SR520 VPN tunnel [IKE packet from xxx.xxx.xxx.xxx was not encrypted and it should've been]

Good afternoon everyone,

I'm a newbie at configuring Cisco routers. A few months ago I made a VPN tunnel between 2 sites. Site A has the VPN server on a Cisco SR520-ADSL-K9; its network is 192.168.1.0 (public IP is 80.11.82.100 (not real)).

Site B is the VPN client and uses the same Cisco equipment. The VPN link was made using CCA (VPN remote) and was working well... until some power failures made the Site B SR520 stop working at all (Ethernet interfaces were down). The network on site B is 192.168.2.0.

I then completely reset the Site B router and tried to rebuild the original configuration (tried because I FAILED!).

  • I managed to have computers able to see each other on Site B
  • I managed to have computers from Site B surfing the internet
  • Computers from Site A can see each other and surf the internet (that was normal, because the configuration of this router has not been modified)
  • But I can't manage to have a computer (say the one at 192.168.2.9 - Site B) connect to my server via SMB or TSE (server is 192.168.1.3 on Site A).

I noticed that I have the following repeated messages in the console:

*Aug  8 12:43:52.971: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZVPN_GROUP_1  Server_public_addr=80.11.82.100

*Aug  8 12:44:04.924: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 80.11.82.100 was not encrypted and it should've been.

Some Cisco docs say there is something to do with ACLs, but because I am a newbie... I don't know exactly what, or which commands I should enter :-( (note that I have not set up the firewall, to be sure the problem was not linked to it).

Below is my Site B SR520 running configuration; I hope it might help. I will be very grateful to anyone who can help me find what is wrong and how to solve it (I have to fix this within 2 days, because my customer's production site (B) has no access to its data server located on Site A).

Many thanks in advance!

Current configuration : 4205 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$/Ym3$HTZIbVitmAU1L0ht5lMGO/
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2778606820
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2778606820
 revocation-check none
 rsakeypair TP-self-signed-2778606820
!
!
crypto pki certificate chain TP-self-signed-2778606820
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32373738 36303638 3230301E 170D3132 30383038 31313137
  31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37373836
  30363832 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810095A2 CC829D95 4C16F247 D62D9121 1012C46D AF3C50C1 2B9C73E4 B4363B79
  20CEB668 74FB75BC 523E526D 7B61C1BF 7CBC8301 116FBA12 394742CA 9E20F783
  1A274A7D EA1DD208 BF3FE8C0 3CDC5D11 6503C3CB EB47BA2B B71FE034 190C9C92
  A052718C 882BD919 2425A51B 9805C15E 9F6AC7D2 BCF667A8 963335C0 FC452FA8
  FE710203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 A55A26AD
  CED7752E 39BB0FA9 2B89F96F CE5336C9 301D0603 551D0E04 160414A5 5A26ADCE
  D7752E39 BB0FA92B 89F96FCE 5336C930 0D06092A 864886F7 0D010104 05000381
  810079B8 E6C8E12D 920023C9 2A0A730A 34717EF7 47300C04 F1A56B3A 1E5E6A1A
  22E83442 50550BBD 7F7FF547 D697EA44 1B6433CA EE21DF22 04A81AD6 90B3E37A
  3F7A2F7B 1BD3EC52 80BD0747 0335E7D5 597E0A8E D5446018 4126F41D 90AAA815
  BDB9A878 8941083D 6CF93AAB EB2C4574 4C3C1015 421E13E9 BEF074A8 5E9779BF FF67
       quit
dot11 syslog
ip source-route
!
!
!
ip dhcp pool inside
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 208.67.222.222 208.67.220.220
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
password encryption aes
!
!
username cisco privilege 15 secret 5 $1$SLpF$faZxmVpsbDxRp9AP5RNbn/
!
!
!
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key 6 diVchD[BbOObaCh\ULLO\NMEWLPGGAfGRNfBb^VeB]LLQLRM
 mode client
 peer 80.11.82.100
 virtual-interface 1
 username thfvpn2 password 6 JV_`hGWVKLObb]V\\IZTKYTCUNHXORGPJYDONT`\d[
 xauth userid mode local
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 no ip address
!
interface Vlan75
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname fti/2egd7pc
 ppp chap password 7 0756254E170F1C1C
 ppp pap sent-username fti/2egd7pc password 7 0552020D784A4B10
 ppp ipcp dns request
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip http server
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
!
scheduler max-task-time 5000
end
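As an added example that is not part of the original post: a small Python parser for IOS console/syslog lines of the shape shown above (`%FACILITY-SEVERITY-MNEMONIC: text`). It pulls the peer address out of both the EZVPN `Key=Value` form and the IKMP prose form, counts CRYPTO messages per peer, and flags a peer for which both an EZVPN drop and unencrypted IKE packets were seen. The sample log is constructed from the two lines in the post plus one repeated line; the regexes and the finding text are the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the two console lines from the post, plus one repeat of the
# second so the per-peer counter has something to accumulate.
SAMPLE_LOG = """\
*Aug  8 12:43:52.971: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZVPN_GROUP_1  Server_public_addr=80.11.82.100
*Aug  8 12:44:04.924: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 80.11.82.100 was not encrypted and it should've been.
*Aug  8 12:44:34.110: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 80.11.82.100 was not encrypted and it should've been.
"""

# IOS syslog shape: optional leading '*' (clock not authoritative), a timestamp,
# then %FACILITY-SEVERITY-MNEMONIC: free text.
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")                       # EZVPN messages: Key=Value pairs
PEER_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")  # IKMP messages: peer in prose


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    fields = dict(KV_RE.findall(rec["text"]))
    peer = fields.get("Server_public_addr")
    if peer is None:
        pm = PEER_RE.search(rec["text"])
        peer = pm.group(1) if pm else None
    rec["fields"] = fields
    rec["peer"] = peer
    return rec


def summarize(log_text):
    """Count CRYPTO mnemonics per peer and flag peers showing both an EZVPN drop
    and IKE packets that arrived unencrypted when the client expected them encrypted."""
    per_peer = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["facility"] != "CRYPTO":
            continue
        per_peer[rec["peer"]][rec["mnemonic"]] += 1
    findings = []
    for peer, counts in per_peer.items():
        if counts["EZVPN_CONNECTION_DOWN"] and counts["IKMP_NOT_ENCRYPTED"]:
            findings.append(
                f"{peer}: EZVPN client down and {counts['IKMP_NOT_ENCRYPTED']} "
                "unencrypted IKE packet(s) received; compare 'show crypto isakmp sa' on both peers"
            )
    return {"per_peer": {p: dict(c) for p, c in per_peer.items()}, "findings": findings}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for peer, counts in result["per_peer"].items():
        print(peer, counts)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Feed it the output of `terminal monitor` or a syslog collector's file instead of `SAMPLE_LOG` to see whether the IKMP_NOT_ENCRYPTED messages track a single peer and how often they recur.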

1 Reply 1

You will find below the configuration of the server, if it can help in diagnosis.

Best regards

Current configuration : 9081 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$ivUp$NqRs6bmNc.OgFFkGCrh1B1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local 
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-197926840
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-197926840
 revocation-check none
 rsakeypair TP-self-signed-197926840
!
!
crypto pki certificate chain TP-self-signed-197926840
 certificate self-signed 01
  3082023B 308201A4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31393739 32363834 30301E17 0D313131 32303830 39333430 
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3139 37393236 
  38343030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  B88A224D BB963F99 CF673115 4966D8CF AFB05D15 1EE8F082 51A83EF9 28076540 
  C8CC075E A4B3C14A F27E7CE3 58A28F66 85A00FB4 152A29B6 B0B144ED A37C82B2 
  E52B3EFE 43E9D34F FF7B6132 C191E365 523228E2 D531D777 E1F081C0 70FC2F9F 
  A85712A0 04B698D7 09FA32B1 67A185D0 0E024625 8FB1B208 71A1CDC5 B6A9028F 
  02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D 
  11040930 07820553 52353230 301F0603 551D2304 18301680 141E0283 885027DB 
  05254B77 1A4C6C15 6629A3A1 5C301D06 03551D0E 04160414 1E028388 5027DB05 
  254B771A 4C6C1566 29A3A15C 300D0609 2A864886 F70D0101 04050003 8181006D 
  10808258 DF48712D 8C15CD94 C6F4E931 130E8347 D14CADDB 4506B89B 8FFF852C 
  8ECB6698 2BA7BC70 32F0BDE4 75E96C2B B598F9C1 970C29F5 C3225512 5AA2AEEB 
  68E78808 C0C9E0D2 DE3FF7C7 CA0584DE 7B49FCAA 397F6DCE F1254140 6FCDD8F1 
  EE162C1E 2EA6A58C 1523C352 A4110E34 C2C12B99 96C2416A 55642E61 276679
       quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool inside
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username cisco privilege 15 secret 5 $1$IGpr$Pq8mZdfgfGWTXYW4heUBd/
username thfvpn secret 5 $1$x6hr$giyMhMZXgKs7DJQ8IuulG1
username thfvpn2 secret 5 $1$X1zF$eZC/9Zuwk1vk2.cuS2Elr/
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key MyUnencryptedKey
 dns 81.253.89.1 80.10.246.2
 pool SDM_POOL_1
 acl 101
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM-Voice-permit
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all dhcp_out_self
 match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
 match access-group name dhcp-req-permit
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect dhcp_self_out
  pass
 class type inspect sdm-cls-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-insp-traffic
  inspect 
 class type inspect sdm-protocol-http
  inspect 
 class type inspect SDM-Voice-permit
  pass
 class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
 class type inspect SDM-Voice-permit
  pass
 class class-default
  drop
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect dhcp_out_self
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-out-in source out-zone destination in-zone
 service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface Virtual-Template3 type tunnel
 ip unnumbered Vlan75
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan75
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer2
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname fti/vy6u3wb
 ppp chap password 7 08241F1A0D090045
 ppp pap sent-username fti/vy6u3wb password 7 1412415F08142F79
 ppp ipcp dns request
!
ip local pool SDM_POOL_1 192.168.1.100 192.168.1.109
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 192.168.10.0 255.255.255.0 Vlan75
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer2 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended dhcp-req-permit
 remark SDM_ACL Category=1
 permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
 remark SDM_ACL Category=1
 permit udp any eq bootps any eq bootpc
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
end
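As an added example that is not part of the thread: a Python checker that parses trimmed excerpts of the two running-configs above (using IOS's own indentation to group sub-commands under their parent line) and cross-checks the EasyVPN client profile against the server's client configuration group, split-tunnel ACL, ISAKMP profile and virtual-template. The excerpts are copied from the posted configs with the client's type-6 key blob replaced by a placeholder; the check names, message wording and the handling of an explicit `outside` keyword are the example's own assumptions. It only confirms that the static references line up on both sides; it does not diagnose the IKE messages.

```python
# Trimmed excerpts (constructed for this example) of the two running-configs in
# the thread: only EZVPN-relevant lines are kept, indented as IOS prints them,
# and the client's type-6 key blob is replaced by a placeholder.
CLIENT_CFG = """\
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 group EZVPN_GROUP_1 key 6 TYPE6-BLOB-PLACEHOLDER
 mode client
 peer 80.11.82.100
 virtual-interface 1
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
!
interface Vlan75
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface Dialer0
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
"""

SERVER_CFG = """\
crypto isakmp client configuration group EZVPN_GROUP_1
 key MyUnencryptedKey
 pool SDM_POOL_1
 acl 101
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   virtual-template 3
!
interface Virtual-Template3 type tunnel
 tunnel mode ipsec ipv4
!
ip local pool SDM_POOL_1 192.168.1.100 192.168.1.109
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

def parse_blocks(cfg):
    """(header, [sub-commands]) per block; IOS indents sub-commands and '!' ends a block."""
    blocks = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def find(blocks, prefix):
    return [(h, k) for h, k in blocks if h.startswith(prefix)]

def check_ezvpn_pair(client_cfg, server_cfg):
    """Return human-readable findings; an empty list means every reference lines up."""
    out = []
    cb, sb = parse_blocks(client_cfg), parse_blocks(server_cfg)
    profiles = find(cb, "crypto ipsec client ezvpn ")
    if not profiles:
        return ["client: no 'crypto ipsec client ezvpn' profile"]
    hdr, kids = profiles[0]
    prof = hdr.split()[-1]
    c = {k.split()[0]: k.split()[1] for k in kids if len(k.split()) > 1}  # group, mode, peer, ...
    # Binding lines: IOS also accepts an explicit 'outside' keyword (omitted on the post's Dialer0).
    bind = f"crypto ipsec client ezvpn {prof}"
    outside = [h for h, k in find(cb, "interface ") if bind in k or bind + " outside" in k]
    inside = [h for h, k in find(cb, "interface ") if bind + " inside" in k]
    if len(outside) != 1:
        out.append(f"client: expected exactly one outside interface, found {outside}")
    if not inside:
        out.append("client: profile is not bound to any inside interface")
    vi = c.get("virtual-interface")
    if vi and not find(cb, f"interface Virtual-Template{vi} "):
        out.append(f"client: virtual-interface {vi} has no matching Virtual-Template")
    groups = {h.split()[-1]: k for h, k in find(sb, "crypto isakmp client configuration group ")}
    if c.get("group") not in groups:
        out.append(f"server: no client configuration group named {c.get('group')}")
    else:
        g = groups[c["group"]]
        key = next((k for k in g if k.startswith("key ")), "")
        if not key.startswith("key 6 "):
            out.append("server: group pre-shared key is missing or stored in cleartext (not type 6)")
        acl = next((k.split()[1] for k in g if k.startswith("acl ")), None)
        if acl and not (find(sb, f"access-list {acl} ") or find(sb, f"ip access-list extended {acl}")):
            out.append(f"server: split-tunnel acl {acl} is referenced but not defined")
    # The isakmp profile matching this group must point at an existing virtual-template.
    for h, k in find(sb, "crypto isakmp profile "):
        if f"match identity group {c.get('group')}" in k:
            vt = next((x.split()[1] for x in k if x.startswith("virtual-template ")), None)
            if vt is None or not find(sb, f"interface Virtual-Template{vt} "):
                out.append(f"server: {h} points at a missing Virtual-Template{vt}")
            break
    else:
        out.append(f"server: no isakmp profile matches identity group {c.get('group')}")
    return out

if __name__ == "__main__":
    for line in check_ezvpn_pair(CLIENT_CFG, SERVER_CFG) or ["no mismatches found"]:
        print(line)
```

Run against the full `show running-config` output of both routers (the parser ignores lines it does not need); on the excerpts above the only finding is the server-side group key being stored without type-6 encryption, which is a hygiene point rather than a connectivity one.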