I have a task in hand where I need to get Site-to-Site and Remote-to-Site VPN configured on my Branch Router.
HQ - Only Site-to-Site VPN to Branch Router
Branch - Site-to-Site VPN with HQ router and Client-to-Branch Site VPN access
I have the following configuration. Site-to-site is working fine, but when I connect a laptop from outside the branch network using Cisco VPN Client ver 5, it asks for username and password but after some time no connection is established. I enabled logging in the VPN Client and get the following error message, which means Phase 2 is not getting negotiated.
If I change the transform-set to esp-aes esp-sha-mac then I lose my site-to-site VPN connectivity to my HQ router.
I am stuck now and have tried all the possible solutions but nothing seems to be working; I do not know where I am going wrong.
Branch Router Config (Cisco 3825)
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address XX.XX.XX.XX 255.255.255.0
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
! PAT for internet traffic; list 199 exempts VPN-bound traffic from translation
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
ip access-list extended 199
 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
 permit ip 192.168.4.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
!
! Crypto ACL for the site-to-site tunnel to HQ
ip access-list extended 100
 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! Split-tunnel ACL referenced by the client configuration group
ip access-list extended 102
 permit ip 172.16.0.0 0.0.255.255 any
!
aaa new-model
aaa authentication login users local
aaa authorization network groups local
!
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
!
! Easy VPN group for the Cisco VPN Client
crypto isakmp client configuration group internal
 key cisco
 pool vpnpool
 acl 102
!
crypto dynamic-map d-map 1
 set transform-set MY-SET
 reverse-route
!
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
!
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
!
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
!
username XX password XX
!
Cisco VPN Client Log message
Cisco Systems VPN Client Version 5.0.07.0410 Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved. Client Type(s): Windows, WinNT Running on: 6.1.7601 Service Pack 1
684 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100002 Begin connection process
698 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000001 IOS Vendor ID Contruction successful
699 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx
700 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000055 Sent a keepalive on the IPSec SA
701 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000083 IKE Port in use - Local Port = 0xC613, Remote Port = 0x1194
702 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000072 Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
736 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED
737 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx
738 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED
739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
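As an added example (this is not the original poster's configuration and has not been applied to their router), the fragment below shows how one crypto map on an IOS router can serve both an HQ site-to-site peer and Easy VPN software clients while each side negotiates its own IPsec proposal. The HQ peer address HQ.HQ.HQ.HQ, the key HQKEY, the transform-set names HQ-SET and CLIENT-SET, the 3DES/SHA contents of HQ-SET, and the ISAKMP policy numbers are all assumptions. It relies on two IOS behaviours: a crypto map entry, static or dynamic, accepts several transform sets on one `set transform-set` line and uses the first one the peer also proposes, so the site-to-site proposal does not have to change to admit the client; and the Cisco VPN Client negotiates with DH group 2 and authenticates users through XAUTH, so the router needs an ISAKMP policy with `group 2` plus the `client authentication list` and `isakmp authorization list` bindings on the map.

```cisco
! Added example, not the poster's running config. Placeholders: HQ.HQ.HQ.HQ, HQKEY
!
! ISAKMP policy matching whatever HQ already uses (3DES/SHA/group 2 assumed here)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! ISAKMP policy the Cisco VPN Client can match: AES, pre-shared key, DH group 2
crypto isakmp policy 20
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! The site-to-site peer authenticates with a per-peer key, the clients with a group key
crypto isakmp key HQKEY address HQ.HQ.HQ.HQ
!
! Easy VPN group: "internal" is the group name typed into the client.
! The acl is the split-tunnel list and should name the subnets clients reach
! through the tunnel (the branch LAN, e.g. 192.168.4.0/24), not the client pool.
crypto isakmp client configuration group internal
 key cisco
 pool VPNPOOL
 acl 102
!
! One transform set per peer type; HQ keeps the proposal it has today
crypto ipsec transform-set HQ-SET esp-3des esp-sha-hmac
crypto ipsec transform-set CLIENT-SET esp-aes esp-sha-hmac
!
! Dynamic entry for clients. Listing both sets lets IOS accept whichever the
! client proposes, so AES clients and 3DES clients both negotiate.
crypto dynamic-map d-map 1
 set transform-set CLIENT-SET HQ-SET
 reverse-route
!
! Client-side hooks on the map: XAUTH user auth, group authorization, mode config
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
!
! Static entry for HQ with its own transform set; it must carry a lower
! sequence number than the dynamic entry so HQ is matched first
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer HQ.HQ.HQ.HQ
 set transform-set HQ-SET
 match address 100
!
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
!
interface GigabitEthernet0/1
 crypto map IPSEC-SITE-TO-SITE-VPN
```

To see which stage actually fails, run `debug crypto isakmp` on the router while the client connects and compare with `show crypto isakmp sa` and `show crypto ipsec sa`. In the client log above the Phase 1 SA is established and then deleted "before Mode Config is completed", which places the failure in the XAUTH or mode-config exchange rather than in quick mode, so a transform-set mismatch is not the first thing to suspect; the group name, group key, pool reference and AAA lists on the map are. 3DES, SHA-1, DH group 2 and the Cisco VPN Client 5 are legacy choices; keep them only as long as the HQ side and the client require them.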