IPsec VPN: can't seem to see what I'm doing wrong - fresh set of eyes please

davidfield
Level 3

Hello all, and thanks for reading. Got a Cisco 867 IOS router with an IPsec VPN config I'm trying to get running. I get the VPN connected but cannot access any internal devices (I've specified the internal IP ranges in the ACL). I have exactly the same config on another site (different IOS) and it works fine, so a bit stumped. Can anyone see anything I've missed? VPN config elements in red.

Notes:

- VPN establishes ok 

- IOS firmware c860vae-advsecurityk9-mz.156-2.T1.bin

- I can ping the router interfaces over the VPN

- I have checked the devices onsite Def Gw's

- The site does not have the IPSLA active so no traffic path issues.

- From devices onsite I cannot ping the VPN-connected device. Traceroute shows traffic gets to the router but no further.

- Devices connecting to the IPsec VPN are Apple devices and can be from any public IP.

- Getting the following error on debug, but then I get a connection. Not getting it at the other site, but that is running earlier firmware.

"CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at "My-Test IP""

Any pointers appreciated.

Dave

hostname ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 100000 informational
enable secret XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authentication login http none
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
wan mode ethernet
!
!
!
ip dhcp excluded-address 192.168.99.1 192.168.99.99
ip dhcp excluded-address 192.168.99.240 192.168.99.254
ip dhcp excluded-address 192.168.101.1 192.168.101.99
ip dhcp excluded-address 192.168.101.240 192.168.101.254
ip dhcp excluded-address 192.168.102.1 192.168.102.99
ip dhcp excluded-address 192.168.102.120 192.168.102.254
ip dhcp excluded-address 192.168.40.1 192.168.40.99
ip dhcp excluded-address 192.168.40.120 192.168.40.254
ip dhcp excluded-address 192.168.100.1 192.168.100.5
ip dhcp excluded-address 192.168.100.30 192.168.100.35
ip dhcp excluded-address 192.168.100.250 192.168.100.254
!
ip dhcp pool Mgmt
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 8.8.8.8
!
ip dhcp pool Site
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 8.8.8.8
lease 0 4
!
ip dhcp pool AV
network 192.168.101.0 255.255.255.0
default-router 192.168.101.1
dns-server 8.8.8.8
!
ip dhcp pool Voice
network 192.168.102.0 255.255.255.0
dns-server 8.8.8.8
default-router 192.168.102.1
!
ip dhcp pool TI
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 8.8.8.8
!

!
!
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp router-traffic
ip inspect name CCP_LOW vdolive
ip domain name XXXXXXXXXXXXX
ip ddns update method dyndns

!
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-2943135384
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXXXXXXXX
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXX
quit
!

!
username XXXXXXXXXXXXXXXXXXXX privilege 15 password XXXXXXXXXXXXXXXXXXXX

!
!
controller VDSL 0
shutdown
!
track 1 ip sla 1 reachability
delay down 180
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGroup
key XXXXXXXXXXXXXXXXXXXX
dns 8.8.8.8
pool vpnpool
acl 101
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpn-ike-profile-1
match identity group VPNGroup
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface Loopback100
ip ddns update hostname XXXXXXXXXXXXXXXXXXXX
ip ddns update dyndns host XXXXXXXXXXXXXXXXXXXX
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
switchport mode trunk
no ip address
!
interface GigabitEthernet1
ip address XXXXXXXXXXXXXXXXXXXX 255.255.255.248
ip access-group INTERNET1 in
ip flow ingress
ip flow egress
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet1
ip nat inside
ip virtual-reassembly in
peer default ip address pool vpnpool
no keepalive
ppp encrypt mppe auto passive
ppp authentication pap chap ms-chap ms-chap-v2
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
ip address 192.168.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan40
description TI Vlan
ip address 192.168.40.1 255.255.255.0
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan102
ip address 192.168.102.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address XXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXX
ip access-group INTERNET in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXXXXXXXX
ppp chap password XXXXXXXXXXXXXXXXXXXX
no cdp enable
!
ip local pool vpnpool 192.168.255.10 192.168.255.20
ip local pool VPN-Pool 192.168.254.20 192.168.254.25
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip flow-export version 9
ip flow-export interface-names
ip flow-export destination XXXXXXXXXXXXXXXXXXXX 9010
ip flow-top-talkers
top 15
sort-by packets
cache-timeout 360000
!
ip nat inside source static tcp 192.168.99.1 1723 interface GigabitEthernet1 1723
ip nat inside source static tcp 192.168.99.1 22 interface GigabitEthernet1 22
ip nat inside source list 1 interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 XXXXXXXXXXXXXXXXXXXX track 1
ip route 0.0.0.0 0.0.0.0 192.168.99.254 100
!

ip access-list extended INTERNET1
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit udp host 8.8.8.8 eq domain any
permit udp host 8.8.4.4 eq domain any
permit gre any any
permit tcp any any eq 1723
permit tcp any any eq 22
permit esp any any
permit icmp any any
permit tcp any any eq 50
permit tcp any any eq 51
permit tcp any any eq 500
permit tcp any any eq 4500
permit udp any any eq 50
permit udp any any eq 51
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp host XXXXXXXXXXXXXXXXXXXX any
permit tcp host XXXXXXXXXXXXXXXXXXXX any
deny ip 192.168.0.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any log
ip access-list extended SLAPROBE_ACL
permit icmp any host XXXXXXXXXXXX
!
ip sla auto discovery
ip sla 1
icmp-echo XXXXXXXXXXXXXXXXXXXX source-interface GigabitEthernet1
ip sla schedule 1 life forever start-time now
dialer-list 1 protocol ip permit
mac-address-table aging-time 20
!
route-map SLAPROBE permit 10
match ip address SLAPROBE_ACL
set ip next-hop XXXXXXXXXXXXXXXXXXXX
!
route-map Fiber permit 10
match ip address 1
match interface GigabitEthernet1
!
snmp-server community public RO
access-list 1 permit any
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 192.168.102.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
ntp server XXXXXXXXXXXXXXXXXXXX
event manager applet dyndns
event track 1 state up
action 1 cli command "en"
action 2 cli command "user admin"
action 3 cli command "conf t"
action 4 cli command "interface loopback 100"
action 5 cli command "shut"
action 6 cli command "no shut"
event manager applet Pri_back
event track 1 state any
action 2.0 cli command "clear ip nat trans forced"
!
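As an added example (not part of the original post or of any Cisco tooling), the script below runs a few mechanical checks over the remote-access pieces of a config like the one above: whether every VLAN subnet is covered by the split-tunnel ACL that `crypto isakmp client configuration group` pushes to the client (`acl 101`), whether the client pool overlaps a VLAN, and whether an edge ACL contains entries that try to match ESP (IP protocol 50) or AH (51) as a TCP or UDP port. The `CONFIG` string is a constructed excerpt of the posted config with the masked WAN address replaced by the documentation address 203.0.113.1; the function names are the example's own.

```python
"""Static checks for the split-tunnel / NAT-traversal pieces of an IOS
remote-access IPsec config. Added example, not from the original post.

CONFIG is a constructed excerpt of the posted config; the WAN address is
the documentation placeholder 203.0.113.1.
"""
import ipaddress
import re

CONFIG = """\
interface Vlan1
 ip address 192.168.99.1 255.255.255.0
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
interface Vlan102
 ip address 192.168.102.1 255.255.255.0
interface GigabitEthernet1
 ip address 203.0.113.1 255.255.255.248
ip local pool vpnpool 192.168.255.10 192.168.255.20
ip access-list extended INTERNET1
 permit esp any any
 permit tcp any any eq 50
 permit tcp any any eq 51
 permit udp any any eq 50
 permit udp any any eq 51
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
access-list 101 permit ip 192.168.99.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 192.168.102.0 0.0.0.255 any
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
"""

# IP protocol numbers that people sometimes mistype as TCP/UDP ports.
PROTO_AS_PORT = {"50": "esp", "51": "ah"}


def vlan_subnets(cfg):
    """Map 'VlanN' -> IPv4Network for every VLAN SVI that has an address."""
    nets, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current and current.startswith("Vlan"):
            addr, mask = m.groups()
            nets[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def split_tunnel_networks(cfg, acl="101"):
    """Networks in a numbered split-tunnel ACL (IOS wildcard-mask form)."""
    nets = []
    for m in re.finditer(rf"^access-list {acl} permit ip (\S+) (\S+) ", cfg, re.M):
        net, wildcard = m.groups()
        # Invert the wildcard into a netmask so that 0.0.0.0 becomes /32.
        mask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def uncovered_vlans(cfg):
    """VLANs whose subnet is not inside any network the split-tunnel ACL pushes."""
    pushed = split_tunnel_networks(cfg)
    return sorted(v for v, n in vlan_subnets(cfg).items()
                  if not any(n.subnet_of(p) for p in pushed))


def pool_overlaps(cfg, pool="vpnpool"):
    """VLANs whose subnet overlaps the client address pool."""
    m = re.search(rf"^ip local pool {pool} (\S+) (\S+)", cfg, re.M)
    lo, hi = (ipaddress.ip_address(x) for x in m.groups())
    return sorted(v for v, n in vlan_subnets(cfg).items()
                  if not (hi < n[0] or lo > n[-1]))


def protocol_as_port_entries(cfg, acl="INTERNET1"):
    """Named-ACL lines that use protocol number 50/51 as a TCP/UDP port.

    ESP and AH are IP protocols, so 'permit tcp ... eq 50' never matches
    anything; the working line is 'permit esp any any'.
    """
    bad, inside = [], False
    for line in cfg.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == acl
            continue
        if not line.startswith(" "):
            inside = False
        m = re.match(r"\s+(permit|deny) (tcp|udp) .* eq (\d+)$", line)
        if inside and m and m.group(3) in PROTO_AS_PORT:
            bad.append(line.strip())
    return bad


def report(cfg):
    return {
        "vlans_missing_from_split_tunnel": uncovered_vlans(cfg),
        "vlans_overlapping_pool": pool_overlaps(cfg),
        "protocol_as_port_entries": protocol_as_port_entries(cfg),
    }


if __name__ == "__main__":
    for check, hits in report(CONFIG).items():
        print(f"{check}: {hits or 'none'}")
```

Run against the excerpt, the split-tunnel and pool checks come back clean (all five VLANs are pushed, and 192.168.255.10-20 sits outside them), while the four `eq 50` / `eq 51` lines are flagged as no-ops; the entries that actually admit the tunnel on GigabitEthernet1 are `permit esp any any` plus the UDP `isakmp` and `non500-isakmp` lines. The checks are deliberately limited to what is decidable from the text; they say nothing about routing or NAT behaviour on the box itself. Separately, the posted phase-1 policy (3DES, DH group 2, pre-shared key in aggressive mode) is weak by current standards and worth revisiting once the connectivity issue is resolved.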


Philip D'Ath
VIP Alumni

15.6 is bleeding-edge new. I would try a different software version.
