scorpion0815, posted 4 March 2004

Hello,

I have a problem with a VPN connection into my network. When the connection is set up, the PIX tells me that an IKE tunnel exists but no IPsec tunnel. The Cisco VPN Client version 4.0.3D keeps giving me error messages.

Configuration:

Router Cisco 826:

Using 3894 out of 131072 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DSL-Gate
!
boot-start-marker
boot system flash c820-oy6-mz.123-3.bin
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXX
!
username admin password 7 XXXXXXXXXXXXXXXXXXXXX
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name secure.lan
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description INSIDE
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 description DSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode annexb-ur2
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 1/32
  pppoe-client dial-pool-number 1
!
!
interface Dialer0
 description OUTSIDE
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username t-online-com/XXXXXXXXXXXXXXXXXXXX 4450560358545F
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.10.10.10 500 interface Dialer0 500
ip nat inside source static udp 10.10.10.10 4500 interface Dialer0 4500
ip nat inside source static esp 10.10.10.10 interface Dialer0
ip nat inside source static tcp 10.10.10.100 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.10.100 5631 interface Dialer0 5631
ip nat inside source static tcp 10.10.10.100 5632 interface Dialer0 5632
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 2
!
logging trap debugging
access-list 1 remark Allowed_NAT
access-list 1 permit 10.10.10.10
access-list 23 remark Telnet_Access
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 remark Inside_In
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark Outside_In
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any range 5631 5632
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
banner motd ^CC
***********************************************************
*                                                         *
*     If you're not authorized, log out immediately !     *
*                                                         *
***********************************************************
^C
!
line con 0
 exec-timeout 0 0
 login local
 transport preferred all
 transport output telnet
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 login local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
scorpion0815, posted 4 March 2004

Configuration:

: Saved
: Written by enable_15 at 06:31:24.333 UTC Thu Mar 4 2004
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password XXXXXXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXX encrypted
hostname PIXFW
domain-name secure.lan
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.10.10.1 DSL-Gate
name 192.168.80.0 LAN-Vahlbruch
name 192.168.81.0 LAN-Olbernhau
name 192.168.80.2 WFSRV02
object-group service LAN_to_Internet tcp
  description LAN access to internet-services
  port-object eq ftp
  port-object eq pop3
  port-object eq imap4
  port-object eq https
  port-object eq www
  port-object eq smtp
access-list inside_access_in permit tcp LAN-Olbernhau 255.255.255.0 any object-group LAN_to_Internet
access-list inside_access_in permit udp LAN-Olbernhau 255.255.255.0 any eq domain
access-list inside_access_in permit tcp LAN-Vahlbruch 255.255.255.0 any object-group LAN_to_Internet
access-list inside_access_in permit udp LAN-Vahlbruch 255.255.255.0 any eq domain
access-list inside_access_in permit tcp LAN-Olbernhau 255.255.255.0 host DSL-Gate eq telnet
access-list inside_access_in permit tcp LAN-Vahlbruch 255.255.255.0 host DSL-Gate eq telnet
access-list inside_access_in deny ip any any
access-list outside_access_in permit tcp any host 10.10.10.100 eq 3389
access-list outside_access_in permit tcp any host 10.10.10.100 range pcanywhere-data 5632
access-list outside_access_in deny ip any any
access-list inside_outbound_nat0_acl permit ip host WFSRV02 192.168.80.240 255.255.255.240
access-list inside_outbound_nat0_acl permit ip LAN-Vahlbruch 255.255.255.0 192.168.81.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip LAN-Olbernhau 255.255.255.0 192.168.81.224 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.81.192 255.255.255.192
access-list outside_cryptomap_dyn_20 permit ip any 192.168.81.192 255.255.255.192
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 10.10.10.10 255.255.255.0
ip address inside 192.168.81.72 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
ip local pool ipvpn 192.168.81.200-192.168.81.239
pdm location DSL-Gate 255.255.255.255 outside
pdm location 10.10.11.250 255.255.255.255 inside
pdm location LAN-Vahlbruch 255.255.255.0 inside
pdm location WFSRV02 255.255.255.255 inside
pdm location 192.168.80.240 255.255.255.240 outside
pdm location 192.168.81.224 255.255.255.224 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 10.10.10.100 WFSRV02 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 DSL-Gate 1
route inside 10.10.11.250 255.255.255.255 192.168.81.61 1
route inside LAN-Vahlbruch 255.255.255.0 192.168.81.61 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host WFSRV02 WFSRV02 timeout 10
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http LAN-Olbernhau 255.255.255.0 inside
http LAN-Vahlbruch 255.255.255.0 inside
http 10.10.11.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt Bitte anmelden
auth-prompt accept Anmeldung erfolgreich
auth-prompt reject Anmeldung fehlerhatf / Administrator benachrichtigen
scorpion0815, posted 4 March 2004

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication TACACS+
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup Weser address-pool ipvpn
vpngroup Weser dns-server 194.25.2.129
vpngroup Weser wins-server 192.168.81.4 192.168.80.1
vpngroup Weser default-domain WFV
vpngroup Weser idle-time 1800
vpngroup Weser password XXXXXXXXXXXXXXXXXX
telnet LAN-Olbernhau 255.255.255.0 inside
telnet LAN-Vahlbruch 255.255.255.0 inside
telnet 10.10.11.250 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

The VPN client reports:

Secure VPN Connection terminated locally by the Client
Reason 412. The remote peer is no longer responding.

Cisco Systems VPN Client Version 4.0.3 (D)
Copyright © 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 4.0.1381

1      15:32:42.618  03/04/04  Sev=Info/4	PPP/0x63200015
Processing enumerate phone book entries command

2      15:32:42.628  03/04/04  Sev=Info/4	PPP/0x6320000D
Retrieved 2 dial entries

3      15:32:59.122  03/04/04  Sev=Info/4	CM/0x63100002
Begin connection process

4      15:32:59.282  03/04/04  Sev=Info/4	CM/0x63100003
Establish secure connection using dialup services

5      15:32:59.522  03/04/04  Sev=Info/4	PPP/0x63200014
Dialing "DUN" "MSN".

6      15:32:59.542  03/04/04  Sev=Info/4	PPP/0x63200023
RAS connection entry has 1 subentries

7      15:32:59.542  03/04/04  Sev=Info/4	PPP/0x63200002
PPP session is already up

8      15:32:59.542  03/04/04  Sev=Info/4	CM/0x6310000B
PPP session established

9      15:32:59.563  03/04/04  Sev=Info/4	CM/0x63100024
Attempt connection with server "xxx.xxx.xxx.xxx"

10     15:32:59.563  03/04/04  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.

11     15:32:59.833  03/04/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

12     15:32:59.843  03/04/04  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started

13     15:32:59.843  03/04/04  Sev=Info/4	IPSEC/0x63700014
Deleted all keys

14     15:33:00.163  03/04/04  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

15     15:33:00.163  03/04/04  Sev=Warning/2	IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

16     15:33:00.163  03/04/04  Sev=Info/4	IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:148)

17     15:33:00.163  03/04/04  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

18     15:33:05.181  03/04/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

19     15:33:05.181  03/04/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

20     15:33:10.188  03/04/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

21     15:33:10.188  03/04/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

22     15:33:15.195  03/04/04  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!

23     15:33:15.195  03/04/04  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.xxx

24     15:33:20.202  03/04/04  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0BC62AED3D0802E3 R_Cookie=627CCD637F7BA057) reason = DEL_REASON_PEER_NOT_RESPONDING

25     15:33:20.703  03/04/04  Sev=Info/4	IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=0BC62AED3D0802E3 R_Cookie=627CCD637F7BA057) reason = DEL_REASON_PEER_NOT_RESPONDING

26     15:33:20.703  03/04/04  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

27     15:33:20.703  03/04/04  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv

28     15:33:20.763  03/04/04  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection

Who can help me here?? I've been trying to fix this error for days.

Sorry for the 3 posts, but it wouldn't fit otherwise.
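The client log entries 15 to 17 above show the receiver-side checks that an IKE implementation runs on an incoming ISAKMP message before it trusts it: does each payload's stated length cover the payload's fixed fields, and does a Notification payload's SPI size fit its Protocol-ID and the bytes actually present. As an added example (not part of this thread and not Cisco's client code), the Python below walks the payload chain of an ISAKMP message and applies those two checks. Header and payload layouts follow RFC 2408, and the accepted SPI sizes (0 to 16 bytes when the Protocol-ID is ISAKMP, since the cookie pair is the SPI; exactly 4 bytes for AH/ESP) follow RFC 2408 and RFC 2407. The function names `parse_isakmp`, `check_notify` and `build_isakmp` are my own; the cookie pair is taken from the log above; the three sample messages are constructed, with dummy SA and Nonce bodies because only the chain and the Notification payload are inspected.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# ISAKMP fixed header (RFC 2408 section 3.1): I-cookie, R-cookie, next payload,
# version, exchange type, flags, message ID, total length = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header: next payload, reserved, payload length (header included).
GENERIC_HDR = struct.Struct("!BBH")
# Notification payload fixed part: DOI, protocol-ID, SPI size, notify message type.
NOTIFY_FIXED = struct.Struct("!IBBH")

EXCH_AGGRESSIVE = 4
PAYLOAD_SA, PAYLOAD_NONCE, PAYLOAD_NOTIFY = 1, 10, 11
PROTO_ISAKMP, PROTO_AH, PROTO_ESP = 1, 2, 3
NOTIFY_NO_PROPOSAL_CHOSEN = 14


@dataclass
class ParseResult:
    exchange: int = 0
    message_id: int = 0
    payload_types: List[int] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def check_notify(body: bytes, stated_len: int) -> List[str]:
    """Plausibility checks for one Notification payload body (generic header stripped)."""
    errs = []
    if len(body) < NOTIFY_FIXED.size:
        errs.append(f"stated payload length {stated_len} is not sufficient for Notification")
        return errs
    _doi, proto, spi_size, _ntype = NOTIFY_FIXED.unpack(body[:NOTIFY_FIXED.size])
    # RFC 2408: for ISAKMP the cookie pair is the SPI, so 0..16 bytes are allowed;
    # RFC 2407: an AH/ESP SPI is exactly 4 bytes.
    if proto == PROTO_ISAKMP and spi_size > 16:
        errs.append(f"invalid SPI size {spi_size} for ISAKMP notify")
    elif proto in (PROTO_AH, PROTO_ESP) and spi_size != 4:
        errs.append(f"invalid SPI size {spi_size} for AH/ESP notify")
    if NOTIFY_FIXED.size + spi_size > len(body):
        errs.append(f"SPI size {spi_size} runs past the end of the payload")
    return errs


def parse_isakmp(pkt: bytes) -> ParseResult:
    """Walk the payload chain; stop at the first structural error."""
    res = ParseResult()
    if len(pkt) < ISAKMP_HDR.size:
        res.errors.append("packet shorter than the ISAKMP header")
        return res
    _ic, _rc, next_p, version, exch, _flags, msgid, length = ISAKMP_HDR.unpack(pkt[:ISAKMP_HDR.size])
    res.exchange, res.message_id = exch, msgid
    if version >> 4 != 1:
        res.errors.append(f"unsupported ISAKMP major version {version >> 4}")
    if length != len(pkt):
        res.errors.append(f"header length {length} != bytes received {len(pkt)}")
    off, ptype = ISAKMP_HDR.size, next_p
    while ptype != 0:
        if off + GENERIC_HDR.size > len(pkt):
            res.errors.append(f"truncated payload header at offset {off}")
            break
        nxt, _rsv, plen = GENERIC_HDR.unpack(pkt[off:off + GENERIC_HDR.size])
        if plen < GENERIC_HDR.size or off + plen > len(pkt):
            res.errors.append(f"payload type {ptype} at offset {off}: bad length {plen}")
            break
        body = pkt[off + GENERIC_HDR.size:off + plen]
        res.payload_types.append(ptype)
        if ptype == PAYLOAD_NOTIFY:
            res.errors.extend(check_notify(body, plen))
        off, ptype = off + plen, nxt
    return res


def build_isakmp(exchange: int, payloads: List[Tuple[int, bytes]], msgid: int = 0) -> bytes:
    """Assemble a message from (payload type, body) pairs; used only to construct samples."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    # Cookie pair taken from the client log in the thread; version byte 0x10 = ISAKMP 1.0.
    hdr = ISAKMP_HDR.pack(bytes.fromhex("0BC62AED3D0802E3"), bytes.fromhex("627CCD637F7BA057"),
                          first, 0x10, exchange, 0, msgid, ISAKMP_HDR.size + len(chain))
    return hdr + chain


# Constructed samples. SA and Nonce bodies are dummy bytes: only the chain is checked.
GOOD_PKT = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_SA, b"\x00" * 8),
    (PAYLOAD_NONCE, b"\x11" * 16),
    (PAYLOAD_NOTIFY, NOTIFY_FIXED.pack(1, PROTO_ISAKMP, 0, NOTIFY_NO_PROPOSAL_CHOSEN)),
])
# Notification claiming an ESP SPI of 153 bytes inside an 8-byte body.
BAD_SPI_PKT = build_isakmp(EXCH_AGGRESSIVE, [
    (PAYLOAD_NOTIFY, NOTIFY_FIXED.pack(1, PROTO_ESP, 0x99, NOTIFY_NO_PROPOSAL_CHOSEN)),
])
# Notification cut off after the DOI field: a stated length of 8 cannot hold the fixed part.
SHORT_NOTIFY_PKT = build_isakmp(EXCH_AGGRESSIVE, [(PAYLOAD_NOTIFY, b"\x00\x00\x00\x01")])

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PKT), ("bad-spi", BAD_SPI_PKT), ("short", SHORT_NOTIFY_PKT)):
        r = parse_isakmp(pkt)
        print(name, r.payload_types, r.errors or "ok")
```

The parser stops at the first structural error rather than guessing where the next payload starts, which is the behaviour a receiver needs: a message whose lengths do not add up is discarded whole, exactly as the client above did when it logged "Received malformed message" and fell back to retransmitting its aggressive-mode request.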
scorpion0815, posted 8 March 2004

Hello, does none of the Cisco pros here know a solution for my problem? I've now also tried it with a different PC as the client, but I get the same error there. :( Please, who can advise me? I'm close to despair; this should have been running for a week already.
scorpion0815, posted 9 March 2004

Hello, this problem is resolved, I found the error.
satyr, posted 24 June 2004

And how did you manage it?
scorpion0815, posted 23 February 2005

So here is the solution to the problem above:

1. Update of the IOS in the router and firewall
2. Reconfiguration of the NAT in the router and firewall
3. Set-up of a RADIUS server for identification
4. Set-up of the PIX via the VPN wizard in PDM

The IOS update on the PIX was necessary, since the VPN function does not work otherwise. The required version is PIX Version 6.3(3), because the other IOS version had bugs in the VPN area.

PS: I hope I haven't forgotten anything now.