01-09-2011 02:24 AM - edited 02-21-2020 05:04 PM
I am trying to configure a Cisco VPN connection to the following destination:
http://www.funkwerk-ec.com/prod_bintec_vpn_ipsec_test_access_de,14690,194.html
Since the "Pre-Shared Key Identity" is required, I'm looking for a suitable function.
01-09-2011 03:26 AM
Don't think you can use Cisco VPN Client to connect. Unfortunately I don't read German, but VPN Access 100 is not a Cisco VPN server product.
There is a VPN Client link at the bottom of the page, i.e. Bintec Secure IPSec VPN Client, that you might have to use to connect to the VPN Access 100 server.
Here is the link FYI:
http://www.funkwerk-ec.com/download/de/products/vpn_in_5min_client.pdf
Hope that helps.
01-09-2011 05:57 AM
No, this is not the problem.
I would like to connect with a Cisco router, and cannot realise the "Pre-Shared Key Identity" function.
??
01-09-2011 11:00 PM
It's the hostname of the VPN peer server. It should really be "vpn-test.bintec.de" not "vpn-test@bintec.de".
"vpn-test.bintec.de" resolves to 212.14.95.38, which is the IPsec gateway.
On Cisco router, it would be specified as follows:
crypto isakmp identity [address | hostname]
"address" would be when the peer is identified by ip address (212.14.95.38)
"hostname" would be when the peer is identified by hostname (vpn-test.bintec.de)
Here is the command reference for your information:
http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_c4.html#wp1060149
Hope that helps.
01-10-2011 11:17 AM
The debug shows that phase 1 is now OK.
But Phase 2 still contains an error.
*Jan 10 18:40:33.907: SA has outstanding requests (local IP port 500, remote IP port 500)
*Jan 10 18:40:33.907: ISAKMP:(2031): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jan 10 18:40:33.907: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of 638886014
*Jan 10 18:40:33.907: ISAKMP:(2031):QM Initiator gets spi
*Jan 10 18:40:33.907: ISAKMP:(2031): sending packet to IP my_port 500 peer_port 500 (I) QM_IDLE
*Jan 10 18:40:33.907: ISAKMP:(2031):Sending an IKE IPv4 Packet.
*Jan 10 18:40:33.907: ISAKMP:(2031):Node 638886014, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jan 10 18:40:33.907: ISAKMP:(2031):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jan 10 18:40:34.003: ISAKMP (2031): received packet from IP dport 500 sport 500 Global (I) QM_IDLE
*Jan 10 18:40:34.003: ISAKMP: set new node -660547041 to QM_IDLE
*Jan 10 18:40:34.003: ISAKMP:(2031): processing HASH payload. message ID = -660547041
*Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 210632566, message ID = -660547041, sa = 0x866C79CC
*Jan 10 18:40:34.003: ISAKMP:(2031): deleting spi 210632566 message ID = 638886014
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node 638886014 error TRUE reason "Delete Larval"
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node -660547041 error FALSE reason "Informational (in) state 1"
*Jan 10 18:40:34.003: ISAKMP:(2031):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jan 10 18:40:34.003: ISAKMP:(2031):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
The error message is the line: *Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
The Bintec expected: Phase 2 Proposal ESP, 3DES/md5
My transform-set is: Router(config)#crypto ipsec transform-set Test esp-3des esp-md5-hmac
What's the mistake?
01-10-2011 09:14 PM
Based on the document: VPN in 5 Minuten - VPN Gateway (page 24) PDF document from the URL given, it seems that they are using phase 2 with PFS set to group 2, so try to add that in your phase 2 policy in the router.
"set pfs group2" under the dynamic crypto map configuration.
01-11-2011 11:07 PM
Thanks Jennifer Halim.
Great,
this was my problem.
Many thanks.
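The debug output in this thread shows a Quick Mode (phase 2) exchange being torn down after the peer sent NOTIFY PROPOSAL_NOT_CHOSEN for protocol 3, which is ESP in the IPsec DOI; the PFS group is one of the phase 2 attributes the peer compares. The Python script below is an added example, not part of the original posts or of any Cisco tool, that reads such debug lines and reports which exchange failed and what to compare with the peer. The function name `triage` and the hint list `PHASE2_CHECKS` are assumptions of this example; the sample lines are taken from the debug output quoted above.

```python
import re

# Protocol IDs from the IPsec DOI (RFC 2407): the number after "protocol" in the NOTIFY line.
PROTOCOLS = {1: "ISAKMP", 2: "AH", 3: "ESP", 4: "IPCOMP"}
# Phase 2 attributes a peer compares before choosing a proposal (hint list, an assumption of this example).
PHASE2_CHECKS = ["ESP cipher and hash (transform-set)", "PFS group (set pfs)", "encapsulation mode"]

# Lines taken from the debug output quoted in the thread.
SAMPLE = """\
*Jan 10 18:40:33.907: ISAKMP:(2031):beginning Quick Mode exchange, M-ID of 638886014
*Jan 10 18:40:33.907: ISAKMP:(2031):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jan 10 18:40:34.003: ISAKMP:(2031): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node 638886014 error TRUE reason "Delete Larval"
*Jan 10 18:40:34.003: ISAKMP:(2031):deleting node -660547041 error FALSE reason "Informational (in) state 1"
"""

LINE = re.compile(r"ISAKMP:?\s*\((\d+)\):\s*(.*)")
QM_START = re.compile(r"beginning Quick Mode exchange, M-ID of (-?\d+)")
NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol (\d+)")
NODE_FAIL = re.compile(r"deleting node (-?\d+) error TRUE")


def triage(log):
    """Return one finding per Quick Mode exchange that was torn down with an error."""
    pending, notify, findings = {}, {}, []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an ISAKMP debug line (prompt, continuation line, ...)
        sa, msg = m.groups()
        if q := QM_START.search(msg):
            pending.setdefault(sa, set()).add(q.group(1))  # remember our own M-IDs
        elif n := NOTIFY.search(msg):
            notify[sa] = (n.group(1), PROTOCOLS.get(int(n.group(2)), "unknown"))
        elif (d := NODE_FAIL.search(msg)) and d.group(1) in pending.get(sa, set()):
            reason, proto = notify.get(sa, ("no NOTIFY seen", "unknown"))
            findings.append({
                "sa": sa, "m_id": d.group(1), "phase": 2,  # Quick Mode is phase 2
                "reason": reason, "protocol": proto,
                "check": PHASE2_CHECKS if reason == "PROPOSAL_NOT_CHOSEN" else [],
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"SA {f['sa']} phase {f['phase']} failed: {f['reason']} for {f['protocol']}")
        for item in f["check"]:
            print("  compare with peer:", item)
```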