
Remote to Site VPN not working

Hello All,

I have a task in hand, whereby I need to get Site-to-Site and Remote-to-Site VPN configured on my Branch Router.

HQ: only Site-to-Site VPN to the Branch Router

Branch: Site-to-Site VPN with the HQ router, plus Client-to-Branch-Site VPN access

I have the following configuration. Site-to-site is working fine, but when I connect a laptop from outside the branch network using Cisco VPN Client ver 5, it asks for username and password, but after some time no connection is established. I enabled logging in the VPN Client and got the following error message, which means Phase 2 is not getting negotiated.

If I change the transform-set to esp-aes esp-sha-hmac, then I lose my site-to-site VPN connectivity to my HQ router.

I am stuck now and have tried all the possible solutions, but nothing seems to be working. I do not know where I am going wrong.

Branch Router Config (Cisco 3825)


interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address XX.XX.XX.XX 255.255.255.0
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
ip access-list extended 199
 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
 permit ip 192.168.4.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
!
ip access-list extended 100
 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip access-list extended 102
 permit ip 172.16.0.0 0.0.255.255 any
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key XX address XX.XX.XX
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set MY-SET
 match address 100
!
interface GigabitEthernet0/1
 crypto map IPSEC-SITE-TO-SITE-VPN
!
aaa new-model
aaa authentication login users local
aaa authorization network groups local
!
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
!
crypto isakmp client configuration group internal
 key cisco
 pool vpnpool
 acl 102
!
crypto dynamic-map d-map 1
 set transform-set MY-SET
 reverse-route
!
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
!
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
!
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
!
username XX password XX
!

 

 

Cisco VPN Client Log message

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

684 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100002
Begin connection process

685 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100004
Establish secure connection

686 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xx"

687 18:05:07.982 08/16/19 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.

688 18:05:07.982 08/16/19 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

689 18:05:07.998 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

690 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

691 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xx.xx.xx.xx

692 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

693 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DPD

694 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text

695 18:05:08.232 08/16/19 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.

696 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

697 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

698 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

699 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx

700 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

701 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xC613, Remote Port = 0x1194

702 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

704 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

705 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx

706 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

707 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

708 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

709 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

710 18:05:08.232 08/16/19 Sev=Info/4 CM/0x63100015
Launch xAuth application

711 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

712 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

713 18:05:12.045 08/16/19 Sev=Info/4 CM/0x63100017
xAuth application returned

714 18:05:12.045 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

715 18:05:12.248 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

716 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

717 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

718 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

719 18:05:12.264 08/16/19 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

720 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

721 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

722 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

723 18:05:18.547 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

724 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

725 18:05:22.673 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816096

726 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

727 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

728 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

729 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

730 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

731 18:05:27.770 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816097

732 18:05:28.804 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

733 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

734 18:05:32.916 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816098

735 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=45C6D766

736 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

737 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx

738 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

740 18:05:36.008 08/16/19 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

741 18:05:36.008 08/16/19 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

742 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

743 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

744 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

745 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

746 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

 

Any help would be greatly appreciated


5 Replies

Giuseppe Larosa
Hall of Fame

Hello Manish,

If the issue is caused by the transform-set, define another one to be used only for remote access:

crypto ipsec transform-set REMOTE esp-aes esp-sha-hmac

then

crypto dynamic-map d-map 1
 set transform-set REMOTE
 reverse-route
!

This should allow you to keep the current transform set on the site-to-site VPN and use the new one for remote VPN access.

Hope to help

Giuseppe

 

Thanks for your suggestion Giuseppe!!

After creating a second transform-set for Remote VPN, it is working as intended. But now I have one more issue which I did not notice earlier.

I have a server with IP address 10.0.0.27:8069. We need to access this server from the public network, so I enabled port mapping on my HQ Router, and it is working perfectly fine.

ip nat inside source static tcp 10.0.0.27 8069 xx.xx.xx.xx 8069

But I am not able to access http://10.0.0.27:8069 from my branch site connected via site-to-site VPN, nor from a remote site after connecting with the Cisco VPN client.

I searched Google and found some pieces related to route maps with the following command, but I do not know how to implement it fully on my HQ Router:

ip nat inside source static tcp 10.0.0.27 8069 xx.xx.xx.xx 8069 route-map VPN

Need support for crossing this final hurdle in closing my internal task.

Config of my HQ Router

Router#sh running-config
Building configuration...

Current configuration : 4506 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XX
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-15.T1.Final.bin
boot-end-marker
!
enable secret 5 $1$p
!
aaa new-model
!
!
aaa authentication login users local
aaa authorization network groups local
!
!
aaa session-id common
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key secretkey address XX.XX.XX.XX
crypto isakmp key secretkey2 address XX.XX.XX.XX
crypto isakmp key secretkey3 address XX.XX.XX.XX
crypto isakmp key secretkey4 address XX.XX.XX.XX
!
crypto isakmp client configuration group internal
key XXXXXX
pool VPNPOOL
acl 150
!
!
crypto ipsec transform-set XX esp-aes esp-md5-hmac
crypto ipsec transform-set XXXX esp-aes esp-md5-hmac
!
crypto dynamic-map d-map 1
set transform-set XXXX
reverse-route
!
!
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set XX
match address 100
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set XX
match address 103
crypto map IPSEC-SITE-TO-SITE-VPN 12 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set XX
match address 105
crypto map IPSEC-SITE-TO-SITE-VPN 13 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set XX
match address 104
crypto map IPSEC-SITE-TO-SITE-VPN 15 ipsec-isakmp dynamic d-map
!
!
!
!
!
username admin password 7 0525
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address XX.XX.XX.XX 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSEC-SITE-TO-SITE-VPN
!

!
ip local pool VPNPOOL 192.168.9.1 192.168.9.100
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
!
ip http server
no ip http secure-server

ip nat inside source list 199 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.0.0.10 82 XX.XX.XX.XX 82 extendable
ip nat inside source static tcp 10.0.0.9 4048 XX.XX.XX.XX 4048 extendable
ip nat inside source static tcp 10.0.0.16 22 XX.XX.XX.XX 8023 extendable
ip nat inside source static tcp 10.0.0.9 22 XX.XX.XX.XX 8042 extendable
ip nat inside source static tcp 10.0.0.13 22 XX.XX.XX.XX 8044 extendable
ip nat inside source static tcp 10.0.0.27 8069 XX.XX.XX.XX 8069 extendable
ip nat inside source static tcp 10.0.0.13 8069 XX.XX.XX.XX 8079 extendable
ip nat inside source static tcp 10.0.0.16 8085 XX.XX.XX.XX 8085 extendable
ip nat inside source static tcp 10.0.0.119 8091 XX.XX.XX.XX 8091 extendable
ip nat inside source static tcp 10.0.0.9 9005 XX.XX.XX.XX 9005 extendable
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 150 permit ip 10.0.0.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 199 deny ip 10.0.0.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 199 permit ip 10.0.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 5 15
!
scheduler allocate 20000 1000

!
webvpn cef
!
end

Router#

Please ignore the previous request, as I sorted out the issue by myself.

It was not that difficult and took only a few lines of modification in the config.

Hello Manish,

See the following document on how to configure that route-map:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14144-static.html

The idea is that the route-map should deny traffic belonging to the LAN-to-LAN IPsec VPN, so that the static NAT does not happen to it.

Warning:

I'm not sure you can use the route-map option and the extendable keyword at the same time.

If this happens, your possible workaround is to access the server on the public address.

Hope to help

Giuseppe
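The route-map exemption that the linked document describes, written out for the HQ router posted in this thread. This is an added example, not the poster's final configuration (the thread never shows it). It reuses the four VPN destination subnets that the HQ router's ACL 199 already exempts from PAT; the ACL number 120 and the route-map name VPN are placeholders chosen for the example.

```cisco
! HQ router: make the 10.0.0.27:8069 port-forward conditional, so that packets the
! server sends towards an IPsec peer network are left untranslated and match the
! crypto map instead. Added example following the linked Cisco document; not the
! original poster's final config. XX.XX.XX.XX is the HQ public address, as above.
!
! ACL 120: "deny" here means "do not translate". Same deny list as the PAT
! exemption ACL 199, restricted to the one host the static entry is for.
access-list 120 deny   ip host 10.0.0.27 192.168.1.0 0.0.0.255
access-list 120 deny   ip host 10.0.0.27 192.168.2.0 0.0.0.255
access-list 120 deny   ip host 10.0.0.27 192.168.3.0 0.0.0.255
access-list 120 deny   ip host 10.0.0.27 192.168.9.0 0.0.0.255
access-list 120 permit ip host 10.0.0.27 any
!
! A packet that ACL 120 denies does not match this permit clause, so the
! static translation is skipped for it.
route-map VPN permit 10
 match ip address 120
!
! Replace the unconditional entry with the route-map qualified one.
no ip nat inside source static tcp 10.0.0.27 8069 XX.XX.XX.XX 8069 extendable
ip nat inside source static tcp 10.0.0.27 8069 XX.XX.XX.XX 8069 route-map VPN
!
! Translations already in the table are not re-evaluated; clear them once from
! exec mode so the new rule takes effect:
!   clear ip nat translation *
```

Outbound packets from 10.0.0.27 to the Internet are still translated, and the inbound port-forward from the public address is unaffected; only server-to-VPN packets skip NAT and are encrypted with their real source address, which is what the branch ACLs and the client split-tunnel ACL expect. On the extendable question Giuseppe raises: IOS may append extendable on its own when several port-static entries share one global address, so after entering the command check `show running-config | include 10.0.0.27` and test from both a branch host and a connected VPN client before calling it done.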

 

Hello,

 

I am not sure, but I think your split VPN access list needs to look like this:

 

ip access-list extended 102
 permit ip 192.168.4.0 0.0.0.255 172.16.0.0 0.0.255.255
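The branch router's remote-access stanza with Giuseppe's separate transform set and the split-tunnel ACL from the reply above combined, as an added example; it is not the poster's final configuration, which the thread does not show. Public addresses, the group key and the user are placeholders. Two details are this example's own, not something a reply proposed: the split-tunnel and PAT-exemption entries are scoped to the /24 that actually contains the pool, and ACL 199 gains a deny for branch-LAN-to-client-pool traffic, which the original ACL lacks. That deny is needed because IOS translates before it encrypts, so without it replies to a VPN client leave GigabitEthernet0/1 with a PATed source and no longer match the client's IPsec SA. The pool name is spelled identically in ip local pool and in the group, since Mode Config (the step at which the posted client log stops) is where the group's pool and acl are handed out.

```cisco
! Branch router (Cisco 3825): remote-access and site-to-site on one crypto map.
! Added example combining the fixes suggested in this thread; not the original
! poster's config. Replace <hq-public-ip>, <group-key>, <user> and <password>.
!
! Two transform sets: the site-to-site peer keeps MY-SET, the VPN Client gets REMOTE.
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
crypto ipsec transform-set REMOTE esp-aes esp-sha-hmac
!
! Client address pool and the split-tunnel ACL pushed to the client. Split-tunnel
! entries are written from the LAN's point of view: source = networks reachable
! through the tunnel, destination = the client pool.
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
ip access-list extended 102
 permit ip 192.168.4.0 0.0.0.255 172.16.0.0 0.0.0.255
!
aaa new-model
aaa authentication login users local
aaa authorization network groups local
username <user> password <password>
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <hq-psk> address <hq-public-ip>
!
! Group name and key are what the VPN Client profile carries; the pool name must be
! spelled exactly as in "ip local pool" above.
crypto isakmp client configuration group internal
 key <group-key>
 pool VPNPOOL
 acl 102
!
crypto dynamic-map d-map 1
 set transform-set REMOTE
 reverse-route
!
! Static peer entry first, dynamic entry with the highest sequence number last:
! entries are evaluated in sequence order and the dynamic one must not shadow HQ.
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer <hq-public-ip>
 set transform-set MY-SET
 match address 100
crypto map IPSEC-SITE-TO-SITE-VPN 65535 ipsec-isakmp dynamic d-map
!
ip access-list extended 100
 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! PAT exemption: neither site-to-site traffic nor traffic to the client pool may be
! translated, otherwise it no longer matches the IPsec SA after NAT.
ip access-list extended 199
 deny   ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 192.168.4.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/1
 crypto map IPSEC-SITE-TO-SITE-VPN
```

After a client connects, `show crypto session` should list the HQ peer and the client as separate sessions, `show crypto ipsec sa peer <client-public-ip>` should show the REMOTE transform with packets encrypted and decrypted in both directions, and `show ip route static` should contain the /32 that reverse-route installed for the client's pool address. If the client log again ends before Mode Config completes, `debug crypto isakmp` on the router (in a maintenance window; it is verbose) shows whether the group lookup, pool assignment or ACL download is the step that fails.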
