issue setting up VPN after changing line-type

ingvar001
Level 1

We are trying to set up a VPN connection to our Cisco 867-VAE-K9. The VPN used to work fine, but recently the line type changed (ADSL -> VDSL). We've made some changes to the configuration and the internet connection is OK, but we are unable to connect to the VPN. I guess the problem has something to do with the changes we made to the Cisco, but I don't know which setting is the problem.

The configuration looks like this:

version 15.6
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 102400 notifications
no logging console
no logging monitor
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnauth local
aaa authorization exec default if-authenticated
aaa authorization network vpnauth local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 3:00 last Sun Oct 2:00
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool datavlan178
network 192.168.1.0 255.255.255.0
domain-name xxx.local
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip inspect log drop-pkt
ip inspect name IOSFW icmp
ip inspect name IOSFW dns
ip inspect name IOSFW esmtp
ip inspect name IOSFW http
ip inspect name IOSFW https
ip inspect name IOSFW imap reset
ip inspect name IOSFW pop3 reset
ip inspect name IOSFW tcp
ip inspect name IOSFW udp
ip inspect name IOSFW ftp
no ip bootp server
ip domain name xxx.local
ip host modem 192.168.1.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:/archive/
maximum 14
write-memory
time-period 10080
!
spanning-tree vlan 178 priority 8192
username AAA privilege 15 secret 5 AAAA
username BBB privilege 4 secret 5 BBBB
!
!
controller VDSL 0
firmware filename flash:VAE_AB_35j_23jE.bin
no cdp run
!
ip tcp ecn
ip tcp synwait-time 10
!
crypto logging session
crypto logging ezvpn
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group privavpn
key XXXXX
domain priva.local
pool vpnpool
acl SplitVPN
include-local-lan
pfs
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpnclient
match identity group privavpn
client authentication list vpnauth
isakmp authorization list vpnauth
client configuration address respond
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto call admission limit ike sa 20
!
crypto call admission limit ike in-negotiation-sa 20
!
crypto dynamic-map dynmap 1
set transform-set vpnset
set isakmp-profile vpnclient
reverse-route
!
!
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.6
encapsulation dot1Q 6
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan178
ip address 192.168.1.1 255.255.255.0
ip access-group Firewall_Inside_In in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description VDSL
ip address negotiated
ip access-group Firewall_Outside_In in
ip nbar protocol-discovery
ip inspect IOSFW out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX password 7 XXX
no cdp enable
crypto map vpnmap
!
ip local pool vpnpool 192.168.179.200 192.168.179.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.1.Y 1433 interface Dialer0 1433
ip nat inside source static udp 192.168.1.Y 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.1.Y 15000 interface Dialer0 15000
ip nat inside source static udp 192.168.1.Y 15000 interface Dialer0 15000
ip nat inside source static tcp 192.168.1.Y 15001 interface Dialer0 15001
ip nat inside source static udp 192.168.1.Y 15001 interface Dialer0 15001
ip nat inside source static tcp 192.168.1.Y 15010 interface Dialer0 15010
ip nat inside source static udp 192.168.1.Y 15010 interface Dialer0 15010
ip nat inside source static tcp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static udp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static tcp 192.168.1.Y 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.Y 47 interface Dialer0 47
ip nat inside source static udp 192.168.1.Y 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.1.Y 3389 interface Dialer0 3389
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 1234 rotary 1
!
ip access-list standard Support
permit A.A.A.A
!
ip access-list extended Firewall_Inside_In
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended Firewall_Outside_In
permit tcp host A.A.A.A any eq 1234
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit udp host A.A.A.A any eq snmp
permit gre any any
permit esp any any
permit tcp host A.A.A.A any eq 1433
permit udp host A.A.A.A any eq 1433
permit tcp host A.A.A.A any eq 15000
permit udp host A.A.A.A any eq 15000
permit tcp host A.A.A.A any eq onep-plain
permit udp host A.A.A.A any eq 15001
permit tcp host A.A.A.A any eq 15010
permit udp host A.A.A.A any eq 15010
permit tcp host A.A.A.A any eq 500
permit udp host A.A.A.A any eq isakmp
permit tcp host A.A.A.A any eq 1723
permit tcp host A.A.A.A any eq 47
permit udp host A.A.A.A any eq non500-isakmp
deny tcp any any eq 1720
ip access-list extended NoNATACL
remark Exempt Private Network Traffic from NAT process
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
deny ip host 192.168.1.Y 192.168.179.0 0.0.0.255
ip access-list extended SplitVPN
permit ip 192.168.179.0 0.0.0.255 host 192.168.1.Y
permit ip host 192.168.1.Y 192.168.179.0 0.0.0.255
!
logging trap warnings
logging source-interface Vlan178
logging host 5.5.5.5
dialer-list 1 protocol ip permit
mac-address-table aging-time 10
!
route-map nonat permit 10
match ip address NoNATACL
!
!
line con 0
exec-timeout 15 0
logging synchronous
no modem enable
line aux 0
no exec
transport output none
line vty 0 4
exec-timeout 15 0
rotary 1
transport input ssh
transport output none
!
scheduler process-watchdog reload
scheduler isr-watchdog
scheduler allocate 60000 1000
ntp source Vlan178
ntp server F.F.F.F prefer
ntp server G.G.G.G

When using the Shrew Soft VPN Access Manager, I get the following output:

attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon

27 Replies

Hello,

I wonder if the router is the problem. I assume you are using Windows clients? What does the local route table (route print) on the Windows client look like when you connect?

Thinking about this discussion I would suggest that it would be better to try debug for isakmp instead of for ipsec. isakmp is the first stage of negotiation and the messages from the client would seem to indicate that no negotiation is happening. So I am not surprised that there was no output from debug for ipsec.

HTH

Rick

Hello,

Correct, I'm using a Windows PC to connect.

When I try to connect to the VPN the route table looks like this:

>route print
===========================================================================
Interface List
8...8c 89 a5 88 0e 7f ......Realtek PCIe GbE Family Controller
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.117 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.178.0 255.255.255.0 On-link 192.168.178.117 281
192.168.178.117 255.255.255.255 On-link 192.168.178.117 281
192.168.178.255 255.255.255.255 On-link 192.168.178.117 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.178.117 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.178.117 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
8 281 fe80::/64 On-link
8 281 fe80::c492:28d1:f8ba:e3b5/128 On-link
1 331 ff00::/8 On-link
8 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

I have another router (also a Cisco 867VAE-K9) with a working VPN. The configuration is exactly the same as the first router before the changes to the external line. If I check the route table when connected to the VPN on this router it looks like this:

>route print
===========================================================================
Interface List
8...8c 89 a5 88 0e 7f ......Realtek PCIe GbE Family Controller
5...aa aa aa ac a7 00 ......Shrew Soft Virtual Adapter
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.178.1 192.168.178.117 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.178.0 255.255.255.0 On-link 192.168.178.117 281
192.168.178.90 255.255.255.255 On-link 5 56
192.168.178.117 255.255.255.255 On-link 192.168.178.117 281
192.168.178.255 255.255.255.255 On-link 192.168.178.117 281
192.168.179.0 255.255.255.0 On-link 5 56
192.168.179.255 255.255.255.255 On-link 5 311
212.238.169.225 255.255.255.255 192.168.178.1 192.168.178.117 26
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.178.117 281
224.0.0.0 240.0.0.0 On-link 5 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.178.117 281
255.255.255.255 255.255.255.255 On-link 5 311
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
8 281 fe80::/64 On-link
5 311 fe80::/64 On-link
5 311 fe80::ac8d:f694:86e4:daa0/128 On-link
8 281 fe80::c492:28d1:f8ba:e3b5/128 On-link
1 331 ff00::/8 On-link
8 281 ff00::/8 On-link
5 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Hello,

On the second, working machine, this seems to be the address of the VPN server:

212.238.169.225 255.255.255.255 192.168.178.1 192.168.178.117 26
The fact that there is no route similar to this one in the first machine would suggest that there never is a connection at all.

Hello,

That said, what if you manually add the route (route add) on your machine? And then run the debugs on the router?

After adding the route manually, I can see it in the route print.

Running the debugs on the router still doesn't give any useful information. The output is the same as before.

I've tried all the options from 'debug crypto isakmp' and 'debug crypto ipsec' but the output is always 'debugging is on'.

Hello,

To be sure I didn't miss any changes, I compared the working VPN config with the non-working config.

The differences between the 2 configurations are:

  • ATM0 is shut down in the non-working config.
  • interface Ethernet0.6 is added
  • interface Dialer0 has the suggested changes (ip mtu 1492, ip tcp adjust-mss 1452 and ppp ipcp address accept)
  • access-list Firewall_Outside_In permits more ports

Richard Burts
Hall of Fame

After reading through the discussion a couple of times and looking at the posted config I have several questions and comments.

I am guessing that entry in the routing table was the result of negotiation of the VPN by Shrew Soft. Since the negotiation was not successful there is no routing entry. I believe that the client would be able to reach the VPN using the default route and am not surprised that manually configuring the route on the client did not fix the problem. As one way of checking on this, is the client able to ping the address of the VPN?
I am wondering if the issue with vpn is because the address of the router changed and perhaps the vpn client did not change. How does the user initiate the vpn? Does the user supply the vpn server address or is it something that is stored in the vpn client? In the vpn file in one of the posts there are several addresses but they are represented as xxx and so we can not know if any of them are the old vpn address, the new vpn address, or some other address. Is there any way to verify what address the vpn client is attempting to access?
Is this vpn coming from a single remote site or from multiple sites? In looking at the access list Firewall_Outside_In I see a permit for isakmp from host A.A.A.A. If the vpn is coming from a single remote site and that site is A.A.A.A then it is ok. Otherwise it looks to me like isakmp is not getting through the access list.

I am also wondering about how the vpn works. I see configuration in the router that suggests that the router is the vpn server. But I also see static address translation that is sending isakmp to 192.168.1.Y. So is 192.168.1.Y running the vpn? How is this supposed to work?

I am wondering about this in the original post:

When using the Shrewsoft VPN access manager, i get the following output:

peer configured

remote id configured

Is there any way to determine what the client is using for these?

HTH

Rick


@Richard Burts wrote:
I am guessing that entry in the routing table was the result of negotiation of the vpn by Shrewsoft. Since the negotiation was not successful there is no routing entry. I believe that the client would be able to reach the vpn using the default route and am not surprised that manually configuring the route on the client did not fix the problem. As one way of checking on this is the client able to ping the address of the vpn?


Correct, the entry in the routing table is the result of the Shrew Soft VPN and only appears if the negotiation is successful. The client is able to ping the address of the VPN.

@Richard Burts wrote:

I am wondering if the issue with vpn is because the address of the router changed and perhaps the vpn client did not change. How does the user initiate the vpn? Does the user supply the vpn server address or is it something that is stored in the vpn client? In the vpn file in one of the posts there are several addresses but they are represented as xxx and so we can not know if any of them are the old vpn address, the new vpn address, or some other address. Is there any way to verify what address the vpn client is attempting to access?


The user supplies the address of the VPN server. The address in the VPN file is the new VPN address. The address is the same address I use to SSH to the router.

@Richard Burts wrote:

Is this vpn coming from a single remote site or from multiple sites? In looking at the access list Firewall_Outside_In I see a permit for isakmp from host A.A.A.A. If the vpn is coming from a single remote site and that site is A.A.A.A then it is ok. Otherwise it looks to me like isakmp is not getting through the access list.

I'm testing from my IP address, which is the A.A.A.A address. Once the VPN is working other addresses will be added, but for now that one address is enough.

As suggested in one of the earlier replies, I've temporarily disabled the access list. This didn't change the result, so I guess the access list can't be the problem.

@Richard Burts wrote:

I am also wondering about how the vpn works. I see configuration in the router that suggests that the router is the vpn server. But I also see static address translation that is sending isakmp to 192.168.1.Y. So is 192.168.1.Y running the vpn? How is this supposed to work?


The router is the VPN server. The device on 192.168.1.Y is the device that should be reachable once connected to the VPN.

The VPN always worked with this setting, but after reading your comment, it doesn't look logical to forward the ISAKMP traffic to 192.168.1.Y. I'm going to remove the static address translation and check if it will fix the issue.

You fixed my problem.

The static translation for ISAKMP caused the negotiation to time out.

After removing the translation the VPN works.

Thanks for the help.
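The root cause here, a static NAT entry forwarding UDP 500 to an inside host through the same interface that carries the router's crypto map, is easy to miss in a long config. The following is an added example (not from this thread or from Cisco) that audits IOS config text for exactly that pattern and emits the `no` commands that remove it; the embedded config excerpt is constructed from the one posted above and keeps the poster's 192.168.1.Y placeholder.

```python
"""Audit for the failure mode in this thread (added example, not from the
thread or Cisco): flag 'ip nat inside source static' rules that forward
IKE (UDP 500) or NAT-T (UDP 4500) through an interface that also carries
a crypto map. There the router itself must answer IKE, so the translation
diverts the client's negotiation and the client times out."""
import re

IKE_UDP_PORTS = {500, 4500}
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
INTERFACE_RE = re.compile(r"^interface (\S+)$")

# Constructed excerpt modelled on the thread's config; 192.168.1.Y is the
# placeholder the original poster used for the inside host.
SAMPLE_CONFIG = """\
interface Dialer0
 ip nat outside
 crypto map vpnmap
!
interface Vlan178
 ip nat inside
!
ip nat inside source static tcp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static udp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static udp 192.168.1.Y 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.1.Y 3389 interface Dialer0 3389
ip nat inside source route-map nonat interface Dialer0 overload
"""


def crypto_map_interfaces(config):
    """Interfaces whose block contains 'crypto map <name>'."""
    found, current = set(), None
    for raw in config.splitlines():
        line = raw.strip()
        match = INTERFACE_RE.match(line)
        if match:
            current = match.group(1)
        elif line == "!":
            current = None  # IOS ends each block with a bare '!'
        elif current and line.startswith("crypto map "):
            found.add(current)
    return found


def ike_stealing_translations(config):
    """Offending static NAT lines (stripped), in config order."""
    vpn_ifaces = crypto_map_interfaces(config)
    hits = []
    for raw in config.splitlines():
        line = raw.strip()
        match = STATIC_NAT_RE.match(line)
        if not match:
            continue
        proto, _host, _in_port, iface, out_port = match.groups()
        # IKE is UDP only; the TCP/500 forward is pointless but harmless.
        if proto == "udp" and int(out_port) in IKE_UDP_PORTS and iface in vpn_ifaces:
            hits.append(line)
    return hits


def remediation(config):
    """IOS commands that remove the offending translations."""
    return ["no " + line for line in ike_stealing_translations(config)]
```

Feed `remediation()` the output of `show running-config`; the TCP/500 and 3389 forwards are deliberately left alone because they do not touch IKE.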

You are welcome. I am glad that my suggestion pointed you in the right direction. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

There was another post here a few days ago where the user could not establish a VPN connection, it turned out to be the ISP who was blocking certain traffic. Although it doesn't seem logical (why would any ISP block any ports), it might still be worth checking with your ISP...

Hello,

It turned out to be an issue with the static translations. Removing the translation for ISAKMP fixed the problem.

Thanks for the help.