unable to VPN into Cisco PIX 535 IKE Negotiation failed
I have a PIX 535 and I created a local user account. Then I went thru the VPN Wizard to setup the remote access VPN. I setup a preshared key and tunnel group name. When I try to connect I get this in the VPN Client log:
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED
grblades
Can you post your configuration?
ASKER
Here's the client logs:
Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600
1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process
6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114
11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x
15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)
22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO)
23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201
25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835
26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED
28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600
1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries
5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process
6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully
7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114
11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x
15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)
22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO)
23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201
25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835
26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED
28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Can you post the PIX configuration. From the command like type 'show run' and there should be an equivilent option from the web interface.
ASKER
What exactly are you looking for and I can post just that config. I don't feel that comfortable posting my entire PIX config in here.
Mainly the lines starting with the following commands :-
crypto
sysopt
isakmp
vpngroup (remove any passwords listed here)
I intend to make sure the security settings in the crypto command match the isakmp commands.
Check you are using the correct group.
Check you have crypto setup for clients. Your mention of a preshared key concerns me as that is used for fixed LAN-LAN vpns.
crypto
sysopt
isakmp
vpngroup (remove any passwords listed here)
I intend to make sure the security settings in the crypto command match the isakmp commands.
Check you are using the correct group.
Check you have crypto setup for clients. Your mention of a preshared key concerns me as that is used for fixed LAN-LAN vpns.
ASKER
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testvpn_splitTunnelAcl
group-policy testvpn_1 internal
group-policy testvpn_1 attributes
dns-server value 172.x.x.x
vpn-access-hours none
vpn-simultaneous-logins 30
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testvpn_splitTunnelAcl
default-domain value test.com
split-dns value test.com
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass enable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
group-policy teststatic internal
group-policy teststatic attributes
dns-server value 172.x.x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value testvpn_splitTunnelAcl
default-domain value test.com
group-policy STATE internal
group-policy SSS internal
username sss1 password M90c5rCP2PtJM5u. encrypted
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
vpn-group-policy dcipavpn_1
username gflorescu password w8mBXlD63mfCEpZv encrypted privilege 15
username gflorescu attributes
vpn-group-policy testadmin
username efmmaint password cBd87LfKjBQpNg6I encrypted
username state password 0xIEpG//PP2OTuHh encrypted privilege 0
username state attributes
vpn-group-policy STATE
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
crypto map outside_map 140 match address outside_cryptomap_140_1
crypto map outside_map 140 set peer 216.110.199.90
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set peer 66.213.240.53
crypto map outside_map 220 set transform-set ESP-3DES-MD5
crypto map outside_map 240 match address outside_cryptomap_240
crypto map outside_map 240 set pfs
crypto map outside_map 240 set peer 199.34.6.30
crypto map outside_map 240 set transform-set ESP-3DES-SHA
crypto map outside_map 260 match address outside_cryptomap_260_1
crypto map outside_map 260 set peer 67.133.62.65
crypto map outside_map 260 set transform-set ESP-3DES-MD5
crypto map outside_map 280 match address outside_cryptomap_280
crypto map outside_map 280 set peer 12.5.170.131
crypto map outside_map 280 set transform-set ESP-3DES-MD5
crypto map outside_map 300 match address outside_cryptomap_300
crypto map outside_map 300 set peer 66.105.34.178
crypto map outside_map 300 set transform-set ESP-3DES-SHA
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 205.158.190.163
crypto map outside_map 320 set transform-set ESP-3DES-MD5
crypto map outside_map 340 match address outside_cryptomap_340_1
crypto map outside_map 340 set peer 216.110.209.146
crypto map outside_map 340 set transform-set ESP-AES-256-MD5
crypto map outside_map 360 match address outside_cryptomap_360
crypto map outside_map 360 set peer 66.178.152.34
crypto map outside_map 360 set transform-set ESP-DES-MD5
crypto map outside_map 380 match address outside_cryptomap_380
crypto map outside_map 380 set peer 71.216.44.116
crypto map outside_map 380 set transform-set ESP-DES-MD5
crypto map outside_map 400 match address outside_cryptomap_400_1
crypto map outside_map 400 set peer 12.39.198.46
crypto map outside_map 400 set transform-set ESP-3DES-SHA
crypto map outside_map 420 match address outside_cryptomap_420
crypto map outside_map 420 set pfs
crypto map outside_map 420 set peer 67.131.15.186
crypto map outside_map 420 set transform-set ESP-3DES-MD5
crypto map outside_map 440 match address outside_cryptomap_440
crypto map outside_map 440 set peer 67.133.62.54
crypto map outside_map 440 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash md5
