remote access VPN

marc.reed — Fri, 21 Feb 2020 07:11:08 GMT

I have a site to site VPN currently in place. I am using a 2600 on my side. I now need to get remote access for home users implemented. I am getting error: 412: Secure VPN terminated by locally by client. Remote peer no longer responding.

Below is my config.

Current configuration : 3940 bytes

version 12.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname scpa

logging queue-limit 100

no logging console

enable secret xxx

enable password xxxx

username ***** password xxxx

memory-size iomem 15

aaa new-model

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

no ip source-route

ip inspect name scpa udp

ip audit notify log

ip audit po max-events 100

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 43200

crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ********* address 128..x.x.x

crypto isakmp client configuration group sriclient

key sriremote

dns *******

domain ********

pool ippool

crypto ipsec transform-set menlo esp-3des esp-sha-hmac

crypto ipsec transform-set sriremote esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set sriremote

crypto map scpa client authentication list userauthen

crypto map scpa isakmp authorization list group

crypto map scpa client configuration address respond

crypto map scpa 1 ipsec-isakmp

set peer 128.x.x.x

set transform-set menlo

set pfs group1

match address 110

no voice hpi capture buffer

no voice hpi capture destination

mta receive maximum-recipients 0

interface FastEthernet0/0

description SCPA inside private address

ip address 192.168.0.1 255.255.255.0

ip access-group 102 out

ip nat inside

ip inspect scpa in

speed auto

half-duplex

interface FastEthernet0/1

description SCPA external address

ip address x.x.x.52 255.255.255.224

ip access-group 101 in

ip nat outside

no ip mroute-cache

speed auto

half-duplex

crypto map scpa

ip local pool ippool 10.0.0.1 10.0.0.20

ip nat pool ipsec x.x.x.57 199.234.154.57 netmask 255.255.255.224

ip nat inside source route-map internet interface FastEthernet0/1 overload

ip nat inside source route-map ipsec pool ipsec overload

ip nat inside source static tcp 192.168.0.5 80 interface FastEthernet0/1 80

ip nat inside source static tcp 192.168.0.5 25 interface FastEthernet0/1 25

ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 199.234.154.33

access-list 100 deny ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255

access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 deny 53 any any

access-list 101 deny 55 any any

access-list 101 deny pim any any

access-list 101 deny ip host 10.0.0.0 any

access-list 101 deny ip host 192.168.0.0 any

access-list 101 permit tcp any host 199.234.154.52 eq www

access-list 101 permit tcp any host 199.234.154.52 eq smtp

access-list 101 permit tcp any host 199.234.154.52 eq 443

access-list 101 permit tcp any host 199.234.154.52 established

access-list 101 permit udp host 128.18.241.1 host 199.234.154.57 eq isakmp

access-list 101 permit ip 128.18.0.0 0.0.255.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit tcp any any eq telnet

access-list 102 deny ip host 199.234.154.53 128.18.0.0 0.0.255.255

access-list 102 permit ip any any

access-list 105 permit ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255

access-list 110 permit ip host 199.234.154.57 128.18.0.0 0.0.255.255

route-map internet permit 10

match ip address 100

route-map ipsec permit 10

match ip address 105

snmp-server community scpa_public RO

snmp-server enable traps tty

radius-server authorization permit missing Service-Type

call rsvp-sync

mgcp profile default

dial-peer cor custom

line con 0

line aux 0

line vty 0 4

password xxx

end

Can anybody tell what is wrong? I am using the VPN client 4.0

Re: remote access VPN

gfullage — Thu, 08 Jan 2004 02:49:18 GMT

First things first, I strongly suggest you change your key under the VPN group (key sriremote), since you have pasted your group name and password, and the IP address of your router in here. All someone has to do is guess the local username you have configured on this router (the password is easy to find) and they'll be into your network.

I think the problem here is your access-list 101 is not allowing these packets in. Try taking it off the interface temproraily and try a client connection. If it works then we know that's the problem.

To allow VPN clients in you'll have to add something like the following:

access-list 101 permit udp any host 199.234.154.52 eq isakmp

access-list 101 permit esp any host 199.234.154.52

and just in case the client and router negotiate UDP encapsulation (NAT-T):

access-list 101 permit udp any host 199.234.154.52 eq 4500

and also allow the unencrypted form of the traffic in:

access-list 101 permit ip 10.0.0.0 0.0.0.31 192.168.0.0 0.0.0.255

You have to specify "any" as the source address cause you don't know the IP address of the VPN client.

Re: remote access VPN

marc.reed — Thu, 08 Jan 2004 13:16:43 GMT

Thanks,

I have since got it working. Yes the VPN group, names etc, I just added in there to post here. I just used a simple word for this example. But good point! Thank you.

I also had to add the line

ip access-list extended protocol

ip access-list extended tunnele-password

Re: remote access VPN

marc.reed — Thu, 08 Jan 2004 18:39:13 GMT

Another question if anybody can help??

Yes the "VPN client" did initially work, but it

killed my tunnel for my site to site VPN. The other side of my VPN is a checkpoint NG. I have since placed my old original config back in, without the client VPN configurations.

topic remote access VPN in Network Security

remote access VPN

Re: remote access VPN

Re: remote access VPN

Re: remote access VPN