As the title says, I am struggling with a client-to-site VPN to a Pix 501.
I changed the Pix config (previously wiped for the occasion), installed the client on a PC, configured it and tried to connect.
The Pix responds and asks for the user's authentication credentials, but once I enter them the VPN client reports, after a few seconds, that the connection failed. And the credentials are fine, because if I get them wrong it notifies me before disconnecting me. The problem shows up after authentication, I believe.
I looked through the VPN client logs, but I can't work out what it is unhappy about. I attach them below; maybe someone can enlighten me:
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 22:30:33.357 02/07/09 Sev=Info/4 CM/0x63100002
Begin connection process
2 22:30:33.389 02/07/09 Sev=Info/4 CM/0x63100004
Establish secure connection
3 22:30:33.389 02/07/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "IP PUBBLICO DEL PIX"
4 22:30:33.389 02/07/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with IP PUBBLICO DEL PIX.
5 22:30:33.404 02/07/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 22:30:33.482 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to IP PUBBLICO DEL PIX
7 22:30:33.482 02/07/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 22:30:33.498 02/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
10 22:30:36.243 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from IP PUBBLICO DEL PIX
11 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
12 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
13 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x000000A5
15 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 22:30:36.243 02/07/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
17 22:30:36.243 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to IP PUBBLICO DEL PIX
18 22:30:36.243 02/07/09 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
19 22:30:36.243 02/07/09 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xFAB8, Remote Port = 0x1194
20 22:30:36.243 02/07/09 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end IS behind a NAT device
21 22:30:36.243 02/07/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22 22:30:36.992 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
23 22:30:36.992 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from IP PUBBLICO DEL PIX
24 22:30:36.992 02/07/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
25 22:30:36.992 02/07/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
26 22:30:37.023 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
27 22:30:37.023 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from IP PUBBLICO DEL PIX
28 22:30:37.023 02/07/09 Sev=Info/4 CM/0x63100015
Launch xAuth application
29 22:30:41.891 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
30 22:30:41.891 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from IP PUBBLICO DEL PIX
31 22:30:46.446 02/07/09 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 22:30:46.680 02/07/09 Sev=Info/4 CM/0x63100017
xAuth application returned
33 22:30:46.680 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to IP PUBBLICO DEL PIX
34 22:30:46.883 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
35 22:30:46.883 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from IP PUBBLICO DEL PIX
36 22:30:46.883 02/07/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
37 22:30:46.883 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to IP PUBBLICO DEL PIX
38 22:30:47.413 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
39 22:30:47.413 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from IP PUBBLICO DEL PIX
40 22:30:47.413 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to IP PUBBLICO DEL PIX
41 22:30:47.413 02/07/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
42 22:30:47.413 02/07/09 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
43 22:30:47.413 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to IP PUBBLICO DEL PIX
44 22:30:47.897 02/07/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = IP PUBBLICO DEL PIX
45 22:30:47.897 02/07/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from IP PUBBLICO DEL PIX
46 22:30:47.897 02/07/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
47 22:30:47.897 02/07/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
48 22:30:47.897 02/07/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
49 22:30:47.897 02/07/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
50 22:30:47.897 02/07/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1157AD0136801353 R_Cookie=7513F4E8288E6C37) reason = DEL_REASON_IKE_NEG_FAILED
51 22:30:47.897 02/07/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to IP PUBBLICO DEL PIX
52 22:30:51.017 02/07/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=1157AD0136801353 R_Cookie=7513F4E8288E6C37) reason = DEL_REASON_IKE_NEG_FAILED
53 22:30:51.017 02/07/09 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
54 22:30:51.017 02/07/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
55 22:30:51.032 02/07/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
56 22:30:51.032 02/07/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
57 22:30:52.031 02/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
58 22:30:52.031 02/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
59 22:30:52.031 02/07/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
60 22:30:52.031 02/07/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Andrea.
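
Added example, not part of the original post: a short Python triage of the Cisco VPN Client log format shown above. It pairs each header line with its message, lists the records whose severity is not Info, and reports the last CM state logged before them and the SA deletion reason. The function names are this example's own, and the embedded sample is an excerpt of the posted log.

```python
import re

# Record header in the Cisco VPN Client log: seq, time, date, Sev=<name>/<n>, <component>/<id>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<comp>\w+)/(?P<msgid>0x[0-9A-Fa-f]+)$"
)
REASON = re.compile(r"reason = (\w+)")

# Excerpt of the log posted above (records 41, 46, 48, 49, 50), embedded so this runs offline.
SAMPLE = """\
41 22:30:47.413 02/07/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
46 22:30:47.897 02/07/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
48 22:30:47.897 02/07/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
49 22:30:47.897 02/07/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
50 22:30:47.897 02/07/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=1157AD0136801353 R_Cookie=7513F4E8288E6C37) reason = DEL_REASON_IKE_NEG_FAILED
"""

def parse_records(text):
    """Attach each run of message lines to the header line that precedes it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec.update(seq=int(rec["seq"]), level=int(rec["level"]), message="")
            records.append(rec)
        elif line and records:
            records[-1]["message"] = (records[-1]["message"] + " " + line).strip()
    return records

def triage(records):
    """Non-Info records, the last CM state before the first of them, and the deletion reason."""
    flagged = [r for r in records if r["sev"] != "Info"]
    first = flagged[0]["seq"] if flagged else float("inf")
    cm = [r["message"] for r in records if r["comp"] == "CM" and r["seq"] < first]
    reasons = [m.group(1) for r in records if (m := REASON.search(r["message"]))]
    return {"flagged": flagged, "last_cm_state": cm[-1] if cm else None,
            "reason": reasons[0] if reasons else None}

if __name__ == "__main__":
    result = triage(parse_records(SAMPLE))
    for r in result["flagged"]:
        print(r["seq"], r["sev"], r["comp"], r["msgid"], r["message"])
    print("last CM state:", result["last_cm_state"])
    print("reason:", result["reason"])
```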