
Remote Access VPN via Cisco PDM

Hi there.

I've been struggling with this for almost a day now and I've tried everything possible to get it to work.
Basically, my problem is as follows:

Using the VPN Wizard, I followed the following steps:

1. Selected "Remote Access VPN"
2. Selected "Outside" interface.
3. Selected "Cisco VPN Client, Release 3.x or higher .........."
4. Defined Group name "VPNTEST2"
5. Defined password for group.
6. Selected "LOCAL" AAA Server.
7. Defined user details for connectivity.
8. Created VPN Pool called "VPNPOOL2"
9. Selected Range Start Address of "10.1.12.1"
10. Selected Range Start Address of "10.1.12.254"
11. Defined no DNS Server, WINS Server or Default Domain.
12. Chose 3DES / MD5 / DH Group 2 for the IKE Policy.
13. Chose 3DES / MD5 for the Transform Set.
14. Left all fields as default for "Address Translation Exemption" which, according to my understanding means that the entire internal network will be displayed to the client without being NAT'd.
15. Clicked "Finish"

Now, here's where I stand:
Using the Cisco VPN Client (any version) I am able to connect and authenticate to the PIX.
The tunnel itself even appears to be active and I'm allocated an IP within the pool I specified.
However, I'm unable to access anything on the network itself.
Checking the statistics of the local client, I can see traffic being sent and encrypted but get nothing back from the PIX.

If I do a "debug crypto isakmp" from the CLI, everything appears to be perfectly fine.
However, if I do a "debug crypto ipsec" I don't get anything at all.

I've attached the output from the "debug crypto isakmp" below.
I've also separated each section and given a basic description of how I understand what is taking place.
The only thing I'm a little confused about is the line near the bottom where it mentions the assigned IP being proxied to 0.0.0.0.
I'm not sure if that's normal, to be honest so it may be a non issue.

Just to clarify, I've also enabled nat-traversal.

FS-CAPETOWN-FW(config)# debug crypto isakmp
FS-CAPETOWN-FW(config)#
 
 
===============CONNECTION INITIATED===================
ISADB: reaper checking SA 0xfdadec, conn_id = 0
ISADB: reaper checking SA 0xff37ec, conn_id = 0
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
 
 
 
==========CHECKING AGAINST THE VARIOUS ISAKMP POLICIES============
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
 
 
 
 
===============FINDS THE ISAKMP POLICY THAT APPLIES====================
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable.
 
 
 
===================DOES THE CRYPTO POLICY EXCHANGE======================
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
        spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISADB: reaper checking SA 0xffb9d4, conn_id = 0
ISADB: reaper checking SA 0xfdadec, conn_id = 0
ISADB: reaper checking SA 0xff37ec, conn_id = 0
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc my hash for NAT-D
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): recalc his hash for NAT-D
ISAKMP (0:0): NAT match HIS hash
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to another IOS box!
 
ISAKMP (0): processing vendor id payload
 
ISAKMP (0): speaking to a Unity client
 
 
 
==================AUTHENTICATES SA=========================
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for 41.2.X.X, peer port 62465
return status is IKMP_NO_ERROR
 
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
 
VPN Peer: ISAKMP: Added new peer: ip:41.2.X.X/500 Total VPN Peers:3
VPN Peer: ISAKMP: Peer ip:41.2.X.X/500 Ref cnt incremented to:1 Total VPN Peers:3
ISAKMP: peer is a remote access client
 
 
==================REQUESTS AUTHENTICATION=======================
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 41.2.X.X. ID = 3941991974 (0xeaf60626)
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP (0): retransmitting Config Mode Request...
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 41.2.X.X. message ID = 15806988
ISAKMP: Config payload CFG_REPLY
ISAKMP (0:0): initiating peer config to 41.2.X.X. ID = 1576577399 (0x5df8a977)
 
 
 
 
===================NOT SURE WHAT THIS NEXT LINE MEANS===================
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 41.2.X.X. message ID = 15806988
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
 
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 41.2.X.X. message ID = 15806988
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
 
 
 
 
====================CHECKS VARIOUS ATTRIBUTES===================
ISAKMP: attribute    IP4_ADDRESS (1)
ISAKMP: attribute    IP4_NETMASK (2)
ISAKMP: attribute    IP4_DNS (3)
ISAKMP: attribute    IP4_NBNS (4)
ISAKMP: attribute    ADDRESS_EXPIRY (5)
        Unsupported Attr: 5
ISAKMP: attribute    UNKNOWN (28672)
        Unsupported Attr: 28672
ISAKMP: attribute    UNKNOWN (28673)
        Unsupported Attr: 28673
ISAKMP: attribute    ALT_DEF_DOMAIN (28674)
ISAKMP: attribute    ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute    ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute    ALT_PFS (28679)
ISAKMP: attribute    UNKNOWN (28683)
        Unsupported Attr: 28683
ISAKMP: attribute    ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute    APPLICATION_VERSION (7)
ISAKMP: attribute    UNKNOWN (28680)
        Unsupported Attr: 28680
ISAKMP: attribute    UNKNOWN (28682)
        Unsupported Attr: 28682
ISAKMP: attribute    UNKNOWN (28677)
        Unsupported Attr: 28677
 
ISAKMP (0:0): responding to peer config from 41.2.X.X. ID = 2255564301
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2539463438
 
 
 
 
 
==================CHECKING TRANSFORM SETS======================
ISAKMP : Checking IPSec proposal 1
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)
ISAKMP : Checking IPSec proposal 2
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)
ISAKMP : Checking IPSec proposal 3
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)
ISAKMP : Checking IPSec proposal 4
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)
ISAKMP : Checking IPSec proposal 5
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 6
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 256
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 7
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 8
 
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP : Checking IPSec proposal 9
 
 
 
 
 
==============FINDS TRANSFORM SET THAT APPLIES===================
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable.
ISAKMP (0): bad SPI size of 2 octets!
ISAKMP : Checking IPSec proposal 10
 
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_AUTH_AWAIT
 
 
 
 
================THE PROXY BIT THAT I'M NOT SURE ABOUT==================
ISAKMP (0): Creating IPSec SAs
        inbound SA from    41.2.X.X to     66.8.X.X (proxy       10.1.12.1 to         0.0.0.0)
        has spi 18778767 and conn_id 7 and flags 4
        lifetime of 2147483 seconds
        outbound SA from     66.8.X.X to    41.2.X.X (proxy         0.0.0.0 to       10.1.12.1)
        has spi 1426856205 and conn_id 8 and flags 4
        lifetime of 2147483 seconds
 
 
 
 
============ACCEPTS CONNECTION AND INCREMENTS PEER COUNT=============
VPN Peer: IPSEC: Peer ip:41.2.157.249/500 Ref cnt incremented to:2 Total VPN Peers:3
VPN Peer: IPSEC: Peer ip:41.2.157.249/500 Ref cnt incremented to:3 Total VPN Peers:3
return status is IKMP_NO_ERROR
ISAKMP (0): sending NOTIFY message 11 protocol 3
 
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3282244753
 
 
 
 
 
===================KEEPALIVE STATEMENTS??????????=====================
ISAMKP (0): received DPD_R_U_THERE from peer 41.2.X.X
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1613321657
ISAMKP (0): received DPD_R_U_THERE from peer 41.2.X.X
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 1705281763
ISAMKP (0): received DPD_R_U_THERE from peer 41.2.X.X
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 3618262099
ISAMKP (0): received DPD_R_U_THERE from peer 41.2.X.X
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:41.2.X.X, dest:66.8.X.X spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 36136 protocol 1
        spi 0, message ID = 878043848
ISAMKP (0): received DPD_R_U_THERE from peer 41.2.X.X
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
etc.

 
wilsj Commented:
Have you tried adding an access-list to your no-nat ACL? Also if you want to be able to access the internet from the local PC then you need to create a split tunnel ACL. And also specify the split tunnel in the vpngroup. This should do it.

access-list no-nat permit ip 192.168.1.0 255.255.255.0 10.1.12.0 255.255.255.0
access-list  VPNTEST2_splitTunnelAcl permit ip 192.168.1.0 255.255.255.0 10.1.12.0 255.255.255.0

vpngroup VPNTEST2 split-tunnel VPNTEST2_splitTunnelAcl

 
wilsj Commented:
Of course, change your networks to fit your needs.
 
ddsteam (Author) Commented:
The nonat access-list is automatically created.
Ordinarily, I would just create everything using the CLI and I never have any problems.
This particular client's policy is that we do not make changes via the CLI but use the PDM instead. I know that there have been instances when using the CLI in conjunction with the PDM has caused problems in the past.

However, I'm at a bit of a loss so I'm going to paste the running config as it currently stands.
For the sake of simplicity, I'm going to leave out all the unnecessary stuff.

OH FOR CRYING OUT LOUD:

While pasting the running config here, I spotted the problem myself.
Can anybody else see it? :P
==================NONAT ACCESS LIST==========================
access-list acl_nonat permit ip object-group FS-CAPETOWN object-group FSGLOBAL
access-list acl_nonat permit ip any 10.1.6.192 255.255.255.192
access-list acl_nonat permit ip any 10.1.6.64 255.255.255.240
access-list acl_nonat deny ip any any
access-list acl_nonat permit ip any host 10.1.6.71
access-list acl_nonat permit ip any host 10.1.6.72
access-list acl_nonat permit ip any host 10.1.6.73
access-list acl_nonat permit ip any host 10.1.6.74
access-list acl_nonat permit ip any host 10.1.6.75
access-list acl_nonat permit ip any 10.1.11.0 255.255.255.0
access-list acl_nonat permit ip any 10.1.12.0 255.255.255.0

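The ordering problem ddsteam spotted, walked through as an added example (this is not the thread's own code or Cisco's): a small Python evaluator that applies the PIX first-match rule to the pasted acl_nonat list, then to the same list with the catch-all deny moved last. It assumes the object-group line can be dropped (its members are not shown and it sits above the deny anyway) and uses a constructed inside host, 10.1.6.20, against the pool address 10.1.12.1 from the debug.

```python
import ipaddress

# acl_nonat as pasted in the thread. The leading object-group line is omitted
# (assumption: the groups' members are not on the page, and it sits above the
# deny anyway, so it cannot rescue traffic to the VPN pool). Flows to check:
# a constructed inside host such as 10.1.6.20 to pool address 10.1.12.1.
ACL_AS_POSTED = """\
access-list acl_nonat permit ip any 10.1.6.192 255.255.255.192
access-list acl_nonat permit ip any 10.1.6.64 255.255.255.240
access-list acl_nonat deny ip any any
access-list acl_nonat permit ip any host 10.1.6.71
access-list acl_nonat permit ip any host 10.1.6.72
access-list acl_nonat permit ip any host 10.1.6.73
access-list acl_nonat permit ip any host 10.1.6.74
access-list acl_nonat permit ip any host 10.1.6.75
access-list acl_nonat permit ip any 10.1.11.0 255.255.255.0
access-list acl_nonat permit ip any 10.1.12.0 255.255.255.0
"""

def _parse_addr(tok):
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # PIX ACLs take real subnet masks, not IOS-style wildcard masks.
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text, name):
    """Return (action, src_net, dst_net) for every 'access-list <name> ... ip' ACE."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[3] != "ip":
            continue
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        rules.append((t[2], src, dst))
    return rules

def first_match(rules, src, dst):
    """PIX evaluates ACEs top-down and the first match wins. Returns (action,
    1-based ACE number), or ('deny', None) for the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, sn, dn) in enumerate(rules, 1):
        if s in sn and d in dn:
            return action, n
    return "deny", None

def nat_exempt(acl_text, inside_host, remote_host):
    """'nat 0 access-list' semantics: only a permit match exempts the flow from NAT."""
    action, _ = first_match(parse_acl(acl_text, "acl_nonat"), inside_host, remote_host)
    return action == "permit"

def move_deny_to_end(acl_text):
    """The fix the thread converges on: the catch-all deny goes after every permit."""
    lines = [l for l in acl_text.splitlines() if l.strip()]
    denies = [l for l in lines if l.split()[2] == "deny"]
    return "\n".join([l for l in lines if l not in denies] + denies) + "\n"
```

With the list as posted, inside-to-pool traffic hits ACE 3 (the deny), so it is NAT'd and the reply never matches the IPsec proxy; with the deny moved last the same flow is exempted by the 10.1.12.0/24 permit.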
 
ddsteam (Author) Commented:
As a matter of interest, the reason I didn't spot this before is because of the client's irrational policy of not connecting via the CLI.

The problem with that is that the PDM does not show the actual layout and content of the acl_nonat access-list, which, in my opinion, is a little retarded.
 
ddsteam (Author) Commented:
I'm going to close this as the problem was found.
 
ddsteam (Author) Commented:
Your information was really helpful but the problem existed as a result of a deny statement higher up in the no-nat acl. However I would not have found the problem had you not pointed me in the right direction.
Thanks
 
wilsj Commented:
The deny statement is in the wrong place. lol