cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1729
Views
0
Helpful
6
Replies

Remote Access VPN - Fails to obtain ip

lukedp
Level 1
Level 1

I am in the process of configuring a remote access VPN to my 1841 router.

When i apply the configuration the configuration brings down another point to point vpn and produces the following error when trying to accees via the cisco vpn client.

1      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE3000023

No private IP address was assigned by the peer

2      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)

6 Replies 6

lukedp
Level 1
Level 1

version 12.4

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

no service password-encryption

!

hostname Router1841

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login VPN_CLIENT_LOGIN local

aaa authorization network VPN_CLIENT_GROUP local

!

!

aaa session-id common

clock timezone WST 8

!

!

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.181.1 192.168.181.31

!

ip dhcp pool dhcp

   network 192.168.181.0 255.255.255.0

   default-router 192.168.181.1

!

ip dhcp pool STATIC-7970

   host 192.168.181.11 255.255.255.0

!

!

ip cef

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username test privilege 15 password test

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 30

encr 3des

authentication pre-share

group 2

crypto isakmp key 23y92137921371097313133fcfdsadfs address 111.111.111.111

crypto isakmp key testkey address 22.22.22.22

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 15

!

crypto isakmp client configuration group VPN_CLIENTS

key ClientVpnKey

  pool VPN_CLIENT_POOL

acl 150

max-users 10

!

!

crypto ipsec transform-set AC_STRONG esp-3des esp-sha-hmac

crypto ipsec transform-set AC_NONE esp-null esp-sha-hmac

crypto ipsec transform-set AC_WEAK esp-des esp-sha-hmac

crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac

!

crypto dynamic-map EXT_DYNAMIC_MAP 10

set transform-set TRANS_3DES_SHA

!

!

crypto map EXT_CRYPTO_MAP local-address Dialer0

crypto map EXT_CRYPTO_MAP client authentication list VPN_CLIENT_LOGIN

crypto map EXT_CRYPTO_MAP isakmp authorization list VPN_CLIENT_GROUP

crypto map EXT_CRYPTO_MAP 10 ipsec-isakmp

description Tunnel to site1 (111.111.111.111)

set peer 111.111.111.111

set transform-set AC_STRONG

match address 100

reverse-route

crypto map EXT_CRYPTO_MAP 30 ipsec-isakmp

description tunnel to site2 (22.22.22.22)

set peer 22.22.22.22

set transform-set 3DES_MD5

match address VPN-ACL

crypto map EXT_CRYPTO_MAP 50 ipsec-isakmp dynamic EXT_DYNAMIC_MAP

!

archive

log config

  hidekeys

!

!

!

class-map match-any P2P

match protocol bittorrent

match protocol edonkey

match protocol gnutella

match protocol kazaa2

class-map match-all VOIP_DATA

match access-group 110

!

!

policy-map VOIP

class VOIP_DATA

    priority percent 10

class P2P

   drop

class class-default

   police cir 9000000 pir 9000000

     conform-action transmit

     exceed-action drop

     violate-action drop

    fair-queue

    queue-limit 5 packets

policy-map TORRENT

class P2P

   drop

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 8/35

  pppoe-client dial-pool-number 2

!

hold-queue 224 in

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

description Highway-1 Ethernet Service

no ip address

speed 100

full-duplex

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface FastEthernet1

description ILS-Router1841 FA 0/8 to Switch01 GI 1/0/48

switchport access vlan 80

spanning-tree portfast

!

interface Vlan1

no ip address

!

interface Vlan23

ip address 192.168.17.254 255.255.255.0

ip access-group 120 in

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

service-policy output TORRENT

hold-queue 255 out

!

interface Vlan24

ip address 192.168.181.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 255 out

!

interface Vlan80

ip address 192.168.80.1 255.255.255.252

ip nat inside

ip virtual-reassembly

!

interface Dialer0

description Highway 1 PPPoE Connection

bandwidth 10240

ip ddns update hostname Router1841

ip ddns update ISP.com

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly max-reassemblies 64 timeout 5

encapsulation ppp

dialer pool 1

dialer idle-timeout 999999

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname isp.com

ppp chap password XXXXX

ppp pap sent-username XXXXX

crypto map EXT_CRYPTO_MAP

service-policy output VOIP

!

ip local pool VPN_CLIENT_POOL 192.168.99.20 192.168.99.30

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 192.168.18.0 255.255.255.0 192.168.80.2

no ip http server

no ip http secure-server

!

