02-14-2012 08:00 PM - edited 02-21-2020 05:52 PM
We've bought a new Cisco 877 to run our office Remote Access VPN and our old ADSL connection in our office, which we want to keep around in case our other internet feed has issues.
Previously we ran this on another router (a Cisco 1841), so I thought my best bet for the VPN config, as I'm fairly unfamiliar with it, would be to lift it from the old device and shape it to fit. I think I'm most of the way there, but I'm having real problems finishing it off. Essentially, when I go to connect, it seems the response packets from the router are not being received by the client.
I have attached my config as a text file. It's very similar to the current router's; the ADSL gets the same IP address. I'm not sure what the problem is.
Anyway, the symptoms are essentially this: the client sends the initial request, the router picks up on it, they agree on a communications method from what I can tell, and then the VPN client stops receiving anything from the router. I have attached full debugging from 'debug crypto isakmp' as well, but essentially this keeps happening:
.Feb 15 02:48:14.507: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:14.507: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:14.507: ISAKMP:(0): retransmission skipped (awaiting response from other process)
.Feb 15 02:48:19.487: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:19.487: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:19.487: ISAKMP:(0): retransmission skipped (awaiting response from other process)
I have also attached the client connection logs.
I doubt it's an internet issue, as I can physically connect a client to one of the other switch ports, give it an IP address on the VPN range (VLAN 10), and get out to the net and such.
I'm hoping this is just a case of my ignorance showing its head; I'm happy to be educated! Let me know if there's anything else I can provide to help.
02-15-2012 04:34 PM
For the sake of making it easier to view I thought I'd just post my config here. Hopefully someone will notice even general errors in my config that will help, let alone something that solves the problem:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L7Router02
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login RASRadiusAuth group radius
aaa authentication ppp default group radius
aaa authorization network RASRadiusAuthorisation group radius
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2097715422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2097715422
revocation-check none
rsakeypair TP-self-signed-2097715422
!
!
crypto pki certificate chain TP-self-signed-2097715422
certificate self-signed 01
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name inside.domain
!
vpdn enable
!
!
!
username root privilege 15 secret 5 $1$wApB$oGqTbrq1Jb8gizEvf2iDu1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group Staff
key SecureKey
dns 172.31.14.13
domain inside.domain
pool RASPool
acl 109
include-local-lan
split-dns inside.domain
split-dns dev.domain
split-dns prod.domain
netmask 255.255.255.0
banner
*****************************
Unauthorised Access prohibited
*****************************
!
crypto isakmp client configuration group iPhone
key SecureiPhoneKey
dns 172.31.14.13
domain inside.domain
pool RASPool
include-local-lan
netmask 255.255.255.0
banner
**********SmartDevice VPN******************
Unauthorised access prohibited.
This VPN is for smart devices, if you are
on a PC use the regular VPN.
*******************************************
crypto isakmp profile RAS-ike-Profile
match identity group Staff
match identity group iPhone
client authentication list RASRadiusAuth
isakmp authorization list RASRadiusAuthorisation
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set RASSet esp-3des esp-md5-hmac
!
crypto ipsec profile RAS-IPSEC-Profile
set transform-set RASSet
set isakmp-profile RAS-ike-Profile
!
!
crypto dynamic-map RASDynMap 10
set transform-set RASSet
!
!
crypto map RASMap client authentication list RASRadiusAuth
crypto map RASMap isakmp authorization list RASRadiusAuthorisation
crypto map RASMap client configuration address respond
crypto map RASMap 10 ipsec-isakmp dynamic RASDynMap
!
archive
log config
hidekeys
!
!
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface FastEthernet0
switchport trunk allowed vlan 1-6,10,1002-1005
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan10
tunnel mode ipsec ipv4
tunnel protection ipsec profile RAS-IPSEC-Profile
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 172.31.14.70 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
description VPN
ip address 172.31.33.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 107 in
ip access-group 107 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname 0295679958@swiftdsl.com.au
ppp chap password 0 unspecif1ed
!
ip local pool RASPool 172.31.33.100 172.31.33.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.31.14.0 255.255.255.0 172.31.33.1
ip route 172.31.16.0 255.255.255.0 172.31.33.1
ip route 172.31.17.0 255.255.255.0 172.31.33.1
ip route 172.31.18.0 255.255.255.0 172.31.33.1
ip route 172.31.19.0 255.255.255.0 172.31.33.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map internet interface Dialer0 overload
ip nat inside source static tcp 172.31.33.3 80 218.214.63.134 80 extendable
ip nat inside source static tcp 172.31.14.25 443 218.214.63.134 443 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.31.14.0 0.0.0.255
access-list 107 permit ip any any
access-list 109 permit ip 172.31.20.0 0.0.0.255 any
access-list 109 permit ip 172.31.33.0 0.0.0.255 any
access-list 109 permit ip 172.31.14.0 0.0.0.255 any
access-list 109 permit ip 172.31.16.0 0.0.0.255 any
access-list 109 permit ip 10.200.0.0 0.0.255.255 any
access-list 109 permit ip 0.0.0.0 255.255.255.0 any
access-list 145 permit ip host 172.31.16.55 any
access-list 145 permit ip host 172.31.16.16 any
access-list 145 permit ip 172.31.17.0 0.0.0.255 any
access-list 145 permit ip 172.31.19.0 0.0.0.255 any
access-list 145 permit ip host 172.31.14.25 any
access-list 145 permit ip host 172.31.14.105 any
access-list 145 permit ip host 172.31.14.60 any
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 22
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq ftp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq smtp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq pop3
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 143
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1723
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1818
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 1863
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 3309
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 5222
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq domain
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq domain
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 123
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq ntp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 4443
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq non500-isakmp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 500
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 63392
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 63392
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 29339
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 29339
access-list 145 remark access to internet, acl in trac 15061
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq isakmp
access-list 145 remark access to internet, acl in trac 15061
access-list 145 permit tcp 172.31.16.0 0.0.0.255 any eq 123
access-list 145 permit udp 172.31.16.0 0.0.0.255 any eq ntp
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any eq 3389
access-list 145 permit udp 172.31.14.0 0.0.0.255 any eq 19305
access-list 145 permit ip host 172.31.14.164 any
access-list 145 permit ip host 172.31.14.128 any
access-list 145 permit ip host 172.31.14.136 any
access-list 145 permit ip host 172.31.14.125 any
access-list 145 permit tcp 172.31.14.0 0.0.0.255 any
access-list 145 permit tcp 172.31.19.0 0.0.0.255 any
access-list 145 permit ip 172.31.20.0 0.0.0.255 any
access-list 145 permit ip 172.31.33.0 0.0.0.255 any
access-list 150 remark Internet_Access_Test
access-list 150 permit ip 172.31.33.0 0.0.0.255 any
access-list 150 permit ip 172.31.20.0 0.0.0.255 any
access-list 150 permit ip 172.31.14.0 0.0.0.255 any
access-list 150 permit ip 172.31.16.0 0.0.0.255 any
access-list 150 permit ip 172.31.19.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map internet permit 10
match ip address 150 145
!
radius-server host 172.31.14.13 auth-port 1645 acct-port 1646
radius-server host 172.31.14.12 auth-port 1645 acct-port 1646
radius-server key 7 08625E1A0D481042115A0557247C65
!
control-plane
!
banner login
------------------------------------------------
L7Router02.inside.domain
Authorized use only
------------------------------------------------
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler max-task-time 5000
end
02-21-2012 04:42 PM
Any thoughts?
I connected up a machine on the 172.31.33.0/24 subnet and directly connected a client to it, then set the IP address for the VPN as 172.31.33.1 (VLAN 10 IP). Basically the same thing happened: it all came to life, but it doesn't look like packets are going back to the client, even though they're being received by the router.
Can I do ip unnumbered for the Virtual-Template in reference to a VLAN IP address?
Does my general config look correct? Surely there must be an error...
02-22-2012 05:14 PM
Well, after all that it was because I forgot to add the new router as a radius client on our radius server. *Bangs head against table*
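As an added example (not part of the thread or the poster's config), a small Python triage helper that scans the `debug crypto isakmp` output quoted in the first post for the stalled-responder pattern and ties it to the root cause the last post reports: the responder has the peer's first aggressive-mode packet but is blocked on a process outside ISAKMP (here the AAA/RADIUS lookup), not on the network path. The sample lines are constructed from the quoted debug; the function and threshold names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the ISAKMP debug lines quoted in the first post.
SAMPLE_DEBUG = """\
.Feb 15 02:48:14.507: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:14.507: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:14.507: ISAKMP:(0): retransmission skipped (awaiting response from other process)
.Feb 15 02:48:19.487: ISAKMP (0:0): received packet from 101.169.154.43 dport 500 sport 64292 Global (R) AG_NO_STATE
.Feb 15 02:48:19.487: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
.Feb 15 02:48:19.487: ISAKMP:(0): retransmission skipped (awaiting response from other process)
"""

# Peer address, router role (R = responder) and ISAKMP state of each received packet.
RECV_RE = re.compile(
    r"received packet from (?P<peer>\d+\.\d+\.\d+\.\d+) dport \d+ sport \d+ "
    r"Global \((?P<role>[RI])\) (?P<state>\w+)"
)
DUP_MARKER = "phase 1 packet is a duplicate of a previous packet"
STALL_MARKER = "retransmission skipped (awaiting response from other process)"


def triage_isakmp_debug(text, stall_threshold=2):
    """Return {peer: (verdict, duplicate_count, stall_count)}.

    A peer re-sending its first packet while the router is still in
    AG_NO_STATE, logs it as a duplicate and skips its own retransmission
    because it is 'awaiting response from other process' means ISAKMP is
    waiting on an external process (AAA/RADIUS authorization in this thread),
    so the fix lies on the AAA side rather than in the IPsec or routing config.
    """
    per_peer = defaultdict(lambda: {"dups": 0, "stalls": 0, "state": None})
    current = None  # peer the following status lines belong to
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:
            current = m.group("peer")
            per_peer[current]["state"] = m.group("state")
            continue
        if current is None:
            continue
        if DUP_MARKER in line:
            per_peer[current]["dups"] += 1
        if STALL_MARKER in line:
            per_peer[current]["stalls"] += 1
    verdicts = {}
    for peer, c in per_peer.items():
        stalled = c["stalls"] >= stall_threshold and c["state"] == "AG_NO_STATE"
        verdict = "phase1-stalled-on-external-process" if stalled else "no-stall-pattern"
        verdicts[peer] = (verdict, c["dups"], c["stalls"])
    return verdicts
```

Run it over a saved debug capture and check the flagged peers against the AAA server's client list and `debug radius` before touching the crypto configuration.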