Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1409
Views
0
Helpful
5
Replies

Easy VPN

simon.green
Level 1
Level 1

‎10-04-2010 03:59 PM

Hi All,

Hope everyone is well? Im trying to setup an Easy VPN Server on a Cisco 2801 but not having much luck. Currently we have a Site-To-Site VPN Tunnel setup on this router from one of our remote sites. I`ve gone through the docs on the Easy VPN setup info on Cisco but when i try and use the Cisco VPN Client to go to 77.88.44.81 it fails to connect, infact i dont even think its starting to handshake. Wondert if someone could see any errors in my below config?

Cheers

Si

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PRIRTINTHQ1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
enable secret ********
enable password ********
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login userauthvpn local
aaa authorization exec local_author local
aaa authorization network groupauthvpn local
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
ip inspect name ndbfw pptp timeout 3600
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3461232490
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3461232490
revocation-check none
rsakeypair TP-self-signed-3461232490
!
!
crypto pki certificate chain TP-self-signed-3461232490
certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343631 32333234 3930301E 170D3130 30393236 31333432
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363132
  551D1104 0F300D82 0B505249 5254494E 54485131 301F0603 551D2304 18301680
  143A3732 8A84089C 11824A6B 6E405D88 1C7A0912 1E301D06 03551D0E 04160414
  3A37328A 84089C11 824A6B6E 405D881C 7A09121E 300D0609 2A864886 F70D0101
  04050003 81810069 D7E8E97F C785FB76 B666C143 5B9C4CFC 135C168A B4F18B59
  19CD5698 9327E957 580BE806 E8214A74 A0D62AB4 9ACE6C6D 2DA36DEC 89D05852
  52921C77 F5D62C65 7D865664 0E826AE7 7AC173E6 C65892A3 20940CB5 5639F9AE
  AB0A66DB 2B7413
  quit
username c1sc0adm1n privilege 15 password ********
username cisco password ********
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 87.122.111.130
!
crypto isakmp client configuration group VPNclients
key cisco123
dns 192.168.0.1
domain ndb-europe.local
pool ippool
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set vpnclients esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpnclients
!
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.122.111.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
crypto map vpnclients client authentication list userauthvpn
crypto map vpnclients isakmp authorization list groupauthorvpn
crypto map vpnclients client configuration address respond
crypto map vpnclients 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Inside Ethernet LAN
ip address 10.1.1.1 255.255.0.0 secondary
ip address 172.1.1.1 255.255.255.0 secondary
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
load-interval 30
speed auto
full-duplex
no cdp enable
no mop enabled
hold-queue 100 out
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
description Outside Connection to Karoo
bandwidth 960
ip address 77.88.44.81 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ********
ppp chap password ********
crypto map vpnclients
!
ip local pool ippool 192.168.0.181 192.168.0.199
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip dns server
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.15 80 77.88.44.1 80 extendable
ip nat inside source static udp 192.168.0.17 162 77.88.44.81 162 extendable
ip nat inside source static udp 192.168.0.17 514 77.88.44.81 514 extendable
ip nat inside source static tcp 192.168.0.17 8080 77.88.44.81 8080 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.88.44.81 8088 extendable
ip nat inside source static 192.168.0.10 77.88.4482
ip nat inside source static 192.168.0.12 77.88.4483
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 172.1.1.0 0.0.0.255
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 100 remark NAT-ACL
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 172.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit udp host 87.122.111.130 any eq isakmp
access-list 110 permit esp host 87.122.111.130 any
access-list 110 permit tcp any host 77.88.44.81 eq www
access-list 110 permit tcp any host 77.88.44.81 eq 8088
access-list 110 permit tcp any host 77.88.44.81 eq 443
access-list 110 permit tcp any host 77.88.44.81 eq 8080
access-list 110 permit udp any host 77.88.44.81 eq syslog
access-list 110 permit udp any host 77.88.44.81 eq snmptrap
access-list 110 permit tcp any host 77.88.44.82 eq 1723
access-list 110 permit tcp any host 77.88.44.82 eq 4125
access-list 110 permit tcp any host 77.88.44.82 eq 443
access-list 110 permit tcp any host 77.88.44.82 eq 444
access-list 110 permit tcp any host 77.88.44.82 eq 993
access-list 110 permit tcp any host 77.88.44.82 eq smtp
access-list 110 permit tcp any host 77.88.44.82 eq 8019
access-list 110 permit udp any host 77.88.44.82 eq 8019
access-list 110 permit gre any host 77.88.44.82
access-list 110 permit tcp any host 77.88.44.83 eq 2727
access-list 110 permit tcp any host 77.88.44.83 eq 5082
access-list 110 permit tcp any host 77.88.44.83 eq 5060
access-list 110 permit udp any host 77.88.44.83 range 5060 5082
access-list 110 permit udp any host 77.88.44.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny   ip any any log
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CCC

