Cisco Pix 515 5.0(2) IOS DES encryption -> Cisco Secure Client.... HELP!

Nick Bryant nick.bryant at IPCENTA.COM
Thu Feb 3 09:44:08 EST 2000


Duh!

Just figured it!

crypto map **nemap** 10 ipsec-isakmp dynamic mydynmap
crypto map newmap interface outside

Sorry!

Nick

> -----Original Message-----
> From: Nick Bryant
> Sent: 03 February 2000 14:25
> To: VPN at SECURITYFOCUS.COM
> Subject: Cisco Pix 515 5.0(2) IOS DES encryption -> Cisco Secure
> Client.... HELP!
>
>
>
> Help!!!
>
> OK, I have a PIX 515 that I'm trying to get talking to some
> remote machines I have running the Cisco Secure Client - to no avail!
>
> My problem:
>
> I can get past phase 1 negotiation no problem, so the
> pre-shared keys are working OK. But phase 2 is failing. Here
> is my debug from the PIX:
>
> <<<<<<<<<<<<<<<<START>>>>>>>>>>>>>>>>>>>
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
> ISAKMP:      encryption DES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 1
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (basic) of 1000
> ISAKMP (0): atts are acceptable. Next payload is 0
> ISAKMP (0): SA is doing pre-shared key authentication using
> id type ID_IPV4_ADDR
>
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): processing ID payload. message ID = 0
> ISAKMP (0): processing HASH payload. message ID = 0
> ISAKMP (0): SA has been authenticated
>
> ISAKMP (0): ID payload
>         next-payload : 8
>         type         : 1
>         protocol     : 17
>         port         : 500
>         length       : 8
> ISAKMP (0): Total payload length: 12
> ISAKMP (0): processing SA payload. message ID = -1262545779
>
> ISAKMP : Checking IPSec proposal 1
>
> ISAKMP: transform 1, ESP_DES
> ISAKMP:   attributes in transform:
> ISAKMP:      authenticator is HMAC-MD5
> ISAKMP:      encaps is 1
> IPSEC(validate_proposal): no IPSEC cryptomap exists for local address 10.0.0.50
>
> ISAKMP (0): atts not acceptable. Next payload is 0
> ISAKMP (0): SA not acceptable!
> <<<<<<<<<<<<<<<<<END>>>>>>>>>>>>>>>>>>
>
> So clearly it's the crypto maps?? But I have tried every damn
> combination possible!
>
>
> Here is my config:
>
> 10.0.0.50 outside global address of PIX (I know it isn't
> actually global! ;))
> 10.0.0.51 global address of 192.168.100.10 on inside
> 10.0.0.12 Host that's running Cisco Secure Client
>
>
> Building configuration...
> : Saved
> :
> PIX Version 5.0(2)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol smtp 25
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol sqlnet 1521
> names
> pager lines 24
> no logging timestamp
> no logging standby
> no logging console
> no logging monitor
> no logging buffered
> no logging trap
> logging facility 20
> logging queue 512
> interface ethernet0 auto
> interface ethernet1 auto
> mtu outside 1500
> mtu inside 1500
> ip address outside 10.0.0.50 255.255.255.192
> ip address inside 192.168.100.1 255.255.255.0
> no failover
> failover timeout 0:00:00
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> arp timeout 14400
> nat (inside) 0 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 10.0.0.51 192.168.100.10 netmask 255.255.255.255 0 0
> access-list 80 permit ip host 10.0.0.50 host 10.0.0.12
> access-list 80 permit ip host 10.0.0.51 host 10.0.0.50
> access-list 80 permit ip host 10.0.0.50 host 10.0.0.51
> access-list 80 permit ip host 10.0.0.50 any
> access-list 80 permit ip host 10.0.0.12 host 10.0.0.50
> access-list 80 permit ip host 10.0.0.12 host 10.0.0.51
> access-list 80 permit ip host 10.0.0.51 host 10.0.0.12
> conduit permit icmp any any
> conduit permit tcp host 10.0.0.51 eq telnet any
> no rip outside passive
> no rip outside default
> no rip inside passive
> no rip inside default
> route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
> timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
> timeout rpc 0:10:00 h323 0:05:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> no floodguard enable
> sysopt connection permit-ipsec
> crypto ipsec transform-set myset esp-des esp-md5-hmac
> crypto dynamic-map mydynmap 10 match address 80
> crypto dynamic-map mydynmap 10 set transform-set myset
> crypto map nemap 10 ipsec-isakmp dynamic mydynmap
> crypto map newmap interface outside
> isakmp enable outside
> isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 1
> isakmp policy 10 lifetime 1000
> telnet timeout 5
> terminal width 80
> Cryptochecksum:e917a68f549501fd95a913b4018f8e43
> : end
> [OK]
>
>
> ANY help MASSIVELY appreciated.
>
> Cheers
>
> Nick
>
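The mismatch Nick found (the map is populated as "nemap" but bound to the interface as "newmap") is a dangling name reference, and the PIX tells you as much in the phase 2 debug ("no IPSEC cryptomap exists for local address"). That class of error is easy to catch from the saved config before a peer ever sends a proposal. The checker below is an added example, not code from the original post or from Cisco: it parses the handful of PIX 5.x crypto statement forms that appear in the posted config (the regexes assume exactly that syntax), follows the reference chain interface -> crypto map -> dynamic map -> transform-set / access-list, and reports any name that is used but never defined. It also warns on the wildcard pre-shared key (`address 0.0.0.0 netmask 0.0.0.0`), because with that line any peer that learns the key can complete phase 1 against the firewall. The sample config is a constructed excerpt of the one posted above.

```python
"""Cross-reference checker for PIX 5.x crypto configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample: the crypto-relevant lines of the config posted above,
# with the crypto map name typo (nemap vs newmap) preserved.
BROKEN_CONFIG = """\
access-list 80 permit ip host 10.0.0.50 host 10.0.0.12
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 match address 80
crypto dynamic-map mydynmap 10 set transform-set myset
crypto map nemap 10 ipsec-isakmp dynamic mydynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key 1234567890 address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
"""

# The same excerpt with the fix from the follow-up post applied.
FIXED_CONFIG = BROKEN_CONFIG.replace("crypto map nemap 10", "crypto map newmap 10")

# (regex, kind this statement defines via group 1 or None,
#  [(group number, kind of name that group references), ...])
# Syntax is assumed from the posted config; other PIX forms are not covered.
RULES = [
    (r"^access-list (\S+) ", "access-list", []),
    (r"^crypto ipsec transform-set (\S+) ", "transform-set", []),
    (r"^crypto dynamic-map (\S+) \d+ match address (\S+)$", "dynamic-map", [(2, "access-list")]),
    (r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)$", "dynamic-map", [(2, "transform-set")]),
    (r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", "crypto-map", [(2, "dynamic-map")]),
    (r"^crypto map (\S+) \d+ ipsec-isakmp$", "crypto-map", []),
    (r"^crypto map (\S+) \d+ set transform-set (\S+)$", "crypto-map", [(2, "transform-set")]),
    (r"^crypto map (\S+) \d+ match address (\S+)$", "crypto-map", [(2, "access-list")]),
    # Binding a map to an interface only references the map; it defines nothing.
    (r"^crypto map (\S+) interface (\S+)$", None, [(1, "crypto-map")]),
]

WILDCARD_PSK = re.compile(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$")


def check_crypto_refs(config):
    """Return problem strings for a PIX config text.

    'error:' entries are names referenced but never defined, which is why the
    PIX above logged 'no IPSEC cryptomap exists': the map bound to the outside
    interface had no entries. 'warning:' entries are weak-but-valid settings.
    """
    defined = defaultdict(set)   # kind -> set of names defined
    references = []              # (kind, name, line that referenced it)
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        for pattern, def_kind, ref_groups in RULES:
            m = re.match(pattern, line)
            if not m:
                continue
            if def_kind:
                defined[def_kind].add(m.group(1))
            for group, kind in ref_groups:
                references.append((kind, m.group(group), line))
            break
        if WILDCARD_PSK.match(line):
            problems.append("warning: wildcard pre-shared key accepted from any peer: " + line)
    for kind, name, line in references:
        if name not in defined[kind]:
            problems.append(f"error: {kind} '{name}' is referenced but never defined: {line}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for p in check_crypto_refs(cfg) or ["ok"]:
            print(p)
```

Run it on a full `write terminal` dump: the broken excerpt yields one error for `newmap` and the wildcard-key warning; the fixed excerpt yields only the warning, which is the remaining thing a practitioner would tighten (a per-peer key, or certificates) once the tunnel is up.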

VPN is sponsored by SecurityFocus.COM