issue setting up VPN after changing line-type

ingvar001
Level 1

We are trying to set up a VPN connection to our cisco 867-VAE-K9. The VPN used to work fine, but recently the line-type changed (ADSL -> VDSL). We've made some changes to the configuration and the internet-connection is ok, but we are unable to connect to the VPN. I guess the problem has something to do with the changes we made to the cisco, but I don't know which setting is the problem.


The configuration looks like this:

version 15.6
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 102400 notifications
no logging console
no logging monitor
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnauth local
aaa authorization exec default if-authenticated
aaa authorization network vpnauth local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 3:00 last Sun Oct 2:00
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool datavlan178
network 192.168.1.0 255.255.255.0
domain-name xxx.local
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
!
!
ip inspect log drop-pkt
ip inspect name IOSFW icmp
ip inspect name IOSFW dns
ip inspect name IOSFW esmtp
ip inspect name IOSFW http
ip inspect name IOSFW https
ip inspect name IOSFW imap reset
ip inspect name IOSFW pop3 reset
ip inspect name IOSFW tcp
ip inspect name IOSFW udp
ip inspect name IOSFW ftp
no ip bootp server
ip domain name xxx.local
ip host modem 192.168.1.1
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
path flash:/archive/
maximum 14
write-memory
time-period 10080
!
spanning-tree vlan 178 priority 8192
username AAA privilege 15 secret 5 AAAA
username BBB privilege 4 secret 5 BBBB
!
!
controller VDSL 0
firmware filename flash:VAE_AB_35j_23jE.bin
no cdp run
!
ip tcp ecn
ip tcp synwait-time 10
!
crypto logging session
crypto logging ezvpn
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group privavpn
key XXXXX
domain priva.local
pool vpnpool
acl SplitVPN
include-local-lan
pfs
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpnclient
match identity group privavpn
client authentication list vpnauth
isakmp authorization list vpnauth
client configuration address respond
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto call admission limit ike sa 20
!
crypto call admission limit ike in-negotiation-sa 20
!
crypto dynamic-map dynmap 1
set transform-set vpnset
set isakmp-profile vpnclient
reverse-route
!
!
crypto map vpnmap 65535 ipsec-isakmp dynamic dynmap
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.6
encapsulation dot1Q 6
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface GigabitEthernet0
switchport access vlan 178
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan178
ip address 192.168.1.1 255.255.255.0
ip access-group Firewall_Inside_In in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description VDSL
ip address negotiated
ip access-group Firewall_Outside_In in
ip nbar protocol-discovery
ip inspect IOSFW out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX password 7 XXX
no cdp enable
crypto map vpnmap
!
ip local pool vpnpool 192.168.179.200 192.168.179.250
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.1.Y 1433 interface Dialer0 1433
ip nat inside source static udp 192.168.1.Y 1433 interface Dialer0 1433
ip nat inside source static tcp 192.168.1.Y 15000 interface Dialer0 15000
ip nat inside source static udp 192.168.1.Y 15000 interface Dialer0 15000
ip nat inside source static tcp 192.168.1.Y 15001 interface Dialer0 15001
ip nat inside source static udp 192.168.1.Y 15001 interface Dialer0 15001
ip nat inside source static tcp 192.168.1.Y 15010 interface Dialer0 15010
ip nat inside source static udp 192.168.1.Y 15010 interface Dialer0 15010
ip nat inside source static tcp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static udp 192.168.1.Y 500 interface Dialer0 500
ip nat inside source static tcp 192.168.1.Y 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.1.Y 47 interface Dialer0 47
ip nat inside source static udp 192.168.1.Y 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.1.Y 3389 interface Dialer0 3389
ip nat inside source route-map nonat interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 1234 rotary 1
!
ip access-list standard Support
permit A.A.A.A
!
ip access-list extended Firewall_Inside_In
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended Firewall_Outside_In
permit tcp host A.A.A.A any eq 1234
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
permit udp host A.A.A.A any eq snmp
permit gre any any
permit esp any any
permit tcp host A.A.A.A any eq 1433
permit udp host A.A.A.A any eq 1433
permit tcp host A.A.A.A any eq 15000
permit udp host A.A.A.A any eq 15000
permit tcp host A.A.A.A any eq onep-plain
permit udp host A.A.A.A any eq 15001
permit tcp host A.A.A.A any eq 15010
permit udp host A.A.A.A any eq 15010
permit tcp host A.A.A.A any eq 500
permit udp host A.A.A.A any eq isakmp
permit tcp host A.A.A.A any eq 1723
permit tcp host A.A.A.A any eq 47
permit udp host A.A.A.A any eq non500-isakmp
deny tcp any any eq 1720


ip access-list extended NoNATACL
remark Exempt Private Network Traffic from NAT process
deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
deny ip host 192.168.1.Y 192.168.179.0 0.0.0.255
ip access-list extended SplitVPN
permit ip 192.168.179.0 0.0.0.255 host 192.168.1.Y
permit ip host 192.168.1.Y 192.168.179.0 0.0.0.255
!
logging trap warnings
logging source-interface Vlan178
logging host 5.5.5.5
dialer-list 1 protocol ip permit
mac-address-table aging-time 10
!
route-map nonat permit 10
match ip address NoNATACL
!
!
line con 0
exec-timeout 15 0
logging synchronous
no modem enable
line aux 0
no exec
transport output none
line vty 0 4
exec-timeout 15 0
rotary 1
transport input ssh
transport output none
!
scheduler process-watchdog reload
scheduler isr-watchdog
scheduler allocate 60000 1000
ntp source Vlan178
ntp server F.F.F.F prefer
ntp server G.G.G.G

When using the Shrewsoft VPN access manager, I get the following output:

attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
negotiation timout occurred
tunnel disabled
detached from key daemon

Accepted Solution

Richard Burts
Hall of Fame

After reading through the discussion a couple of times and looking at the posted config I have several questions and comments.


I am guessing that entry in the routing table was the result of negotiation of the vpn by Shrewsoft. Since the negotiation was not successful there is no routing entry. I believe that the client would be able to reach the vpn using the default route and am not surprised that manually configuring the route on the client did not fix the problem. As one way of checking on this, is the client able to ping the address of the vpn?


I am wondering if the issue with vpn is because the address of the router changed and perhaps the vpn client did not change. How does the user initiate the vpn? Does the user supply the vpn server address or is it something that is stored in the vpn client? In the vpn file in one of the posts there are several addresses but they are represented as xxx and so we cannot know if any of them are the old vpn address, the new vpn address, or some other address. Is there any way to verify what address the vpn client is attempting to access?


Is this vpn coming from a single remote site or from multiple sites? In looking at the access list Firewall_Outside_In I see a permit for isakmp from host A.A.A.A. If the vpn is coming from a single remote site and that site is A.A.A.A then it is ok. Otherwise it looks to me like isakmp is not getting through the access list.

I am also wondering about how the vpn works. I see configuration in the router that suggests that the router is the vpn server. But I also see static address translation that is sending isakmp to 192.168.1.Y. So is 192.168.1.Y running the vpn? How is this supposed to work?


I am wondering about this in the original post

When using the Shrewsoft VPN access manager, i get the following output:

peer configured

remote id configured

Is there any way to determine what the client is using for these?

HTH

Rick

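Rick's two observations above, that isakmp is permitted inbound only from host A.A.A.A and that static NAT sends udp 500/4500 to 192.168.1.Y on the same Dialer0 that carries the crypto map, can be checked mechanically against a running config. The following is an added example, not code from the thread: a small evaluator for the posted extended-ACL syntax plus a static-NAT check, using constructed stand-ins for the thread's placeholders (198.51.100.10 for A.A.A.A, 192.168.1.50 for 192.168.1.Y, 192.0.2.1 for the router's Dialer0 address).

```python
import ipaddress
import re

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500, "snmp": 161, "onep-plain": 15001}

# Constructed stand-ins for the thread's placeholders: 198.51.100.10 plays A.A.A.A,
# 192.168.1.50 plays 192.168.1.Y, 192.0.2.1 is the router's Dialer0 address.
FIREWALL_OUTSIDE_IN = [
    "permit icmp any any echo-reply",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 172.16.0.0 0.15.255.255 any",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit esp any any",
    "permit udp host 198.51.100.10 any eq isakmp",
    "permit udp host 198.51.100.10 any eq non500-isakmp",
]
STATIC_NAT = [
    "ip nat inside source static udp 192.168.1.50 500 interface Dialer0 500",
    "ip nat inside source static udp 192.168.1.50 4500 interface Dialer0 4500",
    "ip nat inside source static tcp 192.168.1.50 3389 interface Dialer0 3389",
]

def _addr(tokens):
    """Consume one IOS address spec (any | host X | X wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; IOS ends every ACL with an implicit deny."""
    for ace in acl:
        tokens = ace.split()
        action, ace_proto = tokens[0], tokens[1]
        src_net, rest = _addr(tokens[2:])
        dst_net, rest = _addr(rest)
        port = None if rest[:1] != ["eq"] else NAMED_PORTS.get(rest[1]) or int(rest[1])
        if ace_proto in ("ip", proto) and ipaddress.ip_address(src) in src_net \
                and ipaddress.ip_address(dst) in dst_net and port in (None, dport):
            return action
    return "deny"

def ike_ports_stolen_by_nat(nat_lines, iface="Dialer0"):
    """Static NAT of udp/500 or udp/4500 on the crypto-map interface sends IKE meant
    for the router itself to the inside host instead; return (host, port) hits."""
    pat = re.compile(r"ip nat inside source static udp (\S+) \d+ interface (\S+) (500|4500)$")
    return [(m.group(1), int(m.group(3))) for m in map(pat.match, nat_lines)
            if m and m.group(2) == iface]
```

A client at any address other than the A.A.A.A stand-in is dropped by the implicit deny before IKE ever reaches the router, and both IKE ports are additionally redirected to the inside host by the static NAT entries.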


Hello,


Your NAT access list doesn't look right; make sure it looks like this:


ip access-list extended NoNATACL
remark Exempt Private Network Traffic from NAT process
deny ip host 192.168.1.0 192.168.179.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

I've changed the NAT accesslist.

Unfortunately this didn't solve the problem.

I'm still unable to use the VPN.

Hello,


Try temporarily removing the access lists to see if they are blocking access. Also, post the output of 'debug crypto ipsec sa' when a remote client tries to connect...


interface Vlan178
ip address 192.168.1.1 255.255.255.0
--> no ip access-group Firewall_Inside_In in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
description VDSL
ip address negotiated
--> no ip access-group Firewall_Outside_In in
ip nbar protocol-discovery
ip inspect IOSFW out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX password 7 XXX
no cdp enable
crypto map vpnmap

Hello,


Removing the access list didn't help. Trying to bring up the tunnel still results in a negotiation timeout.

When trying to use 'debug crypto ipsec sa', the Cisco gives an "Invalid input detected at '^' marker." error.

It seems the Cisco doesn't know the 'sa' keyword.

The options the Cisco gives after 'debug crypto ipsec ?' are:

client Client Debug
error IPSEC errors
ha IPSEC High Availability
hw-request IPSEC hw-request
message IPSEC message
metadata CTS metadata
states IPSEC states

I've tried all the above options, but all it gives me is a notification that the option is 'on'.


Hello,


Which VPN client(s) are you using? Can the clients reach the public outside IP address of your router?

Hello,


I'm using Shrewsoft VPN client for windows.

The client should be able to reach the public IP of the router. I'm using ssh on the same windows computer to change the configuration on the router.

Hello,


Do you remember which settings you changed? Do you have the original configuration saved somewhere?

Hello,


I am not too familiar with Shrew Soft, but I believe there is a .pcf file that is imported. Can you post the content of that file?

All I could find was a .vpn file, hope it has the info you are looking for.


n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:1
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-keylen:256
n:phase1-life-secs:86400
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-keylen:256
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:1
s:network-host:XXX.XXX.XXX.XXX
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:keyid
s:ident-server-type:address
s:ident-client-data:XXXXXXXXXXXX
b:auth-mutual-psk:XXXXXXXXXXXXXXXXX
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:-1
s:policy-level:auto

Hello,


That is exactly the file I was looking for. I'll check the values and get back with you...

All I had to change was to shut down ATM0 and add Ethernet0:

interface ATM0
shutdown
!
interface Ethernet0
no ip address
!
interface Ethernet0.6
encapsulation dot1Q 6
pppoe-client dial-pool-number 1
no cdp enable

Hello,


Try making the additions marked with "-->" below. Since you only changed the external line, I would think the EZVPN part should be ok...

interface Ethernet0.6
encapsulation dot1Q 6
--> pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer0
description VDSL
ip address negotiated
--> ip mtu 1492
ip access-group Firewall_Outside_In in
ip nbar protocol-discovery
ip inspect IOSFW out
ip nat outside
ip virtual-reassembly in
--> ip tcp adjust-mss 1452
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXX password 7 XXX
no cdp enable
--> ppp ipcp address accept
crypto map vpnmap

Hello,

I've tried to add the settings.

The additions to Dialer0 don't fix the problem.


For some reason I can execute 'pppoe enable group global' without any errors, but it won't show in the configuration.


It sounds like that value is the default value. When you enter a configuration command to change a parameter and you specify the default value of the parameter, the command is accepted but the show run will not display that parameter value. If you want to check it out, use

pppoe enable group ?

and try changing it to one of the options shown different from global. I think that will show up in show run. Then change it back to global so it is the way that it was.

HTH

Rick