[VPN] Cisco VPN Client can't connect to Pix 515 with rsa-sig

Hart, Kevin KHart at helixtechnology.com
Wed May 5 16:22:11 EDT 2004


Have you tried using "ISAKMP identity hostname" instead of using "ISAKMP identity address"?

Kevin



Hi,

I have a problem connecting Cisco VPN Client (4.0.3 A) to a Firewall PIX 515 (6.3): when I connect by "pre-shared key" I don't have a problem, but if I connect by "rsa-sig" I can't establish a session.

The client log is:

275    10:11:47.332  05/05/04  Sev=Info/4	CERT/0x63600014
Cert (cn=Marco Losa,ou=Information Technology,o=Sefin,st=Italy,c=IT,e=marco.losa at sefin.it) verification succeeded.

276    10:11:47.362  05/05/04  Sev=Info/4	CM/0x63100002
Begin connection process

277    10:11:47.362  05/05/04  Sev=Info/4	CM/0x63100004
Establish secure connection using Ethernet

278    10:11:47.362  05/05/04  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

279    10:11:47.362  05/05/04  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

280    10:11:47.412  05/05/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

281    10:11:47.693  05/05/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

282    10:11:47.693  05/05/04  Sev=Warning/2	IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

283    10:11:47.693  05/05/04  Sev=Info/4	IKE/0xE30000A4
Invalid payload: Stated payload length, 1032, is not sufficient for
Notification:(PayloadList:148)

284    10:11:47.693  05/05/04  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id:
0x00000000)

285    10:11:48.224  05/05/04  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

286    10:11:48.224  05/05/04  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

287    10:11:52.720  05/05/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

288    10:11:52.720  05/05/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx

289    10:11:52.980  05/05/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

290    10:11:52.980  05/05/04  Sev=Warning/2	IKE/0xA3000062
Attempted incoming connection from xxx.xxx.xxx.xxx. Inbound connections are not allowed.

291    10:11:57.727  05/05/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

292    10:11:57.727  05/05/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx

293    10:12:02.734  05/05/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

294    10:12:02.734  05/05/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to xxx.xxx.xxx.xxx

295    10:12:07.742  05/05/04  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F3725439D795810F
R_Cookie=7D458C05DEA530C1) reason = DEL_REASON_PEER_NOT_RESPONDING

296    10:12:08.242  05/05/04  Sev=Info/4	IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F3725439D795810F
R_Cookie=7D458C05DEA530C1) reason = DEL_REASON_PEER_NOT_RESPONDING

297    10:12:08.242  05/05/04  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of
"DEL_REASON_PEER_NOT_RESPONDING"

298    10:12:08.242  05/05/04  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

299    10:12:08.252  05/05/04  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

300    10:12:08.743  05/05/04  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

301    10:12:08.743  05/05/04  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

302    10:12:08.743  05/05/04  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

303    10:12:08.743  05/05/04  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

And the PIX debug is:


OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
crypto_isakmp_process_block:src:62.10.15.142, dest:212.31.235.254 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
crypto_isakmp_process_block:src:62.10.15.142, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 62.10.15.142/500 not found - peers:1

ISAKMP: larval sa found
crypto_isakmp_process_block:src:62.10.15.142, dest:xxx.xxx.xxx.xxx spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 62.10.15.142/500 not found - peers:1

ISAKMP: larval sa found

Any idea?

Thanks
Marck


-----Original Message-----
From: Losa Marco [mailto:marco.losa at sefin.it]
Sent: Wednesday, May 05, 2004 5:32 AM
To: vpn at lists.shmoo.com
Subject: [VPN] Cisco VPN Client can't connect to Pix 515 with rsa-sig


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
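A worked triage of the Phase 1 failure in the thread, added here as an example; it is not code from the original post, from Cisco, or from the VPN list. The PIX debug above rejects every one of the nine client transforms against its priority 10 policy ("atts are not acceptable"), so no Phase 1 SA can be built whatever the identity setting, and the client's later "Invalid SPI size" / "malformed message" warnings are its reading of the reply it gets instead of an accepted proposal. The firewall's own `isakmp policy` lines are never shown, so the two policy sets in the script are assumptions: a pre-share-only policy that reproduces the symptom, and the same firewall with an added rsa-sig policy that accepts the client's transform 7 (AES-256, SHA, group 2, plain RSA signature). The debug excerpt is a constructed copy of two of the thread's transform listings in the format the PIX prints.

```python
"""Triage an IKEv1 Phase 1 proposal mismatch from PIX `debug crypto isakmp` output.

Added example for this thread; not code from the original post or from Cisco.
The firewall policy sets below are assumptions (the thread never shows them).
The debug excerpt is constructed in the format the PIX prints.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: two of the nine client transforms shown in the thread's PIX debug.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# Assumed firewall policies. A single pre-share/3DES policy is the kind of configuration
# that lets a "pre-shared key" client connect while every rsa-sig transform is rejected.
POLICY_PRESHARE_ONLY = {10: dict(encryption="3des", hash="sha", group=2, authentication="pre-share")}
# Same firewall plus a policy covering the client's transform 7 (AES-256/SHA/group 2/rsa-sig).
POLICY_WITH_RSA_SIG = {
    10: dict(encryption="3des", hash="sha", group=2, authentication="pre-share"),
    20: dict(encryption="aes-256", hash="sha", group=2, authentication="rsa-sig"),
}

ENC_NAMES = {"AES-CBC": "aes", "3DES-CBC": "3des", "DES-CBC": "des"}
AUTH_NAMES = {"RSA sig": "rsa-sig", "pre-share": "pre-share"}


@dataclass
class Transform:
    number: int
    encryption: str      # normalized like a PIX policy line, e.g. "aes-256", "3des"
    hash_alg: str        # "sha" or "md5"
    group: int           # Diffie-Hellman group
    authentication: str  # "rsa-sig", "pre-share", ...
    xauth: bool          # True for the "extended auth ... (init)" XAUTH variants
    lifetime: int        # seconds, decoded from the big-endian VPI bytes


def _finish(cur: dict) -> Transform:
    enc = cur["enc"] + (f"-{cur['keylength']}" if "keylength" in cur else "")
    return Transform(cur["number"], enc, cur["hash_alg"], cur["group"],
                     cur["authentication"], cur.get("xauth", False), cur["lifetime"])


def parse_transforms(debug_text: str) -> list[Transform]:
    """Turn the per-transform attribute lines of the PIX debug into Transform records."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            if cur:
                transforms.append(_finish(cur))
            cur = {"number": int(m.group(1))}
            continue
        attr = re.match(r"ISAKMP:\s+(.*)", line)  # attribute lines only, not "ISAKMP (0):" status lines
        if cur is None or not attr:
            continue
        body = attr.group(1).strip()
        if m := re.match(r"encryption (\S+)", body):
            cur["enc"] = ENC_NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.match(r"hash (\S+)", body):
            cur["hash_alg"] = m.group(1).lower()
        elif m := re.match(r"default group (\d+)", body):
            cur["group"] = int(m.group(1))
        elif m := re.match(r"(extended )?auth (.+?)(?: \(init\))?$", body):
            cur["xauth"] = bool(m.group(1))
            cur["authentication"] = AUTH_NAMES.get(m.group(2), m.group(2).lower().replace(" ", "-"))
        elif m := re.match(r"life duration \(VPI\) of\s+(.+)$", body):
            # 0x0 0x20 0xc4 0x9b -> 0x0020c49b = 2147483 seconds (the client's default lifetime)
            cur["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in m.group(1).split()), "big")
        elif m := re.match(r"keylength of (\d+)", body):
            cur["keylength"] = int(m.group(1))
    if cur:
        transforms.append(_finish(cur))
    return transforms


def mismatches(t: Transform, policy: dict) -> list[str]:
    """Attributes on which one client transform fails one firewall policy. Lifetime is not
    compared (IKEv1 peers settle on the shorter one). XAUTH variants are compared by their
    base method; assumption: the firewall has client authentication on its crypto map."""
    checks = [("encryption", t.encryption), ("hash", t.hash_alg),
              ("group", t.group), ("authentication", t.authentication)]
    return [f"{n}: client {v} vs policy {policy[n]}" for n, v in checks if v != policy[n]]


def first_acceptable(transforms: list[Transform], policies: dict):
    """(transform number, policy priority) of the first match, walking policies in priority
    order and transforms in offered order (the order the debug shows for priority 10).
    None means every transform is rejected: the thread's "atts are not acceptable" outcome."""
    for prio in sorted(policies):
        for t in transforms:
            if not mismatches(t, policies[prio]):
                return t.number, prio
    return None
```

Running `first_acceptable(parse_transforms(SAMPLE_DEBUG), POLICY_PRESHARE_ONLY)` returns `None`, and `mismatches` on transform 1 names encryption, group and authentication as the failing attributes, which is the concrete reading of the nine rejections in the debug. Against `POLICY_WITH_RSA_SIG` the same transforms yield `(7, 20)`. The practical check on the real firewall is `show isakmp policy` and a comparison of its encryption, hash, group and authentication against the client's offered transforms, exactly as this script does on the debug text; the identity setting only matters once a proposal has been accepted.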