****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport output all
line aux 0
privilege level 15
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp master
end

Labels:
0 Helpful
5 Replies 5

Jitendriya Athavale
Cisco Employee
Cisco Employee

‎10-04-2010 04:59 PM

try the following

no crypto isakmp key ******** address 87.122.111.130

crypto isakmp key ******** address 87.122.111.130 no-xauth

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to Jitendriya Athavale

‎10-04-2010 05:01 PM

also in the acl 110 permit ports udp 500, udp 4500 and esp or ip 50 for the client's public ip address, but since they afor vpn clients i would assume you will need to open them for everybody

0 Helpful

simon.green
Level 1
Level 1

‎10-07-2010 02:00 PM

Hi There,

Many Thanks for your response and sorry for my delay in response .... it really has been one of those weeks.

I have tried as suggested and still can seem to connect. The VPN Client reports:

"Secure VPN Client terminated locally by the Client"

Reason 412: The remote peer is no longer responding.

Below is my new config and i've also included my Cisco VPN Debug too:)

Just wondering if you can see anything which jumps out?

Cheers

Si

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PRIRTINTHQ1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
enable secret ********
enable password ********
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login userauthvpn local
aaa authorization exec local_author local
aaa authorization network groupauthvpn local
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
ip inspect name ndbfw pptp timeout 3600
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3461232490
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3461232490
revocation-check none
rsakeypair TP-self-signed-3461232490
!
!
crypto pki certificate chain TP-self-signed-3461232490
certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343631 32333234 3930301E 170D3130 30393236 31333432
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363132
  551D1104 0F300D82 0B505249 5254494E 54485131 301F0603 551D2304 18301680
  143A3732 8A84089C 11824A6B 6E405D88 1C7A0912 1E301D06 03551D0E 04160414
  3A37328A 84089C11 824A6B6E 405D881C 7A09121E 300D0609 2A864886 F70D0101
  04050003 81810069 D7E8E97F C785FB76 B666C143 5B9C4CFC 135C168A B4F18B59
  19CD5698 9327E957 580BE806 E8214A74 A0D62AB4 9ACE6C6D 2DA36DEC 89D05852
  52921C77 F5D62C65 7D865664 0E826AE7 7AC173E6 C65892A3 20940CB5 5639F9AE
  AB0A66DB 2B7413
  quit
username c1sc0adm1n privilege 15 password ********
username cisco password ********
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 87.122.111.130 no-Xauth
!
crypto isakmp client configuration group VPNclients
key cisco123
dns 192.168.0.1
domain ndb-europe.local
pool ippool
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set vpnclients esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpnclients
!
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.122.111.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
crypto map vpnclients client authentication list userauthvpn
crypto map vpnclients isakmp authorization list groupauthorvpn
crypto map vpnclients client configuration address respond
crypto map vpnclients 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Inside Ethernet LAN
ip address 10.1.1.1 255.255.0.0 secondary
ip address 172.1.1.1 255.255.255.0 secondary
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
load-interval 30
speed auto
full-duplex
no cdp enable
no mop enabled
hold-queue 100 out
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
description Outside Connection to Karoo
bandwidth 960
ip address 77.88.4481 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ********
ppp chap password ********
crypto map vpnclients
!
ip local pool ippool 192.168.0.181 192.168.0.199
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip dns server
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.15 80 77.88.4481 80 extendable
ip nat inside source static udp 192.168.0.17 162 77.88.4481 162 extendable
ip nat inside source static udp 192.168.0.17 514 77.88.4481 514 extendable
ip nat inside source static tcp 192.168.0.17 8080 77.88.4481 8080 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.88.4481 8088 extendable
ip nat inside source static 192.168.0.10 77.88.4482
ip nat inside source static 192.168.0.12 77.88.4483
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 172.1.1.0 0.0.0.255
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 100 remark NAT-ACL
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 172.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit udp host 87.122.111.130 any eq isakmp
access-list 110 permit esp host 87.122.111.130 any
access-list 110 permit tcp any host 77.88.44.81 eq www
access-list 110 permit tcp any host 77.88.44.81 eq 8088
access-list 110 permit tcp any host 77.88.44.81 eq 443
access-list 110 permit tcp any host 77.88.44.81 eq 8080
access-list 110 permit udp any host 77.88.44.81 eq syslog
access-list 110 permit udp any host 77.88.44.81 eq snmptrap
access-list 110 permit udp any host 77.88.44.81 eq isakmp
access-list 110 permit udp any host 77.88.44.81 eq non500-isakmp
access-list 110 permit esp any host 77.88.44.81
access-list 110 permit tcp any host 77.88.44.82 eq 1723
access-list 110 permit tcp any host 77.88.44.82 eq 4125
access-list 110 permit tcp any host 77.88.44.82 eq 443
access-list 110 permit tcp any host 77.88.44.82 eq 444
access-list 110 permit tcp any host 77.88.44.82 eq 993
access-list 110 permit tcp any host 77.88.44.82 eq smtp
access-list 110 permit tcp any host 77.88.44.82 eq 8019
access-list 110 permit udp any host 77.88.44.82 eq 8019
access-list 110 permit gre any host 77.88.44.82
access-list 110 permit tcp any host 77.88.44.83 eq 2727
access-list 110 permit tcp any host 77.88.44.83 eq 5082
access-list 110 permit tcp any host 77.88.44.83 eq 5060
access-list 110 permit udp any host 77.88.44.83 range 5060 5082
access-list 110 permit udp any host 77.88.44.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny   ip any any log
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CCC

