871w, remote access vpn, and radius - Issue with connecting through VPN

asucrews2010
Level 1

Hello, below is my VPN config in my 871 and my RADIUS user config. I am unable to connect to the VPN using the Cisco VPN client. I am getting one of two errors depending on what config changes I make. I believe I have RADIUS configured correctly because it is authenticating, but I'm not 100% sure.

Error I first received, with no changes.

50     22:00:48.120  08/22/12  Sev=Warning/2    IKE/0xE3000023
No private IP address was assigned by the peer

Error I received after adding "crypto isakmp client configuration address-pool local VPN-Pool"

45     21:59:38.435  08/22/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
    Destination    172.28.29.255
    Netmask    255.255.255.255
    Gateway    192.168.17.1
    Interface    192.168.17.17
46     21:59:38.435  08/22/12  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: ac1c1dff, Netmask: ffffffff, Interface: c0a81111, Gateway: c0a81101.

Radius users config

VPN-Clients     Cleartext-Password := "cisco"
                Service-Type = "Outbound-User",
                Tunnel-Type="ESP",
                Tunnel-Password="<removed>",
                cisco-avpair = "ipsec:tunnel-type*ESP",
                cisco-avpair = "ipsec:key-exchange=ike",
                cisco-avpair = "ipsec:addr-pool=VPN-Pool",
                cisco-avpair = "ipsec:default-domain=<removed>",
                cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel",
                cisco-avpair = "ipsec:dns-servers=192.168.16.10 68.105.29.12"

DEFAULT         Auth-Type := Pam
                Service-Type = Login,
                cisco-avpair = "ipsec:user-vpn-group=VPN-Clients",
                cisco-avpair = "ipsec:addr-pool=VPN-Pool",
                cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel"

VPN config on router:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <removed> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 900
!
crypto isakmp client configuration group VPN-Clients
 key <removed>
 dns 192.168.16.10 68.105.28.12
 domain <removed>
 pool VPN-Pool
 acl VPN-Split-Tunnel
 max-users 6
 netmask 255.255.255.128
crypto isakmp profile vpn-ike-profile-1
   match identity group VPN-Clients
   client authentication list VPN-Users
   isakmp authorization list VPN-Users
   client configuration address respond
   client configuration group VPN-Clients
   keepalive 60 retry 30
   virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set encrypt-method-1 esp-aes 256 esp-sha-hmac comp-lzs
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
 set isakmp-profile vpn-ike-profile-1
!
interface Virtual-Template1 type tunnel
 description VPN Zone Inside
 ip unnumbered Vlan10
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.17.1 192.168.17.17
!
ip access-list extended VPN-Split-Tunnel
 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.128
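The two client-side messages quoted in the post describe the same failed route twice: the CVPND line in dotted-quad form and the CM line with each address as a big-endian 32-bit hex value (ac1c1dff is 172.28.29.255, c0a81101 is 192.168.17.1). The following parser is an added example, not code from the thread or from Cisco; it decodes both formats into one record, confirms the two messages agree, and reports whether the route's destination and gateway fall inside the VPN pool. The sample log is constructed in the shape of the quoted lines, and the pool 192.168.17.0/25 is an assumption taken from the group's netmask 255.255.255.128.

```python
"""Decode the Cisco VPN client "AddRoute failed" / "Unable to add route" log
pair. Added example, not from the thread: the CM line carries the same route
as the CVPND line, but with each address as a big-endian 32-bit hex value."""
import ipaddress
import re

# Constructed sample, copied in shape from the two messages quoted in the post.
SAMPLE_LOG = """\
45     21:59:38.435  08/22/12  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
    Destination    172.28.29.255
    Netmask    255.255.255.255
    Gateway    192.168.17.1
    Interface    192.168.17.17
46     21:59:38.435  08/22/12  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: ac1c1dff, Netmask: ffffffff, Interface: c0a81111, Gateway: c0a81101.
"""

# Event header: sequence, time, date, Sev=Level/N, SOURCE/0xCODE
HDR_RE = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)")
# Indented "Name    value" detail lines under a CVPND AddRoute message
FIELD_RE = re.compile(r"^\s+(Destination|Netmask|Gateway|Interface)\s+(\S+)")
# CM line: four hex-encoded IPv4 addresses
CM_RE = re.compile(
    r"Network: ([0-9a-f]{8}), Netmask: ([0-9a-f]{8}), "
    r"Interface: ([0-9a-f]{8}), Gateway: ([0-9a-f]{8})")


def hex_ip(h):
    """'c0a81101' -> '192.168.17.1' (the CM encoding is a plain big-endian u32)."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def parse_log(text):
    """Group the log into events; every route-carrying event ends up with the
    same four dotted-quad fields regardless of which message format it used."""
    events, cur = [], None
    for line in text.splitlines():
        h = HDR_RE.match(line)
        if h:
            cur = {"seq": int(h.group(1)), "source": h.group(6),
                   "code": h.group(7).upper(), "fields": {}}
            events.append(cur)
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            cur["fields"][f.group(1).lower()] = f.group(2)
            continue
        cur.setdefault("message", line.strip())
        c = CM_RE.search(line)
        if c:
            net, mask, iface, gw = map(hex_ip, c.groups())
            cur["fields"].update(destination=net, netmask=mask,
                                 interface=iface, gateway=gw)
    return events


def summarize(event, pool_cidr):
    """Describe the route an event failed to install, relative to the VPN pool."""
    f = event["fields"]
    pool = ipaddress.IPv4Network(pool_cidr)
    route = ipaddress.IPv4Network(f"{f['destination']}/{f['netmask']}", strict=False)
    return {
        "route": str(route),
        "host_route": route.prefixlen == 32,
        "destination_in_pool": route.network_address in pool,
        "gateway_in_pool": ipaddress.IPv4Address(f["gateway"]) in pool,
    }


if __name__ == "__main__":
    # Assumed pool: 192.168.17.0/25, i.e. the group's netmask 255.255.255.128.
    for ev in parse_log(SAMPLE_LOG):
        print(ev["seq"], ev["source"], ev["code"], ev.get("message"))
        print("   ", summarize(ev, "192.168.17.0/25"))
```

Run on the sample, both events decode to the same /32 route whose gateway (192.168.17.1) is inside the assumed pool while the destination (172.28.29.255) is not; comparing the two records is a quick sanity check that the hex decoding is right before reading anything into the route itself.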

3 Replies

asucrews2010
Level 1

Update:

When I remove the authentication through RADIUS, the VPN connection works. So my issue lies with my RADIUS config. Any idea?

asucrews2010
Level 1

Update 2:

I have fixed the issue with "AddRoute failed to add a route with metric of 0" by adding the Cisco-AVPair = "isakmp-group-id=VPN-Clients"; however, this leads me to a new problem where the local resources are not accessible or pingable after the VPN connection is made. Below is the updated config for the router and RADIUS. Is there something incorrect about my config that would be stopping users from accessing resources?

Router:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ***** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 900
crypto isakmp client configuration address-pool local VPN-Pool
!
crypto isakmp client configuration group VPN-Clients
 key *****
 dns *****
 pool VPN-Pool
 acl VPN-Split-Tunnel
 group-lock
 split-dns *****
 max-users 6
 netmask 255.255.255.128
crypto isakmp profile vpn-ike-profile-1
   match identity group VPN-Clients
   client authentication list VPN-Users
   isakmp authorization list VPN-Users
   client configuration address respond
   client configuration group VPN-Clients
   keepalive 60 retry 30
   virtual-template 1
!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set encrypt-method-1 esp-aes 256 esp-sha-hmac comp-lzs
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
 set isakmp-profile vpn-ike-profile-1
!
interface Virtual-Template1 type tunnel
 description VPN Zone Inside
 ip unnumbered Vlan10
 ip nat inside
 ip virtual-reassembly
 zone-member security Inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.17.0 192.168.17.127 group VPN-Pool
!
ip nat inside source list NAT interface FastEthernet4 overload
!
ip access-list extended VPN-Split-Tunnel
 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255

Radius:

VPN-Clients     Cleartext-Password := "cisco"
                Service-Type = "Outbound-User",
                Tunnel-Type="ESP",
                Tunnel-Password="*****",
                Cisco-AVPair = "isakmp-group-id=VPN-Clients",
                cisco-avpair += "ipsec:tunnel-type*ESP",
                cisco-avpair += "ipsec:key-exchange=ike",
                cisco-avpair += "ipsec:addr-pool=VPN-Pool",
                cisco-avpair += "ipsec:default-domain=*****",
                cisco-avpair += "ipsec:inacl=VPN-Split-Tunnel",
                cisco-avpair += "ipsec:dns-servers=*****",
                Framed-IP-Netmask = 255.255.255.128

DEFAULT         Auth-Type := Pam
                Service-Type = NAS-Prompt-User,
                cisco-avpair = "ipsec:tunnel-type*ESP",
                Cisco-AVPair += "isakmp-group-id=VPN-Clients",
                cisco-avpair += "ipsec:key-exchange=ike",
                cisco-avpair += "ipsec:addr-pool=VPN-Pool",
                cisco-avpair += "ipsec:default-domain=*****",
                cisco-avpair += "ipsec:inacl=VPN-Split-Tunnel",
                cisco-avpair += "ipsec:dns-servers=*****",
                cisco-avpair += "ipsec:user-vpn-group=VPN-Clients"

asucrews2010
Level 1

Update 3: the errors looked to be in the RADIUS setup. I changed Service-Type to Outbound-User on the DEFAULT user entry and everything works great.
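Two things changed between the first RADIUS users file and the working one above: the repeated cisco-avpair reply items moved from "=" to "+=" (in the FreeRADIUS users file, "=" adds a reply attribute only if none of that name is already present, so all but the first of a repeated "=" line are silently dropped, while "+=" always appends), and the DEFAULT entry's Service-Type became Outbound-User. The following audit script is an added example, not code from the thread or from FreeRADIUS; it parses users-file entries, flags repeated reply attributes that use "=", reports a DEFAULT Service-Type other than Outbound-User (the thread's own fix, applied here as a check rather than a general rule), and cross-references every ipsec:addr-pool and ipsec:inacl name against the pool and ACL names defined in the router config. The users entry and IOS snippet below are constructed to mirror the first post's configuration, with one deliberately missing ACL name so the cross-reference check has something to find.

```python
"""Audit a FreeRADIUS users-file entry for an IOS IPsec remote-access group
against the router config. Added example, not the thread's own tooling."""
import re
from collections import Counter

# Constructed sample in the shape of the first post's users file: reply items
# repeated with "=" and a DEFAULT entry that hands out Service-Type Login.
# "Missing-ACL" is a deliberate mismatch so the cross-reference check fires.
SAMPLE_USERS = """\
VPN-Clients     Cleartext-Password := "cisco"
                Service-Type = "Outbound-User",
                cisco-avpair = "ipsec:key-exchange=ike",
                cisco-avpair = "ipsec:addr-pool=VPN-Pool",
                cisco-avpair = "ipsec:inacl=VPN-Split-Tunnel"

DEFAULT         Auth-Type := Pam
                Service-Type = Login,
                cisco-avpair = "ipsec:addr-pool=VPN-Pool",
                cisco-avpair = "ipsec:inacl=Missing-ACL"
"""

# Constructed IOS fragment: only the lines whose names the users file refers to.
SAMPLE_IOS = """\
ip local pool VPN-Pool 192.168.17.1 192.168.17.17
ip access-list extended VPN-Split-Tunnel
 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.128
"""

# One "Attribute op value[,]" item; the operator decides reply-list behaviour.
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*(.*?)\s*,?\s*$')


def parse_item(text):
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"unparsable users-file item: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text):
    """Split a users file into entries: a non-indented header line carries the
    name and comma-separated check items, indented lines are reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            current = None            # blank line ends the entry
            continue
        if not raw[0].isspace():
            name, _, rest = raw.partition(" ")
            current = {"name": name, "reply": [],
                       "check": [parse_item(p) for p in rest.split(",") if p.strip()]}
            entries.append(current)
        elif current is not None:
            current["reply"].append(parse_item(raw))
    return entries


def parse_ios_names(text):
    """Collect the local-pool and named-ACL identifiers an IOS config defines."""
    pools = set(re.findall(r"^ip local pool (\S+)", text, re.M))
    acls = set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", text, re.M))
    return pools, acls


def audit_entry(entry, pools, acls):
    """Return (entry name, finding code, detail) tuples for one entry."""
    findings, reply, flagged = [], entry["reply"], set()
    counts = Counter(attr.lower() for attr, _, _ in reply)
    for attr, op, _ in reply:
        key = attr.lower()
        if op == "=" and counts[key] > 1 and key not in flagged:
            flagged.add(key)          # "=" keeps only the first copy; "+=" appends
            findings.append((entry["name"], "dup-eq",
                             f"{attr} repeated {counts[key]}x with '='; use '+='"))
    for attr, _, value in reply:
        if attr.lower() == "cisco-avpair":
            key, _, name = value.partition("=")
            if key == "ipsec:addr-pool" and name not in pools:
                findings.append((entry["name"], "missing-pool", name))
            elif key == "ipsec:inacl" and name not in acls:
                findings.append((entry["name"], "missing-acl", name))
        elif attr.lower() == "service-type" and value.lower() not in ("outbound-user", "outbound"):
            findings.append((entry["name"], "service-type", value))
    return findings


def audit(users_text, ios_text):
    pools, acls = parse_ios_names(ios_text)
    return [f for e in parse_users(users_text) for f in audit_entry(e, pools, acls)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_IOS):
        print(*finding, sep="  ")
```

On the constructed sample the audit reports the repeated "=" items in both entries, the Login Service-Type on DEFAULT, and the ACL name the router never defines; rewriting the repeats as "+=", setting Outbound-User and pointing inacl at VPN-Split-Tunnel leaves it with nothing to report, which is the shape the thread's working configuration takes.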
