Remote Access VPN - Fails to obtain ip

lukedp
Level 1

I am in the process of configuring a remote access VPN to my 1841 router.

When I apply the configuration, the configuration brings down another point-to-point VPN and produces the following error when trying to access via the Cisco VPN client.

1      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE3000023

No private IP address was assigned by the peer

2      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)


lukedp
Level 1

version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Router1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
!
aaa session-id common
clock timezone WST 8
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.181.1 192.168.181.31
!
ip dhcp pool dhcp
   network 192.168.181.0 255.255.255.0
   default-router 192.168.181.1
!
ip dhcp pool STATIC-7970
   host 192.168.181.11 255.255.255.0
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username test privilege 15 password test
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 23y92137921371097313133fcfdsadfs address 111.111.111.111
crypto isakmp key testkey address 22.22.22.22
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 15
!
crypto isakmp client configuration group VPN_CLIENTS
 key ClientVpnKey
 pool VPN_CLIENT_POOL
 acl 150
 max-users 10
!
!
crypto ipsec transform-set AC_STRONG esp-3des esp-sha-hmac
crypto ipsec transform-set AC_NONE esp-null esp-sha-hmac
crypto ipsec transform-set AC_WEAK esp-des esp-sha-hmac
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_CRYPTO_MAP local-address Dialer0
crypto map EXT_CRYPTO_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_CRYPTO_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_CRYPTO_MAP 10 ipsec-isakmp
 description Tunnel to site1 (111.111.111.111)
 set peer 111.111.111.111
 set transform-set AC_STRONG
 match address 100
 reverse-route
crypto map EXT_CRYPTO_MAP 30 ipsec-isakmp
 description tunnel to site2 (22.22.22.22)
 set peer 22.22.22.22
 set transform-set 3DES_MD5
 match address VPN-ACL
crypto map EXT_CRYPTO_MAP 50 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
archive
 log config
  hidekeys
!
!
!
class-map match-any P2P
 match protocol bittorrent
 match protocol edonkey
 match protocol gnutella
 match protocol kazaa2
class-map match-all VOIP_DATA
 match access-group 110
!
!
policy-map VOIP
 class VOIP_DATA
    priority percent 10
 class P2P
   drop
 class class-default
   police cir 9000000 pir 9000000
     conform-action transmit
     exceed-action drop
     violate-action drop
    fair-queue
    queue-limit 5 packets
policy-map TORRENT
 class P2P
   drop
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 2
 !
 hold-queue 224 in
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description Highway-1 Ethernet Service
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 description ILS-Router1841 FA 0/8 to Switch01 GI 1/0/48
 switchport access vlan 80
 spanning-tree portfast
!
interface Vlan1
 no ip address
!
interface Vlan23
 ip address 192.168.17.254 255.255.255.0
 ip access-group 120 in
 ip nbar protocol-discovery
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 service-policy output TORRENT
 hold-queue 255 out
!
interface Vlan24
 ip address 192.168.181.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 255 out
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Highway 1 PPPoE Connection
 bandwidth 10240
 ip ddns update hostname Router1841
 ip ddns update ISP.com
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly max-reassemblies 64 timeout 5
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 999999
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname isp.com
 ppp chap password XXXXX
 ppp pap sent-username XXXXX
 crypto map EXT_CRYPTO_MAP
 service-policy output VOIP
!
ip local pool VPN_CLIENT_POOL 192.168.99.20 192.168.99.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.18.0 255.255.255.0 192.168.80.2
no ip http server
no ip http secure-server
!
!
ip nat inside source static udp 127.0.0.1 46900 interface Dialer0 46900
ip nat inside source route-map No_NAT_Rule interface Dialer0 overload
!
ip access-list extended VPN-ACL
 permit ip 192.168.18.0 0.0.0.255 192.168.19.0 0.0.0.255
!
no logging trap
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 remark *** Router1841-site1 VPN ***
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 100 remark *** Router1841-site1 VPN ***
access-list 105 remark Exclude traffic to VPN subnets
access-list 105 remark IPSec Rule - site1
access-list 105 deny   ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 105 remark Everything else we NAT
access-list 105 permit ip 192.168.17.0 0.0.0.255 any
access-list 105 permit ip 192.168.181.0 0.0.0.255 any
access-list 105 permit ip 192.168.80.0 0.0.0.255 any
access-list 105 permit ip 192.168.18.0 0.0.0.255 any
access-list 120 deny   udp 192.168.17.0 0.0.0.255 eq 46900 any
access-list 120 permit ip any any
access-list 150 permit ip 192.168.18.0 0.0.0.255 192.168.99.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map No_NAT_Rule permit 1
 match ip address 105
!
!
snmp-server community mixnuts RO 2
snmp-server ifindex persist
!
control-plane
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 35791 0
 privilege level 15
line vty 5 15
!
scheduler max-task-time 5000
ntp server 192.189.54.17
end

The commands "crypto isakmp key ..." are missing the parameters to not do x-auth and mode-config. You have to add them at the end of the command.
How many concurrent remote-access users do you have?



lukedp
Level 1

Hi Karsten.

I have 3 VPN tunnels I am trying to create.

2 x fixed VPNs site to site. (1 of these worked before I added the remote access VPN.)

1 x remote access VPN (I allocated 10 spaces for remote access. None are in use)

What does removing x-auth and mode config do?

With these parameters you tell your router that you don't want to do x-auth and mode-config for the site-to-site VPNs. So after that, you have the same functionality as before.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
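
An added example, not part of the original replies or of any Cisco tooling: a small Python check that reads an IOS configuration and lists the static peers whose "crypto isakmp key" line lacks the no-xauth keyword while their crypto map also carries "client authentication list", which is the situation described in the reply above. The sample configuration is constructed from the one posted in this thread with placeholder key strings, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the configuration posted in this thread.
# Key strings are placeholders; indentation follows "show running-config".
SAMPLE_CONFIG = """\
crypto isakmp key PLACEHOLDER_KEY_1 address 111.111.111.111
crypto isakmp key PLACEHOLDER_KEY_2 address 22.22.22.22 no-xauth
crypto map EXT_CRYPTO_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_CRYPTO_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_CRYPTO_MAP 10 ipsec-isakmp
 set peer 111.111.111.111
crypto map EXT_CRYPTO_MAP 30 ipsec-isakmp
 set peer 22.22.22.22
crypto map EXT_CRYPTO_MAP 50 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
"""

KEY_RE = re.compile(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\s*$")
PEER_RE = re.compile(r"^\s+set peer (\S+)")


def peers_missing_no_xauth(config):
    """Return static peers that share a crypto map with Xauth clients but
    whose pre-shared key line does not carry the no-xauth keyword."""
    xauth_maps = set()   # crypto maps with "client authentication list"
    map_peers = {}       # crypto map name -> peers of its static entries
    key_opts = {}        # peer address -> keywords after the address
    current = None       # static crypto map entry being read
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # an unindented line closes the previous entry
        if m := KEY_RE.match(line):
            key_opts[m.group(1)] = m.group(2).split()
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := ENTRY_RE.match(line):
            current = m.group(1)
        elif current and (m := PEER_RE.match(line)):
            map_peers.setdefault(current, []).append(m.group(1))
    flagged = set()
    for name in xauth_maps:
        for peer in map_peers.get(name, []):
            if peer in key_opts and "no-xauth" not in key_opts[peer]:
                flagged.add(peer)
    return sorted(flagged)


if __name__ == "__main__":
    print(peers_missing_no_xauth(SAMPLE_CONFIG))
```
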

Hello Karsten,

The no x-auth option appears to work for the site-to-site VPN.

However, the remote access VPN does not appear to work.

I am still seeing the below error.

1      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE3000023

No private IP address was assigned by the peer

2      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)

68     17:42:35.500  11/28/13  Sev=Info/4    IKE/0x63000058

Received an ISAKMP message for a non-active SA, I_Cookie=E8D63EA073B77F38 R_Cookie=6C996DB8662FA83D

69     17:42:35.500  11/28/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(Dropped) from X.X.X.X

70     17:42:38.503  11/28/13  Sev=Info/4    IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=E8D63EA073B77F38 R_Cookie=6C996DB8662FA83D) reason = DEL_REASON_IKE_NEG_FAILED

71     17:42:38.503  11/28/13  Sev=Info/4    CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

72     17:42:38.503  11/28/13  Sev=Info/5    CM/0x63100025

Initializing CVPNDrv