Remote Access VPN on PIX 525
Hi. I am completely green when it comes to VPN, but I have been given a task: we need to set up VPN access through our Cisco PIX 525 so that we can connect from home.
I have downloaded a Cisco VPN client (5.0.01.0600) and installed it on my Vista Business.
On the PIX I have created:
1. A user
2. A tunnel group that uses 'DefaultRAGroup' as its group policy. This policy has not been changed.
3. The tunnel group I created uses a preshared key, and 'local' is selected as the authentication server group.
Under the 'PPP' tab all authentication protocols are selected - just to be sure to 'hit' the right one.
For Client Address Assignment a local address pool consisting of a range of 3 local addresses is selected, and this address pool is selected under Advanced, under 'interface specific client ip address pool', on the LAN interface.
I have tried changing some settings along the way, but if they did not work I have changed them back to the default settings again.
When I try to establish a VPN connection via my Cisco client, it actually works fine to begin with.
I get a logon box where I have to enter username and password. If I type it wrong, the box comes straight back up again, which tells me that authentication against the PIX actually takes place.
If I type it correctly, some time passes with 'securing communication channel' shown at the bottom of the client, but then it says 'not connected'.
I get the banner I specified as the welcome message, so again I assume that I have got a good way 'into' the PIX.
The following log shows the communication between the Cisco client and the PIX:
*******************************************************
Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
2907 15:16:02.115 11/14/07 Sev=Info/4 CM/0x63100002
Begin connection process
2908 15:16:02.130 11/14/07 Sev=Info/4 CM/0x63100004
Establish secure connection
2909 15:16:02.130 11/14/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
2910 15:16:02.130 11/14/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 217.157.30.2.
2911 15:16:02.130 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
2912 15:16:02.130 11/14/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
2913 15:16:02.130 11/14/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2914 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2915 15:16:02.193 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x
2916 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
2917 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
2918 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000001
Peer supports DPD
2919 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
2920 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
2921 15:16:02.193 11/14/07 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
2922 15:16:02.193 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
2923 15:16:02.193 11/14/07 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
2924 15:16:02.193 11/14/07 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xE8FD, Remote Port = 0x1194
2925 15:16:02.193 11/14/07 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
2926 15:16:02.193 11/14/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
2927 15:16:02.224 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2928 15:16:02.224 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
2929 15:16:02.224 11/14/07 Sev=Info/4 CM/0x63100015
Launch xAuth application
2930 15:16:07.341 11/14/07 Sev=Info/4 CM/0x63100017
xAuth application returned
2931 15:16:07.341 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
2932 15:16:07.372 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2933 15:16:07.372 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 217.157.30.2
2934 15:16:07.372 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
2935 15:16:07.372 11/14/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
2936 15:16:07.372 11/14/07 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
2937 15:16:07.372 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
2938 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 217.157.30.2
2939 15:16:07.403 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
2940 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.120.0.56
2941 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
2942 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.120.0.11
2943 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.120.0.13
2944 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_BANNER, value = Hejsa, og velkommen til KEA VPN.
Vi håber du må få en behagelig tid på vores netværk.
2945 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
2946 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = iebp.dk
2947 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
2948 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc PIX-525 Version 7.2(2) built by builders on Wed 22-Nov-06 14:16
2949 15:16:07.403 11/14/07 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
2950 15:16:07.403 11/14/07 Sev=Info/4 CM/0x63100019
Mode Config data received
2951 15:16:07.419 11/14/07 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.120.0.56, GW IP = x.x.x.x, Remote IP = 0.0.0.0
2952 15:16:07.419 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 217.157.30.2
2953 15:16:07.481 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2954 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
2955 15:16:07.481 11/14/07 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
2956 15:16:07.481 11/14/07 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 5 seconds, setting expiry to 86395 seconds from now
2957 15:16:07.481 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2958 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
2959 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
2960 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=9396272F
2961 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=B78957B4143F8B46 R_Cookie=7380716B1DDA6D98) reason = DEL_REASON_IKE_NEG_FAILED
2962 15:16:07.481 11/14/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
2963 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=B78957B4143F8B46 R_Cookie=7380716B1DDA6D98
2964 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from x.x.x.x
2965 15:16:07.825 11/14/07 Sev=Info/6 CVPND/0x63400006
Service reports: "Running".
2966 15:16:07.840 11/14/07 Sev=Info/6 CVPND/0x63400006
Service reports: "Running".
2967 15:16:08.339 11/14/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2968 15:16:10.570 11/14/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=B78957B4143F8B46 R_Cookie=7380716B1DDA6D98) reason = DEL_REASON_IKE_NEG_FAILED
2969 15:16:10.570 11/14/07 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
2970 15:16:10.570 11/14/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
2971 15:16:11.584 11/14/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2972 15:16:11.584 11/14/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2973 15:16:11.584 11/14/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
2974 15:16:11.584 11/14/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
*******************************************************
I have googled DEL_REASON_IKE_NEG_FAILED and - with my slender knowledge of VPN - understand that something has gone wrong with the exchange of some key stuff/encryption or the like.
I hope someone has a good piece of advice on this.
Best regards,
Thomas
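Added example, not part of the post above and not Cisco's code: a small Python classifier for Cisco VPN Client 5.0 log output that reads the stage messages in the order they appear and reports where the handshake stopped. In the posted log Phase 1 (aggressive mode with the group preshared key), XAUTH and mode config all succeed, and the NO_PROPOSAL_CHOSEN notify arrives in reply to the client's own Quick Mode proposal; it is therefore the IPsec (Phase 2) proposal the PIX rejected, not the user's credentials, which is what the client summarises as DEL_REASON_IKE_NEG_FAILED. The matched message fragments are as the client writes them; the stage labels, verdict strings and the abridged sample log (cut down from the post, with cookies elided) are the editor's.

```python
import re

# Message fragments as the Cisco VPN Client 5.0 writes them (taken from the
# log format pasted in the post). The keys are the editor's own stage labels.
MARKERS = {
    "phase1_sa": re.compile(
        r"Established Phase 1 SA\. \d+ Crypto Active IKE SA, (\d+) User Authenticated"),
    "aggressive": re.compile(r"SENDING >>> ISAKMP OAK AG "),
    "modecfg": re.compile(r"Mode Config data received"),
    "qm_sent": re.compile(r"SENDING >>> ISAKMP OAK QM"),
    "no_proposal": re.compile(r"NOTIFY:NO_PROPOSAL_CHOSEN"),
    "neg_failed": re.compile(r"DEL_REASON_IKE_NEG_FAILED"),
}


def diagnose(log_text: str) -> dict:
    """Walk the client log in order and record how far the handshake got."""
    st = {"phase1_mode": None, "phase1": False, "xauth": False,
          "modecfg": False, "qm_sent": False, "no_proposal_in": None,
          "neg_failed": False}
    for line in log_text.splitlines():
        if MARKERS["aggressive"].search(line):
            st["phase1_mode"] = "aggressive"
        elif m := MARKERS["phase1_sa"].search(line):
            st["phase1"] = True
            # The client reports XAUTH-authenticated SAs in the same message;
            # the count goes from 0 to 1 once the user password is accepted.
            if int(m.group(1)) > 0:
                st["xauth"] = True
        elif MARKERS["modecfg"].search(line):
            st["modecfg"] = True
        elif MARKERS["qm_sent"].search(line):
            st["qm_sent"] = True
        elif MARKERS["no_proposal"].search(line) and st["no_proposal_in"] is None:
            # Same notify, two meanings: before Quick Mode it rejects the
            # ISAKMP (Phase 1) proposal, after it the IPsec (Phase 2) one.
            st["no_proposal_in"] = "phase2" if st["qm_sent"] else "phase1"
        elif MARKERS["neg_failed"].search(line):
            st["neg_failed"] = True
    st["verdict"] = verdict(st)
    return st


def verdict(st: dict) -> str:
    """Editor's interpretation of the recorded stages, most specific first."""
    if st["no_proposal_in"] == "phase2":
        return ("Phase 2 (Quick Mode) rejected with NO_PROPOSAL_CHOSEN: Phase 1, "
                "XAUTH and mode config all succeeded, so the gateway accepted none "
                "of the IPsec proposals (transform sets) the client offered")
    if st["no_proposal_in"] == "phase1":
        return "Phase 1 rejected with NO_PROPOSAL_CHOSEN: no matching ISAKMP policy"
    if not st["phase1"]:
        return "Phase 1 SA never established"
    if not st["xauth"]:
        return "XAUTH user authentication did not complete"
    if not st["modecfg"]:
        return "mode config (address/DNS push) never received"
    if not st["qm_sent"]:
        return "client never started Quick Mode"
    if st["neg_failed"]:
        return "IKE negotiation failed after Quick Mode started (no notify seen)"
    return "no IKE negotiation failure in this log"


# Abridged from the log in the post (constructed sample; cookies elided).
SAMPLE_LOG = """\
2911 15:16:02.130 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd)) to x.x.x.x
2926 15:16:02.193 11/14/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
2929 15:16:02.224 11/14/07 Sev=Info/4 CM/0x63100015
Launch xAuth application
2935 15:16:07.372 11/14/07 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
2950 15:16:07.403 11/14/07 Sev=Info/4 CM/0x63100019
Mode Config data received
2952 15:16:07.419 11/14/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x
2958 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x
2961 15:16:07.481 11/14/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=... R_Cookie=...) reason = DEL_REASON_IKE_NEG_FAILED
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["verdict"])
```

The point of keeping the stages ordered is that NO_PROPOSAL_CHOSEN on its own says nothing about which proposal was refused; only its position relative to the client's Quick Mode message does. Note also that the log shows the client opening Phase 1 in aggressive mode (OAK AG) with the group preshared key, which is how the Unity client does group authentication; the real per-user access control in that design is the XAUTH step, so the group key should be treated as a low-value secret rather than as the credential that protects the network.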