01-17-2013 08:46 AM - edited 02-21-2020 06:37 PM
Hello,
Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations.
I want to configure an IPSec client on a Cisco 2600 router which connects to the remote IPSec server so the workstations can access the VPN subnet without using VPN software.
Can anyone guide me on how to configure the IPSec client on the router?
Thanks
01-21-2013 04:09 AM
I think it is because the encryption and hash algorithms don't match? Because when I connect from the Cisco VPN Client software I can see that the encryption is 128-bit AES and authentication is hmac-sha1.
But from the router log it is:
*Jan 19 14:32:34.868: ISAKMP: encryption 3DES-CBC
*Jan 19 14:32:34.868: ISAKMP: hash MD5
How do I change the encryption parameters?
Thanks
01-21-2013 04:35 AM
Hi Adam,
It looks strange that you didn't match ISAKMP policies but phase 1 was completed.
Could you attach the logs from:
#debug crypto isakmp packet
#debug crypto isakmp detail
Kind regards
Michal
01-21-2013 08:24 PM
01-24-2013 11:36 AM
Hi Adam,
Sorry for my late response, I am a bit ill.
I have checked the logs and did a small repro. To me it looks like the server is not supporting NEM:
This is from VPN server with NEM disabled:
Nov 30 00:13:56 [IKEv1 DEBUG]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, MODE_CFG: Received request for DHCP hostname for DDNS is: R1!
Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, Hardware Client connection rejected! Network Extension Mode is not allowed for this group!
On client:
*Mar 1 00:45:56.387: ISAKMP:(1007): sending packet to 10.10.10.13 my_port 500 peer_port 500 (I) CONF_ADDR
*Mar 1 00:45:56.439: ISAKMP (0:1007): received packet from 10.10.10.13 dport 500 sport 500 Global (I) CONF_ADDR
*Mar 1 00:45:56.439: DGVPN:crypt_iv after decrypt, sa:650BE464
7BCF116E8E4DFF6C
*Mar 1 00:45:56.443:
*Mar 1 00:45:56.443: ISAKMP: Information packet contents (flags 1, len 92):
*Mar 1 00:45:56.447: HASH payload
*Mar 1 00:45:56.447: DELETE payload
*Mar 1 00:45:56.459: ISAKMP: Information packet contents (flags 1, len 80):
*Mar 1 00:45:56.459: HASH payload
*Mar 1 00:45:56.459: DELETE payload
*Mar 1 00:45:56.459: DGVPN: crypt_iv after encrypt, sa:650BE464
Change it to client mode and try it.
Kind regards
Michal
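Added example, not part of the original thread and not the poster's configuration: a minimal IOS Easy VPN Remote profile showing where the mode is set, with the Network Extension Mode line that the server rejected left as a comment beside the client-mode line. The profile name, group name, key, peer address and interface names are placeholders and assumptions.

```cisco
! Easy VPN Remote profile (all names and values below are placeholders)
crypto ipsec client ezvpn EZVPN-REMOTE
 connect auto
 ! Group name and pre-shared key must match the group defined on the VPN server
 group <GROUP-NAME> key <GROUP-KEY>
 ! Rejected by a server whose group does not allow NEM:
 !   mode network-extension
 ! Client mode: the router receives an address from the server and
 ! translates the inside hosts behind it
 mode client
 ! Address of the remote IPSec server (documentation address used here)
 peer 192.0.2.1
 ! Prompt for Xauth credentials on the console instead of storing them
 xauth userid mode interactive
!
! Interface facing the VPN server (assumed name)
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN-REMOTE outside
!
! Interface facing the workstations (assumed name)
interface FastEthernet0/1
 crypto ipsec client ezvpn EZVPN-REMOTE inside
```

The tunnel state and the mode in use can be checked with `show crypto ipsec client ezvpn`.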
01-25-2013 05:02 AM
Hi Michal,
Client mode works perfectly. Thank you so much for your help and get well soon.
Best regards
Adam
01-24-2013 12:30 PM
Hi Adam,
Are you using Cisco Easy VPN on your central site? What are you using? (router, ASA, ...)
I saw you are using subinterfaces to set up your environment. I don't really recommend that; you should use 2 physical interfaces to set up the remote VPN correctly on your Cisco 2600.
Best regards.