[VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Andrew Prince Andrew.Prince at TrinitySecurity.com
Tue Feb 24 14:02:14 EST 2004


Youssef,

You have to configure the following:-

isakmp enable outside
isakmp identity address
crypto map <vpn client crypto map> interface outside
sysopt connection permit-ipsec

ISAKMP & IPSEC transform sets for vpn client access????


  _____  

From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of Benkirane Youssef
Sent: 24 February 2004 14:07
To: vpn at lists.shmoo.com
Subject: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates



Hi,

I have a Cisco PIX 515. The WAN interface is connected behind an Internet
link.

When I try to connect with a Cisco VPN client 3.6.3 to the PIX using a
certificate, the ISAKMP authentication blocks.

The IPSEC log viewer shows that the message SENDING >>> ISAKMP OAK MM *(ID,
CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77 has
no response from the PIX.

Does someone have a diagnostic for this problem?

Thank you in advance

Youssef

 

Those are the whole logs of the VPN client.

1      11:58:33.134  02/24/04  Sev=Info/6           DIALER/0x63300002
Initiating connection.

2      11:58:33.134  02/24/04  Sev=Info/4           CM/0x63100002
Begin connection process

3      11:58:33.144  02/24/04  Sev=Info/4           CM/0x63100004
Establish secure connection using Ethernet

4      11:58:33.144  02/24/04  Sev=Info/4           CM/0x63100026
Attempt connection with server "217.128.150.77"

5      11:58:33.144  02/24/04  Sev=Info/6           IKE/0x6300003B
Attempting to establish a connection with 217.128.150.77.

6      11:58:33.204  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77

7      11:58:34.035  02/24/04  Sev=Info/4           IPSEC/0x63700014
Deleted all keys

8      11:58:38.241  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

9      11:58:43.248  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

10     11:58:48.256  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

11     11:58:48.306  02/24/04  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77

12     11:58:48.306  02/24/04  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77

13     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 7D9419A65310CA6F2C179D9215529D56

14     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 90CB80913EBB696E086381B5EC427B1F

15     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports NAT-T

16     11:58:48.316  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77

17     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77

18     11:58:48.416  02/24/04  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D, NAT-D) from 217.128.150.77

19     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 09002689DFD6B712

20     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports XAUTH

21     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100

22     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports DPD

23     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100

24     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer

25     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = B11B2FEEE3184CADFA563C07828BFA2F

26     11:58:48.506  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77

27     11:58:53.513  02/24/04  Sev=Warning/2   IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

28     11:58:53.513  02/24/04  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "217.128.150.77" because of "DEL_REASON_PEER_NOT_RESPONDING"

29     11:58:53.513  02/24/04  Sev=Info/5          CM/0x63100029
Initializing CVPNDrv

30     11:58:53.563  02/24/04  Sev=Warning/3   DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

31     11:58:54.575  02/24/04  Sev=Info/4          IPSEC/0x63700014
Deleted all keys
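
Added example, not part of the original posts: a Python parser for the client log format shown above that rebuilds the ISAKMP main-mode exchange and reports the last client message the peer never answered. The sample log is constructed from the entries above with a documentation address in place of the server, the function names are hypothetical, and reading "*" as the encrypted-message marker is an assumption.

```python
import re

# Constructed sample modelled on the client log above (entries 6-27, trimmed);
# 192.0.2.77 is a documentation address standing in for the server.
SAMPLE_LOG = """\
6   11:58:33.204  02/24/04  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 192.0.2.77
8   11:58:38.241  02/24/04  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 192.0.2.77
12  11:58:48.306  02/24/04  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 192.0.2.77
16  11:58:48.316  02/24/04  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 192.0.2.77
18  11:58:48.416  02/24/04  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, NAT-D,
NAT-D) from 192.0.2.77
26  11:58:48.506  02/24/04  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to 192.0.2.77
27  11:58:53.513  02/24/04  Sev=Warning/2  IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
"""

# Payload lists may wrap across lines, so match up to the closing parenthesis.
# Assumption: the "*" before the list marks an encrypted message.
MSG = re.compile(r"(SENDING >>>|RECEIVING <<<) ISAKMP OAK (\w+) (\*?)\(([^)]*)\)")

def exchange(log):
    """Return the ISAKMP messages in order, folding retransmissions into the message they repeat."""
    msgs = []
    for direction, mode, star, body in MSG.findall(log):
        payloads = [p.strip() for p in body.split(",")]
        if payloads == ["Retransmission"]:
            for prev in reversed(msgs):
                if prev["sent"]:
                    prev["retries"] += 1
                    break
            continue
        msgs.append({"sent": direction.startswith("SENDING"), "mode": mode,
                     "encrypted": star == "*", "payloads": payloads, "retries": 0})
    return msgs

def stalled_message(log):
    """Return (message number, message) for a final unanswered client message, else None."""
    msgs = exchange(log)
    if not msgs or not msgs[-1]["sent"]:
        return None
    return len(msgs), msgs[-1]
```

On the sample, `stalled_message(SAMPLE_LOG)` reports message 5 of the exchange, the encrypted ID/CERT/SIG message, which is the same point at which the log above stops receiving replies.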

 
