VPN errors

lauraseymore
Level 1

Hi all!

I have trouble with VPN access. I have searched the Internet but can't quite find the solution. Please HELP!!!! Below is the debug info.

May 25 02:34:31.599: ISAKMP (0): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (N) NEW SA

May 25 02:34:31.599: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 17348

May 25 02:34:31.599: ISAKMP: New peer created peer = 0x2BA1981C peer_handle = 0x80000003

May 25 02:34:31.599: ISAKMP: Locking peer struct 0x2BA1981C, refcount 1 for crypto_isakmp_process_block

May 25 02:34:31.599: ISAKMP: local port 500, remote port 17348

May 25 02:34:31.599: ISAKMP:(0):insert sa successfully sa = 2BD65240

May 25 02:34:31.599: ISAKMP:(0): processing SA payload. message ID = 0

May 25 02:34:31.599: ISAKMP:(0): processing ID payload. message ID = 0

May 25 02:34:31.599: ISAKMP (0): ID payload

        next-payload : 13

        type         : 11

        group id     : ECOCION-VPN

        protocol     : 17

        port         : 500

        length       : 19

May 25 02:34:31.603: ISAKMP:(0):: peer matches vpn-ike-profile-1 profile

May 25 02:34:31.603: ISAKMP:(0):Setting client config settings 2BA19490

May 25 02:34:31.603: ISAKMP:(0):(Re)Setting client xauth list  and state

May 25 02:34:31.603: ISAKMP/xauth: initializing AAA request

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is XAUTH

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is DPD

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): processing IKE frag vendor id payload

May 25 02:34:31.603: ISAKMP:(0):Support for IKE Fragmentation not enabled

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

May 25 02:34:31.603: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.603: ISAKMP:(0): processing vendor id payload

May 25 02:34:31.603: ISAKMP:(0): vendor ID is Unity

May 25 02:34:31.603: ISAKMP:(0): Authentication by xauth preshared

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 256

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption AES-CBC

May 25 02:34:31.603: ISAKMP:      hash MD5

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth pre-share

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:      keylength of 128

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy

May 25 02:34:31.603: ISAKMP:      encryption 3DES-CBC

May 25 02:34:31.603: ISAKMP:      hash SHA

May 25 02:34:31.603: ISAKMP:      default group 2

May 25 02:34:31.603: ISAKMP:      auth XAUTHInitPreShared

May 25 02:34:31.603: ISAKMP:      life type in seconds

May 25 02:34:31.603: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:actual life: 86400

May 25 02:34:31.603: ISAKMP:(0):Acceptable atts:life: 0

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa vpi_length:4

May 25 02:34:31.603: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483

May 25 02:34:31.603: ISAKMP:(0):Returning Actual lifetime: 86400

May 25 02:34:31.603: ISAKMP:(0)::Started lifetime timer: 86400.

May 25 02:34:31.603: ISAKMP:(0): processing KE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): processing NONCE payload. message ID = 0

May 25 02:34:31.623: ISAKMP:(0): vendor ID is NAT-T v2

May 25 02:34:31.623: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH

May 25 02:34:31.623: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

May 25 02:34:31.623: ISAKMP:(1002): constructed NAT-T vendor-02 ID

May 25 02:34:31.623: ISAKMP:(1002):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR

May 25 02:34:31.623: ISAKMP (1002): ID payload

        next-payload : 10

        type         : 1

        address      : xxx.xxx.xxx.xxx

        protocol     : 0

        port         : 0

        length       : 12

May 25 02:34:31.623: ISAKMP:(1002):Total payload length: 12

May 25 02:34:31.627: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:31.627: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:31.627: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

May 25 02:34:36.971: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:36.971: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

May 25 02:34:37.471: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:37.471: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:42.043: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_EXCH

May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:42.043: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

May 25 02:34:42.543: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:42.543: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:47.135: ISAKMP (1002): received packet from xxx.xxx.xxx.xxx dport 500 sport 17348 Global (R) AG_INIT_

May 25 02:34:47.135: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.

May 25 02:34:47.135: ISAKMP:(1002): retransmitting due to retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:47.635: ISAKMP (1002): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

May 25 02:34:47.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:47.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH...

May 25 02:34:57.635: ISAKMP (1002): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

May 25 02:34:57.635: ISAKMP:(1002): retransmitting phase 1 AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 17348 (R) AG_INIT_EXCH

May 25 02:34:57.635: ISAKMP:(1002):Sending an IKE IPv4 Packet.

no debug all

47 Replies

Richard Burts
Hall of Fame

The debugs show that it got through the ISAKMP phase 1 negotiation but does not go further. I do not see authentication activity and wonder if the problem is an issue with authentication.

Are there logs or debugs from the other device that might shed more light on what the problem is?

HTH

Rick


Hi Richard,

Thank you for the response! Unfortunately there are no logs or debugs from other devices. It did work fine and then suddenly it stopped working. I wonder if the issue could be with the T1 line?

Thanks,

Laura

Laura

Especially if you tell us that it was working and then stopped working, and if the debug suggests that phase 1 works and that phase 2 fails, then I think that it is highly unlikely that the problem is with the T1. It is most likely that the problem is on one end or the other end.

HTH

Rick



Richard,

Can you give me a little direction? I don't even know where to look... I'm new to this. If it was working and then stopped and if the configurations haven't been changed, what could it be?

Laura

If it was working and then it stopped working then my guess is that something changed on one end or the other. Perhaps it is a configuration change in the tunnel termination end points. Or perhaps it is a code upgrade somewhere. Or perhaps it is a change in firewall rules on one side or the other. Or perhaps it is some change in the provider environment on one side or the other.

Is it possible to run debugs on the device on the other end of the connection?

HTH

Rick


Rick,

That is the thing, nothing was changed... I even went and restored the backed up settings and it did not fix anything. That is why I said maybe there is something with the T1... Nothing was changed... it stopped working for all of the users at one point...

Laura

You restored the backed up settings on one side or on both sides?

Can you tell us about the T1? Is it possible that the provider has changed something about the T1?

HTH

Rick


Hi,

ISAKMP policy didn't match. Re-check the config on both VPN peers.

May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!

May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3


Sent from Cisco Technical Support iPhone App

But if you keep reading the debugs and get down to #9 set of attributes you find this

May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3

and it goes on a bit and gets to this

May 25 02:34:31.627: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY

May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

and it looks to me like this is where things stall and stop progressing

I believe that it is more of a phase 2 problem than an ISAKMP attribute not matching problem.

HTH

Rick
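
The two readings of the debug output in this thread (rejected transforms versus a stalled exchange) can be told apart mechanically. The following Python is an added example, not part of any post here: it parses an abridged excerpt of the original post's `debug crypto isakmp` output and reports the rejected and accepted transforms and the state in which retransmissions occur. The function name `summarize` and its result keys are illustrative assumptions.

```python
import re

# Abridged excerpt of the `debug crypto isakmp` output in the original post.
SAMPLE_DEBUG = """\
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
May 25 02:34:31.603: ISAKMP:      encryption AES-CBC
May 25 02:34:31.603: ISAKMP:      hash SHA
May 25 02:34:31.603: ISAKMP:      keylength of 256
May 25 02:34:31.603: ISAKMP:(0):Encryption algorithm offered does not match policy!
May 25 02:34:31.603: ISAKMP:(0):atts are not acceptable. Next payload is 3
May 25 02:34:31.603: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
May 25 02:34:31.603: ISAKMP:      encryption 3DES-CBC
May 25 02:34:31.603: ISAKMP:      hash SHA
May 25 02:34:31.603: ISAKMP:(0):atts are acceptable. Next payload is 3
May 25 02:34:31.623: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
May 25 02:34:31.627: ISAKMP:(1002):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
May 25 02:34:36.971: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:37.471: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
May 25 02:34:42.043: ISAKMP:(1002): phase 1 packet is a duplicate of a previous packet.
May 25 02:34:42.543: ISAKMP (1002): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

RE_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(r"ISAKMP:\s{2,}(encryption|hash|auth|keylength of)\s+(\S+)")
RE_MISMATCH = re.compile(r"\):\s*(.+?) does not match policy!")
RE_VERDICT = re.compile(r"atts are (not acceptable|acceptable)")
RE_STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RE_RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")


def summarize(debug_text):
    """Summarize one responder-side IKEv1 negotiation from debug output."""
    proposals, states = [], []
    retries = duplicates = 0
    current = None  # transform currently being compared against a policy
    for line in debug_text.splitlines():
        if m := RE_CHECK.search(line):
            current = {"transform": int(m[1]), "priority": int(m[2]),
                       "attrs": {}, "accepted": False, "reason": None}
            proposals.append(current)
        elif current is not None and (m := RE_ATTR.search(line)):
            current["attrs"][m[1].split()[0]] = m[2]
        elif current is not None and (m := RE_MISMATCH.search(line)):
            current["reason"] = m[1]
        elif current is not None and (m := RE_VERDICT.search(line)):
            current["accepted"] = m[1] == "acceptable"
            current = None
        elif m := RE_STATE.search(line):
            states.append((m[1], m[2]))
        elif m := RE_RETRY.search(line):
            retries = max(retries, int(m[1]))
        elif "duplicate of a previous packet" in line:
            duplicates += 1
    accepted = [p for p in proposals if p["accepted"]]
    last_state = states[-1][1] if states else None
    if not accepted:
        finding = "no offered transform matched a local ISAKMP policy"
    elif retries:
        finding = f"proposal accepted, exchange stalled in {last_state}"
    else:
        finding = "proposal accepted, no retransmissions seen"
    return {"accepted": accepted, "last_state": last_state, "retries": retries,
            "rejected": [p for p in proposals if not p["accepted"]],
            "duplicates": duplicates, "finding": finding}


if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG)["finding"])
```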


Weird... I will look tomorrow again...

Thank you guys!

Ok I see nothing wrong with the config... Also the config wasn't changed when VPN stopped working. I decided to share with you my current configurations. Please, please, please take a look and see if you see anything wrong with it.

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-241536836

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-241536836

revocation-check none

rsakeypair TP-self-signed-241536836

!

username ciscouser secret cisco

ip ssh version 1

track 1 ip sla 1 reachability

track 2 ip sla 2 reachability

track 3 ip sla 3 reachability

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group Cisco-VPN

key cisco

dns xxx.xxx.xxx.xxx

domain cisco.com

pool VPN-Pool

acl 140

max-users 5

crypto isakmp profile vpn-ike-profile-1

   match identity group Cisco-VPN

   client authentication list vpn_xauth_ml_1

   isakmp authorization list vpn_group_ml_1

   client configuration address respond

   virtual-template 2

crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac

crypto ipsec profile VPN-Profile-1

set transform-set encrypt-method-1

bridge irb

interface Embedded-Service-Engine0/0

no ip address

shutdown

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

bridge-group 1

interface GigabitEthernet0/1

no ip address

duplex auto

speed auto

bridge-group 1

!

interface GigabitEthernet0/2

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip access-group 120 in

ip access-group 120 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/0/0

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip access-group 120 in

ip access-group 120 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/0/1

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip access-group 120 in

ip access-group 120 out

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface Virtual-Template2 type tunnel

ip unnumbered BVI1

tunnel mode ipsec ipv4

tunnel protection ipsec profile VPN-Profile-1

!

interface BVI1

ip address xxx.xxx.xxx.xxx 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip local pool VPN-Pool xxx.xxx.xxx.1 xxx.xxx.xxx.5

ip forward-protocol nd

!

no ip http server

ip http secure-server

!

ip nat inside source static tcp xxx.xxx.xxx.xxx 1521 interface FastEthernet0/0/1 1521

ip nat inside source static tcp xxx.xxx.xxx.xxx interface FastEthernet0/0/1 85

ip nat inside source route-map isp1 interface FastEthernet0/0/0 overload

ip nat inside source route-map isp2 interface FastEthernet0/0/1 overload

ip nat inside source route-map isp3 interface GigabitEthernet0/2 overload

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx track 1

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx track 2

ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx track 3

!

ip sla 1

icmp-echo xxx.xxx.xxx.xxx source-interface FastEthernet0/0/0

threshold 2

timeout 1000

frequency 3

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo xxx.xxx.xxx.xxx source-interface FastEthernet0/0/1

threshold 2

timeout 1000

frequency 3

ip sla schedule 2 life forever start-time now

ip sla 3

icmp-echo xxx.xxx.xxx.xxx source-interface GigabitEthernet0/2

threshold 2

timeout 1000

frequency 3

ip sla schedule 3 life forever start-time now

access-list 23 permit xxx.xxx.xxx.xxx 0.0.0.255

access-list 100 remark NAT

access-list 100 permit ip xxx.xxx.xxx.xxx 0.0.0.255 any

access-list 120 remark Rackspace

access-list 120 permit ip xxx.xxx.xxx.xxx 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.38

access-list 120 permit ip xxx.xxx.xxx0 0.0.0.255 host xxx.xxx.xxx.xxx

access-list 120 permit ip host xxx.xxx.xxx.32 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.33 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.34 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.35 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.36 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.37 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.38 xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip host xxx.xxx.xxx.xxx xxx.xxx.xxx0 0.0.0.255

access-list 120 permit ip any host xxx.xxx.xxx.xxx

access-list 120 permit ip any host xxx.xxx.xxx.xxx

access-list 120 permit ip any host xxx.xxx.xxx.xxx

access-list 120 permit ip host xxx.xxx.xxx.xxx any

access-list 120 permit ip host xxx.xxx.xxx.xxx any

access-list 120 permit ip host xxx.xxx.xxx.xxx any

access-list 120 permit tcp any any eq 4500

access-list 120 permit tcp any any eq 500

access-list 120 permit ip any any

access-list 140 remark VPN Users

access-list 140 permit ip any host xxx.xxx.xxx1

access-list 140 permit ip any host xxx.xxx.xxx2

access-list 140 permit ip any host xxx.xxx.xxx3

access-list 140 permit ip any host xxx.xxx.xxx4

access-list 140 permit ip any host xxx.xxx.xxx5

access-list 140 permit ip any any

!

!

!

!

route-map isp2 permit 10

match ip address 100

match interface FastEthernet0/0/1

!

route-map isp3 permit 10

match ip address 100

match interface GigabitEthernet0/2

!

route-map isp1 permit 10

match ip address 100

match interface FastEthernet0/0/0

!

!

!

!

!

control-plane

!

bridge 1 route ip

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

transport input ssh

!

scheduler allocate 20000 1000

end

Laura

I have reviewed the parts of the config that you posted. I see a few things that seem unusual, such as having access list 120 applied both in and out on multiple interfaces. But I do not think this relates to your VPN problem.  I am also a bit puzzled about access list 140 which does play a role in your VPN processing. It permits access from any source to 5 specific hosts and then does permit any any. So what is the point of the 5 specific hosts?

I do see that the config sets 5 as the max number of users and I wonder if that is part of the problem.

In looking again at the original post it shows output from debug crypto isakmp. But I am not convinced that the problem is necessarily in ISAKMP. I wonder what would show up in the output of debug crypto ipsec?

HTH

Rick
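
The observation about access list 140 (five host entries followed by `permit ip any any`) can be checked with a small audit. The following Python is an added example, not part of any post in this thread: it flags `ip` entries whose traffic a later same-action entry of the same list already matches, handling only `any`, `host X` and `X WILDCARD` operands. The sample list is constructed, with 192.168.0.x standing in for the redacted hosts, and all function names are illustrative.

```python
import ipaddress
import re

# Constructed sample modelled on access list 140 in the posted config; the
# 192.168.0.x hosts are stand-ins for the redacted addresses.
SAMPLE_ACL = """\
access-list 140 remark VPN Users
access-list 140 permit ip any host 192.168.0.1
access-list 140 permit ip any host 192.168.0.2
access-list 140 permit ip any host 192.168.0.3
access-list 140 permit ip any host 192.168.0.4
access-list 140 permit ip any host 192.168.0.5
access-list 140 permit ip any any
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ADDR = rf"(any|host {IP}|{IP} {IP})"
RE_ACE = re.compile(rf"^access-list (\d+) (permit|deny) ip {ADDR} {ADDR}$")
ALL = 0xFFFFFFFF


def parse_addr(spec):
    """Return (address, wildcard) integers for `any`, `host X` or `X WILDCARD`."""
    if spec == "any":
        return 0, ALL
    if spec.startswith("host "):
        return int(ipaddress.IPv4Address(spec[5:])), 0
    addr, wildcard = spec.split()
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def covers(outer, inner):
    """True if every address `inner` matches is also matched by `outer`."""
    fixed = ~outer[1] & ALL  # bits that `outer` actually compares
    return (inner[1] & fixed) == 0 and ((outer[0] ^ inner[0]) & fixed) == 0


def overlaps(a, b):
    """True if at least one address is matched by both `a` and `b`."""
    return ((a[0] ^ b[0]) & ~a[1] & ~b[1] & ALL) == 0


def both(test, x, y):
    """Apply `test` to the source and the destination of two entries."""
    return test(x["src"], y["src"]) and test(x["dst"], y["dst"])


def parse_acl(text):
    """Parse `access-list N permit|deny ip SRC DST` lines; skip everything else."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := RE_ACE.match(line):
            entries.append({"line": line, "acl": m[1], "action": m[2],
                            "src": parse_addr(m[3]), "dst": parse_addr(m[4])})
    return entries


def redundant_entries(text):
    """Entries already matched by a later same-action entry of the same list."""
    entries, found = parse_acl(text), []
    for i, e in enumerate(entries):
        for later in (x for x in entries[i + 1:] if x["acl"] == e["acl"]):
            if later["action"] == e["action"] and both(covers, later, e):
                found.append((e["line"], later["line"]))
                break
            if later["action"] != e["action"] and both(overlaps, later, e):
                break  # an opposite-action entry in between depends on `e`
    return found
```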


I wanted to tunnel all traffic from the VPN client to our network

R1(config)# access-list 120 remark ==[Cisco VPN Users]==

R1(config)# access-list 120 permit ip any host 192.168.0.1

R1(config)# access-list 120 permit ip any host 192.168.0.2

R1(config)# access-list 120 permit ip any host 192.168.0.3

R1(config)# access-list 120 permit ip any host 192.168.0.4

R1(config)# access-list 120 permit ip any host 192.168.0.5

I ran debug crypto ipsec and got no output whatsoever...