asked on
PIX VPN Problem
I am trying to setup remote access VPN to our corporate PIX, which has 3 existing IPSEC tunnel to 3 branch locations. All the 3 tunnels are working perfectly fine, however I cant seem to get the remote access working. Attached is the sanitized PIX configuration:
--------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname CORPHQ
domain-name corporate.local
clock timezone CTS -6
clock summer-time CTS recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.67.68.40 Branch1
name 66.67.68.61 Branch2
name 66.67.68.80 Branch3
name 66.67.68.254 CORPHQ
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list out permit icmp any any
access-list crypto2 permit ip 192.168.254.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list crypto3 permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list crypto4 permit ip 192.168.254.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SplitVPN permit ip 192.168.254.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging trap informational
logging device-id ipaddress inside
logging host inside 192.168.254.100
mtu outside 1500
mtu inside 1500
ip address outside CORPHQ 255.255.255.240
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.99.1-192.168.99.25
arp timeout 14400
global (outside) 1 66.67.68.5
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.254.100 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.254.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set corpset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 65535 set transform-set myset
crypto map uni 11 ipsec-isakmp
crypto map uni 11 match address crypto2
crypto map uni 11 set peer Branch2
crypto map uni 11 set transform-set corpset
crypto map uni 13 ipsec-isakmp
crypto map uni 13 match address crypto3
crypto map uni 13 set peer Branch3
crypto map uni 13 set transform-set corpset
crypto map uni 14 ipsec-isakmp
crypto map uni 14 match address crypto4
crypto map uni 14 set peer Branch1
crypto map uni 14 set transform-set corpset
crypto map uni 65535 ipsec-isakmp dynamic dynmap
crypto map uni client authentication LOCAL
crypto map uni interface outside
isakmp enable outside
isakmp key ******** address Branch1 netmask 255.255.255.255
isakmp key ******** address Branch3 netmask 255.255.255.255
isakmp key ******** address Branch2 netmask 255.255.255.255
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 86400
vpngroup CorporateVPN address-pool VPNPOOL
vpngroup CorporateVPN dns-server 192.168.254.2 4.2.2.2
vpngroup CorporateVPN default-domain corporate.local
vpngroup CorporateVPN split-tunnel SplitVPN
vpngroup CorporateVPN idle-time 1800
vpngroup CorporateVPN password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username tech1 password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:8fbbb91ae91
: end
--------------------------
When I am trying to connect using Cisco VPN Client 4.8x, the logging says Inbound connections are not allowed. The error messages from the VPN Client are as follow:
28 19:47:57.433 04/10/08 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
29 19:47:57.433 04/10/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
30 19:48:02.527 04/10/08 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 75.145.108.225. Inbound connections are not allowed.
On the PIX itself, the IPSec debugging says that its trying to use IKE Policy Priority 11 to establish the SAs? Any ideas on where I might have gone wrong? I have similar configuration for the remote branches and they all seem to be working fine. Each branch only has 1 active VPN tunnel to the corporate office. Any help is greatly appreciated. Thanks.
--------------------------
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname CORPHQ
domain-name corporate.local
clock timezone CTS -6
clock summer-time CTS recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 66.67.68.40 Branch1
name 66.67.68.61 Branch2
name 66.67.68.80 Branch3
name 66.67.68.254 CORPHQ
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list nonat permit ip 192.168.254.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list out permit icmp any any
access-list crypto2 permit ip 192.168.254.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list crypto3 permit ip 192.168.254.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list crypto4 permit ip 192.168.254.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list SplitVPN permit ip 192.168.254.0 255.255.255.0 192.168.99.0 255.255.255.0
pager lines 24
logging timestamp
logging console debugging
logging buffered debugging
logging trap informational
logging device-id ipaddress inside
logging host inside 192.168.254.100
mtu outside 1500
mtu inside 1500
ip address outside CORPHQ 255.255.255.240
ip address inside 192.168.254.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNPOOL 192.168.99.1-192.168.99.25
arp timeout 14400
global (outside) 1 66.67.68.5
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group out in interface outside
route outside 0.0.0.0 0.0.0.0 66.67.68.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.168.254.100 source inside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.254.100 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set corpset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 65535 set transform-set myset
crypto map uni 11 ipsec-isakmp
crypto map uni 11 match address crypto2
crypto map uni 11 set peer Branch2
crypto map uni 11 set transform-set corpset
crypto map uni 13 ipsec-isakmp
crypto map uni 13 match address crypto3
crypto map uni 13 set peer Branch3
crypto map uni 13 set transform-set corpset
crypto map uni 14 ipsec-isakmp
crypto map uni 14 match address crypto4
crypto map uni 14 set peer Branch1
crypto map uni 14 set transform-set corpset
crypto map uni 65535 ipsec-isakmp dynamic dynmap
crypto map uni client authentication LOCAL
crypto map uni interface outside
isakmp enable outside
isakmp key ******** address Branch1 netmask 255.255.255.255
isakmp key ******** address Branch3 netmask 255.255.255.255
isakmp key ******** address Branch2 netmask 255.255.255.255
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 86400
isakmp policy 99 authentication pre-share
isakmp policy 99 encryption des
isakmp policy 99 hash md5
isakmp policy 99 group 1
isakmp policy 99 lifetime 86400
vpngroup CorporateVPN address-pool VPNPOOL
vpngroup CorporateVPN dns-server 192.168.254.2 4.2.2.2
vpngroup CorporateVPN default-domain corporate.local
vpngroup CorporateVPN split-tunnel SplitVPN
vpngroup CorporateVPN idle-time 1800
vpngroup CorporateVPN password ********
telnet 192.168.254.0 255.255.255.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
management-access inside
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username tech1 password ***** encrypted privilege 15
terminal width 80
Cryptochecksum:8fbbb91ae91
: end
--------------------------
When I am trying to connect using Cisco VPN Client 4.8x, the logging says Inbound connections are not allowed. The error messages from the VPN Client are as follow:
28 19:47:57.433 04/10/08 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
29 19:47:57.433 04/10/08 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
30 19:48:02.527 04/10/08 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 75.145.108.225. Inbound connections are not allowed.
