
EzVPN on IOS 12.4T and no traffic from client

Dmitry Samko
Level 1

Hi guys,

I would appreciate it if you could give me a hint regarding the issue I have. I configured easy vpn on c2800nm-advipservicesk9-mz.124-15.T15.bin using Xauth and RRI (split tunneling), and can even connect using Cisco VPN client (Windows version 5.0.07.0290) or the latest linux vpnc client. The problem is that I can't reach anything behind the VPN concentrator, including its loopback.

This is ezvpn related config section

========== Start of Config =========

version 12.4

aaa new-model
!
aaa authentication login dmp_vpn_xauth local
aaa authorization network dmp_vpn_group local

!

username example password 7 *****

!

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EASY-VPN-POOL
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group dmp-group
 key ***
 pool EASY-VPN-POOL
 acl EZVPN_TUNNEL
!                 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!         
crypto dynamic-map dynmap 1
 set transform-set ESP-AES-SHA
 reverse-route
!         
!         
crypto map dynmap client authentication list dmp_vpn_xauth
crypto map dynmap isakmp authorization list dmp_vpn_group
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap

interface Loopback1
 ip address 192.168.1.1 255.255.255.255
!

interface GigabitEthernet0/0.30
 description Interconnect
 encapsulation dot1Q 30
 ip address 192.168.0.133 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 standby version 2
 standby 0 ip 192.168.0.134
 standby 0 priority 110
 standby 0 preempt

!

interface GigabitEthernet0/0.40
 description ISP-UPLINK
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map dynmap

!

ip local pool EASY-VPN-POOL 192.168.1.10 192.168.1.30
ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 192.168.0.0 255.255.255.0 192.168.0.129

!

no ip http server
ip http authentication local
no ip http secure-server

!

ip nat inside source list nat interface GigabitEthernet0/0.40 overload
ip nat inside source static tcp 192.168.0.102 5061 interface GigabitEthernet0/0.40 5061
ip nat inside source static udp 192.168.0.102 5061 interface GigabitEthernet0/0.40 5061
ip nat inside source static udp 192.168.0.115 5060 interface GigabitEthernet0/0.40 5060
ip nat inside source static tcp 192.168.0.115 5060 interface GigabitEthernet0/0.40 5060
!        
ip access-list extended EZVPN_TUNNEL
 permit ip 192.168.0.0 0.0.0.255 any

!

ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any

========== End of Config =========

 

After establishing the VPN connection from the client I can see an ISAKMP SA like this:

bdr1#sh crypto isakmp sa detail
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1020  194.44.254.94   195.160.233.253          ACTIVE aes  sha       2  23:30:19 CX  
       Engine-id:Conn-id =  SW:20

 

Let's enable debug (debug crypto isakmp error) and reconnect again:

bdr1#sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP Error debugging is on

bdr1#

*Mar 11 13:19:46.324: ISAKMP:(0):Proposed key length does not match policy
*Mar 11 13:19:46.324: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Proposed key length does not match policy
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x7005
*Mar 11 13:19:46.384: ISAKMP (0/1022): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
*Mar 11 13:19:46.384: ISAKMP (0/1022): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256

 

From the client side (windows Cisco VPN or linux vpnc does not matter):

$ ip r
default via 10.129.193.1 dev p2p1  proto static
192.168.1.0/24 dev tun0  proto kernel  scope link  src 192.168.1.13
203.0.113.1 via 10.129.193.1 dev p2p1  proto static

$ ip addr ls dev tun0
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet 192.168.1.13/24 brd 192.168.1.255 scope global tun0
       valid_lft forever preferred_lft forever

$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

 

And Cisco's IPSec SA:

sh crypto ipsec sa

interface: GigabitEthernet0/0.40
    Crypto map tag: dynmap, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.13/255.255.255.255/0/0)
   current_peer 99.99.99.99 port 57222
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.44.254.94, remote crypto endpt.: 195.160.233.253
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.40
     current outbound spi: 0x29F33178(703803768)

     inbound esp sas:
      spi: 0x9F7AC3D3(2675622867)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2031, flow_id: NETGX:31, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4450002/3127)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x29F33178(703803768)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2032, flow_id: NETGX:32, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4450002/3127)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

 

From the output above I can conclude that there are no IPSec packets encrypted/decrypted, and also some ISAKMP errors during tunnel establishment.

Could you please help me with this?

Thanks.
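The check the poster does by eye on the "sh crypto ipsec sa" output (SA is ACTIVE, yet every encaps/decaps counter is zero) can be automated. The following script is an added example, not code from the post or from Cisco: it parses the counter and status lines of "show crypto ipsec sa" into one record per SA and flags SAs that negotiated successfully but never carried a packet in either direction. The sample output is constructed for this example; it follows the layout of the post's output but uses placeholder peers and SPIs, and a second, healthy SA is included for contrast.

```python
"""Flag Cisco IOS IPsec SAs that are ACTIVE but have carried no traffic.
Added example; sample input is constructed, not real device output."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on 'sh crypto ipsec sa'. First SA mirrors the
# post's symptom (ACTIVE, all counters zero); second SA is healthy.
SAMPLE_SHOW_IPSEC_SA = """\
interface: GigabitEthernet0/0.40
    Crypto map tag: dynmap, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.13/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 57222
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0xAAAAAAAA(2863311530)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xBBBBBBBB(3149642683)
        Status: ACTIVE

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.14/255.255.255.255/0/0)
   current_peer 198.51.100.8 port 4500
     PERMIT, flags={}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
     inbound esp sas:
      spi: 0xCCCCCCCC(3435973836)
        Status: ACTIVE
     outbound esp sas:
      spi: 0xDDDDDDDD(3722304989)
        Status: ACTIVE
"""


@dataclass
class IpsecSa:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    statuses: list = field(default_factory=list)  # one per ESP SA (in/out)

    def is_active(self) -> bool:
        return bool(self.statuses) and all(s == "ACTIVE" for s in self.statuses)

    def carried_traffic(self) -> bool:
        return self.encaps > 0 or self.decaps > 0


def _ident(line: str) -> str:
    """'local  ident (addr/mask/prot/port): (A/M/P/P)' -> 'A/M/P/P'."""
    return line[line.rindex("(") + 1:line.rindex(")")]


def parse_ipsec_sa(text: str) -> list:
    """Split the output into one IpsecSa per 'local ident' block."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local") and "ident" in line:
            cur = IpsecSa(local_ident=_ident(line))   # new SA block starts here
            sas.append(cur)
        elif cur is None:
            continue                                   # header lines before first SA
        elif line.startswith("remote ident"):
            cur.remote_ident = _ident(line)
        elif line.startswith("current_peer"):
            cur.peer = line.split()[1]
        elif line.startswith("#pkts encaps:"):
            cur.encaps = int(re.search(r"#pkts encaps: (\d+)", line).group(1))
        elif line.startswith("#pkts decaps:"):
            cur.decaps = int(re.search(r"#pkts decaps: (\d+)", line).group(1))
        elif line.startswith("Status:"):
            cur.statuses.append(line.split(":", 1)[1].strip())
    return sas


def find_idle_active_sas(sas: list) -> list:
    """ESP SAs ACTIVE in both directions but with zero encaps and zero decaps:
    negotiation succeeded, yet no packet entered the crypto path either way."""
    return [sa for sa in sas if sa.is_active() and not sa.carried_traffic()]


def report(text: str) -> list:
    """One human-readable line per SA for a quick health check."""
    out = []
    for sa in parse_ipsec_sa(text):
        state = "ACTIVE" if sa.is_active() else "NOT ACTIVE"
        verdict = "ok" if sa.carried_traffic() else "NO TRAFFIC"
        out.append(f"peer {sa.peer} {sa.local_ident} <-> {sa.remote_ident}: "
                   f"{state}, encaps={sa.encaps} decaps={sa.decaps}, {verdict}")
    return out
```

Feed the real "sh crypto ipsec sa" output to report() (for example, read from a file captured off the router). An SA listed as NO TRAFFIC while ACTIVE is exactly the post's situation: the tunnel negotiated, but neither the router nor the client is putting packets into it, so the next place to look is what selects traffic for the tunnel (the client's split-tunnel routes and the local/remote idents shown for the SA), not the IKE exchange.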

1 Reply

Dmitry Samko
Level 1

Up