12-03-2012 04:15 AM - edited 03-07-2019 10:22 AM
Hi all! Please help me with the router IPSec VPN config for remote users using Cisco VPN Client 5.0.07
Router 3945 IOS C3900-UNIVERSALK9-M Version 15.1(4)M4
Can't understand what is wrong with this config - I'm just a beginner.
Here is the VPN-related part of the config and the logs from the router and the client.
aaa new-model
!
!
aaa authentication login default none
aaa authorization network default none
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
lifetime 300
crypto isakmp key 987456987 address 192.168.60.1
!
crypto isakmp client configuration group VPN-SB
key 987456987
pool VPN-SB
save-password
dhcp timeout 15
dhcp server 192.168.60.1
netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN-SB esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-SB-dyn 6
set transform-set VPN-SB
reverse-route
!
!
crypto map VPN-SB client authentication list default
crypto map VPN-SB isakmp authorization list default
crypto map VPN-SB client configuration address respond
crypto map VPN-SB 5 ipsec-isakmp
set peer 192.168.60.1
set transform-set VPN-SB
match address VPN-SB
crypto map VPN-SB 6 ipsec-isakmp dynamic VPN-SB-dyn discover
!
interface GigabitEthernet0/0.60
description VPN-SB
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no cdp enable
!
interface GigabitEthernet0/1.200
description WAN Rostel
encapsulation dot1Q 200
ip address x.x.x.x x.x.x.x
ip mtu 1340
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
ip tcp adjust-mss 1300
no cdp enable
crypto map VPN-SB
!
ip local pool VPN-SB 192.168.60.10 192.168.60.20
!
ip nat pool Rostel-28 x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source route-map LANs pool Rostel-28 overload
!
access-list 1 remark LAN-to-NAT
access-list 1 permit 192.168.60.0 0.0.0.255
!
route-map LANs permit 1
description LANs-to-NAT
match ip address 1
VPN client log:
1 15:47:17.303 12/03/12 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 15:47:31.900 12/03/12 Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command
3 16:06:27.542 12/03/12 Sev=Info/4 CM/0x63100002
Begin connection process
4 16:06:27.568 12/03/12 Sev=Info/4 CM/0x63100004
Establish secure connection
5 16:06:27.568 12/03/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "85.174.231.28"
6 16:06:27.580 12/03/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 85.174.231.28.
7 16:06:27.597 12/03/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
8 16:06:27.663 12/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 85.174.231.28
9 16:06:27.679 12/03/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
10 16:06:27.679 12/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
11 16:06:33.154 12/03/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
12 16:06:33.154 12/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
13 16:06:38.223 12/03/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
14 16:06:38.223 12/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
15 16:06:43.293 12/03/12 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
16 16:06:43.293 12/03/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
17 16:06:48.363 12/03/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=67B97DA7634157D8 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
18 16:06:48.865 12/03/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=67B97DA7634157D8 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
19 16:06:48.865 12/03/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "85.174.231.28" because of "DEL_REASON_PEER_NOT_RESPONDING"
20 16:06:48.866 12/03/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
21 16:06:48.890 12/03/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
22 16:06:48.893 12/03/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
23 16:06:49.904 12/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
24 16:06:49.904 12/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
25 16:06:49.904 12/03/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
26 16:06:49.904 12/03/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Router log:
000527: Dec 3 12:05:36.699 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (N) NEW SA
000528: Dec 3 12:05:36.699 UTC: ISAKMP: Created a peer struct for 188.162.132.92, peer port 8145
000529: Dec 3 12:05:36.699 UTC: ISAKMP: New peer created peer = 0x14456F30 peer_handle = 0x80000008
000530: Dec 3 12:05:36.699 UTC: ISAKMP: Locking peer struct 0x14456F30, refcount 1 for crypto_isakmp_process_block
000531: Dec 3 12:05:36.699 UTC: ISAKMP:(0):Setting client config settings 251AF40
000532: Dec 3 12:05:36.699 UTC: ISAKMP:(0):(Re)Setting client xauth list and state
000533: Dec 3 12:05:36.699 UTC: ISAKMP/xauth: initializing AAA request
000534: Dec 3 12:05:36.699 UTC: ISAKMP AAA: NAS Port Id is currently unavailable.
000535: Dec 3 12:05:36.699 UTC: ISAKMP:(0):AAA: Nas Port ID is unavailable.
000536: Dec 3 12:05:36.699 UTC: AAA/BIND(00000013): Bind i/f
000537: Dec 3 12:05:36.699 UTC: ISAKMP/aaa: unique id = 19
000538: Dec 3 12:05:36.699 UTC: ISAKMP: local port 500, remote port 8145
000539: Dec 3 12:05:36.699 UTC: ISAKMP:(0):insert sa successfully sa = 1463A728
000540: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing SA payload. message ID = 0
000541: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing ID payload. message ID = 0
000542: Dec 3 12:05:36.699 UTC: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : VPN-SB
protocol : 17
port : 500
length : 14
000543: Dec 3 12:05:36.699 UTC: ISAKMP:(0):: peer matches *none* of the profiles
000544: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000545: Dec 3 12:05:36.699 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
000546: Dec 3 12:05:36.699 UTC: ISAKMP:(0): vendor ID is XAUTH
000547: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000548: Dec 3 12:05:36.699 UTC: ISAKMP:(0): vendor ID is DPD
000549: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000550: Dec 3 12:05:36.699 UTC: ISAKMP:(0): processing IKE frag vendor id payload
000551: Dec 3 12:05:36.699 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
000552: Dec 3 12:05:36.703 UTC: ISAKMP:(0): processing vendor id payload
000553: Dec 3 12:05:36.703 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000554: Dec 3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000555: Dec 3 12:05:36.703 UTC: ISAKMP:(0): processing vendor id payload
000556: Dec 3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is Unity
000557: Dec 3 12:05:36.703 UTC: ISAKMP:(0): Authentication by xauth preshared
000558: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
000559: Dec 3 12:05:36.703 UTC: ISAKMP: encryption AES-CBC
000560: Dec 3 12:05:36.703 UTC: ISAKMP: hash SHA
000561: Dec 3 12:05:36.703 UTC: ISAKMP: default group 2
000562: Dec 3 12:05:36.703 UTC: ISAKMP: auth XAUTHInitPreShared
000563: Dec 3 12:05:36.703 UTC: ISAKMP: life type in seconds
000564: Dec 3 12:05:36.703 UTC: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
000565: Dec 3 12:05:36.703 UTC: ISAKMP: keylength of 256
000566: Dec 3 12:05:36.703 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
000567: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Acceptable atts:actual life: 300
000568: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Acceptable atts:life: 0
000569: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
000570: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
000571: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Returning Actual lifetime: 300
000572: Dec 3 12:05:36.703 UTC: ISAKMP:(0)::Started lifetime timer: 300.
000573: Dec 3 12:05:36.703 UTC: ISAKMP:(0): processing KE payload. message ID = 0
000574: Dec 3 12:05:36.703 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
000575: Dec 3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000576: Dec 3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel VPN-SB pw request
000577: Dec 3 12:05:36.703 UTC: AAA/AUTHOR (0x13): Pick method list 'default'
000578: Dec 3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: Tunnel VPN-SB PW Request successfully sent to AAA
000579: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000580: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
- PASS
000581: Dec 3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA
000582: Dec 3 12:05:36.703 UTC: ISAKMP/tunnel: received tunnel atts
000583: Dec 3 12:05:36.703 UTC: ISAKMP:Error - skey id.
000584: Dec 3 12:05:36.703 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
000585: Dec 3 12:05:36.703 UTC: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
000586: Dec 3 12:05:36.703 UTC: ISAKMP (0): ID payload
next-payload : 10
type : 1
address : x.x.x.x (my WAN address)
protocol : 0
port : 0
length : 12
000587: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Total payload length: 12
000588: Dec 3 12:05:36.703 UTC: ISAKMP:(0): unable to compute hash!
000589: Dec 3 12:05:36.703 UTC: ISAKMP:(0): unable to compute hash!
000590: Dec 3 12:05:36.703 UTC: ISAKMP:(0):peer does not do paranoid keepalives.
000591: Dec 3 12:05:36.703 UTC: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 188.162.132.92)
000592: Dec 3 12:05:36.703 UTC: ISAKMP (0): FSM action returned error: 2
000593: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
000594: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
000595: Dec 3 12:05:36.703 UTC: ISAKMP:FSM error - Message from AAA for key reply.
000596: Dec 3 12:05:36.703 UTC: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 188.162.132.92)
000597: Dec 3 12:05:36.703 UTC: ISAKMP: Unlocking peer struct 0x14456F30 for isadb_mark_sa_deleted(), count 0
000598: Dec 3 12:05:36.703 UTC: ISAKMP: Deleting peer node by peer_reap for 188.162.132.92: 14456F30
000599: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000600: Dec 3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_R_AM2 New State = IKE_DEST_SA
000601: Dec 3 12:05:36.703 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000602: Dec 3 12:05:42.083 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000603: Dec 3 12:05:47.147 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000604: Dec 3 12:05:52.227 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000605: Dec 3 12:06:36.703 UTC: ISAKMP:(0):purging SA., sa=1463A728, delme=1463A728
I highlighted the strings with possible causes of the failure to connect but don't know what to do with them. Google doesn't help. =/
12-03-2012 12:56 PM
Hello Mr. Lagun,
Thank you for posting. Unfortunately, the Cisco Support Community is only dedicated to Small Business products and does not support CLI configuration.
And the 3945 router is not considered a Small Business device.
In order to get an accurate and quick answer, I recommend that you contact the Cisco support center.
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html.
Diego Rodriguez
Cisco network engineer
Thank you.
12-05-2012 05:28 PM
It is possible that there is more than one problem here. But the first thing that I notice is what looks like a problem with authentication. The configuration of the crypto map says
crypto map VPN-SB client authentication list default
but the only thing that I see in the router config about authentication is
aaa authentication login default none
which says that the router is not doing authentication. I suggest that you address this and let us know what are the results.
HTH
Rick
12-06-2012 11:47 PM
Thanks a lot for your answer, Richard. I already resolved this problem, and yes, authentication was only one of the misconfigurations. Here is the right config:
!
aaa new-model
!
!
aaa authentication login SB local
aaa authorization network SB local
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 2
lifetime 300
!
crypto isakmp client configuration group SB
key %Hereispresharedkey%
pool VPN-SB
acl VPN-SB
save-password
!
!
crypto ipsec transform-set VPN-SB esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-SB-dyn 6
set transform-set VPN-SB
reverse-route
!
!
crypto map VPN-SB client authentication list SB
crypto map VPN-SB isakmp authorization list SB
crypto map VPN-SB client configuration address respond
crypto map VPN-SB 6 ipsec-isakmp dynamic VPN-SB-dyn
The other lines (ACL, interface config) are the same.
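Added worked check (editor's example, not code from the thread or from Cisco): the Python script below audits an IOS configuration the way Rick did by hand. It resolves the method-list names referenced by "crypto map ... client authentication list" and "crypto map ... isakmp authorization list" against the "aaa authentication login" and "aaa authorization network" definitions and reports any list that is not defined or that resolves to "none". The two configurations embedded in the script are constructed excerpts of the first (broken) and the corrected configs posted above, trimmed to the lines the audit needs; the "group radius none" list in the usage block is a hypothetical extra case added to show the fallback-to-none pattern, not something from the thread.

```python
"""Audit IOS crypto-map Xauth / ISAKMP authorization list references.

A crypto map line such as
    crypto map VPN-SB client authentication list default
is only as strong as the method list it names. If that list is
    aaa authentication login default none
then Xauth never checks a user credential. The same applies to
    crypto map VPN-SB isakmp authorization list <name>
resolved against `aaa authorization network <name> ...`.
"""
import re

# Constructed excerpt of the first (broken) config from the thread.
BROKEN_CONFIG = """
aaa new-model
aaa authentication login default none
aaa authorization network default none
crypto map VPN-SB client authentication list default
crypto map VPN-SB isakmp authorization list default
crypto map VPN-SB client configuration address respond
"""

# Constructed excerpt of the corrected config from the thread.
FIXED_CONFIG = """
aaa new-model
aaa authentication login SB local
aaa authorization network SB local
crypto map VPN-SB client authentication list SB
crypto map VPN-SB isakmp authorization list SB
crypto map VPN-SB client configuration address respond
"""

# kind -> regex capturing (list name, method keywords) for list definitions
_LIST_DEFS = {
    "login": re.compile(r"^aaa authentication login (\S+)\s+(.+)$"),
    "network": re.compile(r"^aaa authorization network (\S+)\s+(.+)$"),
}
# kind -> regex capturing (crypto map name, list name) for crypto map references
_MAP_REFS = {
    "login": re.compile(r"^crypto map (\S+) client authentication list (\S+)$"),
    "network": re.compile(r"^crypto map (\S+) isakmp authorization list (\S+)$"),
}
_WHAT = {"login": "Xauth (client authentication)",
         "network": "ISAKMP group authorization"}


def parse_method_lists(config: str) -> dict:
    """Return {"login": {name: [keywords]}, "network": {name: [keywords]}}.

    Method keywords are split on whitespace, so `group radius none`
    becomes ["group", "radius", "none"]; that is enough to spot `none`.
    """
    lists = {"login": {}, "network": {}}
    for raw in config.splitlines():
        line = raw.strip()
        for kind, rx in _LIST_DEFS.items():
            m = rx.match(line)
            if m:
                lists[kind][m.group(1)] = m.group(2).split()
    return lists


def audit_crypto_maps(config: str) -> list:
    """Return one finding string per dangling or `none`-backed list reference."""
    findings = []
    lines = [raw.strip() for raw in config.splitlines()]
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled; named method lists have no effect")
    lists = parse_method_lists(config)
    for kind, rx in _MAP_REFS.items():
        for line in lines:
            m = rx.match(line)
            if not m:
                continue
            cmap, name = m.group(1), m.group(2)
            methods = lists[kind].get(name)
            if methods is None:
                findings.append(f"crypto map {cmap}: {_WHAT[kind]} list '{name}' is not defined")
            elif methods == ["none"]:
                findings.append(f"crypto map {cmap}: {_WHAT[kind]} list '{name}' is 'none': "
                                "no check is performed at all")
            elif "none" in methods:
                findings.append(f"crypto map {cmap}: {_WHAT[kind]} list '{name}' "
                                f"({' '.join(methods)}) falls back to 'none' when the "
                                "earlier methods fail or are unreachable")
    return findings


if __name__ == "__main__":
    # Hypothetical third case: RADIUS with a silent fallback to no authentication.
    fallback_config = ("aaa new-model\n"
                       "aaa authentication login SB group radius none\n"
                       "crypto map X client authentication list SB\n")
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG),
                       ("radius-none", fallback_config)):
        print(f"== {label} ==")
        for f in audit_crypto_maps(cfg) or ["no findings"]:
            print("  " + f)
```

Run as a script it prints the two "default ... is 'none'" findings for the broken config, nothing for the corrected one, and the fallback warning for the hypothetical RADIUS list. It only inspects the list wiring; it does not judge the methods themselves (a "local" list still needs a username configured, which the thread does not show).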
12-06-2012 11:51 PM
Thanks, Juan, Cisco support helped me.