Can't establish VPN connection

Hi!

Does anyone have an idea why I can't establish a VPN connection to the office in the following scenario?

Key points:

1. Office

- Cisco router 851

- ADSL connection (dialer 0 interface)

- IOS version: Version 12.4(15)T13

- the router has the same configuration (VPN part) as I've used on my 851W and 861 routers (I haven't experienced any problem establishing a VPN tunnel to those two, but both were connected to a different ISP than the 851 is)

- access list on outside interface permits all IP traffic from my IP address

2. Client (my PC)

- Windows 7 x64

- Cisco VPN client 5.0.07.0290

- ADSL connection

I can establish a VPN tunnel to many other routers from this PC without any problem.

VPN + outside interface configuration:

crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUPNAME
key STRONGKEY
dns 192.168.100.5
domain domain.local
pool vpnpool
acl 101
!!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route

crypto map clientmap client authentication list localauthentication
crypto map clientmap isakmp authorization list localautorization
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Dialer0
mtu 1452
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map clientmap

Debug logs:

003655: Dec  2 20:26:16.861: ISAKMP:(0):Checking ISAKMP transform 10 against priority 3 policy
003656: Dec  2 20:26:16.861: ISAKMP:      encryption 3DES-CBC
003657: Dec  2 20:26:16.861: ISAKMP:      hash MD5
003658: Dec  2 20:26:16.861: ISAKMP:      default group 2
003659: Dec  2 20:26:16.861: ISAKMP:      auth XAUTHInitPreShared
003660: Dec  2 20:26:16.861: ISAKMP:      life type in seconds
003661: Dec  2 20:26:16.861: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
003662: Dec  2 20:26:16.861: ISAKMP:(0):atts are acceptable. Next payload is 3
003663: Dec  2 20:26:16.865: ISAKMP:(0):Acceptable atts:actual life: 86400
003664: Dec  2 20:26:16.865: ISAKMP:(0):Acceptable atts:life: 0
003665: Dec  2 20:26:16.865: ISAKMP:(0):Fill atts in sa vpi_length:4
003666: Dec  2 20:26:16.865: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
003667: Dec  2 20:26:16.865: ISAKMP:(0):Returning Actual lifetime: 86400
003668: Dec  2 20:26:16.865: ISAKMP:(0)::Started lifetime timer: 86400.
003669: Dec  2 20:26:16.865: ISAKMP:(0): processing KE payload. message ID = 0
003670: Dec  2 20:26:16.909: ISAKMP:(0): processing NONCE payload. message ID = 0
003671: Dec  2 20:26:16.909: ISAKMP:(0): vendor ID is NAT-T v2
003672: Dec  2 20:26:16.909: ISAKMP:(0):peer does not do paranoid keepalives.
003673: Dec  2 20:26:16.909: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer MY_IP_ADDRESS)
003674: Dec  2 20:26:16.909: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
003675: Dec  2 20:26:16.909: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
003676: Dec  2 20:26:16.909: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
003677: Dec  2 20:26:16.909: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at MY_IP_ADDRESS
003678: Dec  2 20:26:16.909: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer MY_IP_ADDRESS)
003679: Dec  2 20:26:16.909: ISAKMP: Unlocking peer struct 0x82D497A0 for isadb_mark_sa_deleted(), count 0
003680: Dec  2 20:26:16.909: ISAKMP: Deleting peer node by peer_reap for MY_IP_ADDRESS: 82D497A0
003681: Dec  2 20:26:16.913: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
003682: Dec  2 20:26:16.913: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
003683: Dec  2 20:26:22.166: ISAKMP (0:0): received packet from MY_IP_ADDRESS dport 500 sport 2589 Global (R) MM_NO_STATE

This is the log from the VPN client:
77     21:26:16.335  12/02/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to ROUTER_OUTSIDE_IP_ADDRESS

78     21:26:16.586  12/02/10  Sev=Info/4    IPSEC/0x63700008
IPSec driver successfully started

79     21:26:16.586  12/02/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

80     21:26:21.655  12/02/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

81     21:26:21.655  12/02/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to ROUTER_OUTSIDE_IP_ADDRESS

82     21:26:23.406  12/02/10  Sev=Info/6    GUI/0x63B0000D
Disconnecting VPN connection.

83     21:26:23.407  12/02/10  Sev=Info/4    CM/0x63100006
Abort connection attempt before Phase 1 SA up

84     21:26:23.407  12/02/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

85     21:26:23.407  12/02/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6BF056853A1161E0 R_Cookie=0000000000000000) reason = DEL_REASON_RESET_SADB

86     21:26:23.407  12/02/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6BF056853A1161E0 R_Cookie=0000000000000000) reason = DEL_REASON_RESET_SADB

87     21:26:23.408  12/02/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

88     21:26:23.414  12/02/10  Sev=Info/6    CM/0x63100046
Set tunnel established flag in registry to 0.

89     21:26:23.683  12/02/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

90     21:26:23.683  12/02/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

91     21:26:23.683  12/02/10  Sev=Info/4    IPSEC/0x63700014
Deleted all keys

92     21:26:23.683  12/02/10  Sev=Info/4    IPSEC/0x6370000A
IPSec driver successfully stopped


Hi,

What's the status of the ''sh cry is sa'' when you try to connect?

Are you connecting using NAT-T?

Have you tried connecting using IPsec over TCP?

Federico.

Federico,

> What's the status of the ''sh cry is sa'' when you try to connect?

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
ROUTER_IP   MY_IP  MM_NO_STATE          0    0 ACTIVE (deleted)

> Are you connecting using NAT-T?

Yes.

My PC is behind a NAT/PAT device.

> Have you tried connecting using IPsec over TCP?

Yes, but the problem is the same.

You say this is a different ISP connection (where this router accepts the VPN connections)?

Can you modify the ACL applied to the outside interface in the inbound direction to include the following as the first lines:

permit udp any host ROUTER_IP eq 500

permit udp any host ROUTER_IP eq 4500

permit tcp any host ROUTER_IP eq 10000

permit esp any host ROUTER_IP

The idea is to attempt to connect using NAT-T and IPsec/TCP and check the hit counts on this ACL to make sure those packets are reaching the router (''sh access-list NAME_OF_THE_ACL'').

Some ISPs block by default some ports required for VPN.

Federico.

    1 permit udp any host ROUTER_IP eq isakmp log (6 matches)
    2 permit udp any host ROUTER_IP eq non500-isakmp log
    3 permit tcp any host ROUTER_IP eq 10000 log
    4 permit esp any host ROUTER_IP log
    40 permit ip host MYIP any (273 matches)

004168: Dec  2 22:54:55.054: ISAKMP (0:0): received packet from MY_IP dport 500 sport 41048 Global (R) MM_NO_STATE
004169: Dec  2 22:55:00.123: ISAKMP (0:0): received packet from MY_IP dport 500 sport 41048 Global (R) MM_NO_STATE

When using TCP/10000:

    1 permit udp any host ROUTER_IP eq isakmp log (2 matches)
    2 permit udp any host ROUTER_IP eq non500-isakmp log
    3 permit tcp any host ROUTER_IP eq 10000 log (2 matches)
    4 permit esp any host ROUTER_IP log

004172: Dec  2 22:56:57.569: %SEC-6-IPACCESSLOGP: list wan_access_in permitted tcp MY_IP(17997) -> ROUTER_IP(10000), 1 pack

I ran additional tests and I can confirm that traffic destined to udp/500 and udp/4500 is delivered to the router. I have no idea why it was not delivered to udp/4500 yesterday.

004812: Dec  3 19:45:03.535: %SEC-6-IPACCESSLOGP: list wan_access_in permitted udp MY_IP(60226) -> ROUTER_IP(4500), 1 packet
004813: Dec  3 19:45:03.535: %SEC-6-IPACCESSLOGP: list wan_access_in permitted udp MY_IP(38530) -> ROUTER_IP(500), 14 packets
004814: Dec  3 19:45:03.535: %SEC-6-IPACCESSLOGP: list wan_access_in permitted udp MY_IP(13659) -> ROUTER_IP(4500), 15 packets
004815: Dec  3 19:46:03.536: %SEC-6-IPACCESSLOGP: list wan_access_in permitted udp MY_IP(3661) -> ROUTER_IP(500), 3 packets

and

    1 permit udp any host ROUTER_IP eq isakmp log (39 matches)

    2 permit udp any host ROUTER_IP eq non500-isakmp log (34 matches)

Any more suggestions?

Can you please re-verify the Group Name & Group password configured on the client? In fact, re-enter those values and try again.

The errors that you saw in the debug (first post) are generated because of an ISAKMP policy failure or a wrong group name & group password. Since they show that the policy isn't an issue, I will redo the group name & password on the client again.

Manish

I've already checked the group name and group password.

Even more: (for debugging purposes) I re-entered the password. Didn't help.

I changed the password. That didn't help either.

I created a new group and set a new password - didn't help.

OK, can you try the following command:

crypto isakmp identity a.b.c.d   # a.b.c.d = your cisco router ip where crypto map is applied.

Also, once this is configured, please remove and re-apply the crypto map on the interface again.

Manish

crypto isakmp identity offers these three options and doesn't accept an IP address:

- address   Use the IP address of the interface for the identity
- dn        Use the distinguished name of the router cert for the identity
- hostname  Use the hostname of the router for the identity

I tried option "address" and option "hostname" (I re-applied the crypto map on the interface each time). I still can't get the login window.

I finally resolved the issue: I mistyped the authorization list name at aaa authorization... and crypto map....
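A check for the root cause reported above, added here as an example that is not from the thread or from Cisco: it parses a constructed IOS config fragment and flags any crypto map authentication/authorization list reference that has no matching aaa method list definition. The config text, including the misspelt list name "localautorization", is constructed for the example.

```python
import re

# Constructed IOS config fragment (not the thread's full config) reproducing the
# reported root cause: the crypto map references an authorization list whose
# name ("localautorization") does not match the aaa definition ("localauthorization").
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login localauthentication local
aaa authorization network localauthorization local
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto map clientmap client authentication list localauthentication
crypto map clientmap isakmp authorization list localautorization
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""

# "aaa authentication login <list>" backs "client authentication list" (XAUTH);
# "aaa authorization network <list>" backs "isakmp authorization list" (group lookup).
AAA_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+)")
MAP_RE = re.compile(r"^crypto map (\S+) (client authentication|isakmp authorization) list (\S+)")
AAA_TO_MAP = {"authentication login": "client authentication",
              "authorization network": "isakmp authorization"}


def find_list_mismatches(config):
    """Return (map_name, reference_kind, list_name) for every crypto map list
    reference that has no matching aaa method list; an empty result means the
    XAUTH/authorization wiring is consistent."""
    defined = {kind: set() for kind in AAA_TO_MAP.values()}
    refs = []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_RE.match(line)
        if m:
            defined[AAA_TO_MAP[m.group(1)]].add(m.group(2))
            continue
        m = MAP_RE.match(line)
        if m:
            refs.append((m.group(1), m.group(2), m.group(3)))
    return [ref for ref in refs if ref[2] not in defined[ref[1]]]


if __name__ == "__main__":
    for map_name, kind, list_name in find_list_mismatches(SAMPLE_CONFIG):
        print(f"crypto map {map_name}: {kind} list '{list_name}' is not defined under aaa")
```

With a name mismatch like this, IKE aggressive mode fails before the XAUTH login prompt ever appears, which matches the symptom in the debug output earlier in the thread.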

I also resolved it by configuring the proper authorization format.

Many thanks! It's helpful for me...
