Thomas Grassi
Beginner

Easy VPN setup error need help

Using CCP 2.1, I was trying to assign the IP address to the new loopback interface. When I did a show ip interface br, it showed the interface unassigned:

Virtual-Access1            unassigned      YES unset  down                  down
Loopback1                  unassigned      YES TFTP   up                    up
Virtual-Template2          unassigned      NO  TFTP   down                  down

Here is the code that CCP created:

interface Loopback1
no shutdown
ip address 10.69.241.0 255.255.255.0
exit

So I tried to add the IP address through the console:

MyRouter(config)#interface loopback1
MyRouter(config-if)#no shutdown
MyRouter(config-if)#ip address 10.69.241.0 255.255.255.0
Bad mask /24 for address 10.69.241.0
MyRouter(config-if)#

What am I doing wrong?

Thanks

Tom

Thomas R Grassi Jr
27 REPLIES 27

Create an account for yourself at the cisco.com main site. You should be able to use the same userid you use for here (the Cisco support community). Once you've done that, see if it will allow you to download the Cisco VPN client. The link for that download would be this. 32-bit for Windows is the default version but you can choose others from the menu tree on that page.

The only legitimate source for the software is to get it from Cisco. Any third parties distributing it would likely be unauthorized.

I mentioned the preshared key because of your post about RSA and certificates. If you're using PSK, you shouldn't need to be concerned about certificates.

You really should consider a Smartnet contract for your little 800 series router. It should be less than $100 a year and would pay for itself 5 times over just getting you working for this case.

Marvin

I tried that yesterday. Using my account only gives me guest access, and that does not allow me to download the VPN client.

This should not be so default. Can't believe there is not a version that I can test to make sure it works without having to go through hoops to get it to work. This should be straightforward.

My router works fine, and I really should not have to purchase a support contract just to get a client software package.

Yes, I do not like getting third-party software packages; who knows what holes they left in the software.

If, as you say, it is free, then is there any way you can get me a copy?

Is there any way you can connect to my VPN just to see if it is really working or not?

Let me know. I want to watch the console when you connect so I can see what is going on.

Thanks

Tom

Thomas R Grassi Jr

I sent you a PM re testing.

No, you shouldn't have to purchase Smartnet for the client software. If you purchased your router through authorized channels you do get 90 day warranty support at no charge. You should be able to get the TAC to provide the client software under that warranty term. It may take a call as opposed to opening a case online and you may need your PO number to confirm entitlement. Of course, if you got it on eBay, then all bets are off as far as support.

Smartnet gives you technical support through the Cisco TAC. They will work with you directly, via Webex if necessary, to identify any configuration problems to get your system working.

I'm just saying one TAC call gives you return on investment for the support cost. I figure for a device like yours, the cost of Smartnet support is less than 2 hours of staff time for a reasonably-compensated engineer, say even three hours for a technician. If you can save that many hours of effort (or more) with TAC support, it's paid for itself after one call.

Marvin

The warranty period is over. I bought it from a Cisco retailer, but that was over a year or more ago.

I called Cisco today and they are closed.

What is a PM re testing?

Tom

Thomas R Grassi Jr

Cisco TAC is open 24x7, even on Christmas. Use contact numbers listed here. But if you are past warranty and without a service contract that won't help.

PM is a Private Message. You should get an e-mail notification or alternatively can look on this page under "Account, Private Messages" to see them.

Marvin

Thanks

Hey, your prior post triggered something. When you said about certificates, I then went back to using Microsoft's VPN connection and changed the setting to the preshared key, and now I am connecting but not getting any further than that.

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    192.168.69.101  MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Then it times out with error 800: unable to establish the VPN connection.

This is what I get when I am connected

I will look at your PM in a while thanks

Tom

Thomas R Grassi Jr

MM_NO_STATE means you failed to connect (IKE Phase 1 negotiation didn't succeed). That is explained here.

I wouldn't expect the Microsoft VPN connection client to work, thus that message.

Marvin

Thanks

The link failed (page 404). Can you send it again?

Tom

I am guessing I don't have the Windows VPN connection set up properly, but I am one step further along. Baby steps here, I guess.

Thomas R Grassi Jr

Try this link. The section tags seem to be giving cisco.com fits:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

or you can just Google the document title:

"IPsec Troubleshooting: Understanding and Using debug Commands".

In any case, the Microsoft VPN connection is not the right client to use.



Marvin

Thanks

I turned on debugging when I attempted to connect:

MyRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on
MyRouter#terminal monitor
MyRouter#
.Jan  2 17:28:43.078: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (N) NEW SA
.Jan  2 17:28:43.078: ISAKMP: Created a peer struct for 192.168.69.101, peer por
t 500
.Jan  2 17:28:43.078: ISAKMP: New peer created peer = 0x82B83A40 peer_handle = 0
x80000010
.Jan  2 17:28:43.078: ISAKMP: Locking peer struct 0x82B83A40, refcount 1 for cry
pto_isakmp_process_block
.Jan  2 17:28:43.078: ISAKMP: local port 500, remote port 500
.Jan  2 17:28:43.078: insert sa successfully sa = 82B5F3EC
.Jan  2 17:28:43.078: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
.Jan  2 17:28:43.078: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