On the PIX itself, the IPSec debugging says that its trying to use IKE Policy Priority 11 to establish the SAs? Any ideas on where I might have gone wrong? I have similar configuration for the remote branches and they all seem to be working fine. Each branch only has 1 active VPN tunnel to the corporate office. Any help is greatly appreciated. Thanks.
NetworkingVPNCisco
Last Comment
skyefusion
ASKER
debuggerau, thanx for the link. However, if I change the ISAKMP policy 11 hash, wouldnt that disconnect all my existing VPN tunnels? Policy 11 is used for the VPN tunnels to the 3 sites. Is there a way around it?
Try adding the following statements:
access-list outside_cryptomap_dynamic permit ip any 192.168.99.0 255.255.255.0
crypto dynamic-map dynmap 65535 match address outside_cryptomap_dynamic
See if that helps...
access-list outside_cryptomap_dynamic permit ip any 192.168.99.0 255.255.255.0
crypto dynamic-map dynmap 65535 match address outside_cryptomap_dynamic
See if that helps...
ASKER
batry_boy,
I added the exact 2 lines in the PIX config. I am still getting the same error messages from the client side.
The PIX debug log are as follow:
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 11 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
ISAKMP (0): deleting SA: src x.x.x.x, dst CorpHQ
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb806c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/2511 not found - peers:3
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb87f4, conn_id = 0
ISADB: reaper checking SA 0xfb8f7c, conn_id = 0
ISAKMP (0): deleting SA: src x.x.x.x, dst CorpHQ
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb87f4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/2511 not found - peers:3
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb8f7c, conn_id = 0
crypto_isakmp_process_bloc
:500
I added the exact 2 lines in the PIX config. I am still getting the same error messages from the client side.
The PIX debug log are as follow:
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 11 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 11 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
ISAKMP (0): deleting SA: src x.x.x.x, dst CorpHQ
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb806c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/2511 not found - peers:3
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb87f4, conn_id = 0
ISADB: reaper checking SA 0xfb8f7c, conn_id = 0
ISAKMP (0): deleting SA: src x.x.x.x, dst CorpHQ
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb87f4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/2511 not found - peers:3
ISADB: reaper checking SA 0xdfb694, conn_id = 0
ISADB: reaper checking SA 0xf25eb4, conn_id = 0
ISADB: reaper checking SA 0xfc43f4, conn_id = 0
ISADB: reaper checking SA 0xfb9704, conn_id = 0
ISADB: reaper checking SA 0xfb9e8c, conn_id = 0
ISADB: reaper checking SA 0xfb8f7c, conn_id = 0
crypto_isakmp_process_bloc
:500
Post the output of the "sh ver" command, please.
ASKER
Here it is:
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Thu 04-Aug-05 21:40 by morlee
CorpHQ up 3 hours 53 mins
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0013.60e2.bb98, irq 10
1: ethernet1: address is 0013.60e2.bb99, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 809072808 (0x303978a8)
Running Activation Key: 0xfd1fd941 0x70fee065 0xc7be47d4 0x8a7524fb
Configuration last modified by enable_15 at 21:08:04.175 CTS Thu Apr 10 2008
Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(2)
Compiled on Thu 04-Aug-05 21:40 by morlee
CorpHQ up 3 hours 53 mins
Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 0013.60e2.bb98, irq 10
1: ethernet1: address is 0013.60e2.bb99, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 4
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited
This PIX has a Restricted (R) license.
Serial Number: 809072808 (0x303978a8)
Running Activation Key: 0xfd1fd941 0x70fee065 0xc7be47d4 0x8a7524fb
Configuration last modified by enable_15 at 21:08:04.175 CTS Thu Apr 10 2008
Add this line:
isakmp nat-traversal
Also, in your VPN client settings, make sure you are using UDP instead of TCP for the connection protocol.
isakmp nat-traversal
Also, in your VPN client settings, make sure you are using UDP instead of TCP for the connection protocol.
ASKER
I added that line and tried that (made sure its UDP). It is still acting the same way.
ASKER
Is it possible to use the ISAKMP policy 11 for both the IPSEC tunnels and remote access?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I removed ISAKMP policy 99 and changed the dynmap transform-set to use the same ones used for the L2L tunnels. Still same error. Tested it from 2 different locations and workstations. The VPN works for the branch offices though, just not the main HQ.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
debuggerau,
Funny thing when I tried to create another policy for vpn remotes, it is still not working. When I changed the hash of isakmp policy 11 to md5, BOOM! it started working. I've decided to keep it at md5 and made some changes to remote PIXes to ensure that tunnel is working fine, as well as remote access clients.
Funny thing when I tried to create another policy for vpn remotes, it is still not working. When I changed the hash of isakmp policy 11 to md5, BOOM! it started working. I've decided to keep it at md5 and made some changes to remote PIXes to ensure that tunnel is working fine, as well as remote access clients.
https://www.experts-exchange.com/questions/20988665/Getting-Client-VPN-working-on-PIX-515.html
my suspicion is:
no isakmp policy 11 hash sha
isakmp policy 11 hash md5