Problem with router vpn configuration

radix1123
Level 1

Hi all! Please help me with the router IPSec VPN config for remote users using Cisco VPN Client 5.0.07

Router 3945 IOS C3900-UNIVERSALK9-M Version 15.1(4)M4

Can't understand what is wrong with this config - I'm just a beginner.

Here is VPN related config part and log from router and client.

aaa new-model
!
!
aaa authentication login default none
aaa authorization network default none
!
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key 987456987 address 192.168.60.1
!
crypto isakmp client configuration group VPN-SB
 key 987456987
 pool VPN-SB
 save-password
 dhcp timeout 15
 dhcp server 192.168.60.1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN-SB esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-SB-dyn 6
 set transform-set VPN-SB
 reverse-route
!
!
crypto map VPN-SB client authentication list default
crypto map VPN-SB isakmp authorization list default
crypto map VPN-SB client configuration address respond
crypto map VPN-SB 5 ipsec-isakmp
 set peer 192.168.60.1
 set transform-set VPN-SB
 match address VPN-SB
crypto map VPN-SB 6 ipsec-isakmp dynamic VPN-SB-dyn discover
!
interface GigabitEthernet0/0.60
 description VPN-SB
 encapsulation dot1Q 60
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface GigabitEthernet0/1.200
 description WAN Rostel
 encapsulation dot1Q 200
 ip address x.x.x.x x.x.x.x
 ip mtu 1340
 ip nat outside
 ip virtual-reassembly in max-reassemblies 1024
 ip tcp adjust-mss 1300
 no cdp enable
 crypto map VPN-SB
!
ip local pool VPN-SB 192.168.60.10 192.168.60.20
!
ip nat pool Rostel-28 x.x.x.x x.x.x.x netmask x.x.x.x
ip nat inside source route-map LANs pool Rostel-28 overload
!
access-list 1 remark LAN-to-NAT
access-list 1 permit 192.168.60.0 0.0.0.255
!
route-map LANs permit 1
 description LANs-to-NAT
 match ip address 1

VPN client log:

1      15:47:17.303  12/03/12  Sev=Info/6          GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2      15:47:31.900  12/03/12  Sev=Info/4          PPP/0x63200015
Processing enumerate phone book entries command
3      16:06:27.542  12/03/12  Sev=Info/4          CM/0x63100002
Begin connection process
4      16:06:27.568  12/03/12  Sev=Info/4          CM/0x63100004
Establish secure connection
5      16:06:27.568  12/03/12  Sev=Info/4          CM/0x63100024
Attempt connection with server "85.174.231.28"
6      16:06:27.580  12/03/12  Sev=Info/6          IKE/0x6300003B
Attempting to establish a connection with 85.174.231.28.
7      16:06:27.597  12/03/12  Sev=Info/4          IKE/0x63000001
Starting IKE Phase 1 Negotiation
8      16:06:27.663  12/03/12  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 85.174.231.28
9      16:06:27.679  12/03/12  Sev=Info/4          IPSEC/0x63700008
IPSec driver successfully started
10     16:06:27.679  12/03/12  Sev=Info/4          IPSEC/0x63700014
Deleted all keys
11     16:06:33.154  12/03/12  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!
12     16:06:33.154  12/03/12  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
13     16:06:38.223  12/03/12  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!
14     16:06:38.223  12/03/12  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
15     16:06:43.293  12/03/12  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!
16     16:06:43.293  12/03/12  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 85.174.231.28
17     16:06:48.363  12/03/12  Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=67B97DA7634157D8 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
18     16:06:48.865  12/03/12  Sev=Info/4          IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=67B97DA7634157D8 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
19     16:06:48.865  12/03/12  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "85.174.231.28" because of "DEL_REASON_PEER_NOT_RESPONDING"
20     16:06:48.866  12/03/12  Sev=Info/5          CM/0x63100025
Initializing CVPNDrv
21     16:06:48.890  12/03/12  Sev=Info/6          CM/0x63100046
Set tunnel established flag in registry to 0.
22     16:06:48.893  12/03/12  Sev=Info/4          IKE/0x63000001
IKE received signal to terminate VPN connection
23     16:06:49.904  12/03/12  Sev=Info/4          IPSEC/0x63700014
Deleted all keys
24     16:06:49.904  12/03/12  Sev=Info/4          IPSEC/0x63700014
Deleted all keys
25     16:06:49.904  12/03/12  Sev=Info/4          IPSEC/0x63700014
Deleted all keys
26     16:06:49.904  12/03/12  Sev=Info/4          IPSEC/0x6370000A
IPSec driver successfully stopped

Router log:

000527: Dec  3 12:05:36.699 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (N) NEW SA
000528: Dec  3 12:05:36.699 UTC: ISAKMP: Created a peer struct for 188.162.132.92, peer port 8145
000529: Dec  3 12:05:36.699 UTC: ISAKMP: New peer created peer = 0x14456F30 peer_handle = 0x80000008
000530: Dec  3 12:05:36.699 UTC: ISAKMP: Locking peer struct 0x14456F30, refcount 1 for crypto_isakmp_process_block
000531: Dec  3 12:05:36.699 UTC: ISAKMP:(0):Setting client config settings 251AF40
000532: Dec  3 12:05:36.699 UTC: ISAKMP:(0):(Re)Setting client xauth list  and state
000533: Dec  3 12:05:36.699 UTC: ISAKMP/xauth: initializing AAA request
000534: Dec  3 12:05:36.699 UTC: ISAKMP AAA: NAS Port Id is currently unavailable.
000535: Dec  3 12:05:36.699 UTC: ISAKMP:(0):AAA: Nas Port ID is unavailable.
000536: Dec  3 12:05:36.699 UTC: AAA/BIND(00000013): Bind i/f
000537: Dec  3 12:05:36.699 UTC: ISAKMP/aaa: unique id = 19
000538: Dec  3 12:05:36.699 UTC: ISAKMP: local port 500, remote port 8145
000539: Dec  3 12:05:36.699 UTC: ISAKMP:(0):insert sa successfully sa = 1463A728
000540: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing SA payload. message ID = 0
000541: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing ID payload. message ID = 0
000542: Dec  3 12:05:36.699 UTC: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : VPN-SB
        protocol     : 17
        port         : 500
        length       : 14
000543: Dec  3 12:05:36.699 UTC: ISAKMP:(0):: peer matches *none* of the profiles
000544: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000545: Dec  3 12:05:36.699 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
000546: Dec  3 12:05:36.699 UTC: ISAKMP:(0): vendor ID is XAUTH
000547: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000548: Dec  3 12:05:36.699 UTC: ISAKMP:(0): vendor ID is DPD
000549: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing vendor id payload
000550: Dec  3 12:05:36.699 UTC: ISAKMP:(0): processing IKE frag vendor id payload
000551: Dec  3 12:05:36.699 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled
000552: Dec  3 12:05:36.703 UTC: ISAKMP:(0): processing vendor id payload
000553: Dec  3 12:05:36.703 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
000554: Dec  3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000555: Dec  3 12:05:36.703 UTC: ISAKMP:(0): processing vendor id payload
000556: Dec  3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is Unity
000557: Dec  3 12:05:36.703 UTC: ISAKMP:(0): Authentication by xauth preshared
000558: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy
000559: Dec  3 12:05:36.703 UTC: ISAKMP:      encryption AES-CBC
000560: Dec  3 12:05:36.703 UTC: ISAKMP:      hash SHA
000561: Dec  3 12:05:36.703 UTC: ISAKMP:      default group 2
000562: Dec  3 12:05:36.703 UTC: ISAKMP:      auth XAUTHInitPreShared
000563: Dec  3 12:05:36.703 UTC: ISAKMP:      life type in seconds
000564: Dec  3 12:05:36.703 UTC: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
000565: Dec  3 12:05:36.703 UTC: ISAKMP:      keylength of 256
000566: Dec  3 12:05:36.703 UTC: ISAKMP:(0):atts are acceptable. Next payload is 3
000567: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Acceptable atts:actual life: 300
000568: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Acceptable atts:life: 0
000569: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Fill atts in sa vpi_length:4
000570: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
000571: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Returning Actual lifetime: 300
000572: Dec  3 12:05:36.703 UTC: ISAKMP:(0)::Started lifetime timer: 300.
000573: Dec  3 12:05:36.703 UTC: ISAKMP:(0): processing KE payload. message ID = 0
000574: Dec  3 12:05:36.703 UTC: ISAKMP:(0): processing NONCE payload. message ID = 0
000575: Dec  3 12:05:36.703 UTC: ISAKMP:(0): vendor ID is NAT-T v2
000576: Dec  3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel VPN-SB pw request
000577: Dec  3 12:05:36.703 UTC: AAA/AUTHOR (0x13): Pick method list 'default'
000578: Dec  3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: Tunnel VPN-SB PW Request successfully sent to AAA
000579: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
000580: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
- PASS
000581: Dec  3 12:05:36.703 UTC: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA
000582: Dec  3 12:05:36.703 UTC: ISAKMP/tunnel: received tunnel atts
000583: Dec  3 12:05:36.703 UTC: ISAKMP:Error - skey id.
000584: Dec  3 12:05:36.703 UTC: ISAKMP:(0): constructed NAT-T vendor-02 ID
000585: Dec  3 12:05:36.703 UTC: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
000586: Dec  3 12:05:36.703 UTC: ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        address      : x.x.x.x (my WAN address)
        protocol     : 0
        port         : 0
        length       : 12
000587: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Total payload length: 12
000588: Dec  3 12:05:36.703 UTC: ISAKMP:(0): unable to compute hash!
000589: Dec  3 12:05:36.703 UTC: ISAKMP:(0): unable to compute hash!
000590: Dec  3 12:05:36.703 UTC: ISAKMP:(0):peer does not do paranoid keepalives.
000591: Dec  3 12:05:36.703 UTC: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 188.162.132.92)
000592: Dec  3 12:05:36.703 UTC: ISAKMP (0): FSM action returned error: 2
000593: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
000594: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
000595: Dec  3 12:05:36.703 UTC: ISAKMP:FSM error - Message from AAA for key reply.
000596: Dec  3 12:05:36.703 UTC: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 188.162.132.92)
000597: Dec  3 12:05:36.703 UTC: ISAKMP: Unlocking peer struct 0x14456F30 for isadb_mark_sa_deleted(), count 0
000598: Dec  3 12:05:36.703 UTC: ISAKMP: Deleting peer node by peer_reap for 188.162.132.92: 14456F30
000599: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
000600: Dec  3 12:05:36.703 UTC: ISAKMP:(0):Old State = IKE_R_AM2  New State = IKE_DEST_SA
000601: Dec  3 12:05:36.703 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
000602: Dec  3 12:05:42.083 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000603: Dec  3 12:05:47.147 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000604: Dec  3 12:05:52.227 UTC: ISAKMP (0): received packet from 188.162.132.92 dport 500 sport 8145 Global (R) MM_NO_STATE
000605: Dec  3 12:06:36.703 UTC: ISAKMP:(0):purging SA., sa=1463A728, delme=1463A728

I highlighted the strings with the possible causes of being unable to connect, but I don't know what to do with them. Google doesn't help. =/

4 Replies

jurodri3
Level 1

Hello Mr. Lagun,

Thank you for posting. Unfortunately, the Cisco Support community is only dedicated to Small Business products and does not support CLI configuration.

And the Router 3945 is not considered a Small Business device.

In order to get an accurate and quick answer, I recommend that you contact our Cisco support center.

http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html.

Diego Rodriguez

Cisco network engineer

Thank you.

It is possible that there is more than one problem here. But the first thing that I notice is what looks like a problem with authentication. The configuration of the crypto map says

crypto map VPN-SB client authentication list default

but the only thing that I see in the router config about authentication is

aaa authentication login default none

which says that the router is not doing authentication. I suggest that you address this and let us know what the results are.

HTH

Rick


Thx a lot for your answer, Richard. I already resolved this problem, and yes, authentication was only one of the misconfigs. Here is the right config:

!
aaa new-model
!
!
aaa authentication login SB local
aaa authorization network SB local
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 lifetime 300
!
crypto isakmp client configuration group SB
 key %Hereispresharedkey%
 pool VPN-SB
 acl VPN-SB
 save-password
!
!
crypto ipsec transform-set VPN-SB esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-SB-dyn 6
 set transform-set VPN-SB
 reverse-route
!
!
crypto map VPN-SB client authentication list SB
crypto map VPN-SB isakmp authorization list SB
crypto map VPN-SB client configuration address respond
crypto map VPN-SB 6 ipsec-isakmp dynamic VPN-SB-dyn

Other strings (ACL, interface config) are the same.

Thx Juan, Cisco support helped me.
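Rick's point above (the crypto map names AAA list "default", which the config defines as "none") and the corrected config in the final post can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads an IOS config, resolves each AAA list a crypto map references, and flags lists that are undefined or whose only method is "none". The two config excerpts are constructed from this thread's original and corrected configs.

```python
import re
from typing import Dict, List

# Constructed excerpts from this thread: the original config (crypto map
# bound to AAA list "default", which is defined as "none") and the fix
# (lists "SB" backed by the local user database).
BROKEN_CFG = """\
aaa new-model
aaa authentication login default none
aaa authorization network default none
crypto map VPN-SB client authentication list default
crypto map VPN-SB isakmp authorization list default
crypto map VPN-SB client configuration address respond
"""

FIXED_CFG = """\
aaa new-model
aaa authentication login SB local
aaa authorization network SB local
crypto map VPN-SB client authentication list SB
crypto map VPN-SB isakmp authorization list SB
"""

AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)$")


def audit_crypto_map_aaa(config: str) -> List[str]:
    """Return one finding per crypto map AAA binding that cannot work:
    the named list is not defined, or its only method is 'none'."""
    lists: Dict[str, Dict[str, List[str]]] = {"authentication login": {}, "authorization network": {}}
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:  # first pass: collect AAA method lists
        m = AAA_RE.match(ln)
        if m:
            lists[m.group(1)][m.group(2)] = m.group(3).split()
    findings = []
    for ln in lines:  # second pass: resolve what each crypto map references
        m = MAP_RE.match(ln)
        if not m:
            continue
        cmap, kind, name = m.groups()
        aaa_kind = "authentication login" if kind == "client authentication" else "authorization network"
        methods = lists[aaa_kind].get(name)
        if methods is None:
            findings.append(f"{cmap}: {kind} list '{name}' is not defined")
        elif methods == ["none"]:
            findings.append(f"{cmap}: {kind} list '{name}' uses method 'none' (no {aaa_kind.split()[0]})")
    return findings
```

Run against the original config this reports both the Xauth authentication list and the group authorization list as "none"; the corrected config produces no findings.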
