cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1673
Views
0
Helpful
14
Replies
haithamnofal
Participant

RAVPN is not working!!

Hi,

I have PIX with OS ver 7.2 and I am trying to setup RAVPN, however it keeps failing and I get the following error on the PIX when enabling the crypto debug commands:

Apr 05 01:47:15 [IKEv1]: Group = ccie, IP = 192.1.24.114, Error: Unable to remov

e PeerTblEntry

Apr 05 01:47:20 [IKEv1]: Group = ccie, IP = 192.1.24.114, Removing peer from pee

r table failed, no match!

And the following error is from my VPN client ver 4.8.01:

The remote peer is no longer responding

01:53:32.493 04/05/08 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

Here is my PIX VPN config:

crypto ipsec transform-set ccie esp-des esp-md5-hmac

crypto dynamic-map ccie 1 set transform-set ccie

crypto dynamic-map ccie 1 set reverse-route

crypto map cciemap 1 ipsec-isakmp dynamic ccie

crypto map cciemap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group ccie type ipsec-ra

tunnel-group ccie general-attributes

address-pool ccie

tunnel-group ccie ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication (outside) none

Any idea of why the VPN is failing?

R/ Haitham

1 ACCEPTED SOLUTION

Accepted Solutions

Haitham,

I have seen times that NAT statements cause that "no match" trouble. But after a deep look, it is about your transform set hash and isakmp policy hash mismatch. Issue the following

crypto isakmp policy 1

hash md5

Do not forget to apply your NAT statements. After ACL change, following is also missing.

nat (inside) 0 access-list inside_nat0_outbound

Please attach the latest config.

Regards

View solution in original post

14 REPLIES 14
husycisco
Rising star

Hi Haitham,

First of all, Your VPN IP pool does not meet RFC 1918. Please create a new pool according to section "3. Private Address Space" in following link

http://www.faqs.org/rfcs/rfc1918.html

If too lazy to read, just choose a pool in 192.168.x.x not 192.x.x.x

Second and most probably, check your Exempt NAT statement for VPN pool. Or post the related config for me to check

Also try restarting the PIX after your config is done

Regards

Hi Husycisco, Well I understand of your above answers but is it required NAT exemption rule as what I understand can we use NAT/PAT to allow VPN network traffic for Inside/DMZ Zone whatever you want to allow. Thanks

Hi Richard,

Exempt NAT is not a must, but is the widely used NAT type for simple RA VPN. But in scenarios where required, like in spoke to spoke topology, NAT/PAT can be implemented instead exempt NAT.

Regards

Hi husycisco,

I agree on the private addressing and on the NAT points, however would creating a non-private IP pool and not configuring NAT, really prevent the RAVPN from coming up?

R/Haitham

Haitham,

Your IP addressing does not actually end up with the error you are encountering right now, but missing/wrong NAT statements may cause this. Please attach your sanitized config.

Husycisco,

I added the NAT config as you suggested and also changed the NAT as you advised but this also didnt bring this into working environment! Please note that this configuration is in the lab, so don't beat me on using some public addresses:)

Attached please find the full PIX config file.

Appreciate your feedback on how to make the RAVPN work!

R/ Haitham

Haitham,

There are some simple configuration steps missing in your config.

First of all, you do not have a default route. X is your default gateway for PIX

route outside 0.0.0.0 0.0.0.0 192.1.24.x

Second, basic NAT and global statements. If you want to proceed without them, which is not the best practice in fact, you should disable nat-control. Following would be the best practice for NAT statements. Btw there are two configs in txt you attach, in one the VPN pool is 1.1.1.0 and in other 192.168.1.0. I am assuming 1.1.1.0 is active in following config suggestion. Also keep in mind that 192.168.1.0 is the default IP config of the most off the shelve internet modem/routers, so that would make a conflict with VPN user's local network. Stick with RFC 1918, but do not use widely used ranges like this.

no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

nat (inside) 0 inside_nat0_outbound

nat (inside) 1 0 0

global (outside) 1 interface

access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224

Third, for the sake of simplicty, apply the following

no crypto dynamic-map ccie 1 set reverse-route

tunnel-group ccie ipsec-attributes

no isakmp ikev1-user-authentication (outside) none

And last, use the latest version of Cisco VPN client, or at least version 5.x

Regards

Hi Husycisco, May i know whats a meaning of this coomand no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 in above configuration.

husycisco,

Thanks for your response but still same problem!!

Please check attached the updated config!!

R/ Haitham

Haitham,

I assumed you were using 1.1.1.0 as the VPN pool in my previous suggestion but I see that you use 192.168.1.0. Then you should make the following modification

no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

huskcisco,

I changed it but still giving the same error!

I am not sure whether the NAT has anything to do with failing the tunnel to get established, it should has more to do with the communications after the establishement! Should we look somewhere else!

R/ Haitham

Haitham,

I have seen times that NAT statements cause that "no match" trouble. But after a deep look, it is about your transform set hash and isakmp policy hash mismatch. Issue the following

crypto isakmp policy 1

hash md5

Do not forget to apply your NAT statements. After ACL change, following is also missing.

nat (inside) 0 access-list inside_nat0_outbound

Please attach the latest config.

Regards

View solution in original post

Thanks husycisco, and now it finally worked!

So it was due to the hash mismatch between Phase I and Phase II!!

Thanks for your support and patience.

R/ Haitham

Haitham,

You are welcome. Nice to hear that issue is resolved.

Regards

Content for Community-Ad