cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
821
Views
0
Helpful
6
Replies

VPN on 1841

Mark
Level 1
Level 1

Hoping someone might take a look at my VPN config here and see where I'm going wrong. Was working, now mysteriously it stopped working and nothing changed. It just fails to connect while authenticating and fails to WAN miniport then fails. Thank you in advance for any suggestions.

Current configuration : 6955 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 17:13:02 EDT Wed Jul 27 2016
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime
service password-encryption
!
hostname CISCO_1841
!
boot-start-marker
boot config flash:running-config
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 REMOVED
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network default local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.25
!
ip dhcp pool DATA
network 192.168.100.0 255.255.255.0
dns-server 75.75.75.75 8.8.8.8
default-router 192.168.100.1
!
ip dhcp pool WIRELESS
network 192.168.103.0 255.255.255.0
dns-server 75.75.75.75 8.8.8.8
default-router 192.168.103.1
!
ip dhcp pool CANON
host 192.168.100.5 255.255.255.0
client-identifier 0100.1e8f.39c0.c4
!
ip dhcp pool MONITOR
host 192.168.100.174 255.255.255.0
client-identifier 0100.2170.476e.10
!
ip dhcp pool VOIP
network 192.168.102.0 255.255.255.0
dns-server 75.75.75.75 8.8.8.8
default-router 192.168.102.1
!
ip dhcp pool SUT
network 192.168.101.0 255.255.255.0
dns-server 75.75.75.75 8.8.8.8
default-router 192.168.101.1
!
!
ip ddns update method no-ip
HTTP
add http://REMOVED
interval maximum 0 4 0 0
!
!
async-bootp dns-server 8.8.8.8
!
crypto pki trustpoint TP-self-signed-2714623577
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2714623577
revocation-check none
rsakeypair TP-self-signed-2714623577
!
!
crypto pki certificate chain TP-self-signed-2714623577
certificate self-signed 01
30820257 308201C0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32373134 36323335 3737301E 170D3136 30373237 32313133
30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37313436
32333537 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D003 AB5C4BD0 A741A8DE 506C4BE6 42A4E2EF DDE6BA34 16D7F2FB 64E4431A
E84361FC 44263E33 35F09285 0A8EC17A BD7C00EF F8F46F48 45D2367A 1755792D
89716DE1 BDD2740C 755B00F3 AC19B443 DE401821 17FB7C00 BE6D30D5 49800FD4
7ADE5072 18BAAB4D 57C3253B F7602BCC 0A3A15A0 57314D35 4B9CF9A8 8CAFFFA9
D3D50203 010001A3 7F307D30 0F060355 1D130101 FF040530 030101FF 302A0603
551D1104 23302182 1F434953 434F5F31 3834312E 68736431 2E76742E 636F6D63
6173742E 6E65742E 301F0603 551D2304 18301680 14F9099F 868D57A5 96AF22C9
BE730271 23E38849 45301D06 03551D0E 04160414 F9099F86 8D57A596 AF22C9BE
73027123 E3884945 300D0609 2A864886 F70D0101 04050003 81810085 DBA36507
ED7C6C15 DF6CF152 14045A9D 679E2CCB 349FC1C7 A676861B C7507567 66E7838F
546C8495 C6821600 79366AD7 91A6DE25 CD48C386 3C104BA6 D01C1B1B 9E599C8B
77374DD5 AB20FC58 9A175A9A 35966DAB F43CC1C0 D0A6D284 AFAC9C9E E86E2829
9623FA27 520B476A 6135E8A5 03DBA59E A30B582B CB014C71 D98EA1
quit
username REMOVED
username REMOVED
username REMOVED
username REMOVED
username REMOVED
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPN
!
crypto isakmp client configuration group vpnclient
key northnetvpn
dns 8.8.8.8
pool VPN
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto map intmap client configuration address initiate
!
!
!
interface FastEthernet0/0
ip ddns update hostname northshire.no-ip.biz
ip ddns update no-ip
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.102
encapsulation dot1Q 102
ip address 192.168.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.103
encapsulation dot1Q 103
ip address 192.168.103.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool VPN 10.10.10.10 10.10.10.50
no ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.1 22 interface FastEthernet0/0 22
ip nat inside source static udp 192.168.100.1 500 interface FastEthernet0/0 500
ip nat inside source static esp 192.168.100.1 interface FastEthernet0/0
ip nat inside source static udp 192.168.100.1 4500 interface FastEthernet0/0 4500
ip dns server
!
access-list 101 remark Allowed VPN Traffic
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.101.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.103.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 remark NAT and Split Tunnel
access-list 111 deny ip 192.168.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.101.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.102.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 deny ip 192.168.103.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip any any
!
!
control-plane
!
!
line con 0
line aux 0
transport input ssh
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178992
ntp server 198.144.194.12 prefer
end

6 Replies 6

Luke Oxley
Level 1
Level 1
[@Mark@northshirenetworks.com],
Thanks for your post - I'd be happy to assist. I make this assumption that you're using Cisco VPN Client on your end point.
Nothing is blindingly obvious from your configuration, it looks good. WAN miniport failure sounds like a client based issue at the moment. Can you please enable logging on the VPN client from the log drop down menu and also issue the following commands on the router (the syntax may vary depending on your version of IOS, use '?' to get the correct syntax).
debug crypto ipsec
debug crypto isakmp
Now try to recreate the issue. After it fails, take the logs from the logs tab and any debug output from the router and include it in a reply to this thread. Hopefully we can get this sorted for you!
Thanks,
Luke

Thanks for your help, Luke!

Here is the log from my client. I uninstalled and reinstalled with no change however I can connect to a different site with no problems using the same Cisco client.

Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1 08:40:54.055 07/28/16 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

2 08:40:54.055 07/28/16 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3 08:40:54.055 07/28/16 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

4 08:40:54.071 07/28/16 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

Getting closer, here is the log from the router-

Log Buffer (4096 bytes):
e_proxy= 10.10.10.11/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Jul 28 13:33:26.638: IPSEC(validate_transform_proposal): invalid local address 192.168.100.1
Jul 28 13:33:26.638: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jul 28 13:33:26.638: ISAKMP:(0:2:SW:1):Checking IPSec proposal 15
Jul 28 13:33:26.638: ISAKMP: transform 1, ESP_NULL
Jul 28 13:33:26.642: ISAKMP: attributes in transform:
Jul 28 13:33:26.642: ISAKMP: authenticator is HMAC-MD5
Jul 28 13:33:26.642: ISAKMP: encaps is 1 (Tunnel)
Jul 28 13:33:26.642: ISAKMP: SA life type in seconds
Jul 28 13:33:26.642: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1):atts are acceptable.
Jul 28 13:33:26.642: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.100.1, remote= 70.193.133.221,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.10.11/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-null esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Jul 28 13:33:26.642: IPSEC(validate_transform_proposal): invalid local address 192.168.100.1
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1):Checking IPSec proposal 16
Jul 28 13:33:26.642: ISAKMP: transform 1, ESP_NULL
Jul 28 13:33:26.642: ISAKMP: attributes in transform:
Jul 28 13:33:26.642: ISAKMP: authenticator is HMAC-SHA
Jul 28 13:33:26.642: ISAKMP: encaps is 1 (Tunnel)
Jul 28 13:33:26.642: ISAKMP: SA life type in seconds
Jul 28 13:33:26.642: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1):atts are acceptable.
Jul 28 13:33:26.642: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.100.1, remote= 70.193.133.221,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.10.11/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-null esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Jul 28 13:33:26.642: IPSEC(validate_transform_proposal): invalid local address 192.168.100.1
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 192.168.100.1 remote 70.193.133.221)
Jul 28 13:33:26.642: ISAKMP: set new node -1490255815 to QM_IDLE
Jul 28 13:33:26.642: ISAKMP:(0:2:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1664594792, message ID = -1490255815
Jul 28 13:33:26.646: ISAKMP:(0:2:SW:1): sending packet to 70.193.133.221 my_port 500 peer_port 10979 (R) QM_IDLE
Jul 28 13:33:26.646: ISAKMP:(0:2:SW:1):purging node -1490255815
Jul 28 13:33:26.646: ISAKMP:(0:2:SW:1):deleting node 764928476 error TRUE reason "QM rejected"
Jul 28 13:33:26.646: ISAKMP (0:134217730): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node 764928476: state = IKE_QM_READY
Jul 28 13:33:26.646: ISAKMP:(0:2:SW:1):Node 764928476, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Jul 28 13:33:26.646: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
Jul 28 13:33:26.734: ISAKMP (0:134217730): received packet from 70.193.133.221 dport 500 sport 10979 Global (R) QM_IDLE
Jul 28 13:33:26.734: ISAKMP: set new node -324468883 to QM_IDLE
Jul 28 13:33:26.734: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = -324468883
Jul 28 13:33:26.734: ISAKMP:(0:2:SW:1): processing DELETE payload. message ID = -324468883
Jul 28 13:33:26.738: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

Jul 28 13:33:26.738: ISAKMP:(0:2:SW:1):deleting node -324468883 error FALSE reason "Informational (in) state 1"
Jul 28 13:33:26.738: IPSEC(key_engine): got a queue event with 1 kei messages
Jul 28 13:33:26.738: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

Hey [@Mark@northshirenetworks.com],

My apologies for the late response, my shift patterns are mad at the moment and I've been recovering from some all-nighters. We are indeed getting closer, thanks for sending the debugs over.
First thing I would say it to double check your configuration in the .PCF profile for the client, in fact, I would suggest making a new one with the below template just to be sure. The reason I say this is as per the logging output from the client it looks like it could be a mismatched group name or password. So please, for my sanity and yours, recreate the profile and test again.
Connection Entry:
<Anything_You_Want>
Description:
<Anything_You_Want>
Host:
<Insert_Public_IP_Here>
Authentication Type:
Group Authentication
Name:
vpnclient
Password:
northnetvpn
Confirm Password:
northnetvpn
If this does not work, I would suggest forcing the mode on the transform set with the below commands.
crypto ipsec transform-set myset
mode tunnel
If you still have no luck, we will continue to troubleshoot. I assume there is no urgent rush to get this completed?

Thanks,
Luke


Thank you for your assistance and sorry for the delay in getting back to you. Home network always comes last... which encryption type do I choose below?

 

crypto ipsec transform-set myset (what set should I set here, says the command is incomplete… see below)
 mode tunnel

 

 

  ah-md5-hmac   AH-HMAC-MD5 transform

  ah-sha-hmac   AH-HMAC-SHA transform

  comp-lzs      IP Compression using the LZS compression algorithm

  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)

  esp-aes       ESP transform using AES cipher

  esp-des       ESP transform using DES cipher (56 bits)

  esp-md5-hmac  ESP transform using HMAC-MD5 auth

  esp-null      ESP transform w/o cipher

  esp-seal      ESP transform using SEAL cipher (160 bits)

  esp-sha-hmac  ESP transform using HMAC-SHA auth

Glenn Martin
Cisco Employee
Cisco Employee

This discussion is being moved to the Network Infrastructure community.

Review Cisco Networking for a $25 gift card