12-13-2012 09:30 PM - edited 03-04-2019 06:24 PM
Hello Cisco Community,
I hope this message finds you well.
I am new to the whole Cisco world - and have just started configuring my first Cisco 881 Router. I work in Film Post Production, not IT, so this is a slightly new world for me - although I think I get the basics. There seem to be a lot of people similar to me on these forums - so apologies in advance for asking the same old questions. I have searched the forums as much as I can, and have done lots of experiments and tests, but I haven't been able to find a working configuration - so rather than go around in circles, I thought it was worth asking the community for help. I love that you can just "pull the plug" to go back to the last "saved" configuration on these routers. I must say - I've pulled the plug a LOT over the last few hours!
My two remaining issues are getting IPsec to work with our MacOS clients (ideally using the MacOS 10.7 and 10.8 built-in Cisco IPsec clients) and also opening three ports on the router so that external clients can access some of our internal resources. I'm using the following commands, but they're not working as expected. I'd imagine there's a security setting I'm missing, but I've tried a few different things without much luck. Here are the commands I've been using:
ip nat inside source static tcp 10.0.10.150 6113 <<EXTERNAL IP>> 6113 extendable
ip nat inside source static tcp 10.0.10.150 6116 <<EXTERNAL IP>> 6116 extendable
ip nat inside source static tcp 10.0.10.150 6117 <<EXTERNAL IP>> 6117 extendable
I also tried using PPTP instead of IPsec after spending a while trying to get IPsec to work without any luck - which I could connect to without any problems, however I couldn't work out how to actually "talk" to the internal network. For some reason I couldn't ping the router when connected via the PPTP VPN. After a lot of playing around, I decided to try and get IPsec working again anyway, seeing as it's more modern and secure.
I have attached my current running configuration below, if anyone would be so kind as to have a quick look and see if I'm missing anything obvious.
I've been using a mixture of SSH on a Mac and Cisco CP Professional on an old PC to get things working.
I'm planning to run through the Security Audit on Cisco CP Pro once I get IPsec and the open ports working, so that I can lock things down a bit better, and get the Firewall up-and-running - however if you have any security suggestions, notes or recommendations, I'd love to hear them!
Thanks for taking the time to read this! Greatly appreciated.
Please let me know if you need any more information.
Best Regards, Chris!
----
Running Configuration:
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <<HOSTNAME>>
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 4 <<SECRET>>
enable password <<PASSWORD>>
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec local_author local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
memory-size iomem 10
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2735032776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2735032776
revocation-check none
rsakeypair TP-self-signed-2735032776
!
crypto pki certificate chain TP-self-signed-2735032776
certificate self-signed 01
<<ETC>>
quit
ip source-route
!
<<DHCP BINDINGS>>
!
ip dhcp excluded-address 10.0.10.1 10.0.10.169
ip dhcp excluded-address 10.0.10.190 10.0.10.254
!
ip cef
ip name-server <<DNS PRIMARY>>
ip name-server <<DNS SECONDARY>>
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn <<SN>>
license boot module c880-data level advipservices
!
username <<USERNAME>> privilege 15 secret 4 <<PASSWORD>>
username <<USERNAME>> secret 4 <<PASSWORD>>
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group CCLIENT-VPN
key <<KEY>>
dns 10.0.10.1
pool VPN-Pool
acl 120
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
<<DESCRIPTION>>
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1436
dialer pool 1
ppp chap hostname <<HOSTNAME>>
ppp chap password 0 <<PASSWORD>>
ppp pap sent-username <<USERNAME>> password 0 <<PASSWORD>>
!
ip local pool VPN-Pool 10.0.10.160 10.0.10.169
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 10.0.10.150 6113 <<EXTERNAL IP>> 6113 extendable
ip nat inside source static tcp 10.0.10.150 6116 <<EXTERNAL IP>> 6116 extendable
ip nat inside source static tcp 10.0.10.150 6117 <<EXTERNAL IP>> 6117 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.0.10.0 0.0.0.255
access-list 23 permit 10.0.10.0 0.0.0.255
access-list 55 permit <<EXTERNAL>>
access-list 55 permit <<EXTERNAL>>
access-list 55 permit <<EXTERNAL>>
access-list 55 permit <<EXTERNAL>>
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.10.150
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 150 permit tcp any host <<EXTERNAL>> eq 443
access-list 150 remark INBOUND VPN
access-list 150 permit ip host 10.0.10.160 any
access-list 150 permit ip host 10.0.10.161 any
access-list 150 permit ip host 10.0.10.162 any
access-list 150 permit ip host 10.0.10.163 any
access-list 150 permit ip host 10.0.10.164 any
access-list 150 permit ip host 10.0.10.165 any
access-list 150 permit ip host 10.0.10.166 any
access-list 150 permit ip host 10.0.10.167 any
access-list 150 permit ip host 10.0.10.168 any
access-list 150 permit ip host 10.0.10.169 any
no cdp run
!
<<REMOVED SNMP SERVER>>
!
control-plane
!
<<REMOVED BANNER LOGIN>>
!
line con 0
transport output telnet
line aux 0
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
end
Error Log from MacOS Client when connecting via IPSec:
configd[21]: IPSec connecting to server <<EXTERNAL>>
configd[21]: SCNC: start, triggered by System Preferen, type IPSec, status 0
configd[21]: IPSec Phase1 starting.
racoon[595]: IPSec connecting to server <<EXTERNAL>>
racoon[595]: Connecting.
racoon[595]: IPSec Phase1 started (Initiated by me).
racoon[595]: IKE Packet: transmit success. (Initiator, Main-Mode message 1).
racoon[595]: IKE Packet: receive success. (Information message).
racoon[595]: IKE Packet: receive failed. (Information message).
racoon[595]: IKE Packet: transmit success. (Phase1 Retransmit).
racoon[595]: IKE Packet: transmit success. (Phase1 Retransmit).
racoon[595]: IKE Packet: transmit success. (Phase1 Retransmit).
configd[21]: IPSec disconnecting from server <<EXTERNAL>>
racoon[595]: IPSec disconnecting from server <<EXTERNAL>>
racoon[595]: IPSec disconnecting from server <<EXTERNAL>>
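As an added illustration of the hardening review Chris asks for (example code written for this thread, not from the original post or from Cisco), the checker below scans lines taken from the posted running config for the settings a security review would flag first; the SAMPLE_CONFIG it embeds is constructed from that config with its placeholders kept.

```python
# Added example for this thread (not Cisco tooling, not the poster's code).
# Flags the hardening gaps visible in the posted running config.
import re

# Constructed sample: lines taken from the posted running config, indented as
# IOS prints them; placeholders are kept as in the post.
SAMPLE_CONFIG = """\
version 15.1
no service password-encryption
enable secret 4 <<SECRET>>
enable password <<PASSWORD>>
username <<USERNAME>> privilege 15 secret 4 <<PASSWORD>>
ip source-route
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
interface Dialer1
 ppp chap password 0 <<PASSWORD>>
 ppp pap sent-username <<USERNAME>> password 0 <<PASSWORD>>
ip http server
ip http secure-server
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""

# (pattern on the stripped line, severity, what it means for this router)
LINE_RULES = [
    (r"^no service password-encryption$", "medium",
     "passwords such as 'ppp chap password 0' stay cleartext in the config"),
    (r"^ip source-route$", "low", "source-routed packets are honoured; use 'no ip source-route'"),
    (r"^transport input .*\btelnet\b", "high", "vty accepts cleartext telnet; use 'transport input ssh'"),
    (r"\bpassword 0 \S", "medium", "type 0 (cleartext) password"),
    (r"\bsecret 4 \S", "low", "type 4 secret (single unsalted SHA-256); prefer a stronger type if the release has one"),
    (r"^encr 3des$", "low", "ISAKMP policy uses 3DES although the client's proposals in the debug include AES"),
    (r"^hash md5$", "low", "ISAKMP policy uses MD5"),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def lint_config(text):
    """Return findings as dicts: {'line': n, 'severity': s, 'text': cfg line, 'message': m}."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []
    for n, ln in enumerate(lines, 1):
        for pat, sev, msg in LINE_RULES:
            if re.search(pat, ln):
                findings.append({"line": n, "severity": sev, "text": ln, "message": msg})

    def has(prefix):  # is there any config line starting with this command?
        return any(ln.startswith(prefix) for ln in lines)

    # Context rules: these only matter in combination with another line.
    for n, ln in enumerate(lines, 1):
        if ln.startswith("enable password") and has("enable secret"):
            findings.append({"line": n, "severity": "medium", "text": ln,
                             "message": "reversible 'enable password' is redundant next to 'enable secret'; remove it"})
        if ln == "ip http server" and has("ip http secure-server"):
            findings.append({"line": n, "severity": "medium", "text": ln,
                             "message": "cleartext HTTP management alongside HTTPS; use 'no ip http server'"})
    # Highest severity first, then config order.
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["line"]))


def worst_severity(findings):
    """'high', 'medium', 'low', or 'none' when the list is empty."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__, default="none")
```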
12-14-2012 04:30 AM
Hi Chris, you're bound to find many helpful clues in the debug output on the Cisco router. Do that along with 'show crypto session detail'.
Here are the debug commands to use; there are 2:
debug crypto isakmp
debug crypto ipsec
Execute these commands and then attempt initiating a VPN connection from the client. Paste the output so that it's visible to all.
After the client fails to establish a VPN connection, you will have gathered plenty of very useful data - after which you should disable debugging by executing undebug all.
Cheers,
Roger
12-14-2012 04:41 AM
Great suggestion - thank you!
I won't be in front of the router for a few days - however next week I'll test it out and see what I find. Stay tuned...
Have a great weekend Roger! Thanks for your fast reply.
12-16-2012 01:31 AM
Hi Roger,
I finally had a chance to run the debug command.
I've had a look at the results, and I can see there's obviously a problem - but I'm still not sure of the best way to tackle it.
I'll continue to search around these forums for some ideas - but if you have any thoughts, I'd love to hear them!
Also... do you have any ideas about the 2nd part of my original question in regards to "open ports"? Is there a debug command that will help in that case?
Thanks in advance!
Best Regards, Chris!
---
debug crypto isakmp & debug crypto ipsec:
ISAKMP (0): received packet from <
ISAKMP: Created a peer struct for <
ISAKMP: New peer created peer = 0x877FA8D0 peer_handle = 0x80000006
ISAKMP: Locking peer struct 0x877FA8D0, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 878D5224
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0): vendor ID is IKE Fragmentation
ISAKMP:(0): MM Fragmentation supported
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0):No pre-shared key with <
ISAKMP : Scanning profiles for xauth ... vpn-ike-profile-1
ISAKMP:(0): Authentication by xauth preshared
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):no offers accepted!
ISAKMP:(0): phase 1 SA policy not acceptable! (local <
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
ISAKMP:(0): Failed to construct AG informational message.
ISAKMP:(0): sending packet to <
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):peer does not do paranoid keepalives.
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer <
ISAKMP (0): FSM action returned error: 2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer <
ISAKMP: Unlocking peer struct 0x877FA8D0 for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for <
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP (0): received packet from <
ISAKMP (0): received packet from <
ISAKMP (0): received packet from <
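An added example, not part of the thread or of Cisco's tooling: a small parser for the 'debug crypto isakmp' output above that records each Phase 1 proposal the client offered, the policy it was checked against and the reason IOS gave for rejecting it, then picks out the proposals that already match the configured cipher, hash and group. ROUTER_POLICIES is copied from the posted config's two 'crypto isakmp policy' blocks (policy 1 has no hash line, so it uses the IOS default, SHA); SAMPLE_DEBUG is an abridged, constructed subset of the posted output.

```python
# Added example for this thread (not Cisco tooling, not the poster's code).
# Parses 'debug crypto isakmp' Phase 1 proposal checks like the ones posted above.
import re
from collections import Counter

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.+?does not match policy)!")
ATTR_PATTERNS = {  # one attribute line each, as IOS prints them under a check
    "encryption": re.compile(r"^ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"^ISAKMP:\s+keylength of (\d+)"),
    "auth": re.compile(r"^ISAKMP:\s+auth (\S+)"),
    "hash": re.compile(r"^ISAKMP:\s+hash (\S+)"),
    "group": re.compile(r"^ISAKMP:\s+default group (\d+)"),
}

# The two 'crypto isakmp policy' blocks from the posted config. Policy 1 has no
# 'hash' line, so it uses the IOS default (SHA); 'encr 3des' prints as 3DES-CBC.
ROUTER_POLICIES = {
    1: {"encryption": "3DES-CBC", "hash": "SHA", "group": "2"},
    2: {"encryption": "3DES-CBC", "hash": "MD5", "group": "2"},
}

# Constructed sample: three of the checks from the posted debug, lifetime lines dropped.
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):no offers accepted!
"""


def parse_isakmp_debug(text):
    """One dict per 'Checking ISAKMP transform N against priority P policy' block."""
    records, current = [], None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)),
                       "accepted": None, "reason": None}
            records.append(current)
            continue
        if current is None:
            continue
        for key, pat in ATTR_PATTERNS.items():
            am = pat.search(line)
            if am:
                current[key] = am.group(1)
                break
        rm = REJECT_RE.search(line)
        if rm:
            current["reason"], current["accepted"] = rm.group(1).strip(), False
        elif "atts are acceptable" in line:  # IOS wording when a proposal is taken
            current["accepted"] = True
        if "atts are" in line:  # the verdict line closes the block
            current = None
    return records


def describe(rec):
    """Compact proposal string, e.g. 'AES-CBC-256/SHA/XAUTHInitPreShared/group2'."""
    enc = rec.get("encryption", "?") + ("-" + rec["keylength"] if "keylength" in rec else "")
    return f"{enc}/{rec.get('hash', '?')}/{rec.get('auth', '?')}/group{rec.get('group', '?')}"


def summarize(records):
    """Rejection reason -> the proposals that hit it, plus a count per reason."""
    by_reason = {}
    for rec in records:
        key = rec["reason"] or ("accepted" if rec["accepted"] else "no verdict")
        by_reason.setdefault(key, []).append(f"t{rec['transform']}@p{rec['policy']} {describe(rec)}")
    return {"counts": Counter({k: len(v) for k, v in by_reason.items()}), "proposals": by_reason}


def near_misses(records, policies=ROUTER_POLICIES):
    """Rejected proposals whose cipher, hash and DH group already match the router policy;
    their 'reason' names the one attribute still blocking Phase 1, so read it first."""
    return [rec for rec in records
            if (pol := policies.get(rec["policy"])) and rec["accepted"] is False
            and all(rec.get(k) == v for k, v in pol.items())]
```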
12-16-2012 08:09 PM
Hi Chris,
Thanks for posting the debug output. Your jigsaw is slowly falling into order. I am also hoping that someone much more experienced/knowledgeable than me looks at the config and shares some insight too. One of the drawbacks of configuring through an SDM (cisco GUI) is that you don't get a clean config, but I understand why you have to use the SDM.
From the running config in your original post - it appears that your VPN config is applied to router interface FastEthernet0. I noticed that FastEthernet0 is dead [not used], so there's one major problem.
If you are trying to remotely establish a VPN tunnel from a client PC to your office from an external network, then the VPN config should be applied to the Dialer1 interface.
To verify this run the following command 'show crypto map' and paste your output.
You can also run 'show ip interface brief' and analyse the output for your own reference (you don't have to paste it here).
There could be other things wrong with the config, so hopefully someone else offers their expert advice soon.
-----------------------------------------------------
With regards to Port forwarding, replace this...
ip nat inside source static tcp 10.0.10.150 6113 <
ip nat inside source static tcp 10.0.10.150 6116 <
ip nat inside source static tcp 10.0.10.150 6117 <
...with
ip nat inside source static tcp 10.0.10.150 6113 Dialer1 6113
ip nat inside source static tcp 10.0.10.150 6116 Dialer1 6116
ip nat inside source static tcp 10.0.10.150 6117 Dialer1 6117
Let me know if it works.
12-16-2012 09:16 PM
Thanks for your fast reply Roger!
Yes, I was really only using the Cisco CP Pro interface because the wizards seem to be a good starting point for beginners. Once I get the basics working, I hope to clean up the configuration manually (and properly secure everything!). In future I'll only be using SSH to configure things. For someone new to IOS however - Cisco CP is really handy, as it's a bit daunting looking at a terminal shell when you have no idea what all the commands are, or even what's possible.
Strangely enough - the port forwarding seems to be working now without any change to the configuration, so it must have just been a propagation issue, so I'll leave that alone for now. Thanks for your suggestion though!
In regards to the VPN issues - FastEthernet0 is the port I use to connect the 881 to the rest of the LAN, and I'm sure I read somewhere that you could just bind the Virtual Interface to any physical interface. However, as the physical interface doesn't have a specific IP address, that's probably the issue! Thanks for the suggestion. Should I just give FastEthernet0 the same IP address as VLAN1, or should I just re-bind the VPN to the Dialer1 interface?
When I run show crypto map it returns:
Crypto Map IPv4 "Virtual-Template2-head-0" 65536 ipsec-isakmp
Profile name: VPN-Profile-1
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
encrypt-method-1: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map Virtual-Template2-head-0:
Virtual-Template2
When I run show ip interface brief it returns:
Interface IP-Address OK? Method Status Protocol
Dialer1 <
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 unassigned YES NVRAM up up
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Template2 unassigned NO unset up down
Vlan1 <
The fact that Virtual-Template2 is not OK, is probably the issue!
Thanks for your help!
Best Regards, Chris!
12-17-2012 03:30 PM
Hi Chris,
See if this diagram makes sense.
* Remote clients (attempting to VPN into your office LAN through the internet)--------(INTERNET CLOUD)----------->Cisco881--------LAN (your internal office network)
The arrow pointing to the Cisco router is your WAN interface, which is your DSL link - and virtually your Dialer1 interface. This interface is your 'gateway' to the internet.
Hence, you need to apply your VPN config to the Dialer1 interface, so that external clients tunneling into your private LAN get access through this gateway interface (Dialer1).
Hope this explanation helps.
12-17-2012 04:22 AM
I don't believe you can give the FastEthernet ports an IP in this router. Essentially, VLAN 1 IP address takes care of all your LAN switchports.
Sent from Cisco Technical Support iPhone App
12-17-2012 04:17 PM
Thanks Elton & Roger.
Yes, that diagram looks correct Roger.
When I get a chance I'll try apply the VPN config to the Dialer1 interface and see what happens!
Thanks for your patience and help! Greatly appreciated!
12-19-2012 02:00 PM
Thanks for your continued help and advice Elton.
It's still not working after changing the VPN config to Dialer1, but I knew there'd be other issues!
The problem seems to be this, but I'm just not sure how to fix it. Any ideas?
Sorry to keep dragging this out. I'm trying to learn as much as I go!
---
Running Configuration:
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 4 <
enable password <
!
aaa new-model
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec local_author local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
memory-size iomem 10
clock timezone Sydney 10 0
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2735032776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2735032776
revocation-check none
rsakeypair TP-self-signed-2735032776
!
!
crypto pki certificate chain TP-self-signed-2735032776
certificate self-signed 01
<
quit
ip source-route
!
ip dhcp excluded-address 10.0.10.1 10.0.10.169
ip dhcp excluded-address 10.0.10.190 10.0.10.254
!
ip dhcp pool staffDHCP
import all
network 10.0.10.0 255.255.255.0
dns-server 10.0.10.1
default-router 10.0.10.1
domain-name <
!
ip cef
ip name-server <
ip name-server <
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn <
license boot module c880-data level advipservices
!
username <
username <
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group CCLIENT-VPN
key <
dns 10.0.10.1
pool VPN-Pool
acl 120
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description <
no ip address
duplex auto
speed auto
pppoe-client dial-pool-number 1
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1436
dialer pool 1
ppp chap hostname <
ppp chap password 0 <
ppp pap sent-username <
!
ip local pool VPN-Pool 10.0.10.160 10.0.10.169
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static tcp 10.0.10.150 6113 <
ip nat inside source static tcp 10.0.10.150 6116 <
ip nat inside source static tcp 10.0.10.150 6117 <
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.0.10.0 0.0.0.255
access-list 23 permit 10.0.10.0 0.0.0.255
access-list 55 permit <
access-list 55 permit <
access-list 55 permit <
access-list 55 permit <
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.10.150
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 150 permit tcp any host <
access-list 150 remark INBOUND VPN
access-list 150 permit ip host 10.0.10.160 any
access-list 150 permit ip host 10.0.10.161 any
access-list 150 permit ip host 10.0.10.162 any
access-list 150 permit ip host 10.0.10.163 any
access-list 150 permit ip host 10.0.10.164 any
access-list 150 permit ip host 10.0.10.165 any
access-list 150 permit ip host 10.0.10.166 any
access-list 150 permit ip host 10.0.10.167 any
access-list 150 permit ip host 10.0.10.168 any
access-list 150 permit ip host 10.0.10.169 any
no cdp run
!
snmp-server community <
snmp-server enable traps tty
!
control-plane
!
banner login <
!
line con 0
transport output telnet
line aux 0
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
end
Debug Output:
ISAKMP (0): received packet from <
ISAKMP: Created a peer struct for <
ISAKMP: New peer created peer = 0x877FF074 peer_handle = 0x80000007
ISAKMP: Locking peer struct 0x877FF074, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = 872B88E8
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 198 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 29 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 114 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 227 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 250 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 164 mismatch
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 242 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0): vendor ID is IKE Fragmentation
ISAKMP:(0): MM Fragmentation supported
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0):No pre-shared key with <
ISAKMP : Scanning profiles for xauth ... vpn-ike-profile-1
ISAKMP:(0): Authentication by xauth preshared
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 3 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 4 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 128
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 7 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 8 against priority 2 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):no offers accepted!
ISAKMP:(0): phase 1 SA policy not acceptable! (local <
ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
ISAKMP:(0): Failed to construct AG informational message.
ISAKMP:(0): sending packet to <
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):peer does not do paranoid keepalives.
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer <
ISAKMP (0): FSM action returned error: 2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer <
ISAKMP: Unlocking peer struct 0x877FF074 for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for <
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 KMI message(s)
ISAKMP (0): received packet from <
ISAKMP (0): received packet from <
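When triaging a phase 1 failure like the `debug crypto isakmp` capture above, the useful signal is the rejection reason printed after each "Checking ISAKMP transform N against priority M policy" block: it names the first attribute the router's policy disagreed with, so the attributes it checked before that one must have matched. The script below is an added example (not code from the post, from Cisco, or from IOS) that turns a capture of this shape into a per-transform table and infers, for each router policy, which encryption and hash it accepted and which authentication method it rejected. The sample input is a constructed subset of the debug lines quoted in the post, and the assumed check order (encryption, then hash, then authentication) is taken from how the rejections in this capture fall out, not from any Cisco documentation.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the "debug crypto isakmp" output quoted in the
# post (a subset of the transforms; the real capture shows 8 per policy).
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):Checking ISAKMP transform 5 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):Checking ISAKMP transform 6 against priority 2 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: auth XAUTHInitPreShared
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
ISAKMP:(0):no offers accepted!
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|auth|hash|default group)\s+(\S+)$")
KEYLEN = re.compile(r"keylength of (\d+)")
# First word of the reason line: "Encryption", "Hash" or "Xauth".
REASON = re.compile(r"^ISAKMP:\(\d+\):(\w+) .*does not match policy!")

# Assumed order in which IOS compares a proposal against a policy, inferred from this
# capture: a transform rejected on authentication had matching encryption and hash.
CHECK_ORDER = ("encryption", "hash", "xauth")


def parse_transforms(debug_text):
    """Return one dict per offered transform: policy, transform, attributes, reason."""
    results, current = [], None
    for line in debug_text.splitlines():
        m = CHECK.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "reason": None}
            results.append(current)
            continue
        if current is None:
            continue
        if m := ATTR.match(line):
            current[m.group(1).replace("default ", "")] = m.group(2)
        elif m := KEYLEN.search(line):
            current["keylength"] = int(m.group(1))
        elif m := REASON.match(line):
            current["reason"] = m.group(1).lower()
    return results


def infer_policies(transforms):
    """Per router policy, record the attributes the rejections prove it accepted."""
    inferred = defaultdict(dict)
    for t in transforms:
        if t["reason"] not in CHECK_ORDER:
            continue  # accepted proposal or an unrecognised reason: nothing to infer
        failed_at = CHECK_ORDER.index(t["reason"])
        pol = inferred[t["policy"]]
        if failed_at > 0:
            pol["encryption"] = t.get("encryption")
        if failed_at > 1:
            pol["hash"] = t.get("hash")
        if t["reason"] == "xauth":
            pol["rejects_auth"] = t.get("auth")
    return dict(inferred)


def summarize(debug_text):
    """Human-readable triage lines for the capture."""
    transforms = parse_transforms(debug_text)
    lines = []
    for t in transforms:
        enc = t.get("encryption", "?")
        if "keylength" in t:
            enc += f"-{t['keylength']}"
        lines.append(f"policy {t['policy']} transform {t['transform']}: {enc} "
                     f"{t.get('hash')} {t.get('auth')} group{t.get('group')} "
                     f"-> rejected on {t['reason']}")
    for policy, attrs in sorted(infer_policies(transforms).items()):
        lines.append(f"policy {policy} accepts: {attrs}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DEBUG)))
```

Run against the full capture, the output makes the mismatch concrete: every AES proposal fails on encryption, both policies take 3DES, policy 1 wants SHA and policy 2 wants MD5, and the only proposals that get past hash (3DES/SHA on policy 1, 3DES/MD5 on policy 2) are then rejected because the policy's authentication method is not the XAUTH pre-shared method the Mac client offers. That narrows the fix to the `crypto isakmp policy` encryption and authentication settings rather than the NAT or ACL parts of the configuration.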