[VPN] Cisco VPN Client can't connect to Pix 515 with rsa-sig
Losa Marco
marco.losa at sefin.it
Wed May 5 05:31:31 EDT 2004
Hi,
I have a problem connecting the Cisco VPN Client (4.0.3 A) to a PIX 515
firewall (6.3): when I connect by "pre-shared key" I don't have a problem,
but if I connect by "rsa-sig" I can't establish a session.
The client log is:
275 10:11:47.332 05/05/04 Sev=Info/4 CERT/0x63600014
Cert (cn=Marco Losa,ou=Information Technology,o=Sefin,st=Italy,c=IT,e=marco.losa at sefin.it) verification succeeded.
276 10:11:47.362 05/05/04 Sev=Info/4 CM/0x63100002
Begin connection process
277 10:11:47.362 05/05/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
278 10:11:47.362 05/05/04 Sev=Info/4 CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"
279 10:11:47.362 05/05/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
280 10:11:47.412 05/05/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx
281 10:11:47.693 05/05/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
282 10:11:47.693 05/05/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
283 10:11:47.693 05/05/04 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 1032, is not sufficient for Notification:(PayloadList:148)
284 10:11:47.693 05/05/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
285 10:11:48.224 05/05/04 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
286 10:11:48.224 05/05/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
287 10:11:52.720 05/05/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
288 10:11:52.720 05/05/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx
289 10:11:52.980 05/05/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx
290 10:11:52.980 05/05/04 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from xxx.xxx.xxx.xxx. Inbound connections are not allowed.
291 10:11:57.727 05/05/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
292 10:11:57.727 05/05/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx
293 10:12:02.734 05/05/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
294 10:12:02.734 05/05/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx
295 10:12:07.742 05/05/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=F3725439D795810F R_Cookie=7D458C05DEA530C1) reason = DEL_REASON_PEER_NOT_RESPONDING
296 10:12:08.242 05/05/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F3725439D795810F R_Cookie=7D458C05DEA530C1) reason = DEL_REASON_PEER_NOT_RESPONDING
297 10:12:08.242 05/05/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"
298 10:12:08.242 05/05/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
299 10:12:08.252 05/05/04 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
300 10:12:08.743 05/05/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
301 10:12:08.743 05/05/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
302 10:12:08.743 05/05/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
303 10:12:08.743 05/05/04 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And the PIX debug is:
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:62.10.15.142, dest:212.31.235.254 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:62.10.15.142, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 62.10.15.142/500 not found - peers:1
ISAKMP: larval sa found
crypto_isakmp_process_block:src:62.10.15.142, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 62.10.15.142/500 not found - peers:1
ISAKMP: larval sa found
Any idea?
Thanks
Marck
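
When reading PIX debug output like that quoted above, it helps to tabulate each proposed transform and compare it attribute by attribute with the responder's ISAKMP policy. The Python below is an added example, not part of the original post: the sample text is constructed in the format of the quoted debug, POLICY is a hypothetical policy (the post does not show the PIX configuration), and the comparison is a plain field-by-field check, not the PIX's own matching logic.

```python
import re

# Constructed sample in the format of the PIX debug output quoted above.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
# Hypothetical responder policy; the post does not show the PIX configuration.
POLICY = {"encryption": "AES-CBC", "keylength": 128, "hash": "SHA",
          "group": 2, "auth": "auth RSA sig"}
HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
PATTERNS = {
    "encryption": r"encryption (\S+)", "hash": r"hash (\S+)",
    "group": r"default group (\d+)", "keylength": r"keylength of (\d+)",
    "auth": r"ISAKMP:\s+((?:extended )?auth .+)",
    "lifetime": r"life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)",
}

def parse_transforms(text):  # one dict per proposed transform in the debug text
    out = []
    for line in text.splitlines():
        if (m := HEADER.search(line)):
            out.append({"transform": int(m[1]), "priority": int(m[2])})
        elif out and "atts are not acceptable" in line:
            out[-1]["rejected"] = True
        elif out:
            for key, pat in PATTERNS.items():
                if (m := re.search(pat, line)):
                    val = m[1].strip()
                    if key == "lifetime":  # VPI octets form a big-endian integer
                        val = int.from_bytes(bytes(int(b, 16) for b in val.split()), "big")
                    out[-1][key] = int(val) if str(val).isdigit() else val
    return out

def mismatches(transform, policy):  # attribute names that differ from the policy
    return [k for k, v in policy.items() if transform.get(k) != v]
```

The lifetime octets `0x0 0x20 0xc4 0x9b` decode to 2147483 seconds; calling `mismatches()` for each parsed transform shows which attributes separate a proposal from the policy being tested.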