gnurph
asked on
Having difficulty configuring PIX 501 with VPN
I picked up a PIX 501 at a yard sale, and I've got the thing configured - with one exception. I can't get a VPN client to authenticate correctly. I've searched via google, but haven't found the solution. Anybody out there remember? I've attached both the configuration and the log file from the VPN client. (Note...I got this "working" once - it connected - but I couldn't ping anything inside my network. I saw an article that said the VPN network had to be different from the 'inside' network, so I changed it to 192.168.2.X/24 - and it hasn't connected since then.)
***
: Saved
: Written by enable_15 at 20:43:02.614 EDT Thu Sep 16 2010
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password DELETED encrypted
passwd DELETED encrypted
hostname pix
domain-name local
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ctiqbe 2748
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
no fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
no fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.5.41.40 tick.usno.navy.mil
name 4.2.2.2 DNS_2
name 4.2.2.1 DNS_1
name 69.72.255.20 no-ip.org_host_server
access-list inside_in permit ip 192.168.1.0 255.255.255.0 any
access-list inside_in permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_donat permit ip 192.168.1.0 255.255.255.0 any
access-list denyall deny ip any any
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit icmp any any time-exceeded
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
pager lines 24
logging buffered notifications
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 192.168.1.99 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm drop
ip audit attack action alarm drop
ip local pool VPN-Pool 192.168.2.100-192.168.2.105 mask 255.255.255.0
pdm location DNS_1 255.255.255.255 outside
pdm location DNS_2 255.255.255.255 outside
pdm location tick.usno.navy.mil 255.255.255.255 outside
pdm location no-ip.org_host_server 255.255.255.255 outside
pdm location 192.168.1.48 255.255.255.248 outside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
access-group outside_access_in in interface outside
access-group inside_in in interface inside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server tick.usno.navy.mil source outside prefer
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup diamond address-pool VPN-Pool
vpngroup diamond dns-server DNS_2 4.2.2.3
vpngroup diamond default-domain local
vpngroup diamond idle-time 1800
vpngroup diamond password DELETED
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd address 192.168.1.100-192.168.1.120 inside
dhcpd dns DNS_2 4.2.2.3
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain local
dhcpd auto_config outside
dhcpd enable inside
***
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
53 20:59:00.234 09/16/10 Sev=Info/4 CM/0x63100002
Begin connection process
54 20:59:00.265 09/16/10 Sev=Info/4 CM/0x63100004
Establish secure connection
55 20:59:00.265 09/16/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "gnurph.no-ip.org"
56 20:59:17.140 09/16/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 68.54.168.63.
57 20:59:17.140 09/16/10 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
58 20:59:17.156 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 68.54.168.63
59 20:59:17.187 09/16/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
60 20:59:17.187 09/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
61 20:59:17.187 09/16/10 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (25.209.7.41)
62 20:59:18.515 09/16/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63
63 20:59:18.515 09/16/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, HASH) from 68.54.168.63
64 20:59:18.515 09/16/10 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
65 20:59:18.515 09/16/10 Sev=Info/5 IKE/0x63000001
Peer supports DPD
66 20:59:18.515 09/16/10 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
67 20:59:18.515 09/16/10 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
68 20:59:18.531 09/16/10 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
69 20:59:18.531 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 68.54.168.63
70 20:59:18.531 09/16/10 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x050F, Remote Port = 0x01F4
71 20:59:18.531 09/16/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
72 20:59:18.531 09/16/10 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
73 20:59:18.578 09/16/10 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
74 20:59:18.578 09/16/10 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
75 20:59:18.578 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.54.168.63
76 20:59:18.687 09/16/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63
77 20:59:18.687 09/16/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 68.54.168.63
78 20:59:18.687 09/16/10 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
79 20:59:18.687 09/16/10 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
80 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63
81 20:59:18.734 09/16/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.54.168.63
82 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.100
83 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
84 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 4.2.2.2
85 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 4.2.2.3
86 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = local
87 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
88 20:59:18.734 09/16/10 Sev=Info/4 CM/0x63100019
Mode Config data received
89 20:59:18.750 09/16/10 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.100, GW IP = 68.54.168.63, Remote IP = 0.0.0.0
90 20:59:18.750 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 68.54.168.63
91 20:59:19.062 09/16/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 68.54.168.63
92 20:59:19.062 09/16/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.54.168.63
93 20:59:19.062 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 68.54.168.63
94 20:59:19.062 09/16/10 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=756AE1DA
95 20:59:19.062 09/16/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED
96 20:59:19.203 09/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
97 20:59:22.203 09/16/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F93198044BF6973A R_Cookie=7AC37329E9EEBDDF) reason = DEL_REASON_IKE_NEG_FAILED
98 20:59:22.203 09/16/10 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED ". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
99 20:59:22.203 09/16/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
100 20:59:22.218 09/16/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
101 20:59:22.218 09/16/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
102 20:59:22.218 09/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
103 20:59:22.218 09/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
104 20:59:22.218 09/16/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
105 20:59:22.218 09/16/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
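As an added example, not part of the original question or any answer: a Python consistency check over the attached PIX config and VPN Client log. It assumes the pool line reads 192.168.2.100-192.168.2.105 (the posted line is split by extraction) and tests whether the pool the vpngroup hands out falls inside the ACLs that the dynamic crypto map and nat 0 reference, alongside which IKE notify the client received once Quick Mode began.

```python
import ipaddress
import re
# Constructed excerpts of the attached PIX 6.3 config and VPN Client log (the Phase 2 lines only).
PIX_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.1.48 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.48 255.255.255.248
ip local pool VPN-Pool 192.168.2.100-192.168.2.105 mask 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
vpngroup diamond address-pool VPN-Pool
"""
CLIENT_LOG = """\
82 20:59:18.734 09/16/10 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.100
90 20:59:18.750 09/16/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 68.54.168.63
92 20:59:19.062 09/16/10 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 68.54.168.63
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (?:any|\S+ \S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
REFS = {"dyn_map_acl": re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)$"),
        "nat0_acl": re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"),
        "group_pool": re.compile(r"^vpngroup \S+ address-pool (\S+)$")}

def parse_config(text):
    """Collect ACL destination networks, address pools, and the names the VPN uses."""
    cfg = {"acls": {}, "pools": {}}
    for line in text.splitlines():
        if m := ACL_RE.match(line):   # destination of each permit line, as a network
            cfg["acls"].setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := POOL_RE.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        else:
            cfg.update({k: rx.match(line)[1] for k, rx in REFS.items() if rx.match(line)})
    return cfg

def uncovered_pool_addresses(cfg, acl_key):
    """Pool addresses that no destination network of the referenced ACL contains."""
    first, last = cfg["pools"][cfg["group_pool"]]
    nets = cfg["acls"].get(cfg.get(acl_key), [])
    addrs = (ipaddress.ip_address(i) for i in range(int(first), int(last) + 1))
    return [str(a) for a in addrs if not any(a in n for n in nets)]

def parse_client_log(text):
    """Mode-config address the client got, and the first notify after Quick Mode began."""
    out, qm_sent = {"assigned_ip": None, "qm_notify": None}, False
    for msg in (l for l in text.splitlines() if l and not re.match(r"\d+ \d\d:", l)):
        if m := re.search(r"INTERNAL_IPV4_ADDRESS: , value = (\S+)", msg):
            out["assigned_ip"] = m[1]
        elif msg.startswith("SENDING") and "ISAKMP OAK QM" in msg:
            qm_sent = True
        elif qm_sent and out["qm_notify"] is None and (m := re.search(r"NOTIFY:(\w+)", msg)):
            out["qm_notify"] = m[1]
    return out

def diagnose(config_text, log_text):
    """Cross-check the client's failure against the ACLs the pool has to fall inside."""
    cfg, log = parse_config(config_text), parse_client_log(log_text)
    findings = [f"peer answered Quick Mode with {log['qm_notify']}"] if log["qm_notify"] else []
    for key in ("dyn_map_acl", "nat0_acl"):   # both must cover every pool address
        if missing := uncovered_pool_addresses(cfg, key):
            tag = ", including the client's" if log["assigned_ip"] in missing else ""
            findings.append(f"{cfg[key]} does not cover {len(missing)} pool address(es){tag}")
    return findings
```

Re-pointing both ACLs at the pool's subnet (192.168.2.0 255.255.255.0) makes the coverage findings disappear, which is the state to verify before re-testing the client.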
SOLUTION
ASKER
I'm using Cisco VPN Client version 5.0.04.0300, which seems to provide exactly ZERO options for encryption / authentication - I had to guess at the 3DES / MD5 parameters, which seem to be the standard. I'm not even sure how to check, though.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800bd991.html seems to indicate that
CiscoVPNClient-3DES-MD5 Preshared Keys (XAUTH) MD5/HMAC-128 3DES-168 Group 2 (1024 bits) is valid, as is
IKE-3DES-MD5 with the same parameters.
ASKER CERTIFIED SOLUTION
Double-check your client/box security parameters; both the encryption and authentication settings.