Network Security Firewalls

Re: VPN ERROR

Subject: Re: VPN ERROR
Date: Tue, 22 Mar 2005 21:34:10 -0500
crypto ipsec transform-set myset esp-des esp-md5-hmac

Any reason that line isn't 3des? I don't recall specifically if the
pix will not work if the crypto config and the isakmp config do not
match, but there is no reason to use des when you can legally use
3des.

crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Can almost assuredly be removed - I think they were necessary for the
cisco *secure* vpn client, which was its name in the 1.0 and 2.0
versions - you are using the 3.x or 4.x client, right? 4.6.x is the
latest.

The isakmp key ****** line should be able to be removed - for the
preshared key for software clients, it uses the vpngroup name and the
vpngroup password as the username and password. So, I don't think the
isakmp line is necessary.

Since you are editing both crypto and isakmp statements, after editing
them, reenter their respective isakmp enable outside and crypto map
mymap interface outside statements (or reboot the pix). That should do
it.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009442e.shtml

Appears to be what you want to do. Why the name of this doc has vpn
3000 in it when no such concentrator is in the topology is a mystery.
I think it would be in Cisco's interest to provide a doc detailing
basic pix to vpn client config, and in *it* show all of the different
authentication options - giving everyone the same vpngroup username
and password (no xauth), use the local pix user database with xauth,
config MS IAS for xauth auth, etc, rather than the current collection
of documents. And they also should move away all secure vpn client
(1.x and 2.x) specific stuff as who the heck is running it. Ok, I am
ranting now, but I think my changes will set you on the path to
happiness.

Matt


On Tue, 22 Mar 2005 19:24:41 +0100, Hesperia DOS-IT Security
<itsecurity@hoteles-hesperia.es> wrote:
I get this error,

1      19:18:20.403  03/22/05  Sev=Warning/3    IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)

and the configuration is,

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local vpn_ip outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn_users address-pool vpn_ip
vpngroup vpn_users dns-server 62.81.0.1 62.81.16.129
vpngroup vpn_users idle-time 180
vpngroup vpn_users max-time 1800
vpngroup vpn_users password ********
nat (inside) 0 access-list vpn
access-list vpn permit ip 192.168.244.0 255.255.255.0 192.168.243.0 255.255.255.0
ip local pool vpn_ip 192.168.243.1-192.168.243.250
ip address inside 192.168.244.1 255.255.255.0

Any ideas? I did a search in Google but found nothing. Thanks a lot.

Eduardo Di Monte

--------------------------------------------------------------------------
FREE Download - The Future in Desktop Firewalls is Available Now

NEW NetOp Desktop Firewall, the world's first driver-centric
firewall software - protecting your laptops and corporate PCs at
ring-zero! NetOp features sophisticated process & application
control, centralized management and multiple network user profiles -
NetOp is able to increase security when mobile users plug back
into your network. Step into a more secure future - Try it FREE
http://www.securityfocus.com/sponsor/CrossTec_firewalls_050315
--------------------------------------------------------------------------
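As an added example (not part of the thread), a small Python checker that applies the four observations in Matt's reply to a PIX 6.x VPN configuration fragment: it flags single DES in the transform-set, a phase-1/phase-2 cipher mismatch, the legacy Secure VPN Client "client configuration address" lines and the wildcard isakmp key, and produces the edited config. The embedded config is the fragment from Eduardo's post; the function and pattern names are my own.

```python
import re

# Constructed sample: the PIX 6.x VPN configuration fragment quoted in the thread.
PIX_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 encryption 3des
vpngroup vpn_users password ********
"""

LEGACY_CLIENT = re.compile(r"^crypto map \S+ client configuration address (initiate|respond)$")
WILDCARD_KEY = re.compile(r"^isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0$")
TRANSFORM = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
P1_CIPHER = re.compile(r"^isakmp policy \d+ encryption (\S+)$")

def audit_pix_vpn(config):
    """Return (severity, message) findings implementing the checks from the reply."""
    findings, p1_ciphers, p2_ciphers = [], set(), {}
    for line in (l.strip() for l in config.splitlines()):
        if m := TRANSFORM.match(line):
            name, algs = m.group(1), m.group(2).split()
            # ESP ciphers are esp-<cipher>; esp-*-hmac entries are integrity, not cipher
            p2_ciphers[name] = {a[4:] for a in algs if a.startswith("esp-") and not a.endswith("-hmac")}
            if "des" in p2_ciphers[name]:
                findings.append(("high", f"transform-set {name}: single DES; use esp-3des"))
        elif m := P1_CIPHER.match(line):
            p1_ciphers.add(m.group(1))
        elif LEGACY_CLIENT.match(line):
            findings.append(("info", f"legacy Secure VPN Client 1.x/2.x line: {line}"))
        elif WILDCARD_KEY.match(line):
            findings.append(("medium", "wildcard isakmp key is redundant; software clients use the vpngroup password"))
    for name, ciphers in p2_ciphers.items():  # phase-2 cipher not offered by any phase-1 policy
        if ciphers and not ciphers & p1_ciphers:
            findings.append(("low", f"transform-set {name} cipher {sorted(ciphers)} differs from isakmp policy {sorted(p1_ciphers)}"))
    return findings

def harden_pix_vpn(config):
    """Apply the reply's edits: 3DES in the transform-set, drop the legacy and wildcard-key lines."""
    out = []
    for line in config.splitlines():
        if LEGACY_CLIENT.match(line.strip()) or WILDCARD_KEY.match(line.strip()):
            continue
        out.append(re.sub(r"\besp-des\b", "esp-3des", line) if TRANSFORM.match(line.strip()) else line)
    return "\n".join(out) + "\n"
```

After the edit, the reply's last step still applies: re-enter "isakmp enable outside" and "crypto map mymap interface outside" (or reboot) so the new crypto and isakmp statements take effect.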