****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport output all
line aux 0
privilege level 15
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp master
end

--------------------------------------------

Cisco VPN Client Debug:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6002 Service Pack 2

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6002 Service Pack 2
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      22:15:10.690  10/07/10  Sev=Info/4 CM/0x63100002
Begin connection process

2      22:15:10.705  10/07/10  Sev=Info/4 CM/0x63100004
Establish secure connection

3      22:15:10.705  10/07/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "77.88.44.81"

4      22:15:10.721  10/07/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 77.88.44.81.

5      22:15:10.721  10/07/10  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      22:15:10.721  10/07/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 77.88.44.81

7      22:15:11.298  10/07/10  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 77.88.44.81

8      22:15:11.298  10/07/10  Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

9      22:15:11.298  10/07/10  Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

10     22:15:11.298  10/07/10  Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

11     22:15:11.298  10/07/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

12     22:15:11.298  10/07/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

13     22:15:15.914  10/07/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

14     22:15:15.914  10/07/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

15     22:15:20.978  10/07/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

16     22:15:20.978  10/07/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

17     22:15:26.047  10/07/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

18     22:15:26.047  10/07/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

19     22:15:31.116  10/07/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=8AA13D800031A4C1 R_Cookie=EEAAE4E0278F4070) reason = DEL_REASON_PEER_NOT_RESPONDING

20     22:15:31.631  10/07/10  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8AA13D800031A4C1 R_Cookie=EEAAE4E0278F4070) reason = DEL_REASON_PEER_NOT_RESPONDING

21     22:15:31.631  10/07/10  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "77.88.44.81" because of "DEL_REASON_PEER_NOT_RESPONDING"

22     22:15:31.631  10/07/10  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

23     22:15:31.631  10/07/10  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

24     22:15:31.631  10/07/10  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

25     22:15:32.614  10/07/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

26     22:15:32.614  10/07/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

27     22:15:32.614  10/07/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

28     22:15:32.614  10/07/10  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

0 Helpful

Rudresh Veerappaji
Cisco Employee
Cisco Employee
In response to simon.green

‎10-07-2010 11:05 PM

Hi Simon,

Please find the details below:

     1. You have 2 crypto maps defined in the router namely, VPN-Map-1 and vpnclients.

     2. Only the "vpnclients" crypto map is applied to the dialer interface, so only this crypto map is effective.

     3. Now the "vpn clients" crypto map is a dynamic map, while the VPN-Map-1 is a static crypto map.

     4. So i think vpn "clients" is handling both the dynamic site to site tunnle to peer 87.122.111.130 and the remote access vpn clients, and this is the issue.

