09-13-2010 08:03 AM - edited 02-21-2020 04:50 PM
I have a 2911 Router that I am trying to configure for remote VPN access.
I have tried three different clients, with varying results (none of them successful).
Using the Cisco VPN Client version 5:
Cisco Systems VPN Client Version 5.0.00.0320
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 09:44:17.011 09/13/10 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 09:44:21.027 09/13/10 Sev=Info/4 CM/0x63100002
Begin connection process
3 09:44:21.292 09/13/10 Sev=Info/4 CM/0x63100004
Establish secure connection
4 09:44:21.292 09/13/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "74.124.21.40"
5 09:44:22.027 09/13/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.21.40.
6 09:44:22.105 09/13/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.21.40
7 09:44:22.120 09/13/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
8 09:44:22.120 09/13/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
9 09:44:22.120 09/13/10 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.21.40
10 09:44:22.120 09/13/10 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
11 09:44:22.136 09/13/10 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
12 09:44:22.136 09/13/10 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
...and on the 2911...
*Sep 13 14:44:26.822: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Sep 13 14:44:26.822: ISAKMP: encryption 3DES-CBC
*Sep 13 14:44:26.822: ISAKMP: hash SHA
*Sep 13 14:44:26.822: ISAKMP: default group 2
*Sep 13 14:44:26.822: ISAKMP: auth pre-share
*Sep 13 14:44:26.822: ISAKMP: life type in seconds
*Sep 13 14:44:26.822: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 14:44:26.822: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Sep 13 14:44:26.822: ISAKMP:(0):atts are not acceptable. Next payload is 3
Using Windows XP Networking:
2911 Router:
*Sep 13 14:51:28.674: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Sep 13 14:51:28.674: ISAKMP: encryption 3DES-CBC
*Sep 13 14:51:28.674: ISAKMP: hash SHA
*Sep 13 14:51:28.674: ISAKMP: default group 2
*Sep 13 14:51:28.674: ISAKMP: auth pre-share
*Sep 13 14:51:28.674: ISAKMP: life type in seconds
*Sep 13 14:51:28.674: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 13 14:51:28.674: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 13 14:51:28.674: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 13 14:51:28.674: ISAKMP:(0):Acceptable atts:life: 0
*Sep 13 14:51:28.674: ISAKMP:(0):Fill atts in sa vpi_length:4
*Sep 13 14:51:28.674: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Sep 13 14:51:28.674: ISAKMP:(0):Returning Actual lifetime: 28800
*Sep 13 14:51:28.674: ISAKMP:(0)::Started lifetime timer: 28800.
*Sep 13 14:51:28.674: ISAKMP:(0): processing vendor id payload
*Sep 13 14:51:28.674: ISAKMP:(0): processing IKE frag vendor id payload
*Sep 13 14:51:28.674: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Sep 13 14:51:28.674: ISAKMP:(0): processing vendor id payload
*Sep 13 14:51:28.674: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 13 14:51:28.674: ISAKMP:(0): processing vendor id payload
*Sep 13 14:51:28.674: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 13 14:51:28.674: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 13 14:51:28.674: ISAKMP:(0): processing vendor id payload
*Sep 13 14:51:28.674: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 13 14:51:28.674: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 13 14:51:28.678: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Sep 13 14:51:28.678: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Sep 13 14:51:28.678: ISAKMP:(0): sending packet to 71.244.0.152 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Sep 13 14:51:28.678: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 13 14:51:28.678: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 13 14:51:28.678: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Sep 13 14:51:28.854: ISAKMP (0): received packet from 71.244.0.152 dport 500 sport 500 Global (R) MM_SA_SETUP
*Sep 13 14:51:28.854: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 13 14:51:28.854: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Sep 13 14:51:28.854: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 13 14:51:28.874: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 13 14:51:28.874: ISAKMP:(0):found peer pre-shared key matching 71.244.0.152
*Sep 13 14:51:28.874: ISAKMP:received payload type 20
*Sep 13 14:51:28.874: ISAKMP (1028): His hash no match - this node outside NAT
*Sep 13 14:51:28.874: ISAKMP:received payload type 20
*Sep 13 14:51:28.874: ISAKMP (1028): His hash no match - this node outside NAT
Using Windows 7 Networking:
*Sep 13 14:55:30.638: ISAKMP:(1029):Checking IPSec proposal 2
*Sep 13 14:55:30.638: ISAKMP: transform 1, ESP_3DES
*Sep 13 14:55:30.638: ISAKMP: attributes in transform:
*Sep 13 14:55:30.638: ISAKMP: encaps is 4 (Transport-UDP)
*Sep 13 14:55:30.638: ISAKMP: authenticator is HMAC-SHA
*Sep 13 14:55:30.638: ISAKMP: SA life type in seconds
*Sep 13 14:55:30.638: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Sep 13 14:55:30.638: ISAKMP: SA life type in kilobytes
*Sep 13 14:55:30.638: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Sep 13 14:55:30.638: ISAKMP:(1029):atts are acceptable.
*Sep 13 14:55:30.638: IPSEC(validate_proposal_request): proposal part #1
*Sep 13 14:55:30.638: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 74.124.21.40, remote= 71.244.0.152,
local_proxy= xx.xx.21.40/255.255.255.255/17/1701 (type=1),
remote_proxy= 71.244.0.152/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= NONE (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 13 14:55:30.638: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x800
*Sep 13 14:55:30.638: ISAKMP:(1029): IPSec policy invalidated proposal with error 1024
Here is a subset of the config:
aaa new-model
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
ip dhcp excluded-address 192.168.3.1 192.168.3.100
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
username syspro privilege 15 secret 5 $1$jGd5$kz8Y2djeC3rem.Sfe0Vgv1
username jschrody privilege 15 secret 5 $1$f/RG$j274n/.bzQIgO8ensNLKn/
!
crypto ctcp port 10000
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XxXxXxXxXx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 20
crypto isakmp nat keepalive 60
crypto isakmp xauth timeout 30
!
crypto isakmp client configuration group DevelopmentVPN
key XxXxXxXxXx
dns 8.8.8.8
pool SDM_POOL_1
group-lock
save-password
max-users 50
max-logins 2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group DevelopmentVPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto dynamic-map vpn-map 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map vpn-map client authentication list ciscocp_vpn_group_ml_1
crypto map vpn-map isakmp authorization list ciscocp_vpn_group_ml_1
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-map
!
interface Loopback40
ip address xx.xx.21.40 255.255.255.255
ip nat outside
ip virtual-reassembly
crypto map vpn-map
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address xx.xx.20.46 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/2.3
description $ETH-LAN$
encapsulation dot1Q 103
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2.4
description $ETH-LAN$
encapsulation dot1Q 104
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet0/2.5
description $ETH-LAN$
encapsulation dot1Q 105
ip address 192.168.5.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 192.168.3.151 192.168.3.200
ip default-gateway xx.xx.20.45
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool InternetAccess xx.xx.21.41 xx.xx.21.41 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 pool InternetAccess
ip route 0.0.0.0 0.0.0.0 xx.xx.20.45
!
access-list 141 remark CCP_ACL Category=18
access-list 141 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 141
Any ideas where I'm going wrong?
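The two router debug excerpts above can be decoded mechanically. The following Python script is an added example, not code from the original post, from Cisco, or from anyone in this thread: it parses the posted `debug crypto isakmp` transform blocks, converts the `life duration (VPI)` byte strings into integers, and compares each offered attribute with the posted `crypto isakmp policy 1` (hash SHA is assumed here as the IOS default, since that policy has no `hash` line). The sample lines are copied from the debug output in the post.

```python
"""Decode ISAKMP transform proposals from an IOS 'debug crypto isakmp' capture.

Added example for this thread (not code from the original post or from Cisco).
SAMPLE_DEBUG is a constructed subset copied from the router output posted above;
ROUTER_POLICY mirrors the posted 'crypto isakmp policy 1', with hash SHA assumed
as the IOS default because no 'hash' line is configured.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_DEBUG = """\
*Sep 13 14:44:26.822: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Sep 13 14:44:26.822: ISAKMP: encryption 3DES-CBC
*Sep 13 14:44:26.822: ISAKMP: hash SHA
*Sep 13 14:44:26.822: ISAKMP: default group 2
*Sep 13 14:44:26.822: ISAKMP: auth pre-share
*Sep 13 14:44:26.822: ISAKMP: life type in seconds
*Sep 13 14:44:26.822: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Sep 13 14:44:26.822: ISAKMP:(0):Preshared authentication offered but does not match policy!
*Sep 13 14:44:26.822: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 13 14:51:28.674: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Sep 13 14:51:28.674: ISAKMP: encryption 3DES-CBC
*Sep 13 14:51:28.674: ISAKMP: hash SHA
*Sep 13 14:51:28.674: ISAKMP: default group 2
*Sep 13 14:51:28.674: ISAKMP: auth pre-share
*Sep 13 14:51:28.674: ISAKMP: life type in seconds
*Sep 13 14:51:28.674: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 13 14:51:28.674: ISAKMP:(0):atts are acceptable. Next payload is 3
"""

# Posted policy: encr 3des, authentication pre-share, group 2 (hash SHA assumed default).
ROUTER_POLICY = {"encryption": "3DES-CBC", "hash": "SHA", "group": "2", "auth": "pre-share"}

# Strips the timestamp and the 'ISAKMP:(n):' / 'ISAKMP:' prefix, leaving the message text.
MSG_RE = re.compile(r"ISAKMP:?(?:\(\d+\))?:?\s*(.*)")


def decode_vpi(hex_bytes: str) -> int:
    """Turn '0x0 0x0 0x70 0x80' (IOS' print of a variable-length IKE lifetime) into 28800."""
    return int.from_bytes(bytes(int(b, 16) for b in hex_bytes.split()), "big")


@dataclass
class Transform:
    number: int
    attrs: dict = field(default_factory=dict)
    life_seconds: Optional[int] = None
    life_kilobytes: Optional[int] = None
    result: str = "unknown"          # first verdict line the router printed for this offer


def parse_transforms(debug: str) -> list:
    """Group 'Checking ISAKMP transform N' blocks and collect the attributes IOS prints."""
    transforms, current, life_type = [], None, None
    for raw in debug.splitlines():
        m = MSG_RE.search(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Checking ISAKMP transform"):
            current = Transform(number=int(re.search(r"transform (\d+)", msg).group(1)))
            transforms.append(current)
        elif current is None:
            continue
        elif msg.startswith("encryption "):
            current.attrs["encryption"] = msg.split(" ", 1)[1]
        elif msg.startswith("hash "):
            current.attrs["hash"] = msg.split(" ", 1)[1]
        elif msg.startswith("default group "):
            current.attrs["group"] = msg.split()[-1]
        elif msg.startswith("auth "):
            current.attrs["auth"] = msg.split(" ", 1)[1]
        elif msg.startswith("life type in "):
            life_type = msg.split()[-1]            # 'seconds' or 'kilobytes'
        elif msg.startswith("life duration (VPI) of "):
            value = decode_vpi(msg[len("life duration (VPI) of "):])
            if life_type == "seconds":
                current.life_seconds = value
            elif life_type == "kilobytes":
                current.life_kilobytes = value
        elif current.result == "unknown":
            if "atts are acceptable" in msg:
                current.result = "accepted"
            elif "does not match policy" in msg or "atts are not acceptable" in msg:
                current.result = "rejected: " + msg
    return transforms


def compare_with_policy(t: Transform, policy: dict = ROUTER_POLICY) -> list:
    """Names of attributes where the peer's offer differs from the configured policy."""
    return [k for k, v in policy.items() if t.attrs.get(k) != v]


def summarize(debug: str = SAMPLE_DEBUG) -> list:
    """One row per offered transform: decoded lifetime, attribute mismatches, router verdict."""
    return [
        {"transform": t.number, "life_seconds": t.life_seconds,
         "policy_mismatches": compare_with_policy(t), "result": t.result}
        for t in parse_transforms(debug)
    ]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Running it shows that both offers carry the same five attributes (3DES-CBC, SHA, group 2, pre-share, lifetime in seconds), so the attribute comparison returns no mismatches for either; the only differences visible in the debug lines are the proposed lifetime (2147483 s from the Cisco client versus 28800 s from Windows XP) and the router's verdict. The same `decode_vpi` also reads the phase 2 values in the Windows 7 excerpt: `0x0 0x0 0xE 0x10` is 3600 seconds and `0x0 0x3 0xD0 0x90` is 250000 kilobytes.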
09-13-2010 08:15 AM
Hi,
I haven't looked at it in detail, but it seems that you're trying to connect with your VPN client using a pre-shared key and the router is configured for authentication using certificates.
This is your phase 1 configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
The default value as far as I remember is rsa signatures for the authentication.
You can try the following:
crypto isakmp policy 1
authen pre-share
Federico.
09-13-2010 08:56 AM
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
isn't 'authen pre-share' just a shortened version of the same command?
09-13-2010 11:52 AM
Just to clarify the overall WAN architecture...
We currently have 2 sites, with connectivity from different service providers.
The local IPs for the first site are 192.168.1.0/24
The local IPs for the second site are 192.168.2.0/24
This router will have an inside interface supporting 192.168.3.0/24
We eventually want to provision three VPN items.
An always up tunnel to/from site 1
An always up tunnel to/from site 2
VPN server for remote clients to attach to 192.168.3.0/24, and be able then to access all three subnets.
I was starting with the VPN server, with int Gi0/1 being the service provider (outside) interface, and Loopback40 being the IP clients would hit.
Unfortunately, each of the different VPN clients I try to connect with gets different results, none of which are successful.
At this point I'd be happy to get any one of the clients working properly.
09-13-2010 02:11 PM
You're right about the authentication (I missed that, sorry).
You're using isakmp profiles, why not use regular IPsec Site-to-Site and RA configuration?
In this way you create a dynamic crypto map for the VPN clients and bind it to the static crypto map used by the site-to-site connections.
Federico.