1419 Views, 0 Helpful, 3 Replies

Help with 877 Remote Access VPN

1StopBloke (Level 1)

We've bought a new Cisco 877 to run our office Remote Access VPN and our old ADSL connection in our office that we want to keep around for if our other internet feed has issues.

Previously we ran this on another router (a Cisco 1841), so I thought my best bet for the VPN config, as I'm fairly unfamiliar with it, would be to lift it from the old device and shape it to fit. I think I'm most of the way there, but I'm having real problems finishing it off. Essentially, when I go to connect it seems the response packets from the router are not being received by the client.

I have attached my config as a text file. They're very similar to the current router, the adsl gets the same IP address, I'm not sure what the problem is.

Anyway, the symptoms are essentially this: the client sends the initial request, the router picks up on it, they agree on a communications method from what I can tell, and then the VPN client stops receiving anything from the router. I have attached full debugging from 'debug crypto isakmp' as well, but essentially this keeps happening:

.Feb 15 02:48:14.507: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:14.507: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:14.507: ISAKMP:(0): retransmission skipped (awaiting response from other process)
.Feb 15 02:48:19.487: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:19.487: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:19.487: ISAKMP:(0): retransmission skipped (awaiting response from other process)

I have also attached the client connection logs.

I doubt it's an internet issue as I can connect a client up physically to one of the other switch ports and give it an IP address on the vpn range (vlan 10) and I can get out to the net and such.

I'm hoping this is just a case of my ignorance showing its head; I'm happy to be educated! Let me know if there's anything else I can provide to help.
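The debug output quoted above is the shape of evidence this thread turns on: a peer that keeps resending its first aggressive-mode packet while the router stays in AG_NO_STATE and reports that it is "awaiting response from other process". The following parser is an added example, not part of the original post or of Cisco IOS; it groups 'debug crypto isakmp' lines by peer and source port, attributes the follow-up duplicate/retransmission lines to the packet just received, and flags any peer whose phase 1 state never advances. The sample lines, the documentation-range addresses, and the function names (parse_isakmp_debug, analyze_peers) are constructed for the example.

```python
"""Flag peers stuck in IKEv1 phase 1 from IOS 'debug crypto isakmp' output."""
import re
from collections import defaultdict

# Constructed sample in the shape of the debug lines quoted in the thread. Peer
# 203.0.113.5 never gets a reply and keeps resending its first aggressive-mode
# packet; 198.51.100.7 is a healthy negotiation for contrast. Addresses are
# documentation ranges, not the poster's.
SAMPLE_DEBUG = """\
.Feb 15 02:48:14.507: ISAKMP (0:0): received packet from 203.0.113.5 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:14.507: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:14.507: ISAKMP:(0): retransmission skipped (awaiting response from other process)
.Feb 15 02:48:16.101: ISAKMP (0:0): received packet from 198.51.100.7 dport 500 sport 500 Global (R) AG_NO_STATE
.Feb 15 02:48:16.240: ISAKMP (0:1001): received packet from 198.51.100.7 dport 500 sport 500 Global (R) AG_INIT_EXCH
.Feb 15 02:48:19.487: ISAKMP (0:0): received packet from 203.0.113.5 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:19.487: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:19.487: ISAKMP:(0): retransmission skipped (awaiting response from other process)
.Feb 15 02:48:24.470: ISAKMP (0:0): received packet from 203.0.113.5 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:24.470: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:24.470: ISAKMP:(0): retransmission skipped (awaiting response from other process)
"""

# The leading '.' or '*' is the IOS clock-status marker that precedes the timestamp.
RECV_RE = re.compile(
    r"^[.*]?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?): ISAKMP \(\d+:\d+\): "
    r"received packet from (?P<peer>\S+) dport (?P<dport>\d+) sport (?P<sport>\d+) "
    r"\S+ \((?P<role>[RI])\) (?P<state>\w+)\s*$"
)
DUP_RE = re.compile(r"phase 1 packet is a duplicate of a previous packet")
WAIT_RE = re.compile(r"retransmission skipped \(awaiting response from other process\)")


def parse_isakmp_debug(text):
    """One record per 'received packet' line; the follow-up lines (which carry no
    peer address) are attributed to the packet that immediately precedes them."""
    events, last = [], None
    for line in text.splitlines():
        if m := RECV_RE.match(line):
            last = {**m.groupdict(), "duplicate": False, "awaiting_other": False}
            events.append(last)
        elif last is not None:
            if DUP_RE.search(line):
                last["duplicate"] = True
            if WAIT_RE.search(line):
                last["awaiting_other"] = True
    return events


def analyze_peers(events, min_repeats=2):
    """Classify each (peer, source port) by whether its phase 1 state ever advanced."""
    by_peer = defaultdict(list)
    for ev in events:
        by_peer[(ev["peer"], ev["sport"])].append(ev)
    verdicts = {}
    for key, evs in by_peer.items():
        states = [e["state"] for e in evs]
        advanced = any(not s.endswith("_NO_STATE") for s in states)
        if advanced:
            verdict = "PROGRESSING"
        elif len(evs) >= min_repeats:
            verdict = "STALLED_PHASE1"  # only retransmits of the first packet were seen
        else:
            verdict = "INCONCLUSIVE"
        verdicts[key] = {
            "verdict": verdict,
            "received": len(evs),
            "duplicates": sum(e["duplicate"] for e in evs),
            "awaiting_other": sum(e["awaiting_other"] for e in evs),
            "window": (evs[0]["ts"], evs[-1]["ts"]),
            "states": states,
        }
    return verdicts


if __name__ == "__main__":
    for (peer, sport), v in analyze_peers(parse_isakmp_debug(SAMPLE_DEBUG)).items():
        print(f"{peer}:{sport} {v['verdict']} received={v['received']} "
              f"duplicates={v['duplicates']} awaiting_other={v['awaiting_other']} "
              f"window={v['window'][0]}..{v['window'][1]}")
        if v["awaiting_other"]:
            print("  ISAKMP is waiting on another IOS process before it replies; with AAA "
                  "bound to the ISAKMP profile that is usually the RADIUS exchange, so "
                  "check server reachability and that it accepts this router as a client.")
```

The useful signal is the combination: repeated AG_NO_STATE receipts from the same peer and port, each marked as a duplicate, each followed by "awaiting response from other process". That pattern says the router did receive the client and is not dropping it on the ACL, but is parked waiting on something else before it will answer, which is why nothing comes back to the client.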

3 Replies

1StopBloke (Level 1)

For the sake of making it easier to view I thought I'd just post my config here. Hopefully someone will notice even general errors in my config that will help, let alone something that solves the problem:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L7Router02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login RASRadiusAuth group radius
aaa authentication ppp default group radius
aaa authorization network RASRadiusAuthorisation group radius
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2097715422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2097715422
revocation-check none
rsakeypair TP-self-signed-2097715422
!
!
crypto pki certificate chain TP-self-signed-2097715422
certificate self-signed 01
            quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name inside.domain
!
vpdn enable
!
!
!
username root privilege 15 secret 5 $1$wApB$oGqTbrq1Jb8gizEvf2iDu1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Staff
key SecureKey
dns 172.31.14.13
domain inside.domain
pool RASPool
acl 109
include-local-lan
split-dns inside.domain
split-dns dev.domain
split-dns prod.domain
netmask 255.255.255.0
banner
*****************************
Unauthorised Access prohibited
*****************************
!
crypto isakmp client configuration group iPhone
key SecureiPhoneKey
dns 172.31.14.13
domain inside.domain
pool RASPool
include-local-lan
netmask 255.255.255.0
banner
**********SmartDevice VPN******************
Unauthorised access prohibited.
This VPN is for smart devices, if you are
on a PC use the regular VPN.
*******************************************
crypto isakmp profile RAS-ike-Profile
   match identity group Staff
   match identity group iPhone
   client authentication list RASRadiusAuth
   isakmp authorization list RASRadiusAuthorisation
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set RASSet esp-3des esp-md5-hmac
!
crypto ipsec profile RAS-IPSEC-Profile
set transform-set RASSet
set isakmp-profile RAS-ike-Profile
!
!
crypto dynamic-map RASDynMap 10
set transform-set RASSet
!
!
crypto map RASMap client authentication list RASRadiusAuth
crypto map RASMap isakmp authorization list RASRadiusAuthorisation
crypto map RASMap client configuration address respond
crypto map RASMap 10 ipsec-isakmp dynamic RASDynMap
!
archive
log config
  hidekeys
!
!
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
switchport trunk allowed vlan 1-6,10,1002-1005
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan10
tunnel mode ipsec ipv4
tunnel protection ipsec profile RAS-IPSEC-Profile
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.31.14.70 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
description VPN
ip address 172.31.33.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 107 in
ip access-group 107 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname 0295679958@swiftdsl.com.au
ppp chap password 0 unspecif1ed
!
ip local pool RASPool 172.31.33.100 172.31.33.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.31.14.0 255.255.255.0 172.31.33.1
ip route 172.31.16.0 255.255.255.0 172.31.33.1
ip route 172.31.17.0 255.255.255.0 172.31.33.1
ip route 172.31.18.0 255.255.255.0 172.31.33.1
ip route 172.31.19.0 255.255.255.0 172.31.33.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map internet interface Dialer0 overload
ip nat inside source static tcp 172.31.33.3 80 218.214.63.134 80 extendable
ip nat inside source static tcp 172.31.14.25 443 218.214.63.134 443 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.31.14.0 0.0.0.255
access-list 107 permit ip any any
access-list 109 permit ip 172.31.20.0 0.0.0.255 any
access-list 109 permit ip 172.31.33.0 0.0.0.255 any
access-list 109 permit ip 172.31.14.0 0.0.0.255 any
access-list 109 permit ip 172.31.16.0 0.0.0.255 any
access-list 109 permit ip 10.200.0.0 0.0.255.255 any
access-list 109 permit ip 0.0.0.0 255.255.255.0 any
access-list 145 permit ip host 172.31.16.55 any
access-list 145 permit ip host 172.31.16.16 any
access-list 145 permit ip 172.31.17.0 0.0.0.255 any
access-list 145 permit ip 172.31.19.0 0.0.0.255 any
access-list 145 permit ip host 172.31.14.25 any
access-list 145 permit ip host 172.31.14.105 any
access-list 145 permit ip host 172.31.14.60 any
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 22
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq ftp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq smtp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq pop3
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 143
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1723
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1818
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1863
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 3309
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 5222
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq domain
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq domain
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 123
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq ntp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 4443
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq non500-isakmp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 500
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 63392
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 63392
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 29339
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 29339
access-list 145 remark access to internet, acl in trac 15061
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq isakmp
access-list 145 remark access to internet, acl in trac 15061
access-list 145 permit tcp 172.31.16.0 0.0.0.255 any eq 123
access-list 145 permit udp 172.31.16.0 0.0.0.255 any eq ntp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 3389
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 19305
access-list 145 permit ip host 172.31.14.164 any
access-list 145 permit ip host 172.31.14.128 any
access-list 145 permit ip host 172.31.14.136 any
access-list 145 permit ip host 172.31.14.125 any
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any
access-list 145 permit tcp 172.31.19.0 0.0.0.255 any
access-list 145 permit ip 172.31.20.0 0.0.0.255 any
access-list 145 permit ip 172.31.33.0 0.0.0.255 any
access-list 150 remark Internet_Access_Test
access-list 150 permit ip 172.31.33.0 0.0.0.255 any
access-list 150 permit ip 172.31.20.0 0.0.0.255 any
access-list 150 permit ip 172.31.14.0 0.0.0.255 any
access-list 150 permit ip 172.31.16.0 0.0.0.255 any
access-list 150 permit ip 172.31.19.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map internet permit 10
match ip address 150 145
!
radius-server host 172.31.14.13 auth-port 1645 acct-port 1646
radius-server host 172.31.14.12 auth-port 1645 acct-port 1646
radius-server key 7 08625E1A0D481042115A0557247C65
!
control-plane
!
banner login
------------------------------------------------
L7Router02.inside.domain
Authorized use only
------------------------------------------------
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
end

Any thoughts?

I connected up a machine on the 172.31.33.0/24 subnet and directly connected a client to it, then set the IP address for the VPN as 172.31.33.1 (vlan 10 IP). Basically the same thing happened, it all came to life but it doesn't look like packets are going back to the client, even though they're being received by the router.

Can I do ip unnumbered for the Virtual-Template in reference to a VLAN IP address?

Does my general config look correct? Surely there must be an error...

Well, after all that it was because I forgot to add the new router as a radius client on our radius server. *Bangs head against table*
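The root cause turned out to be outside the router: the RADIUS server had no client entry for the new device, so the ISAKMP profile's 'client authentication list' and 'isakmp authorization list' could never complete. A pre-flight check that reads the configuration and lists exactly what the RADIUS side has to know makes that dependency visible before the first test connection. The script below is an added example, not the poster's or Cisco's code; it parses the AAA list definitions, the references to them from the ISAKMP profile and crypto map, the 'radius-server host' entries, and the interface addresses, then reports the NAS source address the RADIUS server will see. It also flags three management-plane settings that are present in the posted configuration ('no service password-encryption', 'ip http server', 'transport input telnet ssh'). The abridged sample config, the mistyped-list failure case, and the function name check_aaa_wiring are constructed for the example; the NAS source lookup assumes the RADIUS server is on a directly connected subnet (as here, on Vlan1) and does not consult static routes.

```python
"""Pre-flight check of the AAA/RADIUS wiring in an IOS remote-access VPN config."""
import ipaddress
import re

# Constructed sample: an abridged copy of the configuration posted in this thread
# (AAA list names, RADIUS servers and interface addresses kept, the rest trimmed).
SAMPLE_CONFIG = """\
no service password-encryption
aaa new-model
aaa authentication login RASRadiusAuth group radius
aaa authentication ppp default group radius
aaa authorization network RASRadiusAuthorisation group radius
crypto isakmp profile RAS-ike-Profile
   match identity group Staff
   client authentication list RASRadiusAuth
   isakmp authorization list RASRadiusAuthorisation
   virtual-template 2
!
crypto map RASMap client authentication list RASRadiusAuth
crypto map RASMap isakmp authorization list RASRadiusAuthorisation
!
interface Vlan1
ip address 172.31.14.70 255.255.255.0
!
interface Vlan10
ip address 172.31.33.2 255.255.255.0
!
ip http server
radius-server host 172.31.14.13 auth-port 1645 acct-port 1646
radius-server host 172.31.14.12 auth-port 1645 acct-port 1646
line vty 0 4
transport input telnet ssh
"""
# Constructed failure case: the ISAKMP profile points at a list name never defined.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("client authentication list RASRadiusAuth\n",
                                      "client authentication list RASRadiusAuthn\n", 1)

DEFINE_RE = re.compile(r"^aaa (?:authentication login|authorization network) (\S+) (.+)$")
REF_RE = re.compile(r"(?:client authentication|isakmp authorization) list (\S+)")
RADIUS_RE = re.compile(r"^radius-server host (\S+)")
SRC_IF_RE = re.compile(r"^ip radius source-interface (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
# Management-plane settings in the posted config that weaken it, each with its fix.
HYGIENE = {
    "no service password-encryption": "passwords/keys appear in clear text in 'show run'",
    "transport input telnet": "telnet management enabled; prefer 'transport input ssh'",
    "ip http server": "plain-HTTP management enabled; keep only 'ip http secure-server'",
}


def check_aaa_wiring(config_text):
    """Return AAA lists, dangling references, RADIUS servers, the likely NAS source
    address and hygiene findings for one IOS configuration."""
    defined, referenced, servers, hygiene, interfaces = {}, [], [], [], {}
    source_if, current = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("!"):  # block separator: leave any interface sub-mode
            current = None
            continue
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif current and (m := ADDR_RE.match(line)):
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if m := DEFINE_RE.match(line):
            defined[m.group(1)] = m.group(2)
        referenced.extend(REF_RE.findall(line))
        if m := RADIUS_RE.match(line):
            servers.append(m.group(1))
        if m := SRC_IF_RE.match(line):
            source_if = m.group(1)
        hygiene.extend(f"{line}: {why}" for key, why in HYGIENE.items() if line.startswith(key))

    missing = sorted({n for n in referenced if n not in defined})
    problems = [f"list '{n}' is referenced but never defined" for n in missing]
    if any("group radius" in methods for methods in defined.values()) and not servers:
        problems.append("AAA lists use 'group radius' but no 'radius-server host' is configured")

    # The RADIUS server identifies this router by the source address of its requests.
    # With 'ip radius source-interface' unset (as in the thread) IOS uses the egress
    # interface; this example assumes the server is on a directly connected subnet
    # and does not walk the routing table.
    nas_source = None
    if source_if:
        nas_source = (source_if, str(interfaces[source_if].ip) if source_if in interfaces else None)
    elif servers:
        for name, iface in interfaces.items():
            if ipaddress.ip_address(servers[0]) in iface.network:
                nas_source = (name, str(iface.ip))
                break
    return {"defined": defined, "missing": missing, "problems": problems,
            "radius_servers": servers, "nas_source": nas_source, "hygiene": hygiene}


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("mistyped list", BROKEN_CONFIG)):
        r = check_aaa_wiring(cfg)
        print(f"== {label} ==")
        print("problems:", r["problems"] or "none")
        print("register NAS", r["nas_source"], "as a RADIUS client on:", r["radius_servers"])
        for h in r["hygiene"]:
            print("hygiene:", h)
```

For the posted configuration the check reports no dangling list names and two RADIUS servers, and tells you that 172.31.14.70 on Vlan1 is the address those servers must have registered as a client; that last line is the item that was missing in this thread.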