  05/26/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

24     09:58:41.566  05/26/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

25     09:58:41.566  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.246

26     09:58:46.860  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

27     09:58:46.860  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

28     09:58:51.305  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

29     09:58:52.304  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

30     09:58:52.304  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

31     09:58:55.900  05/26/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.246

32     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from x.x.x.246

33     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

34     09:58:55.900  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to x.x.x.246

35     09:58:57.798  05/26/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

36     09:58:57.798  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to x.x.x.246

37     09:59:01.793  05/26/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

38     09:59:03.291  05/26/06  Sev=Info/4      IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=442F0A75

39     09:59:03.291  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to x.x.x.246

40     09:59:03.291  05/26/06  Sev=Info/6      IKE/0x6300003D
Sending DPD request to x.x.x.246, our seq# = 2226793716

41     09:59:03.341  05/26/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED

42     09:59:03.341  05/26/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.246

43     09:59:06.787  05/26/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=672CDA295511818F R_Cookie=9ADE594A69BA0090) reason = DEL_REASON_IKE_NEG_FAILED

44     09:59:06.787  05/26/06  Sev=Info/4      CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

45     09:59:06.797  05/26/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

46     09:59:06.807  05/26/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

47     09:59:06.937  05/26/06  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

48     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

49     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     09:59:07.297  05/26/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
0
blin2000
Asked:
blin2000
  • 3
  • 3
1 Solution
 
lrmooreCommented:
Two things:
 On BOTH PIX's, be sure the following command is entered:
   isakmp nat-traversal 20

 And on the Linksys WRTP54G router open UDP 4500
0
 
blin2000Author Commented:
Hi Irmoore,

I already have isakmp nat-traversal 20. After opened UDP 500, it works. Thank you.

However, the VPN client can't ping the remote computers while remote computers can ping the VPN client. I think I need some access-list command, but what are they?
0
 
lrmooreCommented:
If you only open up UDP 500, then you only have half of the requirement. UDP 4500 is required for the data.
If you have sysopt connect permit-ipsec, then you don't need any access-lists unless you have an outbound acl applied to the inside interface.
Client pool is in different subnet than the internal LAN? Client PC's local LAN subnet is different from remote subnet through the VPN tunnel?
Systems that you want to access have their default gateway pointed to the PIX?
If you want to post your config, I'll take a look at it.
 
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
Rob WilliamsCommented:
Does the WRTP54G support IPSec? The WRT54G is supposed to, but the only mention of IPSec in the WRTP54G manual or spec sheet, was in the appendix which seems to be somewhat universal. Also, the normal Firewall/Security/enable IPSec option doesn't seem to exist in the manual. lrmoore is far more aware of any implications this may have on the Cisco client than I, but thought I would point it out.
Perhaps try by-passing the router and connecting directly to the modem as a test.
0
 
blin2000Author Commented:
here are the configuration.

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

hostname CHICAGOTECH

domain-name chicagotech.net

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 172.16.254.2 chicagotech

access-list outside_in permit icmp any any

access-list outside_in permit tcp any host 192.168.10.253 eq 3389

access-list outside_inbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 any

access-list 10 permit 192.168.10.0 255.255.255.0

access-list 192_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any

pager lines 24

logging on

logging trap errors

logging device-id hostname

mtu outside 1500

mtu inside 1500

ip address outside 192.168.10.254 255.255.255.0

ip address inside 172.16.254.1 255.255.0.0

ip audit info action alarm

ip audit attack action alarm

ip local pool 172pool 172.16.10.1-172.16.10.9

pdm location chicagotech 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 2 192.168.10.250-192.168.10.253

global (outside) 1 interface

nat (outside) 0 access-list outside_inbound_nat0_acl outside

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.10.253 chicagotech netmask 255.255.255.255 0 0

static (inside,outside) 192.168.10.111 172.16.254.1 netmask 255.255.255.255 0 0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 172.16.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 600 kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup 192 address-pool 172pool

vpngroup 192 dns-server 4.2.2.1

vpngroup 192 split-tunnel 192_splitTunnelAcl

vpngroup 192 idle-time 1800

vpngroup 192 password ********

telnet 172.16.0.0 255.255.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

0
 
lrmooreCommented:
These lines represent part of the problem:
\\-- VPN client address pool is in same subnet as the inside LAN - not recommended
ip address inside 172.16.254.1 255.255.0.0
ip local pool 172pool 172.16.10.1-172.16.10.9

\\-- Acls should reference inside LAN to IP Pool subnet, and should not have "any" in them - they don't
access-list outside_inbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 any
access-list 192_splitTunnelAcl permit ip 192.168.10.0 255.255.255.0 any

Recommended:
\\-- IP pool in totally different subnet
ip local pool 172pool 172.17.10.1-172.17.10.9
no access-list outside_inbound_nat0_acl
no access-list 192_splitTunnelAcl
access-list inside_outbound_nat0_acl permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
access-list SplitTunnel permit ip 172.16.0.0 255.255.0.0 172.17.10.0 255.255.255.240
no nat (outside) 0 access-list outside_inbound_nat0_acl outside
nat (outside) 0 access-list inside_outbound_nat0_acl  outside
vpngroup 192 split-tunnel SplitTunnel

BTW:
>vpngroup 192 dns-server 4.2.2.1
If you're not going to give the VPN client an internal DNS IP address, then don't give them anything
  no vpngroup 192 dns-server 4.2.2.1
0
 
blin2000Author Commented:
It works. Thank you very much.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now