isakmp policy 70 group 5
isakmp policy 70 lifetime 86400
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption aes-192
isakmp policy 110 hash sha
isakmp policy 110 group 5
isakmp policy 110 lifetime 86400
isakmp nat-traversal 20
tunnel-group 216.110.199.90 type ipsec-l2l
tunnel-group 216.110.199.90 ipsec-attributes
pre-shared-key *
tunnel-group 12.5.170.131 type ipsec-l2l
tunnel-group 12.5.170.131 ipsec-attributes
pre-shared-key *
tunnel-group 67.133.62.65 type ipsec-l2l
tunnel-group 67.133.62.65 ipsec-attributes
pre-shared-key *
tunnel-group 67.133.62.54 type ipsec-l2l
tunnel-group 67.133.62.54 ipsec-attributes
pre-shared-key *
tunnel-group 66.213.240.53 type ipsec-l2l
tunnel-group 66.213.240.53 ipsec-attributes
pre-shared-key *
tunnel-group 199.34.6.30 type ipsec-l2l
tunnel-group 199.34.6.30 ipsec-attributes
pre-shared-key *
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
address-pool VPN-pool-1
authentication-server-grou
default-group-policy dcipavpn_1
tunnel-group testvpn ipsec-attributes
pre-shared-key *
tunnel-group TS-TEST type ipsec-ra
tunnel-group TS-TEST general-attributes
address-pool VPN-pool-1
authentication-server-grou
default-group-policy TS-TEST
tunnel-group TS-TEST ipsec-attributes
pre-shared-key *
tunnel-group 66.105.34.178 type ipsec-l2l
tunnel-group 66.105.34.178 ipsec-attributes
pre-shared-key *
tunnel-group testadmin type ipsec-ra
tunnel-group testadmin general-attributes
address-pool VPN-pool-1
authentication-server-grou
default-group-policy testadmin
tunnel-group testadmin ipsec-attributes
pre-shared-key *
tunnel-group 205.158.190.163 type ipsec-l2l
tunnel-group 205.158.190.163 ipsec-attributes
pre-shared-key *
tunnel-group 216.110.209.146 type ipsec-l2l
tunnel-group 216.110.209.146 ipsec-attributes
pre-shared-key *
tunnel-group 66.178.152.34 type ipsec-l2l
tunnel-group 66.178.152.34 ipsec-attributes
pre-shared-key *
tunnel-group 71.216.44.116 type ipsec-l2l
tunnel-group 71.216.44.116 ipsec-attributes
pre-shared-key *
tunnel-group 12.39.198.46 type ipsec-l2l
tunnel-group 12.39.198.46 ipsec-attributes
pre-shared-key *
tunnel-group teststatic type ipsec-ra
tunnel-group teststatic general-attributes
address-pool static-1
default-group-policy teststatic
tunnel-group teststatic ipsec-attributes
pre-shared-key *
tunnel-group 67.131.15.186 type ipsec-l2l
tunnel-group 67.131.15.186 ipsec-attributes
pre-shared-key *
tunnel-group EFM type ipsec-ra
tunnel-group EFM general-attributes
address-pool VPN-pool-1
tunnel-group EFM ipsec-attributes
pre-shared-key *
tunnel-group STATE type ipsec-ra
tunnel-group STATE general-attributes
address-pool VPN-pool-1
default-group-policy STATE
tunnel-group STATE ipsec-attributes
pre-shared-key *
tunnel-group SSS type ipsec-ra
tunnel-group SSS general-attributes
address-pool VPN-pool-1
default-group-policy SSS
tunnel-group SSS ipsec-attributes
pre-shared-key *
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
This specifies which crypto_map is to be used for dynamic connections (software vpn clients)
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
You have loads of them defined. You should really only have one.
I would keep the first one and delete the others.
The following web page gives you a guide on how to set it up.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Let me know how you get on.
This specifies which crypto_map is to be used for dynamic connections (software vpn clients)
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
You have loads of them defined. You should really only have one.
I would keep the first one and delete the others.
The following web page gives you a guide on how to set it up.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Let me know how you get on.
ASKER
Our network is pretty complex and we need all of those. What am I missing in my config?
I have other tunnel groups that work just fine.
I have other tunnel groups that work just fine.
'crypto map outside_map ' defines all the crypto maps for your fixed VPN connections between networks. The 'crypto dynamic-map' is just for dynamic connections where the other end has a dynamic IP address i.e a software vpn client or a site with a dynamic IP address that is setup in easyvpn mode.
>VPN Client Version 4.0.4 (Rel)
Highly suggest updating to at least 4.8 with XP/SP2
>Hash verification failed... may be configured with invalid group password.
This says it all.
>group-policy testvpn_1 internal
Is this the group that you are using for this test?
If yes, I don't see the following matching required commands:
tunnel-group testvpn_1 ipsec-attributes
pre-shared-key *
tunnel-group testvpn_1 general-attributes
address-pool VPN-pool-1
Highly suggest updating to at least 4.8 with XP/SP2
>Hash verification failed... may be configured with invalid group password.
This says it all.
>group-policy testvpn_1 internal
Is this the group that you are using for this test?
If yes, I don't see the following matching required commands:
tunnel-group testvpn_1 ipsec-attributes
pre-shared-key *
tunnel-group testvpn_1 general-attributes
address-pool VPN-pool-1
ASKER
No, the group I'm using is called SSS.
OK...
>tunnel-group SSS ipsec-attributes
pre-shared-key *
Are you sure you are using the right group authentication with groupname SSS and password same as the pre-shared key?
>tunnel-group SSS ipsec-attributes
pre-shared-key *
Are you sure you are using the right group authentication with groupname SSS and password same as the pre-shared key?
ASKER
I figured out what was wrong. I didn't realize the tunnel group was case sensitive. I was using sss, instead of SSS.
My next problem with it that I got it to work now is that I can vpn in but I can access every resource. I thought I had restricted it to only 1 host. Where can I check that?
My next problem with it that I got it to work now is that I can vpn in but I can access every resource. I thought I had restricted it to only 1 host. Where can I check that?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.