
unable to VPN into Cisco PIX 535  IKE Negotiation failed

3,805 Views
Last Modified: 2008-01-09
I have a PIX 535 and I created a local user account.  Then I went through the VPN Wizard to set up the remote access VPN.  I set up a preshared key and tunnel group name.  When I try to connect I get this in the VPN Client log:

Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"

CERTIFIED EXPERT

Commented:
Can you post your configuration?

Author

Commented:
Here's the client logs:

Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process

6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114

11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)

22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201)

25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"

28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
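The log above has the whole story in it once the entries are read as a sequence: an aggressive-mode exchange, a received HASH that cannot be verified, and the SA torn down with DEL_REASON_IKE_NEG_FAILED. The following script is an added example (not code from the thread or from Cisco) that parses Cisco VPN Client 4.x log entries into records and pulls out the Phase 1 failure reason and the client's own warnings; the mapping from "Hash verification failed" to a pre-shared key / group name mismatch follows the thread's diagnosis. SAMPLE_LOG is an excerpt of the log posted above; the HEADER_RE layout and the field names are assumptions about the 4.x format taken from those lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Header line of a Cisco VPN Client 4.x log entry, e.g.
#   "19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056"
# followed by one message line (format assumed from the excerpt above).
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<module>[A-Za-z]+)/0x(?P<code>[0-9A-Fa-f]+)$"
)

# Excerpt of the client log posted above (peer address redacted as in the post).
SAMPLE_LOG = """\
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to x.x.x.x

14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
"""


@dataclass
class LogEntry:
    seq: int
    time: str
    severity: str   # Info / Warning
    level: int
    module: str     # IKE, IPSEC, CM, ...
    code: int       # vendor event code, parsed from the hex after 0x
    message: str    # the text line that follows the header


def parse_client_log(text: str) -> List[LogEntry]:
    """Pair every header line with the message line that follows it."""
    lines = text.splitlines()
    entries: List[LogEntry] = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if m and i + 1 < len(lines):
            entries.append(LogEntry(int(m["seq"]), m["time"], m["sev"], int(m["level"]),
                                    m["module"], int(m["code"], 16), lines[i + 1].strip()))
            i += 2
        else:
            i += 1
    return entries


EXCHANGE_NAMES = {"AG": "aggressive mode", "MM": "main mode"}


def diagnose_phase1(entries: List[LogEntry]) -> Dict[str, object]:
    """Summarise a failed Phase 1 from the client's own IKE events."""
    exchange = None
    reason = None
    warnings: List[str] = []
    for e in entries:
        if e.module == "IKE" and exchange is None:
            m = re.search(r"ISAKMP OAK (AG|MM)\b", e.message)
            if m:
                exchange = EXCHANGE_NAMES[m.group(1)]
        if e.severity == "Warning":
            warnings.append(e.message)
        if "Marking IKE SA for deletion" in e.message:
            m = re.search(r"reason = (\w+)", e.message)
            if m:
                reason = m.group(1)
    likely_cause = None
    if any("Hash verification failed" in w or "HASH payload cannot be verified" in w for w in warnings):
        # In aggressive mode the responder keys its HASH from the pre-shared key it looked up
        # by the group name in the client's ID payload. A HASH the client cannot verify means
        # the two sides derived keys from different secrets: wrong group name (case-sensitive
        # on the PIX, as the thread found) or wrong group password.
        likely_cause = ("pre-shared key mismatch: group name and/or group password do not match "
                        "a tunnel-group on the PIX (group names are case-sensitive)")
    elif reason is not None:
        likely_cause = "IKE negotiation failed for another reason; inspect the warnings"
    return {"phase1_failed": reason is not None, "reason": reason, "exchange": exchange,
            "warnings": warnings, "likely_cause": likely_cause}


if __name__ == "__main__":
    for key, value in diagnose_phase1(parse_client_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log, the same two functions give the same verdict: the exchange is aggressive mode, the only warnings are the HASH ones, and the deletion reason is the one the client reports in its final CM line.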
CERTIFIED EXPERT

Commented:
Can you post the PIX configuration? From the command line, type 'show run'; there should be an equivalent option in the web interface.

Author

Commented:
What exactly are you looking for and I can post just that config.  I don't feel that comfortable posting my entire PIX config in here.
CERTIFIED EXPERT

Commented:
Mainly the lines starting with the following commands:

crypto
sysopt
isakmp
vpngroup (remove any passwords listed here)

I intend to make sure the security settings in the crypto command match the isakmp commands.
Check you are using the correct group.
Check you have crypto setup for clients. Your mention of a preshared key concerns me as that is used for fixed LAN-LAN vpns.

Author

Commented:

 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
group-policy testvpn_1 internal
group-policy testvpn_1 attributes
 dns-server value 172.x.x.x
 vpn-access-hours none
 vpn-simultaneous-logins 30
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
 default-domain value test.com
 split-dns value test.com
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass enable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy teststatic internal
group-policy teststatic attributes
 dns-server value 172.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
 default-domain value test.com
group-policy STATE internal
group-policy SSS internal
username sss1 password M90c5rCP2PtJM5u. encrypted
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy dcipavpn_1
username gflorescu password w8mBXlD63mfCEpZv encrypted privilege 15
username gflorescu attributes
 vpn-group-policy testadmin
username efmmaint password cBd87LfKjBQpNg6I encrypted
username state password 0xIEpG//PP2OTuHh encrypted privilege 0
username state attributes
 vpn-group-policy STATE

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
crypto map outside_map 140 match address outside_cryptomap_140_1
crypto map outside_map 140 set peer 216.110.199.90
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set peer 66.213.240.53
crypto map outside_map 220 set transform-set ESP-3DES-MD5
crypto map outside_map 240 match address outside_cryptomap_240
crypto map outside_map 240 set pfs
crypto map outside_map 240 set peer 199.34.6.30
crypto map outside_map 240 set transform-set ESP-3DES-SHA
crypto map outside_map 260 match address outside_cryptomap_260_1
crypto map outside_map 260 set peer 67.133.62.65
crypto map outside_map 260 set transform-set ESP-3DES-MD5
crypto map outside_map 280 match address outside_cryptomap_280
crypto map outside_map 280 set peer 12.5.170.131
crypto map outside_map 280 set transform-set ESP-3DES-MD5
crypto map outside_map 300 match address outside_cryptomap_300
crypto map outside_map 300 set peer 66.105.34.178
crypto map outside_map 300 set transform-set ESP-3DES-SHA
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 205.158.190.163
crypto map outside_map 320 set transform-set ESP-3DES-MD5
crypto map outside_map 340 match address outside_cryptomap_340_1
crypto map outside_map 340 set peer 216.110.209.146
crypto map outside_map 340 set transform-set ESP-AES-256-MD5
crypto map outside_map 360 match address outside_cryptomap_360
crypto map outside_map 360 set peer 66.178.152.34
crypto map outside_map 360 set transform-set ESP-DES-MD5
crypto map outside_map 380 match address outside_cryptomap_380
crypto map outside_map 380 set peer 71.216.44.116
crypto map outside_map 380 set transform-set ESP-DES-MD5
crypto map outside_map 400 match address outside_cryptomap_400_1
crypto map outside_map 400 set peer 12.39.198.46
crypto map outside_map 400 set transform-set ESP-3DES-SHA
crypto map outside_map 420 match address outside_cryptomap_420
crypto map outside_map 420 set pfs
crypto map outside_map 420 set peer 67.131.15.186
crypto map outside_map 420 set transform-set ESP-3DES-MD5
crypto map outside_map 440 match address outside_cryptomap_440
crypto map outside_map 440 set peer 67.133.62.54
crypto map outside_map 440 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash md5
isakmp policy 70 group 5
isakmp policy 70 lifetime 86400
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption aes-192
isakmp policy 110 hash sha
isakmp policy 110 group 5
isakmp policy 110 lifetime 86400
isakmp nat-traversal  20
tunnel-group 216.110.199.90 type ipsec-l2l
tunnel-group 216.110.199.90 ipsec-attributes
 pre-shared-key *
tunnel-group 12.5.170.131 type ipsec-l2l
tunnel-group 12.5.170.131 ipsec-attributes
 pre-shared-key *
tunnel-group 67.133.62.65 type ipsec-l2l
tunnel-group 67.133.62.65 ipsec-attributes
 pre-shared-key *
tunnel-group 67.133.62.54 type ipsec-l2l
tunnel-group 67.133.62.54 ipsec-attributes
 pre-shared-key *
tunnel-group 66.213.240.53 type ipsec-l2l
tunnel-group 66.213.240.53 ipsec-attributes
 pre-shared-key *
tunnel-group 199.34.6.30 type ipsec-l2l
tunnel-group 199.34.6.30 ipsec-attributes
 pre-shared-key *
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS LOCAL
 default-group-policy dcipavpn_1
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
tunnel-group TS-TEST type ipsec-ra
tunnel-group TS-TEST general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS
 default-group-policy TS-TEST
tunnel-group TS-TEST ipsec-attributes
 pre-shared-key *
tunnel-group 66.105.34.178 type ipsec-l2l
tunnel-group 66.105.34.178 ipsec-attributes
 pre-shared-key *
tunnel-group testadmin type ipsec-ra
tunnel-group testadmin general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS
 default-group-policy testadmin
tunnel-group testadmin ipsec-attributes
 pre-shared-key *
tunnel-group 205.158.190.163 type ipsec-l2l
tunnel-group 205.158.190.163 ipsec-attributes
 pre-shared-key *
tunnel-group 216.110.209.146 type ipsec-l2l
tunnel-group 216.110.209.146 ipsec-attributes
 pre-shared-key *
tunnel-group 66.178.152.34 type ipsec-l2l
tunnel-group 66.178.152.34 ipsec-attributes
 pre-shared-key *
tunnel-group 71.216.44.116 type ipsec-l2l
tunnel-group 71.216.44.116 ipsec-attributes
 pre-shared-key *
tunnel-group 12.39.198.46 type ipsec-l2l
tunnel-group 12.39.198.46 ipsec-attributes
 pre-shared-key *
tunnel-group teststatic type ipsec-ra
tunnel-group teststatic general-attributes
 address-pool static-1
 default-group-policy teststatic
tunnel-group teststatic ipsec-attributes
 pre-shared-key *
tunnel-group 67.131.15.186 type ipsec-l2l
tunnel-group 67.131.15.186 ipsec-attributes
 pre-shared-key *
tunnel-group EFM type ipsec-ra
tunnel-group EFM general-attributes
 address-pool VPN-pool-1
tunnel-group EFM ipsec-attributes
 pre-shared-key *
tunnel-group STATE type ipsec-ra
tunnel-group STATE general-attributes
 address-pool VPN-pool-1
 default-group-policy STATE
tunnel-group STATE ipsec-attributes
 pre-shared-key *
tunnel-group SSS type ipsec-ra
tunnel-group SSS general-attributes
 address-pool VPN-pool-1
 default-group-policy SSS
tunnel-group SSS ipsec-attributes
 pre-shared-key *
CERTIFIED EXPERT

Commented:
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
This specifies which crypto_map is to be used for dynamic connections (software vpn clients)

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
You have loads of them defined. You should really only have one.
I would keep the first one and delete the others.

The following web page gives you a guide on how to set it up.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Let me know how you get on.

Author

Commented:
Our network is pretty complex and we need all of those.  What am I missing in my config?  

I have other tunnel groups that work just fine.  
CERTIFIED EXPERT

Commented:
'crypto map outside_map' defines all the crypto maps for your fixed VPN connections between networks. The 'crypto dynamic-map' is just for dynamic connections where the other end has a dynamic IP address, i.e. a software VPN client or a site with a dynamic IP address that is set up in EasyVPN mode.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
>VPN Client Version 4.0.4 (Rel)
Highly suggest updating to at least 4.8 with XP/SP2

>Hash verification failed... may be configured with invalid group password.
This says it all.

>group-policy testvpn_1 internal
Is this the group that you are using for this test?
If yes, I don't see the following matching required commands:

tunnel-group testvpn_1 ipsec-attributes
 pre-shared-key *
tunnel-group testvpn_1 general-attributes
 address-pool VPN-pool-1

Author

Commented:
No, the group I'm using is called SSS.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
OK...
>tunnel-group SSS ipsec-attributes
 pre-shared-key *

Are you sure you are using the right group authentication with groupname SSS and password same as the pre-shared key?

Author

Commented:
I figured out what was wrong.  I didn't realize the tunnel group was case sensitive.  I was using sss instead of SSS.

My next problem, now that I have it working, is that I can VPN in but I can access every resource.  I thought I had restricted it to only 1 host.  Where can I check that?
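Two checks were done by hand in this thread: Les Moore looked for the tunnel-group commands (pre-shared-key, address-pool) that a group-policy needs before a client can land in it, and the author found that the tunnel-group name is matched case-sensitively, so "sss" is not "SSS". The script below is an added example, not code from the thread or from Cisco, that automates both against a 'show run' excerpt and also confirms that every transform-set a 'crypto dynamic-map' entry references is defined. SAMPLE_CONFIG is an abridged copy of the configuration posted above with the password hash replaced by a placeholder; dcipavpn_1 is reported only because its definition is not in the posted excerpt. The one-space indentation of sub-commands and the stanza names are taken from that posted config.

```python
from typing import List, Optional, Tuple

# Abridged from the PIX configuration posted above; hash replaced by REDACTED.
SAMPLE_CONFIG = """\
group-policy testvpn_1 internal
group-policy STATE internal
group-policy SSS internal
username state password REDACTED encrypted privilege 0
username state attributes
 vpn-group-policy STATE
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
 address-pool VPN-pool-1
 default-group-policy dcipavpn_1
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
tunnel-group EFM type ipsec-ra
tunnel-group EFM general-attributes
 address-pool VPN-pool-1
tunnel-group EFM ipsec-attributes
 pre-shared-key *
tunnel-group STATE type ipsec-ra
tunnel-group STATE general-attributes
 address-pool VPN-pool-1
 default-group-policy STATE
tunnel-group STATE ipsec-attributes
 pre-shared-key *
tunnel-group SSS type ipsec-ra
tunnel-group SSS general-attributes
 address-pool VPN-pool-1
 default-group-policy SSS
tunnel-group SSS ipsec-attributes
 pre-shared-key *
"""


def parse_pix_config(text: str) -> dict:
    """Collect the group-policy, username, transform-set and tunnel-group facts
    a remote-access audit needs. Sub-commands are the lines indented by one space."""
    cfg: dict = {"group_policies": set(), "tunnel_groups": {}, "transform_sets": set(),
                 "dynmap_refs": [], "user_policies": {}}
    section: Optional[Tuple[str, str, str]] = None   # (kind, name, attribute block)
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        parts = raw.split()
        if raw.startswith(" "):                        # sub-command of the current stanza
            if section is None:
                continue
            kind, name, block = section
            if kind == "tunnel-group":
                cfg["tunnel_groups"][name][block][parts[0]] = " ".join(parts[1:])
            elif kind == "username" and parts[0] == "vpn-group-policy":
                cfg["user_policies"][name] = parts[1]
            continue
        section = None
        if parts[0] == "group-policy" and len(parts) > 2 and parts[2] in ("internal", "external"):
            cfg["group_policies"].add(parts[1])
        elif parts[0] == "tunnel-group":
            tg = cfg["tunnel_groups"].setdefault(parts[1], {"type": None, "general": {}, "ipsec": {}})
            if parts[2] == "type":
                tg["type"] = parts[3]
            elif parts[2] in ("general-attributes", "ipsec-attributes"):
                section = ("tunnel-group", parts[1], parts[2].split("-")[0])
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(parts[3])
        elif parts[:2] == ["crypto", "dynamic-map"] and "transform-set" in parts:
            cfg["dynmap_refs"].append((parts[2], parts[3], parts[parts.index("transform-set") + 1]))
        elif parts[0] == "username" and len(parts) > 2 and parts[2] == "attributes":
            section = ("username", parts[1], "")
    return cfg


def audit_remote_access(cfg: dict) -> List[str]:
    """Report the gaps that stop a software client from landing in a usable tunnel-group."""
    findings: List[str] = []
    for name, tg in sorted(cfg["tunnel_groups"].items()):
        if tg["type"] != "ipsec-ra":                   # LAN-to-LAN groups are out of scope here
            continue
        if "pre-shared-key" not in tg["ipsec"]:
            findings.append(f"tunnel-group {name}: no pre-shared-key in ipsec-attributes")
        if "address-pool" not in tg["general"]:
            findings.append(f"tunnel-group {name}: no address-pool in general-attributes")
        gp = tg["general"].get("default-group-policy")
        if gp and gp not in cfg["group_policies"]:
            findings.append(f"tunnel-group {name}: default-group-policy {gp} is not defined in this excerpt")
    referenced = {tg["general"].get("default-group-policy") for tg in cfg["tunnel_groups"].values()}
    referenced |= set(cfg["user_policies"].values())
    for gp in sorted(cfg["group_policies"]):
        if gp not in referenced:
            findings.append(f"group-policy {gp}: no tunnel-group or username refers to it")
    for map_name, seq, ts in cfg["dynmap_refs"]:
        if ts not in cfg["transform_sets"]:
            findings.append(f"crypto dynamic-map {map_name} {seq}: transform-set {ts} is not defined")
    return findings


def find_tunnel_group(cfg: dict, client_group_name: str) -> Tuple[Optional[str], Optional[str]]:
    """Exact, case-sensitive lookup, as the PIX does; a near miss returns a hint, not a match."""
    if client_group_name in cfg["tunnel_groups"]:
        return client_group_name, None
    near = [n for n in cfg["tunnel_groups"] if n.lower() == client_group_name.lower()]
    if near:
        return None, f"no tunnel-group '{client_group_name}'; did you mean '{near[0]}'? (names are case-sensitive)"
    return None, f"no tunnel-group '{client_group_name}'"


if __name__ == "__main__":
    cfg = parse_pix_config(SAMPLE_CONFIG)
    for finding in audit_remote_access(cfg):
        print("finding:", finding)
    print(find_tunnel_group(cfg, "sss"))
```

On the abridged excerpt the audit reports exactly the two things the thread noticed: group-policy testvpn_1 has no tunnel-group or username pointing at it, and tunnel-group testvpn names a default-group-policy that is not in the excerpt. The lookup for "sss" fails with a hint naming SSS, which is the mismatch the author hit.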
Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented: