IPSEC to PIX 515



Hi -

I'm running a 515 with the 6.3.3 code. I am trying to get the Cisco
IPSEC client connected to the PIX. I've followed the instructions on
Cisco's site, and had this working, but after a recent change it just
won't finish the ISAKMP negotiation.

I also have PPTP enabled to the PIX, which is working fine (so I know
there's no RADIUS/auth problem).

Client side logs show:

18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x

19 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH

21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x

22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH

23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_WE_FAILED_AUTH"

24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection

25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
============================
Sanitized PIX config is below:

interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 savvist security0

fixup protocol dns maximum-length 512
fixup protocol domain 53
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any unreachable
access-list outside permit icmp any any source-quench
access-list outside permit icmp any any time-exceeded

access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.11.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.12.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.13.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.21.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.22.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 192.168.23.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.253.58.0 255.255.255.0
access-list nonat permit ip 10.0.0.0 255.255.0.0 10.0.0.0 255.255.0.0

pager lines 24
logging on
logging timestamp
logging trap informational
logging facility 23
logging device-id hostname
logging host inside 10.0.0.42
no logging message 305012
icmp deny any outside
mtu outside 1500
mtu inside 1500
mtu savvist 1500

ip audit info action alarm
ip audit attack action alarm

ip local pool vpn 10.0.15.100-10.0.15.254
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (savvist) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 10.0.0.2 255.255.255.255 0 0
nat (inside) 1 10.0.0.0 255.255.0.0 0 0
access-group outside in interface outside
access-group savvist in interface savvist

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.42 LehMePo23HHHee timeout 10
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.10 k10D3* timeout 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp

crypto ipsec transform-set kiodex esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5 set transform-set kiodex
crypto map outside 1 ipsec-isakmp
crypto map outside 1 match address savvis
crypto map outside 1 set peer 216.74.163.199
crypto map outside 1 set transform-set kiodex
crypto map outside 2 ipsec-isakmp
crypto map outside 2 match address houston
crypto map outside 2 set peer 209.163.128.71
crypto map outside 2 set transform-set kiodex
crypto map outside 3 ipsec-isakmp
crypto map outside 3 match address att
crypto map outside 3 set peer 63.240.29.99
crypto map outside 3 set transform-set kiodex
crypto map outside 4 ipsec-isakmp
crypto map outside 4 match address pune
crypto map outside 4 set peer 59.160.68.2
crypto map outside 4 set transform-set kiodex
crypto map outside 5 ipsec-isakmp dynamic dynmap
crypto map outside client authentication RADIUS
crypto map outside interface outside
isakmp enable outside
isakmp key ******** address 216.74.163.199 netmask 255.255.255.255
isakmp key ******** address 209.163.128.71 netmask 255.255.255.255
isakmp key ******** address 63.240.29.99 netmask 255.255.255.255
isakmp key ******** address 59.160.68.2 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup 628vpn address-pool vpn
vpngroup 628vpn dns-server 10.0.0.10 10.0.0.204
vpngroup 628vpn wins-server 10.0.0.10 10.0.0.204
vpngroup 628vpn default-domain vpn.kiodex.com
vpngroup 628vpn split-tunnel nonat
vpngroup 628vpn idle-time 1800
vpngroup 628vpn password ********

vpdn group 628pptp accept dialin pptp
vpdn group 628pptp ppp authentication mschap
vpdn group 628pptp ppp encryption mppe auto
vpdn group 628pptp client configuration address local vpn
vpdn group 628pptp client configuration dns 10.0.0.10 10.0.0.204
vpdn group 628pptp client configuration wins 10.0.0.10 10.0.0.204
vpdn group 628pptp client authentication aaa RADIUS
vpdn group 628pptp pptp echo 60
vpdn enable outside
=================
Any help appreciated. Thanks.
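An added example, not part of the original post or of Cisco's software: a small Python parser for the Cisco VPN client log format quoted above. It rebuilds the ISAKMP exchange sequence, collects the Phase 1 termination reason and the IKE SA cookies, and reports whether Phase 1 failed, so a run like this one can be triaged from the client log alone. It assumes the `seq time date Sev=X/N MODULE/0xCODE message` layout shown in the post; the sample lines are the post's own entries, rejoined one per line.

```python
import re
from collections import Counter

# Constructed sample: the client-side entries from the post, one per line.
SAMPLE_LOG = """\
18 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
19 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
20 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
21 09:43:23.015 04/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
22 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=A2FA4A64ADDC7FD0 R_Cookie=DF2DA2372657AB00) reason = DEL_REASON_WE_FAILED_AUTH
23 09:43:23.750 04/14/06 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_WE_FAILED_AUTH"
24 09:43:23.750 04/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
25 09:43:23.750 04/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
"""

# One log entry: sequence number, time, date, severity, module/code, free text.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s+(?P<msg>.*)$"
)
# ISAKMP exchange line: direction, exchange type (TRANS, INFO, ...), payload list.
EXCH_RE = re.compile(r"(RECEIVING <<<|SENDING >>>)\s+ISAKMP OAK (\w+)\s+\*?\(([^)]*)\)")
REASON_RE = re.compile(r"reason = (\w+)|because of \"(\w+)\"")
COOKIE_RE = re.compile(r"I_Cookie=([0-9A-F]+) R_Cookie=([0-9A-F]+)")

def parse_client_log(text):
    """Parse Cisco VPN client log entries (one per line) into dicts; skip other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def summarize_phase1(entries):
    """Reconstruct the ISAKMP exchange sequence and the Phase 1 outcome."""
    exchanges, reasons, cookies = [], Counter(), set()
    for e in entries:
        x = EXCH_RE.search(e["msg"])
        if x:
            direction = "rx" if x.group(1).startswith("RECEIVING") else "tx"
            exchanges.append((direction, x.group(2), x.group(3)))
        for r in REASON_RE.finditer(e["msg"]):
            reasons[r.group(1) or r.group(2)] += 1
        c = COOKIE_RE.search(e["msg"])
        if c:
            cookies.add(c.groups())
    # The connection manager (CM) module reports the final Phase 1 verdict.
    failed = any(e["module"] == "CM" and "Phase 1" in e["msg"] and "Unable" in e["msg"]
                 for e in entries)
    return {"exchanges": exchanges, "reasons": dict(reasons),
            "ike_sas": sorted(cookies), "phase1_failed": failed}
```

Running it over the post's entries shows the negotiation reached the transaction (OAK TRANS) exchange and was then torn down by the client with a single reason, which narrows the search to the Phase 1 authentication step rather than to Phase 2 or to the traffic rules.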