.Jan  2 17:28:43.082: ISAKMP:(0): processing SA payload. message ID = 0
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID is NAT-T v2
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.082: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan  2 17:28:43.082: ISAKMP:(0):No pre-shared key with 192.168.69.101!
.Jan  2 17:28:43.082: ISAKMP : Scanning profiles for xauth ... ciscocp-ike-profi
le-1
.Jan  2 17:28:43.082: ISAKMP:(0): Authentication by xauth preshared
.Jan  2 17:28:43.082: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1
policy
.Jan  2 17:28:43.082: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.082: ISAKMP:      keylength of 256
.Jan  2 17:28:43.082: ISAKMP:      hash SHA
.Jan  2 17:28:43.082: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.082: ISAKMP:      auth pre-share
.Jan  2 17:28:43.082: ISAKMP:      life type in seconds
.Jan  2 17:28:43.082: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.086: ISAKMP:      keylength of 128
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      default group 2
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.086: ISAKMP:      life type in seconds
.Jan  2 17:28:43.086: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.086: ISAKMP:(0):Preshared authentication offered but does not m
atch policy!
.Jan  2 17:28:43.086: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.086: ISAKMP:(0):Checking ISAKMP transform 1 against priority 2
policy
.Jan  2 17:28:43.086: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.086: ISAKMP:      keylength of 256
.Jan  2 17:28:43.086: ISAKMP:      hash SHA
.Jan  2 17:28:43.086: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.086: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 2 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.090: ISAKMP:      keylength of 128
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 3 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 4 against priority 2
policy
.Jan  2 17:28:43.090: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      default group 2
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.090: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.090: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.090: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65
535 policy
.Jan  2 17:28:43.090: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.090: ISAKMP:      keylength of 256
.Jan  2 17:28:43.090: ISAKMP:      hash SHA
.Jan  2 17:28:43.090: ISAKMP:      unknown DH group 20
.Jan  2 17:28:43.090: ISAKMP:      auth pre-share
.Jan  2 17:28:43.090: ISAKMP:      life type in seconds
.Jan  2 17:28:43.090: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption AES-CBC
.Jan  2 17:28:43.094: ISAKMP:      keylength of 128
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      unknown DH group 19
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      unknown DH group 14
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 3
.Jan  2 17:28:43.094: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65
535 policy
.Jan  2 17:28:43.094: ISAKMP:      encryption 3DES-CBC
.Jan  2 17:28:43.094: ISAKMP:      hash SHA
.Jan  2 17:28:43.094: ISAKMP:      default group 2
.Jan  2 17:28:43.094: ISAKMP:      auth pre-share
.Jan  2 17:28:43.094: ISAKMP:      life type in seconds
.Jan  2 17:28:43.094: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
.Jan  2 17:28:43.094: ISAKMP:(0):Encryption algorithm offered does not match pol
icy!
.Jan  2 17:28:43.094: ISAKMP:(0):atts are not acceptable. Next payload is 0
.Jan  2 17:28:43.094: ISAKMP:(0):no offers accepted!
.Jan  2 17:28:43.094: ISAKMP:(0): phase 1 SA policy not acceptable! (local 72.88
.223.20 remote 192.168.69.101)
.Jan  2 17:28:43.094: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
.Jan  2 17:28:43.094: ISAKMP:(0): sending packet to 192.168.69.101 my_port 500 p
eer_port 500 (R) MM_NO_STATE
.Jan  2 17:28:43.094: ISAKMP:(0):peer does not do paranoid keepalives.

.Jan  2 17:28:43.094: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatc
h
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID is NAT-T v2
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 241 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismat
ch
.Jan  2 17:28:43.098: ISAKMP:(0): processing vendor id payload
.Jan  2 17:28:43.098: ISAKMP:(0): vendor ID seems Unity/DPD but major 134 mismat
ch
.Jan  2 17:28:43.098: ISAKMP (0:0): FSM action returned error: 2
.Jan  2 17:28:43.098: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MOD
E
.Jan  2 17:28:43.098: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

.Jan  2 17:28:43.098: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal n
ot accepted" state (R) MM_NO_STATE (peer 192.168.69.101)
.Jan  2 17:28:43.098: ISAKMP: Unlocking peer struct 0x82B83A40 for isadb_mark_sa
_deleted(), count 0
.Jan  2 17:28:43.102: ISAKMP: Deleting peer node by peer_reap for 192.168.69.101
: 82B83A40
.Jan  2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Jan  2 17:28:43.102: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA

.Jan  2 17:28:43.102: IPSEC(key_engine): got a queue event with 1 KMI message(s)
.Jan  2 17:28:43.102: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_
STATE (peer 192.168.69.101)
.Jan  2 17:28:43.102: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
.Jan  2 17:28:43.102: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_S
A

.Jan  2 17:28:45.077: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:28:48.080: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:28:52.079: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:01.081: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:18.084: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:34.092: ISAKMP (0:0): received packet from 192.168.69.101 dport 50
0 sport 500 Global (R) MM_NO_STATE
.Jan  2 17:29:43.085: ISAKMP:(0):purging SA., sa=82B5F3EC, delme=82B5F3EC

What do you think?

Tom

Thomas R Grassi Jr

Tom,

Debug just gives you the gory details of why Microsoft's built-in client does not work:

     Encryption algorithm offered does not match policy!

All those details show the router trying one after another of the Cisco-supported standard IPSec algorithms and the Microsoft client not matching any of them. You MIGHT be able to wrestle the MS client into working. I see one post out there of a guy who did it with XP:

http://www.smallnetbuilder.com/lanwan/lanwan-howto/24429-howtoxpipsec

The Cisco VPN client will do all that automagically.

Marvin

Thanks, but not going to switch to a Linksys device now.

Need to get the Cisco VPN client; will have to wait till Tuesday when they open.

You said you connected to my site OK, right? Are you using the Cisco VPN client? If so, what version? What OS?

Tom

Thomas R Grassi Jr

Connection using the Cisco VPN client (version 5.0.07.0440 64-bit binary on Windows 7 Ultimate) gets one to your password prompt after initially specifying your 72.88.223.20 public IP and the TGCSVPN group with tgcsvpn01 group password. A valid username and password would be required to successfully complete login authentication and validate your VPN setup.
