[VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates
Andrew Prince
Andrew.Prince at TrinitySecurity.com
Tue Feb 24 14:02:14 EST 2004
Youssef,
You have to configure the following:-
isakmp enable outside
isakmp identity address
crypto map <vpn client crypto map> interface outside
sysopt connection permit-ipsec
ISAKMP & IPSEC transform sets for vpn client access????
_____
From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of Benkirane Youssef
Sent: 24 February 2004 14:07
To: vpn at lists.shmoo.com
Subject: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Hi,
I have a Cisco PIX 515. The WAN interface is connected behind an Internet
link.
When I try to connect with a Cisco VPN client 3.6.3 to the PIX using a
certificate, the ISAKMP authentication blocks.
The IPSEC log viewer shows that the message SENDING >>> ISAKMP OAK MM *(ID,
CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77, has
no response from the PIX.
Does someone have a diagnostic for this problem?
Thank you in advance
Youssef
These are the complete logs of the VPN client.
1 11:58:33.134 02/24/04 Sev=Info/6 DIALER/0x63300002
Initiating connection.
2 11:58:33.134 02/24/04 Sev=Info/4 CM/0x63100002
Begin connection process
3 11:58:33.144 02/24/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 11:58:33.144 02/24/04 Sev=Info/4 CM/0x63100026
Attempt connection with server "217.128.150.77"
5 11:58:33.144 02/24/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 217.128.150.77.
6 11:58:33.204 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77
7 11:58:34.035 02/24/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
8 11:58:38.241 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
9 11:58:43.248 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
10 11:58:48.256 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
11 11:58:48.306 02/24/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77
12 11:58:48.306 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77
13 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 7D9419A65310CA6F2C179D9215529D56
14 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 90CB80913EBB696E086381B5EC427B1F
15 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 11:58:48.316 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77
17 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77
18 11:58:48.416 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D,
NAT-D) from 217.128.150.77
19 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 09002689DFD6B712
20 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
21 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
22 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports DPD
23 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
24 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
25 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = B11B2FEEE3184CADFA563C07828BFA2F
26 11:58:48.506 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77
27 11:58:53.513 02/24/04 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
28 11:58:53.513 02/24/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "217.128.150.77" because of
"DEL_REASON_PEER_NOT_RESPONDING"
29 11:58:53.513 02/24/04 Sev=Info/5 CM/0x63100029
Initializing CVPNDrv
30 11:58:53.563 02/24/04 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
31 11:58:54.575 02/24/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
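
An added example, not part of the original messages: a small Python parser that walks a Cisco VPN client log like the one above and reports the last IKE message the client sent without receiving an answer, which locates the stall at the ID/CERT/SIG message. The function names, the `starred` field and the excerpted sample are this example's own choices.

```python
import re

# Record header, e.g. "26 11:58:48.506 02/24/04 Sev=Info/4 IKE/0x63000013"
HEADER = re.compile(r"^(\d+)\s+\S+\s+\S+\s+Sev=\w+/\d+\s+\w+/0x[0-9A-Fa-f]+$")
# IKE message text: direction, the client's optional '*' marker, payload list
IKE_MSG = re.compile(
    r"^(SENDING|RECEIVING) \S+ ISAKMP OAK \w+ (\*?)\((.*?)\) (?:to|from) \S+$")

def parse_records(text):
    """Pair each record number with its message, rejoining wrapped lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            records.append([int(m.group(1)), ""])
        elif records:
            records[-1][1] = (records[-1][1] + " " + line).strip()
    return records

def find_stall(text):
    """Return the last IKE message sent that the peer never answered, or None."""
    pending = None
    for seq, msg in parse_records(text):
        m = IKE_MSG.match(msg)
        if not m:
            continue
        direction, star, payloads = m.groups()
        names = [p.strip() for p in payloads.split(",")]
        if direction == "RECEIVING":
            pending = None  # the peer answered the outstanding message
        elif names == ["Retransmission"]:
            if pending:
                pending["retransmits"] += 1
        else:
            pending = {"seq": seq, "starred": bool(star), "payloads": names, "retransmits": 0}
    return pending

# Excerpt copied from the client log quoted above (records 6, 8, 12 and 26).
SAMPLE = """\
6 11:58:33.204 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77
8 11:58:38.241 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
12 11:58:48.306 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77
26 11:58:48.506 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77
"""
print(find_stall(SAMPLE))
```

Run over the full log, the same function returns record 26, because no RECEIVING line follows it before the retransmit warning.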