     5. If you can confirm that on the router that you have a site to site tunnel to 87.122.111.130 up and running ( "sh cry isa sa" output display an active tunnel), then you need the following configuration to have both site to site tunnel and remote access vpns working properly:

*************************************************************************************************


crypto isakmp client configuration group VPNclients
key cisco123
dns 192.168.0.1
domain ndb-europe.local
pool ippool

crypto isakmp profile VPNclient 
   description VPN clients profile 
   match identity group VPNclients
 client authentication list userauthvpn
 isakmp authorization list groupauthorvpn
 client configuration address respond   


crypto dynamic-map dynmap 5 
 set transform-set vpnclients
 set isakmp-profile VPNclient


crypto map vpnclients client authentication list userauthvpn
crypto map vpnclients isakmp authorization list groupauthorvpn
crypto map vpnclients client configuration address respond

crypto map vpnclients 10 ipsec-isakmp

set peer 87.122.111.130

set transform-set 3DES-SHA

set pfs group2

match address Crypto-list

crypto map vpnclients 20 ipsec-isakmp dynamic dynmap


********************************************************************************************

Please let me know if this helps,

Cheers,

Rudresh V

0 Helpful

simon.green
Level 1
Level 1
In response to Rudresh Veerappaji

‎10-08-2010 02:10 PM

Hi There,

Thanks for your reply:)

OK I have made the changes and below is the config. Still the same error though:(

I have also done a Sh Crypto ISA SA to and included the debug again from the Cisco VPN Client ...

Thanks again for your help so far.

Cheers

Si

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6002 Service Pack 2

82     21:53:41.756  10/08/10  Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

83     21:53:41.850  10/08/10  Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

84     21:53:52.831  10/08/10  Sev=Info/4 PPP/0x63200015
Processing enumerate phone book entries command

85     21:53:52.987  10/08/10  Sev=Info/4 PPP/0x6320000D
Retrieved 5 dial entries

86     21:53:57.806  10/08/10  Sev=Info/4 CM/0x63100002
Begin connection process

87     21:53:57.822  10/08/10  Sev=Info/4 CM/0x63100004
Establish secure connection

88     21:53:57.822  10/08/10  Sev=Info/4 CM/0x63100024
Attempt connection with server "77.88.44.81"

89     21:53:57.837  10/08/10  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 77.88.44.81.

90     21:53:57.853  10/08/10  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

91     21:53:57.884  10/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 77.88.44.81

92     21:53:57.900  10/08/10  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

93     21:53:57.900  10/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

94     21:54:03.359  10/08/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

95     21:54:03.359  10/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

96     21:54:08.491  10/08/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

97     21:54:08.491  10/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

98     21:54:13.622  10/08/10  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

99     21:54:13.622  10/08/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 77.88.44.81

100    21:54:18.738  10/08/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=2A7E2C7C5CB76441 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

101    21:54:19.253  10/08/10  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2A7E2C7C5CB76441 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

102    21:54:19.253  10/08/10  Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "77.88.44.81" because of "DEL_REASON_PEER_NOT_RESPONDING"

103    21:54:19.253  10/08/10  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

104    21:54:19.284  10/08/10  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

105    21:54:19.284  10/08/10  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

106    21:54:20.226  10/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

107    21:54:20.227  10/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

108    21:54:20.227  10/08/10  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

109    21:54:20.227  10/08/10  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

---------------------------------------------------------------------------------------------