!

ip nat inside source static udp 127.0.0.1 46900 interface Dialer0 46900

ip nat inside source route-map No_NAT_Rule interface Dialer0 overload

!

ip access-list extended VPN-ACL

permit ip 192.168.18.0 0.0.0.255 192.168.19.0 0.0.0.255

!

no logging trap

access-list 1 permit 192.168.0.0 0.0.255.255

access-list 100 remark *** Router1841-site1 VPN ***

access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255

access-list 100 remark *** Router1841-site1 VPN ***

access-list 105 remark Exclude traffic to VPN subnets

access-list 105 remark IPSec Rule - site1

access-list 105 deny   ip 192.168.17.0 0.0.0.255 192.168.15.0 0.0.0.255

access-list 105 remark Everything else we NAT

access-list 105 permit ip 192.168.17.0 0.0.0.255 any

access-list 105 permit ip 192.168.181.0 0.0.0.255 any

access-list 105 permit ip 192.168.80.0 0.0.0.255 any

access-list 105 permit ip 192.168.18.0 0.0.0.255 any

access-list 120 deny   udp 192.168.17.0 0.0.0.255 eq 46900 any

access-list 120 permit ip any any

access-list 150 permit ip 192.168.18.0 0.0.0.255 192.168.99.0 0.0.0.255

dialer-list 1 protocol ip permit

dialer-list 2 protocol ip permit

!

!

!

!

route-map No_NAT_Rule permit 1

match ip address 105

!

!

snmp-server community mixnuts RO 2

snmp-server ifindex persist

!

control-plane

line con 0

exec-timeout 0 0

privilege level 15

logging synchronous

line aux 0

line vty 0 4

access-class 2 in

exec-timeout 35791 0

privilege level 15

line vty 5 15

!

scheduler max-task-time 5000

ntp server 192.189.54.17

end

the commands "crypto isakmp key ..." are missing the parameters to not do x-auth and mode-config. You have to add them at the end of the command.
How many concurent remote-access-users do you have?


Sent from Cisco Technical Support iPad App

lukedp
Level 1
Level 1

Hi Karsten.

I have 3 vpn tunnels I am trying to create.

2 x fixed vpn s site to site. (1 of these worked before I added the remote access vpn.)

1 x remote access vpn (I allocated 10 spaces for remote access. None are in use)

What does removing x-auth and mode config do

with these parameters you tell your router that you don't want to do x-auth and mode-config for the site-to-site vpns. So after that, you have the same functionality as before.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsetn,

The no x-auth options appears to work for the site to site vpn.

however the remote access vpn does not appear to work..

i am still seeing the below error.

1      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE3000023

No private IP address was assigned by the peer

2      13:03:47.066  11/27/13  Sev=Warning/2    IKE/0xE300009B

Failed to process ModeCfg Reply (NavigatorTM:175)

68     17:42:35.500  11/28/13  Sev=Info/4    IKE/0x63000058

Received an ISAKMP message for a non-active SA, I_Cookie=E8D63EA073B77F38 R_Cookie=6C996DB8662FA83D

69     17:42:35.500  11/28/13  Sev=Info/4    IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(Dropped) from X.X.X.X

70     17:42:38.503  11/28/13  Sev=Info/4    IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=E8D63EA073B77F38 R_Cookie=6C996DB8662FA83D) reason = DEL_REASON_IKE_NEG_FAILED

71     17:42:38.503  11/28/13  Sev=Info/4    CM/0x6310000F

Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

72     17:42:38.503  11/28/13  Sev=Info/5    CM/0x63100025

Initializing CVPNDrv

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: