Cisco 2600 router as an IPSec client

adamfayaz
Beginner

Hello,

Currently I'm using Cisco VPN client software on the workstations to connect to a remote IPSec server.

I want to configure an IPSec client on the Cisco 2600 router which connects to the remote IPSec server, so the workstations can access the VPN subnet without using VPN software.

Can anyone guide me on how to configure an IPSec client on the router?

Thanks

20 Replies

I think it is because the encryption and hash algorithms don't match, because when I connect from the Cisco VPN Client software I can see that the encryption is 128-bit AES and the authentication is HMAC-SHA1.

But from the router log it is:

*Jan 19 14:32:34.868: ISAKMP:      encryption 3DES-CBC

*Jan 19 14:32:34.868: ISAKMP:      hash MD5

How do I change the encryption parameters?

Thanks

Hi Adam,

It looks strange that the ISAKMP policies didn't match but phase 1 was completed.

Could you attach the logs from:

#debug crypto isakmp packet

#debug crypto isakmp detail

Kind regards

Michal

Hi Michal,

Attached is the isakmp debug log.

Thanks

Hi Adam,

Sorry for my late response, I am a bit ill.

I have checked the logs and did a small repro. To me it looks like the server is not supporting NEM (network extension mode):

This is from VPN server with NEM disabled:

Nov 30 00:13:56 [IKEv1 DEBUG]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, MODE_CFG: Received request for DHCP hostname for DDNS is: R1!

Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, Hardware Client connection rejected!  Network Extension Mode is not allowed for this group!

On client:

*Mar  1 00:45:56.387: ISAKMP:(1007): sending packet to 10.10.10.13 my_port 500 peer_port 500 (I) CONF_ADDR   

*Mar  1 00:45:56.439: ISAKMP (0:1007): received packet from 10.10.10.13 dport 500 sport 500 Global (I) CONF_ADDR   

*Mar  1 00:45:56.439: DGVPN:crypt_iv after decrypt, sa:650BE464

7BCF116E8E4DFF6C

*Mar  1 00:45:56.443:

*Mar  1 00:45:56.443: ISAKMP: Information packet contents (flags 1, len 92):

*Mar  1 00:45:56.447:           HASH payload

*Mar  1 00:45:56.447:           DELETE payload

*Mar  1 00:45:56.459: ISAKMP: Information packet contents (flags 1, len 80):

*Mar  1 00:45:56.459:           HASH payload

*Mar  1 00:45:56.459:           DELETE payload

*Mar  1 00:45:56.459: DGVPN: crypt_iv after encrypt, sa:650BE464

Change it to client mode and try it.

Kind regards

Michal
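For reference, here is the Easy VPN remote configuration that corresponds to Michal's advice. This is an added example, not configuration posted in the thread: the profile name, group name, keys, peer address, interface names and addresses are all placeholders and must be replaced with the values of the central-site server. The "mode" line is the one that decides between client mode (works against the server in the logs above) and network-extension mode (rejected by that server's group).

```cisco
! Added example: Easy VPN remote (hardware client) on an IOS router, client mode.
! All names, addresses and credentials below are placeholders.
crypto ipsec client ezvpn EZVPN-REMOTE
 connect auto
 ! Group name and pre-shared key as defined on the Easy VPN server
 group EZVPN-GROUP key GROUP-PRESHARED-KEY
 ! Public address of the central-site Easy VPN server
 peer 203.0.113.10
 ! client = router gets one address from the server's pool and PATs the LAN behind it
 ! network-extension = LAN subnet is routed through the tunnel unchanged;
 !                     the server's group must explicitly allow NEM, otherwise
 !                     the connection is rejected as in the log above
 mode client
 ! XAUTH credentials stored on the router so no user interaction is needed
 username adam password XAUTH-PASSWORD
 xauth userid mode local
!
! Outside (WAN) interface: the IPSec tunnel is built from here
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto ipsec client ezvpn EZVPN-REMOTE
!
! Inside (LAN) interface where the workstations sit
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn EZVPN-REMOTE inside
```

After applying it, "show crypto ipsec client ezvpn" shows the tunnel state and, in client mode, the address assigned by the server; "show crypto isakmp sa" and "show crypto ipsec sa" confirm the phase 1 and phase 2 SAs. If the server is an ASA and NEM is wanted instead, the group policy for that group needs "nem enable" in addition to changing "mode client" to "mode network-extension" on the router; without that server-side change the router will fall into the same DELETE exchange shown in the debug output.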

Hi Michal,

Client mode works perfectly. Thank you so much for your help and get well soon.

Best regards

Adam

Emmanuel Valdez
Participant

Hi Adam,

Are you using Cisco Easy VPN on your central site? What are you using (router, ASA)?

I saw you are using subinterfaces to set up your environment. I don't really recommend that; you should use 2 physical interfaces to set up the remote VPN correctly on your Cisco 2600.

Best regards.
