local user authentication for remote vpn client users on pix


Post by Bill » Tue, 02 Nov 2004 12:47:44



Here's what I think are the relevant cfg parts.

aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
.....
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup hulavpn address-pool ippool
vpngroup hulavpn dns-server ns1-in
vpngroup hulavpn wins-server ns1-in
vpngroup hulavpn default-domain hulanetworks.com
vpngroup hulavpn split-tunnel 80
vpngroup hulavpn split-dns hulanetworks.com
vpngroup hulavpn idle-time 1800
vpngroup hulavpn password ********
.....
username ....
#########################

Here's the error I'm getting from a 4.x client.  Peer Info Not Found.

crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are not acceptable.
crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x
spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:68.121.111.24, dest:69.224.21.130
spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

ISAKMP: larval sa found
crypto_isakmp_process_block:src:68.121.111.24, dest:69.224.21.130
spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0


local user authentication for remote vpn client users on pix

Post by Walter Robers » Tue, 02 Nov 2004 13:55:45




:Here's what I think is the relevant cfg parts.

:aaa-server LOCAL protocol local

:crypto ipsec transform-set myset esp-des esp-sha-hmac
:crypto dynamic-map dynmap 10 set transform-set myset
:crypto map mymap 10 ipsec-isakmp dynamic dynmap

:crypto map mymap client authentication LOCAL

:isakmp policy 10 encryption des
:isakmp policy 10 hash sha
:isakmp policy 10 group 2

:Here's the error I'm getting from a 4.x client.  Peer Info Not Found.

:ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
:ISAKMP:      encryption 3DES-CBC
:ISAKMP:      hash SHA
:ISAKMP:      default group 2
:ISAKMP:      extended auth pre-share (init)
:ISAKMP:      life type in seconds
:ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
:ISAKMP (0): atts are not acceptable.
:crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
:VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

Notice that you never get an 'atts acceptable' message.
The VPN client is not offering to allow a transform that the PIX
has been configured to accept. The PIX only wants DES SHA-HMAC Group 2,
and the VPN client isn't offering anything less than 3DES.

Your problem is thus not to do with local authentication, but rather
to do with the transforms.

I would suggest that if you are not one of the State Department
banned persons (the list of which is fairly small), and you are
not working for one of the 6 or so banned countries (e.g., Cuba),
then you apply for a free 3DES key for your PIX. For
information on the process, please see

https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgD...

--
This is not an idea.


local user authentication for remote vpn client users on pix

Post by Bill » Tue, 02 Nov 2004 14:10:06


Thanks for the response.  Yeah, I know we can get the 3DES license for
free, but I was going to do that later.  So, the 4.x client simply
doesn't support single DES?



> :Here's what I think is the relevant cfg parts.

> :aaa-server LOCAL protocol local

> :crypto ipsec transform-set myset esp-des esp-sha-hmac
> :crypto dynamic-map dynmap 10 set transform-set myset
> :crypto map mymap 10 ipsec-isakmp dynamic dynmap

> :crypto map mymap client authentication LOCAL

> :isakmp policy 10 encryption des
> :isakmp policy 10 hash sha
> :isakmp policy 10 group 2

> :Here's the error I'm getting from a 4.x client.  Peer Info Not Found.

> :ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
> :ISAKMP:      encryption 3DES-CBC
> :ISAKMP:      hash SHA
> :ISAKMP:      default group 2
> :ISAKMP:      extended auth pre-share (init)
> :ISAKMP:      life type in seconds
> :ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> :ISAKMP (0): atts are not acceptable.
> :crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
> :VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0

> Notice that you never get an 'atts acceptable' message.
> The VPN client is not offering to allow a transform that the PIX
> has been configured to accept. The PIX only wants DES SHA-HMAC Group 2,
> and the VPN client isn't offering anything less than 3DES.

> Your problem is thus not to do with local authentication, but rather
> to do with the transforms.

> I would suggest that if you are not one of the State Department
> banned persons (the list of which is fairly small), and you are
> not working for one of the 6 or so banned countries (e.g., Cuba),
> then you apply for a free 3DES key for your PIX. For
> information on the process, please see

> https://tools.cisco.com/SWIFT/Licensing/jsp/formGenerator/Pix3DesMsgD...


local user authentication for remote vpn client users on pix

Post by Walter Robers » Tue, 02 Nov 2004 14:50:10




:Thanks for the response.  Yeah, I know we can get the 3des license for
:free, but, I was going to do that later.  So, the 4.x client simply
:doesn't support single des?

The 4.x client does support single DES [according to the 4.0 release
notes], but the PIX gives up after 10 proposals. There is no way
to modify the number of proposals that PIX will pay attention to,
and there is no way to alter the order or varieties of proposals
the 4.0 client offers [with the exception that you can modify
the default DH group away from 2.]
--
   The image data is transmitted back to Earth at the speed of light
   and usually at 12 bits per pixel.

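Added example (not code from the thread or from Cisco) that replays the phase-1 check Walter describes: it parses the "Checking ISAKMP transform" blocks of a `debug crypto isakmp` trace and matches them against `isakmp policy` entries, with the ten-proposal cut-off from his second reply as a tunable limit. The proposal list is constructed from Bill's posted trace; the PIX 6.3 policy keywords (des, 3des, aes, aes-256) and the priority-order walk are assumptions of this model.

```python
"""Replay the PIX phase-1 proposal check from a 'debug crypto isakmp' trace.
Constructed example: a transform is accepted when it agrees with an
'isakmp policy' entry on encryption, hash, DH group and authentication."""
import re

# Debug-trace spelling -> 'isakmp policy' keyword (PIX 6.3 syntax, assumed).
ENC_NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes"}
HASH_NAMES = {"SHA": "sha", "MD5": "md5"}
XAUTH = "extended auth pre-share (init)"  # client wants XAUTH after the PSK
PSK = "auth pre-share"                    # plain pre-shared key only


def parse_transforms(debug_text):
    """Return one dict per transform block, in the order the client offered them."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "keylength": None, "xauth": False}
            transforms.append(cur)
        elif cur is not None and line.startswith("ISAKMP:"):
            attr = line[len("ISAKMP:"):].strip()
            words = attr.split()
            if attr.startswith("encryption "):
                cur["encryption"] = ENC_NAMES.get(words[1], words[1].lower())
            elif attr.startswith("hash "):
                cur["hash"] = HASH_NAMES.get(words[1], words[1].lower())
            elif attr.startswith("default group "):
                cur["group"] = int(words[-1])
            elif attr.startswith("keylength of "):
                cur["keylength"] = int(words[-1])
            elif "auth pre-share" in attr:
                cur["auth"] = "pre-share"
                cur["xauth"] = attr.startswith("extended")
    return transforms


def policy_accepts(policy, t):
    """True if a client transform satisfies one 'isakmp policy' entry. AES carries
    a key-length attribute that selects aes / aes-192 / aes-256; DES and 3DES
    have a fixed key length and carry none."""
    enc = t.get("encryption")
    if enc == "aes" and t["keylength"] != 128:
        enc = f"aes-{t['keylength']}"
    return (enc == policy["encryption"] and t.get("hash") == policy["hash"]
            and t.get("group") == policy["group"]
            and t.get("auth") == policy["authentication"])


def first_acceptable(policies, transforms, limit=10):
    """Return (transform id, policy priority) for the first match, else None.
    The PIX walks the proposals in order and, as Walter notes, gives up after
    ten of them; 'limit' models that cut-off."""
    for t in transforms[:limit]:
        for prio in sorted(policies):
            if policy_accepts(policies[prio], t):
                return t["id"], prio
    return None


def render_debug(proposals):
    """Emit constructed proposals in the line format of the posted trace."""
    out = []
    for i, (enc, h, auth, keylen) in enumerate(proposals, 1):
        out += [f"ISAKMP (0): Checking ISAKMP transform {i} against priority 10 policy",
                f"ISAKMP:      encryption {enc}", f"ISAKMP:      hash {h}",
                "ISAKMP:      default group 2", f"ISAKMP:      {auth}",
                "ISAKMP:      life type in seconds",
                "ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b"]
        if keylen:
            out.append(f"ISAKMP:      keylength of {keylen}")
        out.append("ISAKMP (0): atts are not acceptable. Next payload is 3")
    return "\n".join(out)


# The nine proposals visible in Bill's trace, in the order the 4.x client sent them.
CLIENT_4X_PROPOSALS = [
    ("AES-CBC", "SHA", XAUTH, 256), ("AES-CBC", "MD5", XAUTH, 256),
    ("AES-CBC", "SHA", PSK, 256), ("AES-CBC", "MD5", PSK, 256),
    ("AES-CBC", "SHA", XAUTH, 128), ("AES-CBC", "MD5", XAUTH, 128),
    ("AES-CBC", "SHA", PSK, 128), ("AES-CBC", "MD5", PSK, 128),
    ("3DES-CBC", "SHA", XAUTH, None),
]
# Bill's 'isakmp policy 10' before and after the 3DES licence.
POLICY_DES = {10: {"encryption": "des", "hash": "sha", "group": 2, "authentication": "pre-share"}}
POLICY_3DES = {10: {"encryption": "3des", "hash": "sha", "group": 2, "authentication": "pre-share"}}

if __name__ == "__main__":
    offered = parse_transforms(render_debug(CLIENT_4X_PROPOSALS))
    print(first_acceptable(POLICY_DES, offered), first_acceptable(POLICY_3DES, offered))  # None (9, 10)
```

With the DES policy no proposal matches, which is the "never an 'atts acceptable'" symptom; with 3DES the ninth proposal is the first hit, exactly where Bill's later trace turns acceptable.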

local user authentication for remote vpn client users on pix

Post by Jyri Korhone » Tue, 02 Nov 2004 17:01:00



> The 4.x client does support single DES [according to
> the 4.0 release notes]...

Yes, it does, but the 3.5 client was the last to support
DES + SHA combination. So in order to use DES you must
switch to MD5.

local user authentication for remote vpn client users on pix

Post by Bill » Thu, 04 Nov 2004 05:06:55


OK, 3DES is now enabled and configured, and still atts not acceptable??
I'm curious about the extended auth pre-share.  I'm attempting to
authenticate users against the local database.  Here's the config again:

....
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
......

sysopt connection permit-ipsec
.....
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup hulavpn address-pool ippool
vpngroup hulavpn dns-server ns1-in
vpngroup hulavpn wins-server ns1-in
vpngroup hulavpn default-domain hulanetworks.com
vpngroup hulavpn split-tunnel 80
vpngroup hulavpn split-dns hulanetworks.com
vpngroup hulavpn idle-time 1800
vpngroup hulavpn password ********

crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500 dpt:500
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 128
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      extended auth pre-share (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP (0): atts are acceptable.
crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

ISADB: reaper checking SA 0x1120c84, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0



>> The 4.x client does support single DES [according to
>> the 4.0 release notes]...

> Yes, it does, but the 3.5 client was the last to support
> DES + SHA combination. So in order to use DES you must
> switch to MD5.


local user authentication for remote vpn client users on pix

Post by Bill » Thu, 04 Nov 2004 05:25:11


On closer look, I see atts are acceptable, and then a msg not encrypted
error???

ISAKMP (0): atts are acceptable.
crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

ISADB: reaper checking SA 0x1120c84, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0


> Ok 3des is now enabled and configured and still atts not acceptable??
> I'm curious about the extended auth pre-share.  I'm attempting to
> authenticate users against the local database.  Here's the config again

> ....
> aaa-server TACACS+ protocol tacacs+
> aaa-server TACACS+ max-failed-attempts 3
> aaa-server TACACS+ deadtime 10
> aaa-server RADIUS protocol radius
> aaa-server RADIUS max-failed-attempts 3
> aaa-server RADIUS deadtime 10
> aaa-server LOCAL protocol local
> aaa authentication ssh console LOCAL
> aaa authorization command LOCAL
> ......

> sysopt connection permit-ipsec
> .....
> crypto ipsec transform-set myset esp-3des esp-sha-hmac
> crypto dynamic-map dynmap 10 set transform-set myset
> crypto map mymap 10 ipsec-isakmp dynamic dynmap
> crypto map mymap client configuration address initiate
> crypto map mymap client configuration address respond
> crypto map mymap client authentication LOCAL
> crypto map mymap interface outside
> isakmp enable outside
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> vpngroup hulavpn address-pool ippool
> vpngroup hulavpn dns-server ns1-in
> vpngroup hulavpn wins-server ns1-in
> vpngroup hulavpn default-domain hulanetworks.com
> vpngroup hulavpn split-tunnel 80
> vpngroup hulavpn split-dns hulanetworks.com
> vpngroup hulavpn idle-time 1800
> vpngroup hulavpn password ********

> crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500 dpt:500
> OAK_AG exchange
> ISAKMP (0): processing SA payload. message ID = 0

> ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      default group 2
> ISAKMP:      extended auth pre-share (init)
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 256
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 2
> ISAKMP:      extended auth pre-share (init)
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 256
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      default group 2
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 256
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 2
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 256
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      default group 2
> ISAKMP:      extended auth pre-share (init)
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 128
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 2
> ISAKMP:      extended auth pre-share (init)
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 128
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      default group 2
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 128
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
> ISAKMP:      encryption AES-CBC
> ISAKMP:      hash MD5
> ISAKMP:      default group 2
> ISAKMP:      auth pre-share
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP:      keylength of 128
> ISAKMP (0): atts are not acceptable. Next payload is 3
> ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
> ISAKMP:      encryption 3DES-CBC
> ISAKMP:      hash SHA
> ISAKMP:      default group 2
> ISAKMP:      extended auth pre-share (init)
> ISAKMP:      life type in seconds
> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
> ISAKMP (0): atts are acceptable.
> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

> ISADB: reaper checking SA 0x1120c84, conn_id = 0  DELETE IT!

> VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0



>>> The 4.x client does support single DES [according to
>>> the 4.0 release notes]...

>> Yes, it does, but the 3.5 client was the last to support
>> DES + SHA combination. So in order to use DES you must
>> switch to MD5.


local user authentication for remote vpn client users on pix

Post by Bill » Thu, 04 Nov 2004 06:28:10


It's working now. Typo on the vpngroup command.

> On closer look, I see atts are acceptable, and then a msg not encrypted
> error???

> ISAKMP (0): atts are acceptable.
> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500 dpt:500
> ISAKMP: error, msg not encrypted
> ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

> ISADB: reaper checking SA 0x1120c84, conn_id = 0  DELETE IT!

> VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0


>> Ok 3des is now enabled and configured and still atts not acceptable??
>> I'm curious about the extended auth pre-share.  I'm attempting to
>> authenticate users against the local database.  Here's the config again

>> ....
>> aaa-server TACACS+ protocol tacacs+
>> aaa-server TACACS+ max-failed-attempts 3
>> aaa-server TACACS+ deadtime 10
>> aaa-server RADIUS protocol radius
>> aaa-server RADIUS max-failed-attempts 3
>> aaa-server RADIUS deadtime 10
>> aaa-server LOCAL protocol local
>> aaa authentication ssh console LOCAL
>> aaa authorization command LOCAL
>> ......

>> sysopt connection permit-ipsec
>> .....
>> crypto ipsec transform-set myset esp-3des esp-sha-hmac
>> crypto dynamic-map dynmap 10 set transform-set myset
>> crypto map mymap 10 ipsec-isakmp dynamic dynmap
>> crypto map mymap client configuration address initiate
>> crypto map mymap client configuration address respond
>> crypto map mymap client authentication LOCAL
>> crypto map mymap interface outside
>> isakmp enable outside
>> isakmp identity address
>> isakmp policy 10 authentication pre-share
>> isakmp policy 10 encryption 3des
>> isakmp policy 10 hash sha
>> isakmp policy 10 group 2
>> isakmp policy 10 lifetime 86400
>> vpngroup hulavpn address-pool ippool
>> vpngroup hulavpn dns-server ns1-in
>> vpngroup hulavpn wins-server ns1-in
>> vpngroup hulavpn default-domain hulanetworks.com
>> vpngroup hulavpn split-tunnel 80
>> vpngroup hulavpn split-dns hulanetworks.com
>> vpngroup hulavpn idle-time 1800
>> vpngroup hulavpn password ********

>> crypto_isakmp_process_block:src:68.x.x.24, dest:69.x.x.130 spt:500
>> dpt:500
>> OAK_AG exchange
>> ISAKMP (0): processing SA payload. message ID = 0

>> ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash SHA
>> ISAKMP:      default group 2
>> ISAKMP:      extended auth pre-share (init)
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 256
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash MD5
>> ISAKMP:      default group 2
>> ISAKMP:      extended auth pre-share (init)
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 256
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash SHA
>> ISAKMP:      default group 2
>> ISAKMP:      auth pre-share
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 256
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash MD5
>> ISAKMP:      default group 2
>> ISAKMP:      auth pre-share
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 256
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash SHA
>> ISAKMP:      default group 2
>> ISAKMP:      extended auth pre-share (init)
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 128
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash MD5
>> ISAKMP:      default group 2
>> ISAKMP:      extended auth pre-share (init)
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 128
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash SHA
>> ISAKMP:      default group 2
>> ISAKMP:      auth pre-share
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 128
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
>> ISAKMP:      encryption AES-CBC
>> ISAKMP:      hash MD5
>> ISAKMP:      default group 2
>> ISAKMP:      auth pre-share
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP:      keylength of 128
>> ISAKMP (0): atts are not acceptable. Next payload is 3
>> ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
>> ISAKMP:      encryption 3DES-CBC
>> ISAKMP:      hash SHA
>> ISAKMP:      default group 2
>> ISAKMP:      extended auth pre-share (init)
>> ISAKMP:      life type in seconds
>> ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
>> ISAKMP (0): atts are acceptable.
>> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500
>> dpt:500
>> ISAKMP: error, msg not encrypted
>> crypto_isakmp_process_block:src:68.121.111.24, dest:x.x.x.x spt:500
>> dpt:500
>> ISAKMP: error, msg not encrypted
>> ISAKMP (0): deleting SA: src 68.121.111.24, dst x.x.x.x

>> ISADB: reaper checking SA 0x1120c84, conn_id = 0  DELETE IT!

>> VPN Peer:ISAKMP: Peer Info for 68.121.111.24/500 not found - peers:0



>>>> The 4.x client does support single DES [according to
>>>> the 4.0 release notes]...

>>> Yes, it does, but the 3.5 client was the last to support
>>> DES + SHA combination. So in order to use DES you must
>>> switch to MD5.