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PRIRTINTHQ1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
no logging console
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ndb-europe.local
ip name-server 212.50.160.100
ip name-server 213.249.130.100
ip inspect name ndbfw cuseeme timeout 3600
ip inspect name ndbfw rcmd timeout 3600
ip inspect name ndbfw realaudio timeout 3600
ip inspect name ndbfw udp timeout 15
ip inspect name ndbfw tcp timeout 3600
ip inspect name ndbfw h323 timeout 3600
ip inspect name ndbfw ftp timeout 3600
ip inspect name ndbfw icmp timeout 3600
ip inspect name ndbfw sip timeout 3600
ip inspect name ndbfw rtsp timeout 3600
ip inspect name ndbfw pptp timeout 3600
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3461232490
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3461232490
revocation-check none
rsakeypair TP-self-signed-3461232490
!
!
crypto pki certificate chain TP-self-signed-3461232490
certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343631 32333234 3930301E 170D3130 30393236 31333432
  32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34363132
  33323439 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  143A3732 8A84089C 11824A6B 6E405D88 1C7A0912 1E301D06 03551D0E 04160414
  F87F04DD AC425664 10AEF872 83700E50 AB3CFB0A 1922967B 207638AD 80A0C32F
  19CD5698 9327E957 580BE806 E8214A74 A0D62AB4 9ACE6C6D 2DA36DEC 89D05852
  52921C77 F5D62C65 7D865664 0E826AE7 7AC173E6 C65892A3 20940CB5 5639F9AE
  AB0A66DB 2B7413
  quit
username c1sc0 privilege 15 password cisco
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******** address 87.112..111.130 no-xauth
!
crypto isakmp client configuration group VPNclients
key cisco123
dns 192.168.0.1
domain ndb-europe.local
pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group VPNclients
   client authentication list userauthvpn
   isakmp authorization list groupauthorvpn
   client configuration address respond
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set vpnclients esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set vpnclients
set isakmp-profile VPNclient
!
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 87.112..111.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
!
crypto map vpnclients client authentication list userauthvpn
crypto map vpnclients isakmp authorization list groupauthorvpn
crypto map vpnclients client configuration address respond
crypto map vpnclients 10 ipsec-isakmp
set peer 87.112..111.130
set transform-set 3DES-SHA
set pfs group2
match address Crypto-list
crypto map vpnclients 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Inside Ethernet LAN
ip address 10.1.1.1 255.255.0.0 secondary
ip address 172.1.1.1 255.255.255.0 secondary
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
load-interval 30
speed auto
full-duplex
no cdp enable
no mop enabled
hold-queue 100 out
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 1/50
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
description Outside Connection to Karoo
bandwidth 960
ip address 77.88.44.81 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect ndbfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
crypto map vpnclients
!
!
ip local pool ippool 192.168.0.181 192.168.0.199
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip dns server
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.15 80 77.88.44.81 80 extendable
ip nat inside source static udp 192.168.0.17 162 77.88.44.81 162 extendable
ip nat inside source static udp 192.168.0.17 514 77.88.44.81 514 extendable
ip nat inside source static tcp 192.168.0.17 8080 77.88.44.81 8080 extendable
ip nat inside source static tcp 192.168.0.15 8088 77.88.44.81 8088 extendable
ip nat inside source static 192.168.0.10 77.88.44.82
ip nat inside source static 192.168.0.12 77.88.44.83
!
ip access-list extended Crypto-list
permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
!
logging trap debugging
logging 192.168.0.17
access-list 4 remark NAT-ACL
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 172.1.1.0 0.0.0.255
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 100 remark NAT-ACL
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 172.1.1.0 0.0.0.255 any
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 110 permit tcp any any eq domain
access-list 110 permit udp any any eq domain
access-list 110 permit ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit udp host 87.122.111.130 any eq isakmp
access-list 110 permit esp host 87.122.111.130 any
access-list 110 permit tcp any host 77.88.44.81 eq www
access-list 110 permit tcp any host 77.88.44.81 eq 8088
access-list 110 permit tcp any host 77.88.44.81 eq 443
access-list 110 permit tcp any host 77.88.44.81 eq 8080
access-list 110 permit udp any host 77.88.44.81 eq syslog
access-list 110 permit udp any host 77.88.44.81 eq snmptrap
access-list 110 permit udp any host 77.88.44.81 eq isakmp
access-list 110 permit udp any host 77.88.44.81 eq non500-isakmp
access-list 110 permit esp any host 77.88.44.81
access-list 110 permit tcp any host 77.88.44.82 eq 1723
access-list 110 permit tcp any host 77.88.44.82 eq 4125
access-list 110 permit tcp any host 77.88.44.82 eq 443
access-list 110 permit tcp any host 77.88.44.82 eq 444
access-list 110 permit tcp any host 77.88.44.82 eq 993
access-list 110 permit tcp any host 77.88.44.82 eq smtp
access-list 110 permit tcp any host 77.88.44.82 eq 8019
access-list 110 permit udp any host 77.88.44.82 eq 8019
access-list 110 permit gre any host 77.88.44.82
access-list 110 permit tcp any host 77.88.44.83 eq 2727
access-list 110 permit tcp any host 77.88.44.83 eq 5082
access-list 110 permit tcp any host 77.88.44.83 eq 5060
access-list 110 permit udp any host 77.88.44.83 range 5060 5082
access-list 110 permit udp any host 77.88.44.83 range 10000 20000
access-list 110 permit gre any any
access-list 110 deny   ip any any log
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server host 192.168.0.17 version 2c ndbsnmp
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CCC

****************************
*      WARNING BANNER      *
****************************

WARNING - Authorized Access only

The owner and any subsidiary companies, has proprietary rights
over this system and data. Unauthorized access is unlawful and may
result in legal proceedings.

All access to this system is monitored.
^C
!
line con 0
privilege level 15
transport output all
line aux 0
privilege level 15
transport input telnet ssh
transport output all
line vty 0 4
privilege level 15
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp master
end

---------------------------------------------------------------------------------------------
PRIRTINTHQ1#sh crypto isa sa
dst             src             state          conn-id slot status
77.88.44.81     87.112.111.130  QM_IDLE              2    0 ACTIVE

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents