12-30-2011 04:20 PM
Using CCP 2.1, I was trying to assign the IP address to the new loopback interface. When I did a show ip interface br, it showed the interface unassigned:
Virtual-Access1 unassigned YES unset down down
Loopback1 unassigned YES TFTP up up
Virtual-Template2 unassigned NO TFTP down down
Here is the code that CCP created:
interface Loopback1
no shutdown
ip address 10.69.241.0 255.255.255.0
exit
So I tried to add the IP address through the console:
MyRouter(config)#interface loopback1
MyRouter(config-if)#no shutdown
MyRouter(config-if)#ip address 10.69.241.0 255.255.255.0
Bad mask /24 for address 10.69.241.0
MyRouter(config-if)#
What am I doing wrong?
Thanks
Tom
01-02-2012 07:12 AM
Create an account for yourself at the cisco.com main site. You should be able to use the same userid you use for here (the Cisco support community). Once you've done that, see if it will allow you to download the Cisco VPN client. The link for that download would be this. 32-bit for Windows is the default version, but you can choose others from the menu tree on that page.
The only legitimate source for the software is to get it from Cisco. Any third parties distributing it would likely be unauthorized.
I mentioned the preshared key because of your post about RSA and certificates. If you're using PSK, you shouldn't need to be concerned about certificates.
You really should consider a Smartnet contract for your little 800 series router. It should be less than $100 a year and would pay for itself 5 times over just getting you working for this case.
01-02-2012 07:23 AM
Marvin
I tried that yesterday. Using my account only gives me guest access, and that does not allow me to download the VPN client.
This should not be so default. Can't believe there is not a version that I can test to make sure it works without having to go through hoops to get it to work. This should be straightforward.
My router works fine and really should not have to purchase a support contract just to get a client software package.
Yes, I do not like getting third-party software packages; who knows what holes they left in the software.
If, as you say, it is free, then is there any way you can get me a copy?
Is there any way you can connect to my VPN just to see if it is really working or not?
Let me know. I want to watch the console when you connect so I can see what is going on.
Thanks
Tom
01-02-2012 08:09 AM
I sent you a PM re testing.
No, you shouldn't have to purchase Smartnet for the client software. If you purchased your router through authorized channels, you do get 90-day warranty support at no charge. You should be able to get the TAC to provide the client software under that warranty term. It may take a call as opposed to opening a case online, and you may need your PO number to confirm entitlement. Of course, if you got it on eBay, then all bets are off as far as support.
Smartnet gives you technical support through the Cisco TAC. They will work with you directly, via Webex if necessary, to identify any configuration problems to get your system working.
I'm just saying one TAC call gives you return on investment for the support cost. I figure for a device like yours, the cost of Smartnet support is less than 2 hours of staff time for a reasonably-compensated engineer, say even three hours for a technician. If you can save that many hours of effort (or more) with TAC support, it's paid for itself after one call.
01-02-2012 08:16 AM
Marvin
The warranty period is over. I bought it from a Cisco retailer, but that was over a year or more ago.
I called Cisco today and they are closed.
What is a PM re testing?
Tom
01-02-2012 08:32 AM
Cisco TAC is open 24x7, even on Christmas. Use contact numbers listed here. But if you are past warranty and without a service contract that won't help.
PM is a Private Message. You should get an e-mail notification or alternatively can look on this page under "Account, Private Messages" to see them.
01-02-2012 08:46 AM
Marvin
Thanks
Hey, your prior post triggered something when you said about certificates. I then went back to using Microsoft's VPN connection and changed the setting to the preshared key, and now I am connecting but not getting any further than that:
MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
72.88.223.20 192.168.69.101 MM_NO_STATE 0 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
Then it times out with error 800, unable to establish the VPN connection.
This is what I get when I am connected
I will look at your PM in a while thanks
Tom
01-02-2012 08:53 AM
MM_NO_STATE means you failed to connect (IKE Phase 1 negotiation didn't succeed). That is explained here.
I wouldn't expect the Microsoft VPN connection client to work, thus that message.
01-02-2012 09:04 AM
Marvin
Thanks
The link failed (page 404). Can you send it again?
Tom
I am guessing I don't have the Windows VPN connection set up properly, but I am one step further along. Baby steps here, I guess.
01-02-2012 09:19 AM
Try this link. The section tags seem to be giving cisco.com fits:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
or you can just Google the document title:
"IPsec Troubleshooting: Understanding and Using debug Commands".
In any case, the Microsoft VPN connection is not the right client to use.
01-02-2012 10:21 AM
Marvin
thanks
I turned on debugging when I attempted to connect
MyRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on
MyRouter#terminal monitor
MyRouter#
.Jan 2 17:28:43.078: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (N) NEW SA
.Jan 2 17:28:43.078: ISAKMP: Created a peer struct for 192.168.69.101, peer por
t 500
.Jan 2 17:28:43.078: ISAKMP: New peer created peer = 0x82B83A40 peer_handle = 0
x80000010
.Jan 2 17:28:43.078: ISAKMP: Locking peer struct 0x82B83A40, refcount 1 for cry
pto_isakmp_process_block
.Jan 2 17:28:43.078: ISAKMP: local port 500, remote port 500
.Jan 2 17:28:43.078: insert sa successfully sa = 82B5F3EC
.Jan 2 17:28:43.078: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan 2 17:28:43.078: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
.Jan 2 17:28:43.082: ISAKMP:(0): processing SA payload. message ID = 0
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID is NAT-T v2
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan 2 17:28:43.082: ISAKMP:(0):No pre-shared key with 192.168.69.101!
.Jan 2 17:28:43.082: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profi
le-1
.Jan 2 17:28:43.082: ISAKMP:(0): Authentication by xauth preshared
.Jan 2 17:28:43.082: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1
policy
.Jan 2 17:28:43.082: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.082: ISAKMP: keylength of 256
.Jan 2 17:28:43.082: ISAKMP: hash SHA
.Jan 2 17:28:43.082: ISAKMP: unknown DH group 20
.Jan 2 17:28:43.082: ISAKMP: auth pre-share
.Jan 2 17:28:43.082: ISAKMP: life type in seconds
.Jan 2 17:28:43.082: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1
policy
.Jan 2 17:28:43.086: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.086: ISAKMP: keylength of 128
.Jan 2 17:28:43.086: ISAKMP: hash SHA
.Jan 2 17:28:43.086: ISAKMP: unknown DH group 19
.Jan 2 17:28:43.086: ISAKMP: auth pre-share
.Jan 2 17:28:43.086: ISAKMP: life type in seconds
.Jan 2 17:28:43.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1
policy
.Jan 2 17:28:43.086: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.086: ISAKMP: hash SHA
.Jan 2 17:28:43.086: ISAKMP: unknown DH group 14
.Jan 2 17:28:43.086: ISAKMP: auth pre-share
.Jan 2 17:28:43.086: ISAKMP: life type in seconds
.Jan 2 17:28:43.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan 2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1
policy
.Jan 2 17:28:43.086: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.086: ISAKMP: hash SHA
.Jan 2 17:28:43.086: ISAKMP: default group 2
.Jan 2 17:28:43.086: ISAKMP: auth pre-share
.Jan 2 17:28:43.086: ISAKMP: life type in seconds
.Jan 2 17:28:43.086: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan 2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan 2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2
policy
.Jan 2 17:28:43.086: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.086: ISAKMP: keylength of 256
.Jan 2 17:28:43.086: ISAKMP: hash SHA
.Jan 2 17:28:43.086: ISAKMP: unknown DH group 20
.Jan 2 17:28:43.086: ISAKMP: auth pre-share
.Jan 2 17:28:43.090: ISAKMP: life type in seconds
.Jan 2 17:28:43.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2
policy
.Jan 2 17:28:43.090: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.090: ISAKMP: keylength of 128
.Jan 2 17:28:43.090: ISAKMP: hash SHA
.Jan 2 17:28:43.090: ISAKMP: unknown DH group 19
.Jan 2 17:28:43.090: ISAKMP: auth pre-share
.Jan 2 17:28:43.090: ISAKMP: life type in seconds
.Jan 2 17:28:43.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2
policy
.Jan 2 17:28:43.090: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.090: ISAKMP: hash SHA
.Jan 2 17:28:43.090: ISAKMP: unknown DH group 14
.Jan 2 17:28:43.090: ISAKMP: auth pre-share
.Jan 2 17:28:43.090: ISAKMP: life type in seconds
.Jan 2 17:28:43.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2
policy
.Jan 2 17:28:43.090: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.090: ISAKMP: hash SHA
.Jan 2 17:28:43.090: ISAKMP: default group 2
.Jan 2 17:28:43.090: ISAKMP: auth pre-share
.Jan 2 17:28:43.090: ISAKMP: life type in seconds
.Jan 2 17:28:43.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan 2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65
535 policy
.Jan 2 17:28:43.090: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.090: ISAKMP: keylength of 256
.Jan 2 17:28:43.090: ISAKMP: hash SHA
.Jan 2 17:28:43.090: ISAKMP: unknown DH group 20
.Jan 2 17:28:43.090: ISAKMP: auth pre-share
.Jan 2 17:28:43.090: ISAKMP: life type in seconds
.Jan 2 17:28:43.090: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65
535 policy
.Jan 2 17:28:43.094: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.094: ISAKMP: keylength of 128
.Jan 2 17:28:43.094: ISAKMP: hash SHA
.Jan 2 17:28:43.094: ISAKMP: unknown DH group 19
.Jan 2 17:28:43.094: ISAKMP: auth pre-share
.Jan 2 17:28:43.094: ISAKMP: life type in seconds
.Jan 2 17:28:43.094: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65
535 policy
.Jan 2 17:28:43.094: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.094: ISAKMP: hash SHA
.Jan 2 17:28:43.094: ISAKMP: unknown DH group 14
.Jan 2 17:28:43.094: ISAKMP: auth pre-share
.Jan 2 17:28:43.094: ISAKMP: life type in seconds
.Jan 2 17:28:43.094: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan 2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65
535 policy
.Jan 2 17:28:43.094: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.094: ISAKMP: hash SHA
.Jan 2 17:28:43.094: ISAKMP: default group 2
.Jan 2 17:28:43.094: ISAKMP: auth pre-share
.Jan 2 17:28:43.094: ISAKMP: life type in seconds
.Jan 2 17:28:43.094: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
.Jan 2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan 2 17:28:43.094: ISAKMP:(0):no offers accepted!
.Jan 2 17:28:43.094: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88
.223.20 remote 192.168.69.101)
.Jan 2 17:28:43.094: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
.Jan 2 17:28:43.094: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 p
eer_port 500 (R) MM_NO_STATE
.Jan 2 17:28:43.094: ISAKMP:(0):peer does not do paranoid keepalives.
.Jan 2 17:28:43.094: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID is NAT-T v2
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan 2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan 2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan 2 17:28:43.098: ISAKMP (0:0): FSM action returned error: 2
.Jan 2 17:28:43.098: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MOD
E
.Jan 2 17:28:43.098: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
.Jan 2 17:28:43.098: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan 2 17:28:43.098: ISAKMP: Unlocking peer struct 0x82B83A40 for isadb_mark_sa
_deleted(), count 0
.Jan 2 17:28:43.102: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101
: 82B83A40
.Jan 2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Jan 2 17:28:43.102: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
.Jan 2 17:28:43.102: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Jan 2 17:28:43.102: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_
STATE (peer 192.168.69.101)
.Jan 2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan 2 17:28:43.102: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_S
A
.Jan 2 17:28:45.077: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:28:48.080: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:28:52.079: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:29:01.081: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:29:18.084: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:29:34.092: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan 2 17:29:43.085: ISAKMP:(0):purging SA., sa=82B5F3EC, delme=82B5F3EC
What do you think?
Tom
01-02-2012 12:19 PM
Tom,
Debug just gives you the gory details of why Microsoft's built-in client does not work:
Encryption algorithm offered does not match policy!
All those details show the router trying one after another of the Cisco-supported standard IPSec algorithms and the Microsoft client not matching any of them. You MIGHT be able to wrestle the MS client into working. I see one post out there of a guy who did it with XP:
http://www.smallnetbuilder.com/lanwan/lanwan-howto/24429-howtoxpipsec
The Cisco VPN client will do all that automagically.
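Added example (not part of the original thread and not Cisco tooling): a Python parser for `debug crypto isakmp` output like the capture above. It rejoins the 80-column wrapped lines and lists each transform the client offered together with the rejection reason the router logged. The sample input is a constructed excerpt in the same format, and the function names are illustrative.

```python
import re

# Constructed excerpt in the thread's debug format, including the 80-column wrap.
SAMPLE = """\
.Jan 2 17:28:43.082: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1
policy
.Jan 2 17:28:43.082: ISAKMP: encryption AES-CBC
.Jan 2 17:28:43.082: ISAKMP: keylength of 256
.Jan 2 17:28:43.082: ISAKMP: hash SHA
.Jan 2 17:28:43.082: ISAKMP: unknown DH group 20
.Jan 2 17:28:43.082: ISAKMP: auth pre-share
.Jan 2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan 2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1
policy
.Jan 2 17:28:43.086: ISAKMP: encryption 3DES-CBC
.Jan 2 17:28:43.086: ISAKMP: hash SHA
.Jan 2 17:28:43.086: ISAKMP: default group 2
.Jan 2 17:28:43.086: ISAKMP: auth pre-share
.Jan 2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
"""

STAMP = re.compile(r"^\.?\*?[A-Z][a-z]{2}\s+\d+\s+[\d:.]+:\s*")
CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)\s*policy")
ATTRS = {
    "encryption": re.compile(r"ISAKMP:\s+encryption (\S+)"),
    "keylength": re.compile(r"ISAKMP:\s+keylength of (\d+)"),
    "hash": re.compile(r"ISAKMP:\s+hash (\S+)"),
    "dh_group": re.compile(r"ISAKMP:\s+(?:unknown DH|default) group (\d+)"),
    "auth": re.compile(r"ISAKMP:\s+auth (\S+)"),
    "reason": re.compile(r"ISAKMP:\(\d+\):(.+does not match policy!)"),
}

def unwrap(text):
    """Rejoin wrapped lines (no timestamp = continuation) and drop the timestamps."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # no separator: the wrap can split a word or a number
    return [STAMP.sub("", line) for line in out]

def parse_offers(text):
    """Return one dict per 'Checking ISAKMP transform N against priority P' block."""
    offers = []
    for msg in unwrap(text):
        if (m := CHECK.search(msg)):
            offers.append({"transform": int(m[1]), "priority": int(m[2])})
        for name, rx in ATTRS.items():
            if offers and (m := rx.search(msg)):
                offers[-1][name] = m[1]
    return offers

def reasons_by_priority(offers):
    """Map each local policy priority to the set of rejection reasons logged for it."""
    return {p: {o.get("reason") for o in offers if o["priority"] == p}
            for p in {o["priority"] for o in offers}}
```

Running `reasons_by_priority(parse_offers(log_text))` over a full capture shows at a glance which local policy failed on encryption and which failed only on the authentication method.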
01-02-2012 01:08 PM
Marvin
Thanks, but not going to switch to a Linksys device now.
Need to get the Cisco VPN client; will have to wait till Tuesday when they open.
You said you connected to my site OK, right? Are you using the Cisco VPN client? If so, what version? What OS?
Tom
01-02-2012 06:41 PM
Connection using the Cisco VPN client (version 5.0.07.0440 64-bit binary on Windows 7 Ultimate) gets one to your password prompt after initially specifying your 72.88.223.20 public IP and the TGCSVPN group with tgcsvpn01 group password. A valid username and password would be required to successfully complete login authentication and validate your VPN setup.