topic Re: RAVPN is not working!! in Network Security

RAVPN is not working!!

haithamnofal — Mon, 11 Mar 2019 12:27:39 GMT

Hi,

I have PIX with OS ver 7.2 and I am trying to setup RAVPN, however it keeps failing and I get the following error on the PIX when enabling the crypto debug commands:

Apr 05 01:47:15 [IKEv1]: Group = ccie, IP = 192.1.24.114, Error: Unable to remov

e PeerTblEntry

Apr 05 01:47:20 [IKEv1]: Group = ccie, IP = 192.1.24.114, Removing peer from pee

r table failed, no match!

And the following error is from my VPN client ver 4.8.01:

The remote peer is no longer responding

01:53:32.493 04/05/08 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

Here is my PIX VPN config:

crypto ipsec transform-set ccie esp-des esp-md5-hmac

crypto dynamic-map ccie 1 set transform-set ccie

crypto dynamic-map ccie 1 set reverse-route

crypto map cciemap 1 ipsec-isakmp dynamic ccie

crypto map cciemap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group ccie type ipsec-ra

tunnel-group ccie general-attributes

address-pool ccie

tunnel-group ccie ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication (outside) none

Any idea of why the VPN is failing?

R/ Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Fri, 04 Apr 2008 23:28:20 GMT

Hi Haitham,

First of all, Your VPN IP pool does not meet RFC 1918. Please create a new pool according to section "3. Private Address Space" in following link

http://www.faqs.org/rfcs/rfc1918.html

If too lazy to read, just choose a pool in 192.168.x.x not 192.x.x.x

Second and most probably, check your Exempt NAT statement for VPN pool. Or post the related config for me to check

Also try restarting the PIX after your config is done

Regards

Re: RAVPN is not working!!

ray_stone — Fri, 04 Apr 2008 23:38:31 GMT

Hi Husycisco, Well I understand of your above answers but is it required NAT exemption rule as what I understand can we use NAT/PAT to allow VPN network traffic for Inside/DMZ Zone whatever you want to allow. Thanks

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Sat, 05 Apr 2008 07:40:49 GMT

Hi Richard,

Exempt NAT is not a must, but is the widely used NAT type for simple RA VPN. But in scenarios where required, like in spoke to spoke topology, NAT/PAT can be implemented instead exempt NAT.

Regards

Re: RAVPN is not working!!

haithamnofal — Sat, 05 Apr 2008 08:49:44 GMT

Hi husycisco,

I agree on the private addressing and on the NAT points, however would creating a non-private IP pool and not configuring NAT, really prevent the RAVPN from coming up?

R/Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Sat, 05 Apr 2008 13:54:22 GMT

Haitham,

Your IP addressing does not actually end up with the error you are encountering right now, but missing/wrong NAT statements may cause this. Please attach your sanitized config.

Re: RAVPN is not working!!

haithamnofal — Sat, 05 Apr 2008 21:20:02 GMT

Husycisco,

I added the NAT config as you suggested and also changed the NAT as you advised but this also didnt bring this into working environment! Please note that this configuration is in the lab, so don't beat me on using some public addresses:)

Attached please find the full PIX config file.

Appreciate your feedback on how to make the RAVPN work!

R/ Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Sat, 05 Apr 2008 21:58:42 GMT

Haitham,

There are some simple configuration steps missing in your config.

First of all, you do not have a default route. X is your default gateway for PIX

route outside 0.0.0.0 0.0.0.0 192.1.24.x

Second, basic NAT and global statements. If you want to proceed without them, which is not the best practice in fact, you should disable nat-control. Following would be the best practice for NAT statements. Btw there are two configs in txt you attach, in one the VPN pool is 1.1.1.0 and in other 192.168.1.0. I am assuming 1.1.1.0 is active in following config suggestion. Also keep in mind that 192.168.1.0 is the default IP config of the most off the shelve internet modem/routers, so that would make a conflict with VPN user's local network. Stick with RFC 1918, but do not use widely used ranges like this.

no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

nat (inside) 0 inside_nat0_outbound

nat (inside) 1 0 0

global (outside) 1 interface

access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224

Third, for the sake of simplicty, apply the following

no crypto dynamic-map ccie 1 set reverse-route

tunnel-group ccie ipsec-attributes

no isakmp ikev1-user-authentication (outside) none

And last, use the latest version of Cisco VPN client, or at least version 5.x

Regards

Re: RAVPN is not working!!

ray_stone — Sat, 05 Apr 2008 23:31:32 GMT

Hi Husycisco, May i know whats a meaning of this coomand no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 in above configuration.

Re: RAVPN is not working!!

haithamnofal — Sun, 06 Apr 2008 21:15:22 GMT

husycisco,

Thanks for your response but still same problem!!

Please check attached the updated config!!

R/ Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Mon, 07 Apr 2008 02:15:00 GMT

Haitham,

I assumed you were using 1.1.1.0 as the VPN pool in my previous suggestion but I see that you use 192.168.1.0. Then you should make the following modification

no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Re: RAVPN is not working!!

haithamnofal — Mon, 07 Apr 2008 05:31:40 GMT

huskcisco,

I changed it but still giving the same error!

I am not sure whether the NAT has anything to do with failing the tunnel to get established, it should has more to do with the communications after the establishement! Should we look somewhere else!

R/ Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Mon, 07 Apr 2008 16:47:48 GMT

Haitham,

I have seen times that NAT statements cause that "no match" trouble. But after a deep look, it is about your transform set hash and isakmp policy hash mismatch. Issue the following

crypto isakmp policy 1

hash md5

Do not forget to apply your NAT statements. After ACL change, following is also missing.

nat (inside) 0 access-list inside_nat0_outbound

Please attach the latest config.

Regards

Re: RAVPN is not working!!

haithamnofal — Mon, 07 Apr 2008 18:42:10 GMT

Thanks husycisco, and now it finally worked!

So it was due to the hash mismatch between Phase I and Phase II!!

Thanks for your support and patience.

R/ Haitham

Re: RAVPN is not working!!

Alan Huseyin Kayahan — Mon, 07 Apr 2008 18:53:50 GMT

Haitham,

You are welcome. Nice to hear that issue is resolved.

Regards