From: soup_or_power on 14 Dec 2006 21:59

Hi I am trying to connect to a PIX (a very old version) firewall and I get the dreaded 412 error (The remote peer is no longer responding). Googled it and no relevant posts. Can someone kindly help me figure this out?

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1 21:52:59.515 12/14/06 Sev=Info/4 CM/0x63100002 Begin connection process
2 21:52:59.718 12/14/06 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
3 21:52:59.718 12/14/06 Sev=Info/4 CM/0x63100024 Attempt connection with server "209.178.198.242"
4 21:53:02.781 12/14/06 Sev=Critical/1 CVPND/0xE3400003 Function SocketApiBind() failed with an error code of 0xFFFFFFF8(f:\temp\IPSecClient\Rel\PubKeyPK\SRC\ike-init-state.cpp:390)
5 21:53:02.781 12/14/06 Sev=Critical/1 CVPND/0x63400012 Unable to bind to IKE port. This could be because there is another VPN client installed or running. Please disable or uninstall all VPN Clients other than the Cisco VPN Client.
6 21:53:02.828 12/14/06 Sev=Info/4 CM/0xE3100003 Failure to Initialize IKE ports
7 21:53:02.828 12/14/06 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
8 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
9 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
10 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
11 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
12 21:53:02.906 12/14/06 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped
13 21:54:28.671 12/14/06 Sev=Info/4 CM/0x63100002 Begin connection process
14 21:54:28.765 12/14/06 Sev=Info/4 CM/0x63100004 Establish secure connection using Ethernet
15 21:54:28.765 12/14/06 Sev=Info/4 CM/0x63100024 Attempt connection with server "209.178.198.242"
16 21:54:28.796 12/14/06 Sev=Info/6 IKE/0x6300003B Attempting to establish a connection with 209.178.198.242.
17 21:54:29.109 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 209.178.198.242
18 21:54:29.453 12/14/06 Sev=Info/4 IPSEC/0x63700008 IPSec driver successfully started
19 21:54:29.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
20 21:54:29.578 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242
21 21:54:29.578 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), KE, ID, NON, HASH) from 209.178.198.242
22 21:54:29.578 12/14/06 Sev=Info/5 IKE/0x63000001 Peer is a Cisco-Unity compliant peer
23 21:54:29.578 12/14/06 Sev=Info/5 IKE/0x63000001 Peer supports DPD
24 21:54:29.578 12/14/06 Sev=Info/5 IKE/0x63000081 Received IOS Vendor ID with unknown capabilities flag 0x00000025
25 21:54:29.593 12/14/06 Sev=Info/6 IKE/0x63000001 IOS Vendor ID Contruction successful
26 21:54:29.593 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, VID(?), VID(Unity)) to 209.178.198.242
27 21:54:29.593 12/14/06 Sev=Info/4 IKE/0x63000082 IKE Port in use - Local Port = 0x01F4, Remote Port = 0x01F4
28 21:54:29.593 12/14/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
29 21:54:29.593 12/14/06 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
30 21:54:30.046 12/14/06 Sev=Info/5 IKE/0x6300005D Client sending a firewall request to concentrator
31 21:54:30.046 12/14/06 Sev=Info/5 IKE/0x6300005C Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).
32 21:54:30.046 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 209.178.198.242
33 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242
34 21:54:30.109 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 209.178.198.242
35 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.99.1
36 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.6
37 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x63000010 MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 192.168.1.6
38 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x6300000E MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = corp.iexpect.com
39 21:54:30.109 12/14/06 Sev=Info/4 CM/0x63100019 Mode Config data received
40 21:54:30.281 12/14/06 Sev=Info/4 IKE/0x63000055 Received a key request from Driver: Local IP = 192.168.99.1, GW IP = 209.178.198.242, Remote IP = 0.0.0.0
41 21:54:30.281 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 209.178.198.242
42 21:54:30.406 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242
43 21:54:30.406 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 209.178.198.242
44 21:54:30.406 12/14/06 Sev=Warning/3 IKE/0xA300004B Received a NOTIFY message with an invalid protocol id (0)
45 21:54:30.468 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
46 21:54:35.453 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
47 21:54:35.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(Retransmission) to 209.178.198.242
48 21:54:40.453 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
49 21:54:40.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(Retransmission) to 209.178.198.242
50 21:54:45.453 12/14/06 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
51 21:54:45.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK QM *(Retransmission) to 209.178.198.242
52 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x6300002D Phase-2 retransmission count exceeded: MsgID=586F5A33
53 21:54:50.453 12/14/06 Sev=Info/6 IKE/0x6300003D Sending DPD request to 209.178.198.242, seq# = 3403392917
54 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 209.178.198.242
55 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 209.178.198.242
56 21:54:50.453 12/14/06 Sev=Info/4 IKE/0x63000048 Discarding IPsec SA negotiation, MsgID=586F5A33
57 21:54:50.500 12/14/06 Sev=Info/5 IKE/0x6300002F Received ISAKMP packet: peer = 209.178.198.242
58 21:54:50.500 12/14/06 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 209.178.198.242
59 21:54:50.500 12/14/06 Sev=Info/5 IKE/0x6300003F Received DPD ACK from 209.178.198.242, seq# received = 3403392918, seq# expected = 3403392918
60 21:55:20.453 12/14/06 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=37BCC08204AE4596 R_Cookie=4DFC26D470437156) reason = DEL_REASON_PEER_NOT_RESPONDING
61 21:55:20.453 12/14/06 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 209.178.198.242
62 21:55:20.953 12/14/06 Sev=Info/4 IKE/0x6300004A Discarding IKE SA negotiation (I_Cookie=37BCC08204AE4596 R_Cookie=4DFC26D470437156) reason = DEL_REASON_PEER_NOT_RESPONDING
63 21:55:20.953 12/14/06 Sev=Info/4 CM/0x63100012 Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_PEER_NOT_RESPONDING". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
64 21:55:20.953 12/14/06 Sev=Info/5 CM/0x63100025 Initializing CVPNDrv
65 21:55:20.984 12/14/06 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection
66 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
67 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
68 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x63700014 Deleted all keys
69 21:55:21.453 12/14/06 Sev=Info/4 IPSEC/0x6370000A IPSec driver successfully stopped

From: Walter Roberson on 14 Dec 2006 22:30

In article <1166151599.639710.288540(a)73g2000cwn.googlegroups.com>, soup_or_power(a)yahoo.com <soup_or_power(a)yahoo.com> wrote:

>I am trying to connect to a PIX (a very old version) firewall and I get
>the dreaded 412 error (The remote peer is no longer responding).
>Googled it and no relevant posts. Can someone kindly help me figure
>this out?

>35 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x63000010
>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value =
>192.168.99.1

>36 21:54:30.109 12/14/06 Sev=Info/5 IKE/0x63000010
>MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.1.6

Possibly your end 192.168.99.1 is not set to route properly to 192.168.1.6. This could happen, for example, if you use an ip pool in the 192.168 range without specifying the netmask on the ip pool. (For 192.168.x, it -should- choose /24 but it is better to not leave it to chance if you don't need to.)

>40 21:54:30.281 12/14/06 Sev=Info/4 IKE/0x63000055
>Received a key request from Driver: Local IP = 192.168.99.1, GW IP =
>209.178.198.242, Remote IP = 0.0.0.0

>41 21:54:30.281 12/14/06 Sev=Info/4 IKE/0x63000013
>SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 209.178.198.242

>42 21:54:30.406 12/14/06 Sev=Info/5 IKE/0x6300002F
>Received ISAKMP packet: peer = 209.178.198.242

>43 21:54:30.406 12/14/06 Sev=Info/4 IKE/0x63000014
>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
>209.178.198.242

and everything quits after that. The NO_PROPOSAL_CHOSEN is why nothing else works after that point.

You can have NO_PROPOSAL_CHOSEN if you have an isakmp key mismatch (because the two sides disagree on how to encrypt or decrypt) or if one side only wants RSA and the other only wants pre-shared.

If you'd gotten further in the dialog, there would be another couple of places where NO_PROPOSAL_CHOSEN : those would indicate that the two sides disagreed on the transforms.

From: soup_or_power on 15 Dec 2006 10:09

The PIX has these rules:

crypto ipsec transform-set iexpect esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map corp 1 ipsec-isakmp
crypto map corp 1 match address ipsec
crypto map corp 1 set peer 216.74.138.157
crypto map corp 1 set transform-set iexpect
crypto map corp 10 ipsec-isakmp dynamic dynmap
crypto map corp client configuration address initiate
crypto map corp client configuration address respond
crypto map corp interface outside
isakmp enable outside
isakmp key ******** address 216.74.138.157 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup corphome address-pool corp-home
vpngroup corphome dns-server 192.168.1.6
vpngroup corphome wins-server 192.168.1.6
vpngroup corphome default-domain corp.iexpect.com
vpngroup corphome idle-time 1800
vpngroup corphome password ********

How can I configure the Cisco Client 4.0.5 to use key share?

Thanks

From: soup_or_power on 15 Dec 2006 20:52

Here is the debug from the PIX. I'd appreciate if Walter or someone can comment.

Thanks

crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
VPN Peer: ISAKMP: Added new peer: ip:72.79.125.235 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:72.79.125.235 Ref cnt incremented to:1 Total VPN Peers:1
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
OAK_AG exchange
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235

ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): SA has been authenticated
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 72.79.125.235. message ID = 0
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute UNKNOWN (28674)
ISAKMP: attribute UNKNOWN (28676)
ISAKMP: attribute UNKNOWN (28675)
Unsupported Attr: 28675
ISAKMP: attribute UNKNOWN (28679)
Unsupported Attr: 28679
ISAKMP: attribute UNKNOWN (28681)
Unsupported Attr: 28681
ISAKMP: attribute APPLICATION_VERSION (7)
Unsupported Attr: 7
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP: attribute UNKNOWN (28677)
Unsupported Attr: 28677
ISAKMP: attribute UNKNOWN (28678)
Unsupported Attr: 28678
ISAKMP (0:0): responding to peer config from 72.79.125.235. ID = 3561348378
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3146087570

ISAKMP : Checking IPSec proposal 1
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (1)

ISAKMP : Checking IPSec proposal 2
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (2)

ISAKMP : Checking IPSec proposal 3
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (3)

ISAKMP : Checking IPSec proposal 4
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): skipping next ANDed proposal (4)

ISAKMP : Checking IPSec proposal 5
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 6
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 256
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 7
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
ISAKMP (0): atts not acceptable. Next payload is 0

ISAKMP : Checking IPSec proposal 8
ISAKMP: unknown ESP transform!
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xc4 0x9b
IPSEC(validate_proposal): invalid local address 209.178.198.242
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing NOTIFY payload 36136 protocol 1 spi 0, message ID = 4224895108
ISAMKP (0): received DPD_R_U_THERE from peer 72.79.125.235
ISAKMP (0): sending NOTIFY message 36137 protocol 1
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing DELETE payload. message ID = 2699998900IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block: src 72.79.125.235, dest 209.178.198.242
ISAKMP (0): processing DELETE payload. message ID = 3651836985
ISAKMP (0): deleting SA: src 72.79.125.235, dst 209.178.198.242
ISAKMP (0): deleting IPSEC SAs with peer at 72.79.125.235IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x80c91590, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:72.79.125.235 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:72.79.125.235 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 72.79.125.235

From: soup_or_power on 16 Dec 2006 18:46

I downloaded the GreenBow VPN client and tested the encryption. The PIX expects DES and MD5 for encryption and authentication respectively. The GreenBow VPN client passed the phase 1 and phase 2 but alas, it doesn't connect when a password is challenged. I have to make extensive changes on the PIX to make the GreenBow VPN client work. It is not a viable option to me. Also the GreenBow VPN client is not free.

Now if I can replicate the limited success I had with GreenBow VPN client using Cisco VPN Client 4.0.5 that will be great. Can anyone please tell me what are the encryption and authentication schemes for the Cisco 4.0.5 VPN client? How can I set the options on Cisco 4.0.5 VPN client? Kindly note that the PIX firewall is very old and there is no way to change the encryption and authentication schemes.

Many thanks for your kind help.
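
Added example (not part of the thread and not Cisco's code): the PIX debug posted above lists each Phase 1 transform the client offers, and the posted configuration holds two isakmp policies (DES, MD5, group 1 and group 2). This Python sketch parses debug lines of that shape and reports which attributes of each offer differ from each policy. It compares only encryption, hash and DH group (authentication method and lifetime are left out), the sample input is constructed, and transform 10 in it is invented to show a matching offer.

```python
import re

# IKEv1 Phase 1 encryption attribute values (RFC 2409 Appendix A; 7 = AES-CBC
# was added later by RFC 3602). The PIX prints "What? 7?" for a value it does
# not recognise.
IKE_ENCRYPTION = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}

# The two isakmp policies from the posted PIX configuration:
# (priority, encryption, hash, Diffie-Hellman group)
PIX_POLICIES = [(1, "DES-CBC", "MD5", 1), (10, "DES-CBC", "MD5", 2)]

# Constructed sample. Transforms 1, 2 and 9 reuse attribute lines from the
# posted debug; transform 10 is invented here and does not appear in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      encryption... What? 7?
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share
ISAKMP (0): Checking ISAKMP transform 10 against priority 10 policy
ISAKMP:      encryption DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
"""

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
ENC_UNKNOWN = re.compile(r"encryption\.\.\. What\? (\d+)\?")
ENC_NAMED = re.compile(r"encryption (\S+)")
HASH = re.compile(r"\bhash (\S+)")
GROUP = re.compile(r"default group (\d+)")


def parse_transforms(debug_text):
    """Return {transform number: {'encryption', 'hash', 'group'}} from debug text."""
    transforms, current = {}, None
    for line in debug_text.splitlines():
        m = HEADER.search(line)
        if m:
            current = transforms.setdefault(
                int(m.group(1)), {"encryption": None, "hash": None, "group": None})
            continue
        if current is None:
            continue  # attribute lines before the first transform header
        if m := ENC_UNKNOWN.search(line):
            value = int(m.group(1))
            current["encryption"] = IKE_ENCRYPTION.get(value, f"unknown({value})")
        elif m := ENC_NAMED.search(line):
            current["encryption"] = m.group(1)
        elif m := HASH.search(line):
            current["hash"] = m.group(1)
        elif m := GROUP.search(line):
            current["group"] = int(m.group(1))
    return transforms


def mismatches(transform, policy):
    """List the attributes on which an offered transform differs from one policy.

    An attribute missing from a truncated debug entry (None) counts as a mismatch.
    """
    _, enc, hash_alg, group = policy
    wanted = {"encryption": enc, "hash": hash_alg, "group": group}
    return [f"{name}: offered {transform[name]}, policy wants {value}"
            for name, value in wanted.items() if transform[name] != value]


def acceptable_offers(debug_text, policies=PIX_POLICIES):
    """Return (transform number, policy priority) pairs that agree on all three."""
    offers = parse_transforms(debug_text)
    return [(num, policy[0]) for num, t in sorted(offers.items())
            for policy in policies if not mismatches(t, policy)]


def report(debug_text, policies=PIX_POLICIES):
    """One line per (offered transform, configured policy) comparison."""
    lines = []
    for num, t in sorted(parse_transforms(debug_text).items()):
        for policy in policies:
            diff = mismatches(t, policy)
            verdict = "match" if not diff else "; ".join(diff)
            lines.append(f"transform {num} vs policy {policy[0]}: {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
    print("acceptable:", acceptable_offers(SAMPLE_DEBUG))
```
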