Having difficulty configuring PIX 501 with VPN

I picked up a PIX 501 at a yard sale, and I've got the thing configured - with one exception.  I can't get a VPN client to authenticate correctly.  I've searched via google, but haven't found the solution.  Anybody out there remember?  I've attached both the configuration and the log file from the VPN client.  (Note...I got this "working" once - it connected - but I couldn't ping anything inside my network.  I saw an article that said the VPN network had to be different from the 'inside' network, so I changed it to 192.168.2.X/24 - and it hasn't connected since then.)


: Saved
: Written by enable_15 at 20:43:02.614 EDT Thu Sep 16 2010
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DELETED encrypted
passwd DELETED encrypted
hostname pix
domain-name local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
name tick.usno.navy.mil
name DNS_2
name DNS_1
name no-ip.org_host_server
access-list inside_in permit ip any
access-list inside_in permit icmp any
access-list inside_donat permit ip any
access-list denyall deny ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip any
access-list outside_cryptomap_dyn_20 permit ip any
pager lines 24
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool VPN-Pool mask
pdm location DNS_1 outside
pdm location DNS_2 outside
pdm location tick.usno.navy.mil outside
pdm location no-ip.org_host_server outside
pdm location outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 dns 0 0
access-group outside_access_in in interface outside
access-group inside_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server tick.usno.navy.mil source outside prefer
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup diamond address-pool VPN-Pool
vpngroup diamond dns-server DNS_2
vpngroup diamond default-domain local
vpngroup diamond idle-time 1800
vpngroup diamond password DELETED
telnet inside
telnet timeout 5
ssh inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address inside
dhcpd dns DNS_2
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd auto_config outside
dhcpd enable inside


Cisco Systems VPN Client Version
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

53     20:59:00.234  09/16/10  Sev=Info/4      CM/0x63100002
Begin connection process

54     20:59:00.265  09/16/10  Sev=Info/4      CM/0x63100004
Establish secure connection

55     20:59:00.265  09/16/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "gnurph.no-ip.org"

56     20:59:17.140  09/16/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with

57     20:59:17.140  09/16/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

58     20:59:17.156  09/16/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

59     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

60     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     20:59:17.187  09/16/10  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (

62     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

63     20:59:18.515  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from

64     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

65     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer supports DPD

66     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

67     20:59:18.515  09/16/10  Sev=Info/5      IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025

68     20:59:18.531  09/16/10  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

69     20:59:18.531  09/16/10  Sev=Info/4      IKE/0x63000013

70     20:59:18.531  09/16/10  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x050F, Remote Port = 0x01F4

71     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

72     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

73     20:59:18.578  09/16/10  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

74     20:59:18.578  09/16/10  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

75     20:59:18.578  09/16/10  Sev=Info/4      IKE/0x63000013

76     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

77     20:59:18.687  09/16/10  Sev=Info/4      IKE/0x63000014

78     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

79     20:59:18.687  09/16/10  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

80     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

81     20:59:18.734  09/16/10  Sev=Info/4      IKE/0x63000014

82     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010

83     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010

84     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value =

85     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value =

86     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = local

87     20:59:18.734  09/16/10  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

88     20:59:18.734  09/16/10  Sev=Info/4      CM/0x63100019
Mode Config data received

89     20:59:18.750  09/16/10  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP =, GW IP =, Remote IP =

90     20:59:18.750  09/16/10  Sev=Info/4      IKE/0x63000013

91     20:59:19.062  09/16/10  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer =

92     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000014

93     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000013

94     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=756AE1DA

95     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED

96     20:59:19.203  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

97     20:59:22.203  09/16/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED

98     20:59:22.203  09/16/10  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

99     20:59:22.203  09/16/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

100    20:59:22.218  09/16/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

101    20:59:22.218  09/16/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

102    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

103    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

104    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

105    20:59:22.218  09/16/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
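The client log above shows Phase 1 completing (two "Established Phase 1 SA" lines, the second with the user authenticated) and mode-config data arriving before the IPsec SA negotiation is discarded with DEL_REASON_IKE_NEG_FAILED. Reading that sequence off a dump by hand is error-prone, so here is an added Python example (not part of the original post and not a Cisco tool) that parses the header-line / message-line format the client writes and reports the stage at which the negotiation stopped. The two sample logs embedded in it are constructed to mirror the post's format; the peer address 203.0.113.10, the MsgID and the cookies are placeholders, not values from the post.

```python
import re
from dataclasses import dataclass

# Event header: "<seq>  <hh:mm:ss.mmm>  <mm/dd/yy>  Sev=<name>/<n>  <subsystem>/<hex code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<subsys>[A-Z]+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Event:
    seq: int
    time: str
    subsys: str   # CM, IKE, IPSEC, ...
    code: str     # message code such as 0x63000014
    message: str  # text on the line(s) after the header, "" when none


def parse_client_log(text):
    """Turn the header-line / message-line dump into Event objects."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            events.append(Event(int(m["seq"]), m["time"], m["subsys"], m["code"], ""))
        elif events:  # message text belongs to the most recent header
            e = events[-1]
            e.message = line if not e.message else e.message + " " + line
    return events


def diagnose(events):
    """Return (stage, explanation): how far the IKE negotiation got."""
    msgs = [e.message for e in events]

    def seen(fragment):
        return any(fragment in m for m in msgs)

    if not seen("Established Phase 1 SA"):
        return ("phase1_failed", "No ISAKMP SA: compare the isakmp policy (encryption, "
                "hash, DH group) and the group pre-shared key on both ends.")
    if not seen("1 User Authenticated IKE SA"):
        return ("xauth_failed", "ISAKMP SA is up but the user never authenticated: "
                "check the XAUTH credentials / AAA configuration.")
    if seen("NO_PROPOSAL_CHOSEN") or seen("Discarding IPsec SA negotiation"):
        note = "" if seen("Mode Config data received") else " (no mode-config data was seen)"
        return ("phase2_proposal_mismatch", "Phase 1 and XAUTH succeeded, so the IPsec SA "
                "is what the peer rejects: check the transform-set and the crypto-map "
                "match ACL against what the client proposes" + note + ".")
    if seen("DEL_REASON_IKE_NEG_FAILED"):
        return ("ike_neg_failed", "Negotiation aborted; inspect the IKE lines.")
    return ("connected", "No failure indicators found.")


# Constructed sample in the client's format; the peer 203.0.113.10, the MsgID
# and the cookies are placeholders, not values from the post.
SAMPLE_PHASE2_FAIL = """\
71     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

72     20:59:18.531  09/16/10  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

88     20:59:18.734  09/16/10  Sev=Info/4      CM/0x63100019
Mode Config data received

92     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.10

94     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=0000ABCD

95     20:59:19.062  09/16/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0011223344556677 R_Cookie=8899AABBCCDDEEFF) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Second constructed sample: Phase 1 never completes at all.
SAMPLE_PHASE1_FAIL = """\
57     20:59:17.140  09/16/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

97     20:59:22.203  09/16/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0011223344556677 R_Cookie=8899AABBCCDDEEFF) reason = DEL_REASON_IKE_NEG_FAILED
"""

if __name__ == "__main__":
    for name, text in (("phase2 sample", SAMPLE_PHASE2_FAIL), ("phase1 sample", SAMPLE_PHASE1_FAIL)):
        stage, why = diagnose(parse_client_log(text))
        print(f"{name}: {stage}: {why}")
```

Run on the posted log, the classifier lands on phase2_proposal_mismatch, which is the same conclusion the replies below reach from the NO_PROPOSAL_CHOSEN notify: the pre-shared group password and the ISAKMP policy are not the problem, the IPsec proposal (transform-set and crypto-map match ACL) is.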
kuoh Commented:
Cisco VPN troubleshooting docs recommend against using crypto ACLs with remote access clients.  Try making the following changes.

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

access-list inside_outbound_nat0_acl permit ip any

access-list inside_outbound_nat0_acl permit ip any
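The question mentions that the client pool had to be moved off the inside subnet, and the answer above points at the nat 0 ACL that exempts inside-to-pool traffic from PAT. As an added example (not kuoh's or the original poster's configuration), the following Python function checks the two ranges for overlap with the standard library and emits the PIX 6.3 lines for the pool and the NAT exemption. The 192.168.1.0/24 inside network is an assumption, the 192.168.2.0/24 pool is the one the question names, and the pool and ACL names are taken from the posted config.

```python
import ipaddress


def pool_overlaps_inside(inside_cidr, pool_cidr):
    """True when any client address would also be an inside LAN address."""
    return ipaddress.ip_network(inside_cidr).overlaps(ipaddress.ip_network(pool_cidr))


def plan_remote_access_addressing(inside_cidr, pool_cidr,
                                  pool_name="VPN-Pool",
                                  acl_name="inside_outbound_nat0_acl"):
    """Return the PIX 6.3 lines for the client pool and the NAT exemption,
    or raise ValueError when the pool overlaps the inside network."""
    inside = ipaddress.ip_network(inside_cidr, strict=True)
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    if pool_overlaps_inside(inside_cidr, pool_cidr):
        raise ValueError(f"VPN pool {pool} overlaps inside network {inside}: "
                         "clients would be handed addresses the PIX already routes to inside")
    hosts = list(pool.hosts())
    return [
        # addresses handed to clients by mode-config
        f"ip local pool {pool_name} {hosts[0]}-{hosts[-1]} mask {pool.netmask}",
        # inside -> pool traffic must bypass PAT so replies go back down the tunnel
        # (PIX ACLs take subnet masks, not IOS-style wildcard masks)
        f"access-list {acl_name} permit ip {inside.network_address} {inside.netmask} "
        f"{pool.network_address} {pool.netmask}",
        f"nat (inside) 0 access-list {acl_name}",
    ]


if __name__ == "__main__":
    # assumed inside LAN; the pool is the one named in the question
    for line in plan_remote_access_addressing("192.168.1.0/24", "192.168.2.0/24"):
        print(line)
```

The overlap check is the part worth keeping: a pool that overlaps the inside LAN is exactly the "connected but cannot ping anything inside" symptom from the question, because the PIX has an inside route for the same addresses it just handed to the client.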
gnurph Author Commented:
I think the solution lies in the "crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20" and the address outside_cryptomap_dyn_20 appears to (I have no idea why...PDM put it there.)  I'm not sure what that actually means, which might be my problem.
From the client side, the "RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from" tells me your client and PIX don't get along;
double-check your client/box security parameters, both the encryption and authentication settings.
gnurph Author Commented:
I'm using Cisco VPN Client version, which seems to provide exactly ZERO options for encryption / authentication - I had to guess at the 3DES / MD5 parameters, which seem to be the standard.  I'm not even sure how to check, though.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800bd991.html seems to indicate that

CiscoVPNClient-3DES-MD5 (Preshared Keys (XAUTH), MD5/HMAC-128, 3DES-168, Group 2 (1024 bits)) is valid, as is
IKE-3DES-MD5 with the same parameters.
