08-22-2012 10:36 PM - edited 02-21-2020 06:17 PM
Hello, below is my VPN config in my 871 and RADIUS user config. I am unable to connect to the VPN using the Cisco VPN client. I am getting one of two errors depending on what config changes I make. I believe I have the RADIUS configured correctly because it is authenticating, but not 100% sure.
Error I first received, with no changes.
50 22:00:48.120 08/22/12 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
Error I received after adding "crypto isakmp client configuration address-pool local VPN-Pool"
45 21:59:38.435 08/22/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 172.28.29.255
Netmask 255.255.255.255
Gateway 192.168.17.1
Interface 192.168.17.17
46 21:59:38.435 08/22/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac1c1dff, Netmask: ffffffff, Interface: c0a81111, Gateway: c0a81101.
Radius users config
VPN-Clients Cleartext-Password := "cisco"
Service-Type = "Outbound-User",
Tunnel-Type="ESP",
Tunnel-Password="<removed>",
cisco-avpair = "ipsec:tunnel-type*ESP",
cisco-avpair = "ipsec:key-exchange=ike",
cisco-avpair = "ipsec:addr-pool=VPN-Pool",
cisco-avpair = "ipsec:default-domain=<removed>,
cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel",
cisco-avpair = "ipsec:dns-servers=192.168.16.10 68.105.29.12"
DEFAULT Auth-Type := Pam
Service-Type = Login,
cisco-avpair = "ipsec:user-vpn-group=VPN-Clients",
cisco-avpair = "ipsec:addr-pool=VPN-Pool",
cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel"
VPN config on router:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 900
!
crypto isakmp client configuration group VPN-Clients
key <removed>
dns 192.168.16.10 68.105.28.12
domain <removed>
pool VPN-Pool
acl VPN-Split-Tunnel
max-users 6
netmask 255.255.255.128
crypto isakmp profile vpn-ike-profile-1
match identity group VPN-Clients
client authentication list VPN-Users
isakmp authorization list VPN-Users
client configuration address respond
client configuration group VPN-Clients
keepalive 60 retry 30
virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set encrypt-method-1 esp-aes 256 esp-sha-hmac comp-lzs
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
interface Virtual-Template1 type tunnel
description VPN Zone Inside
ip unnumbered Vlan10
ip nat inside
ip virtual-reassembly
zone-member security Inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.17.1 192.168.17.17
!
ip access-list extended VPN-Split-Tunnel
permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.128
08-23-2012 02:16 AM
Update:
When I remove the authentication through RADIUS, the VPN connection works. So my issue lies with my RADIUS config. Any idea?
08-23-2012 08:33 PM
Update 2:
I have fixed the issue with "AddRoute failed to add a route with metric of 0" by adding the Cisco-AVPair = "isakmp-group-id=VPN-Clients"; however, this leads me to a new problem where the local resources are not accessible or pingable after the VPN connection is made. Below is the updated config for router and RADIUS. Is there something incorrect about my config that would be stopping users from accessing resources?
Router:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ***** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 900
crypto isakmp client configuration address-pool local VPN-Pool
!
crypto isakmp client configuration group VPN-Clients
key *****
dns *****
pool VPN-Pool
acl VPN-Split-Tunnel
group-lock
split-dns *****
max-users 6
netmask 255.255.255.128
crypto isakmp profile vpn-ike-profile-1
match identity group VPN-Clients
client authentication list VPN-Users
isakmp authorization list VPN-Users
client configuration address respond
client configuration group VPN-Clients
keepalive 60 retry 30
virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set encrypt-method-1 esp-aes 256 esp-sha-hmac comp-lzs
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
interface Virtual-Template1 type tunnel
description VPN Zone Inside
ip unnumbered Vlan10
ip nat inside
ip virtual-reassembly
zone-member security Inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.17.0 192.168.17.127 group VPN-Pool
!
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended VPN-Split-Tunnel
permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
Radius:
VPN-Clients Cleartext-Password := "cisco"
Service-Type = "Outbound-User",
Tunnel-Type="ESP",
Tunnel-Password="*****",
Cisco-AVPair = "isakmp-group-id=VPN-Clients",
cisco-avpair += "ipsec:tunnel-type*ESP",
cisco-avpair += "ipsec:key-exchange=ike",
cisco-avpair += "ipsec:addr-pool=VPN-Pool",
cisco-avpair += "ipsec:default-domain=*****",
cisco-avpair += "ipsec:inacl=VPN-Split-Tunnel",
cisco-avpair += "ipsec:dns-servers=*****",
Framed-IP-Netmask = 255.255.255.128
DEFAULT Auth-Type := Pam
Service-Type = NAS-Prompt-User,
cisco-avpair = "ipsec:tunnel-type*ESP",
Cisco-AVPair += "isakmp-group-id=VPN-Clients",
cisco-avpair += "ipsec:key-exchange=ike",
cisco-avpair += "ipsec:addr-pool=VPN-Pool",
cisco-avpair += "ipsec:default-domain=*****",
cisco-avpair += "ipsec:inacl=VPN-Split-Tunnel",
cisco-avpair += "ipsec:dns-servers=*****",
cisco-avpair += "ipsec:user-vpn-group=VPN-Clients"
08-25-2012 08:07 PM
Update 3: the errors looked to be in the RADIUS setup. Changed Service-Type to Outbound-User on the default user setting and everything works great.
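As an added example (not part of this thread), here is a small Python linter for a FreeRADIUS users file that checks the two things the updates above ended up fixing, the group entry's "isakmp-group-id" AV-pair and Service-Type Outbound-User on the DEFAULT entry, and also flags repeated cisco-avpair items written with "=" instead of "+=". The sample users text is constructed to mirror the first RADIUS config in the thread; the group name VPN-Clients is taken from it.

```python
import re

# Constructed sample in FreeRADIUS 'users' format, mirroring the first RADIUS
# config in the thread (reply items are indented and comma-continued).
SAMPLE_USERS = """\
VPN-Clients Cleartext-Password := "cisco"
    Service-Type = "Outbound-User",
    Tunnel-Type = "ESP",
    cisco-avpair = "ipsec:key-exchange=ike",
    cisco-avpair = "ipsec:addr-pool=VPN-Pool",
    cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel"
DEFAULT Auth-Type := Pam
    Service-Type = Login,
    cisco-avpair = "ipsec:user-vpn-group=VPN-Clients",
    cisco-avpair = "ipsec:addr-pool=VPN-Pool"
"""
# attribute, operator, optionally quoted value (no commas), optional trailing comma
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*"?([^",]*)"?\s*,?\s*$')

def parse_users(text):
    """Return {entry_name: [(attr, op, value), ...]} for each entry's reply items."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented: new entry, name is first word
            current = line.split()[0]
            entries[current] = []
            continue
        m = ITEM_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"cannot parse reply item: {line!r}")
        entries[current].append((m.group(1).lower(), m.group(2), m.group(3)))
    return entries

def lint_ezvpn(entries, group):
    """Return the problems found; an empty list means the checks pass."""
    problems = []
    grp = entries.get(group, [])
    if not any(a == "cisco-avpair" and v == f"isakmp-group-id={group}" for a, _, v in grp):
        problems.append(f'{group}: missing cisco-avpair "isakmp-group-id={group}"')
    stype = [v for a, _, v in entries.get("DEFAULT", []) if a == "service-type"]
    if stype != ["Outbound-User"]:
        problems.append(f"DEFAULT: Service-Type is {stype[0] if stype else 'unset'}, "
                        "expected Outbound-User")
    # In the users file '=' adds a reply attribute only if none of that name exists
    # yet, so every cisco-avpair after the first must use '+=' or it is dropped.
    for name, items in entries.items():
        if [op for a, op, _ in items if a == "cisco-avpair"].count("=") > 1:
            problems.append(f"{name}: repeated cisco-avpair items use '='; use '+=' after the first")
    return problems
```

Run it against the real users file with open("users").read() in place of the sample; a corrected file such as the one in Update 2 with Service-Type Outbound-User on DEFAULT returns an empty list.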