Solved

Unable to VPN into Cisco PIX 535: IKE negotiation failed

Posted on 2007-10-02
Last Modified: 2008-01-09
I have a PIX 535 and I created a local user account.  Then I went through the VPN Wizard to set up the remote access VPN.  I set up a preshared key and tunnel group name.  When I try to connect I get this in the VPN Client log:

Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
Question by:Florescu
14 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 19997902
Can you post your configuration?
 

Author Comment

by:Florescu
ID: 19998079
Here's the client logs:

Cisco Systems VPN Client Version 4.0.4 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 05:48:47.687 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

2 05:48:47.765 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

3 05:49:07.156 10/02/07 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

4 05:49:07.234 10/02/07 Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

5 05:49:46.656 10/02/07 Sev=Info/4 CM/0x63100002
Begin connection process

6 05:49:46.671 10/02/07 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

7 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

8 05:49:46.671 10/02/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

9 05:49:47.671 10/02/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 216.110.208.114

11 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

12 05:49:47.687 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

13 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

15 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

16 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

17 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

18 05:49:47.781 10/02/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified

20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.

21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)

22 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

23 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

24 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2201)

25 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

26 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=DD5CB2F562AC2835 R_Cookie=8ABECB968B1F8D0F) reason = DEL_REASON_IKE_NEG_FAILED

27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"

28 05:49:48.671 10/02/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

29 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

30 05:49:48.671 10/02/07 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

31 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

32 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

33 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

34 05:49:49.171 10/02/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
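The client log above already contains the diagnosis; the following added script (not from the original thread) parses a Cisco VPN Client 4.x log in that format and classifies the Phase 1 failure, distinguishing "the peer never answered" from "the peer answered but the HASH did not verify". The embedded log excerpt is constructed, with the peer address and cookies replaced by placeholders.

```python
import re

# Constructed Cisco VPN Client 4.x log excerpt, modelled on the log posted
# above; the peer address is a placeholder.
SAMPLE_LOG = """\
10 05:49:47.687 10/02/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(Unity)) to x.x.x.x
14 05:49:47.781 10/02/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity)) from x.x.x.x
19 05:49:47.781 10/02/07 Sev=Warning/3 IKE/0xE3000056
The received HASH payload cannot be verified
20 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE300007D
Hash verification failed... may be configured with invalid group password.
21 05:49:47.781 10/02/07 Sev=Warning/2 IKE/0xE3000099
Failed to authenticate peer (Navigator:903)
27 05:49:48.671 10/02/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Header line: "<seq> <time> <date> Sev=<Level>/<n> <subsystem>/<code>";
# the message text is always on the following line.
HEADER = re.compile(
    r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")


def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for i in range(len(lines) - 1):
        m = HEADER.match(lines[i])
        if m:
            entries.append({
                "seq": int(m.group(1)), "sev": m.group(4), "level": int(m.group(5)),
                "subsys": m.group(6), "code": m.group(7), "msg": lines[i + 1],
            })
    return entries


def triage_phase1(text):
    """Classify an IKE Phase 1 failure from the client-side log alone."""
    entries = parse_entries(text)
    msgs = [e["msg"] for e in entries]
    sent = any(m.startswith("SENDING >>> ISAKMP OAK AG") for m in msgs)
    got_reply = any(m.startswith("RECEIVING <<< ISAKMP OAK AG") for m in msgs)
    warnings = [e for e in entries if e["sev"] == "Warning"]
    failed = any("Phase 1 SA" in m and "DEL_REASON" in m for m in msgs)

    if not failed:
        return "ok", "no Phase 1 failure recorded"
    if sent and not got_reply:
        # Nothing came back: reachability or 'isakmp enable' on the outside interface.
        return "no_reply", "peer never answered the aggressive-mode proposal"
    if any("Hash verification failed" in w["msg"] for w in warnings):
        # The peer answered, so IKE is up; the group name (case sensitive) or the
        # group password does not match the tunnel-group's pre-shared-key.
        return "group_auth", "HASH did not verify: group name or group password mismatch"
    return "other", "first warning: " + (warnings[0]["msg"] if warnings else "none")
```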
 
LVL 36

Expert Comment

by:grblades
ID: 19998111
Can you post the PIX configuration? From the command line type 'show run'; there should be an equivalent option in the web interface.

 

Author Comment

by:Florescu
ID: 19999046
What exactly are you looking for and I can post just that config.  I don't feel that comfortable posting my entire PIX config in here.
 
LVL 36

Expert Comment

by:grblades
ID: 19999237
Mainly the lines starting with the following commands:

crypto
sysopt
isakmp
vpngroup (remove any passwords listed here)

I intend to make sure the security settings in the crypto command match the isakmp commands.
Check you are using the correct group.
Check you have crypto set up for clients. Your mention of a preshared key concerns me as that is used for fixed LAN-LAN VPNs.
 

Author Comment

by:Florescu
ID: 19999536

 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
group-policy testvpn_1 internal
group-policy testvpn_1 attributes
 dns-server value 172.x.x.x
 vpn-access-hours none
 vpn-simultaneous-logins 30
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
 default-domain value test.com
 split-dns value test.com
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass enable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
group-policy teststatic internal
group-policy teststatic attributes
 dns-server value 172.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
 default-domain value test.com
group-policy STATE internal
group-policy SSS internal
username sss1 password M90c5rCP2PtJM5u. encrypted
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy dcipavpn_1
username gflorescu password w8mBXlD63mfCEpZv encrypted privilege 15
username gflorescu attributes
 vpn-group-policy testadmin
username efmmaint password cBd87LfKjBQpNg6I encrypted
username state password 0xIEpG//PP2OTuHh encrypted privilege 0
username state attributes
 vpn-group-policy STATE

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
crypto map outside_map 140 match address outside_cryptomap_140_1
crypto map outside_map 140 set peer 216.110.199.90
crypto map outside_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set peer 66.213.240.53
crypto map outside_map 220 set transform-set ESP-3DES-MD5
crypto map outside_map 240 match address outside_cryptomap_240
crypto map outside_map 240 set pfs
crypto map outside_map 240 set peer 199.34.6.30
crypto map outside_map 240 set transform-set ESP-3DES-SHA
crypto map outside_map 260 match address outside_cryptomap_260_1
crypto map outside_map 260 set peer 67.133.62.65
crypto map outside_map 260 set transform-set ESP-3DES-MD5
crypto map outside_map 280 match address outside_cryptomap_280
crypto map outside_map 280 set peer 12.5.170.131
crypto map outside_map 280 set transform-set ESP-3DES-MD5
crypto map outside_map 300 match address outside_cryptomap_300
crypto map outside_map 300 set peer 66.105.34.178
crypto map outside_map 300 set transform-set ESP-3DES-SHA
crypto map outside_map 320 match address outside_cryptomap_320
crypto map outside_map 320 set peer 205.158.190.163
crypto map outside_map 320 set transform-set ESP-3DES-MD5
crypto map outside_map 340 match address outside_cryptomap_340_1
crypto map outside_map 340 set peer 216.110.209.146
crypto map outside_map 340 set transform-set ESP-AES-256-MD5
crypto map outside_map 360 match address outside_cryptomap_360
crypto map outside_map 360 set peer 66.178.152.34
crypto map outside_map 360 set transform-set ESP-DES-MD5
crypto map outside_map 380 match address outside_cryptomap_380
crypto map outside_map 380 set peer 71.216.44.116
crypto map outside_map 380 set transform-set ESP-DES-MD5
crypto map outside_map 400 match address outside_cryptomap_400_1
crypto map outside_map 400 set peer 12.39.198.46
crypto map outside_map 400 set transform-set ESP-3DES-SHA
crypto map outside_map 420 match address outside_cryptomap_420
crypto map outside_map 420 set pfs
crypto map outside_map 420 set peer 67.131.15.186
crypto map outside_map 420 set transform-set ESP-3DES-MD5
crypto map outside_map 440 match address outside_cryptomap_440
crypto map outside_map 440 set peer 67.133.62.54
crypto map outside_map 440 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption aes-256
isakmp policy 70 hash md5
isakmp policy 70 group 5
isakmp policy 70 lifetime 86400
isakmp policy 90 authentication pre-share
isakmp policy 90 encryption des
isakmp policy 90 hash md5
isakmp policy 90 group 2
isakmp policy 90 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption aes-192
isakmp policy 110 hash sha
isakmp policy 110 group 5
isakmp policy 110 lifetime 86400
isakmp nat-traversal  20
tunnel-group 216.110.199.90 type ipsec-l2l
tunnel-group 216.110.199.90 ipsec-attributes
 pre-shared-key *
tunnel-group 12.5.170.131 type ipsec-l2l
tunnel-group 12.5.170.131 ipsec-attributes
 pre-shared-key *
tunnel-group 67.133.62.65 type ipsec-l2l
tunnel-group 67.133.62.65 ipsec-attributes
 pre-shared-key *
tunnel-group 67.133.62.54 type ipsec-l2l
tunnel-group 67.133.62.54 ipsec-attributes
 pre-shared-key *
tunnel-group 66.213.240.53 type ipsec-l2l
tunnel-group 66.213.240.53 ipsec-attributes
 pre-shared-key *
tunnel-group 199.34.6.30 type ipsec-l2l
tunnel-group 199.34.6.30 ipsec-attributes
 pre-shared-key *
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS LOCAL
 default-group-policy dcipavpn_1
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
tunnel-group TS-TEST type ipsec-ra
tunnel-group TS-TEST general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS
 default-group-policy TS-TEST
tunnel-group TS-TEST ipsec-attributes
 pre-shared-key *
tunnel-group 66.105.34.178 type ipsec-l2l
tunnel-group 66.105.34.178 ipsec-attributes
 pre-shared-key *
tunnel-group testadmin type ipsec-ra
tunnel-group testadmin general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS
 default-group-policy testadmin
tunnel-group testadmin ipsec-attributes
 pre-shared-key *
tunnel-group 205.158.190.163 type ipsec-l2l
tunnel-group 205.158.190.163 ipsec-attributes
 pre-shared-key *
tunnel-group 216.110.209.146 type ipsec-l2l
tunnel-group 216.110.209.146 ipsec-attributes
 pre-shared-key *
tunnel-group 66.178.152.34 type ipsec-l2l
tunnel-group 66.178.152.34 ipsec-attributes
 pre-shared-key *
tunnel-group 71.216.44.116 type ipsec-l2l
tunnel-group 71.216.44.116 ipsec-attributes
 pre-shared-key *
tunnel-group 12.39.198.46 type ipsec-l2l
tunnel-group 12.39.198.46 ipsec-attributes
 pre-shared-key *
tunnel-group teststatic type ipsec-ra
tunnel-group teststatic general-attributes
 address-pool static-1
 default-group-policy teststatic
tunnel-group teststatic ipsec-attributes
 pre-shared-key *
tunnel-group 67.131.15.186 type ipsec-l2l
tunnel-group 67.131.15.186 ipsec-attributes
 pre-shared-key *
tunnel-group EFM type ipsec-ra
tunnel-group EFM general-attributes
 address-pool VPN-pool-1
tunnel-group EFM ipsec-attributes
 pre-shared-key *
tunnel-group STATE type ipsec-ra
tunnel-group STATE general-attributes
 address-pool VPN-pool-1
 default-group-policy STATE
tunnel-group STATE ipsec-attributes
 pre-shared-key *
tunnel-group SSS type ipsec-ra
tunnel-group SSS general-attributes
 address-pool VPN-pool-1
 default-group-policy SSS
tunnel-group SSS ipsec-attributes
 pre-shared-key *
 
LVL 36

Expert Comment

by:grblades
ID: 20000124
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
This specifies which crypto_map is to be used for dynamic connections (software vpn clients)

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 set reverse-route
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 160 match address outside_cryptomap_dyn_160
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-AES-256-SHA
You have loads of them defined. You should really only have one.
I would keep the first one and delete the others.

The following web page gives you a guide on how to set it up.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Let me know how you get on.
 

Author Comment

by:Florescu
ID: 20001756
Our network is pretty complex and we need all of those.  What am I missing in my config?  

I have other tunnel groups that work just fine.  
 
LVL 36

Expert Comment

by:grblades
ID: 20001833
'crypto map outside_map' defines all the crypto maps for your fixed VPN connections between networks. The 'crypto dynamic-map' is just for dynamic connections where the other end has a dynamic IP address, i.e. a software VPN client or a site with a dynamic IP address that is set up in EasyVPN mode.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20002653
>VPN Client Version 4.0.4 (Rel)
Highly suggest updating to at least 4.8 with XP/SP2

>Hash verification failed... may be configured with invalid group password.
This says it all.

>group-policy testvpn_1 internal
Is this the group that you are using for this test?
If yes, I don't see the following matching required commands:

tunnel-group testvpn_1 ipsec-attributes
 pre-shared-key *
tunnel-group testvpn_1 general-attributes
 address-pool VPN-pool-1

 

Author Comment

by:Florescu
ID: 20002891
No, the group I'm using is called SSS.
 
LVL 79

Expert Comment

by:lrmoore
ID: 20002968
OK...
>tunnel-group SSS ipsec-attributes
 pre-shared-key *

Are you sure you are using the right group authentication with groupname SSS and password same as the pre-shared key?

 

Author Comment

by:Florescu
ID: 20006817
I figured out what was wrong.  I didn't realize the tunnel group was case sensitive.  I was using sss instead of SSS.  

My next problem, now that I got it to work, is that I can VPN in but I can access every resource.  I thought I had restricted it to only 1 host.  Where can I check that?
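The checks lrmoore walked through (each remote-access tunnel-group needs a pre-shared-key and an address-pool, and its default-group-policy must exist) and the case-sensitivity finding above can be scripted against a saved `show run`. The script below is an added example, not part of the thread; it parses the PIX 7.x tunnel-group and group-policy lines and compares the name the client sends with the configured names exactly, reporting a case-only mismatch separately. The embedded configuration is a constructed excerpt modelled on the one posted above (the missing `dcipavpn_1` policy is deliberate, to exercise the check).

```python
import re

# Constructed excerpt in PIX 7.x syntax, modelled on the posted configuration.
# group-policy dcipavpn_1 is intentionally absent so the audit has something to find.
SAMPLE_CONFIG = """\
group-policy testvpn_1 internal
group-policy SSS internal
tunnel-group testvpn type ipsec-ra
tunnel-group testvpn general-attributes
 address-pool VPN-pool-1
 authentication-server-group RADIUS LOCAL
 default-group-policy dcipavpn_1
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
tunnel-group EFM type ipsec-ra
tunnel-group EFM general-attributes
 address-pool VPN-pool-1
tunnel-group EFM ipsec-attributes
 pre-shared-key *
tunnel-group SSS type ipsec-ra
tunnel-group SSS general-attributes
 address-pool VPN-pool-1
 default-group-policy SSS
tunnel-group SSS ipsec-attributes
 pre-shared-key *
"""

TG_LINE = re.compile(r"^tunnel-group (\S+) (type (\S+)|general-attributes|ipsec-attributes)$")
GP_LINE = re.compile(r"^group-policy (\S+) internal$")


def parse_config(text):
    """Return ({tunnel-group name: {"type", "attrs"}}, {group-policy names})."""
    groups, policies, current = {}, set(), None
    for line in text.splitlines():
        m = GP_LINE.match(line)
        if m:
            policies.add(m.group(1))
            continue
        m = TG_LINE.match(line)
        if m:
            tg = groups.setdefault(m.group(1), {"type": None, "attrs": {}})
            if m.group(3):                # "type ipsec-ra" / "type ipsec-l2l"
                tg["type"] = m.group(3)
                current = None
            else:                         # general-attributes / ipsec-attributes block follows
                current = tg
            continue
        if current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current["attrs"][key] = val
    return groups, policies


def check_client_group(groups, client_group):
    """The group name the client sends must match a tunnel-group exactly (case sensitive)."""
    ra = [n for n, tg in groups.items() if tg["type"] == "ipsec-ra"]
    if client_group in ra:
        return "exact"
    if any(n.lower() == client_group.lower() for n in ra):
        return "case_mismatch"
    return "missing"


def audit_remote_access(text):
    """Report remote-access tunnel-groups missing the pieces lrmoore asked about."""
    groups, policies = parse_config(text)
    findings = []
    for name, tg in groups.items():
        if tg["type"] != "ipsec-ra":
            continue
        a = tg["attrs"]
        if "pre-shared-key" not in a:
            findings.append(f"{name}: no pre-shared-key under ipsec-attributes")
        if "address-pool" not in a:
            findings.append(f"{name}: no address-pool under general-attributes")
        gp = a.get("default-group-policy")
        if gp and gp not in policies:
            findings.append(f"{name}: default-group-policy {gp} is not defined")
    return findings
```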
 
LVL 79

Accepted Solution

by:lrmoore (earned 2000 total points)
ID: 20007064