RA-VPN configuration help

cisco_prole
Level 1

Good evening,

I am a Cisco newbie with a Cisco 1941 ISR trying to set up an IPsec RA VPN.

I've scoured the web for the problem with my configuration but I haven't been able to find it yet.

Testing was performed using the VPN client integrated with Mac OS X, which resulted in no response from the VPN server.

The output of the 'show crypto isakmp sa' command is shown below:

IPv4 Crypto ISAKMP SA
dst                src                state          conn-id status
xxx.xxx.xxx.149    xxx.xxx.xxx.223    MM_NO_STATE          0 ACTIVE (deleted)

My config is below:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$/PbN$tFMPEDRc4pto2sIYXBXue1
!
aaa new-model
!
!
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.9
ip dhcp excluded-address 10.0.1.100 10.0.1.109
ip dhcp excluded-address 10.0.1.200 10.0.1.209
ip dhcp excluded-address 10.0.1.224 10.0.1.239
!
ip dhcp pool HOME
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 4.2.2.2 4.2.2.3
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server 4.2.2.3
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2706322209
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2706322209
 revocation-check none
 rsakeypair TP-self-signed-2706322209
!
!
crypto pki certificate chain TP-self-signed-2706322209
 certificate self-signed 01

  quit
license udi pid CISCO1941/K9 sn FGL161411EG
license boot module c1900 technology-package securityk9
!
!
username xxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
username xxxx privilege 0 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
ip ssh version 2
!
class-map type inspect match-all IN-TO-OUT-CLASS
 match access-group name IN-TO-OUT-ACL
class-map type inspect match-all OUT-TO-IN-CLASS
 match access-group name OUT-TO-IN-ACL
!
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect OUT-TO-IN-CLASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
!
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp client configuration address-pool local VPN_CLIENT_POOL
!
crypto isakmp client configuration group VPN_CLIENTS
 key xxxxxxxxxx
 dns 4.2.2.2 4.2.2.3
 domain yourvpndomain.com
 pool VPN_CLIENT_POOL
 acl 110
!
crypto isakmp client configuration group VPN_TEST
 key xxxxxxxxxx
 dns 4.2.2.2 4.2.2.3
 domain yourvpndomain.com
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set HOME_IPSECVPN esp-aes esp-sha256-hmac
!
crypto dynamic-map VPN_MAP 10
 set transform-set HOME_IPSECVPN
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic VPN_MAP
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map EXT_MAP
!
ip local pool VPN_CLIENT_POOL 10.0.1.224 10.0.1.239
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_ADDRESSES interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.x xxx
ip route 0.0.0.0 0.0.0.0 xx.xxx.x.x xxx
ip route 0.0.0.0 0.0.0.0 xxx.x.xxx.x xxx
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended IN-TO-OUT-ACL
 permit tcp 10.0.1.0 0.0.0.255 any
 permit udp 10.0.1.0 0.0.0.255 any
 permit icmp 10.0.1.0 0.0.0.255 any
ip access-list extended NAT_ADDRESSES
 deny   ip 10.0.1.0 0.0.0.255 10.0.1.224 0.0.0.15
 permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended OUT-TO-IN-ACL
 permit icmp any 10.0.1.0 0.0.0.255 unreachable
!
access-list 110 permit ip 10.0.1.0 0.0.0.255 10.0.1.224 0.0.0.15
!
...

Thanks in advance for any help you can provide.

cisco_prole

2 Replies

Hi Jawara!

MM_NO_STATE tells you that Phase 1 failed. In your config I couldn't find this command:

"crypto map EXT_MAP isakmp authorization VPN_CLIENT_GROUP"

It enables key lookup (IKE queries) for the group policy from an AAA server. In your case it's the local database.

I guess it'll help.
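The reply above points at a missing 'crypto map EXT_MAP isakmp authorization list' statement. The Python linter below is an added example, not code from this thread or from Cisco: it reads IOS configuration text and reports which remote-access crypto map bindings are missing or name AAA lists that are not defined. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, with that statement left out as in the original post.

```python
import re

# Constructed excerpt modelled on the config posted in the thread; the
# "isakmp authorization list" line is absent, as in the original post.
SAMPLE_CONFIG = """\
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
crypto dynamic-map VPN_MAP 10
 set transform-set HOME_IPSECVPN
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic VPN_MAP
interface GigabitEthernet0/1
 crypto map EXT_MAP
"""
def lint_ra_vpn(config, map_name):
    """Return findings for an IKEv1 remote-access crypto map: the three
    'crypto map <name> client/isakmp ...' bindings, the AAA lists they
    name, the dynamic map they reference and the interface binding."""
    lines = [l.strip() for l in config.splitlines()]
    m = re.escape(map_name)
    def first(pattern):  # first line matching pattern, anchored at line start
        return next((r for r in (re.match(pattern, l) for l in lines) if r), None)

    findings = []
    auth = first(rf"crypto map {m} client authentication list (\S+)")
    if not auth:
        findings.append("missing 'client authentication list' (no XAUTH)")
    elif not first(rf"aaa authentication login {re.escape(auth.group(1))}\b"):
        findings.append(f"XAUTH list {auth.group(1)} has no 'aaa authentication login'")
    authz = first(rf"crypto map {m} isakmp authorization list (\S+)")
    if not authz:
        findings.append("missing 'isakmp authorization list' (no group key lookup, Phase 1 fails)")
    elif not first(rf"aaa authorization network {re.escape(authz.group(1))}\b"):
        findings.append(f"authorization list {authz.group(1)} has no 'aaa authorization network'")
    if not first(rf"crypto map {m} client configuration address respond"):
        findings.append("missing 'client configuration address respond' (no mode-config reply)")
    dyn = first(rf"crypto map {m} \d+ ipsec-isakmp dynamic (\S+)")
    if not dyn:
        findings.append("no 'ipsec-isakmp dynamic' entry in the crypto map")
    elif not first(rf"crypto dynamic-map {re.escape(dyn.group(1))} \d+"):
        findings.append(f"dynamic-map {dyn.group(1)} is referenced but not defined")
    if not first(rf"crypto map {m}$"):
        findings.append(f"crypto map {map_name} is not applied to any interface")
    return findings

if __name__ == "__main__":
    for f in lint_ra_vpn(SAMPLE_CONFIG, "EXT_MAP"):
        print("FINDING:", f)
```

Run it against the output of 'show running-config' saved to a file; an empty result means all the bindings the reply describes are present and resolve to defined AAA lists.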

doh ...

I somehow deleted that during some troubleshooting; it was in my config notes.

Added it back in; same behavior.

Thank you for your reply and any help that you can provide.