10-31-2010 04:15 AM - edited 02-21-2020 04:56 PM
Hello All.
I have a Cisco 2811 with advipservices. I have a connection between my ISP and my router in a private network (interface FastEthernet0/0.678). My external IP address is on a loopback interface. When a client tries to connect, he passes phase 1, then XAuth, and then IKE negotiation fails.
Message Log from VPN Client:
345 16:55:30.161 10/31/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=BB661789962D39E1 R_Cookie=F38F8F267DFABCC9) reason = DEL_REASON_IKE_NEG_FAILED
Message Log from Router:
Oct 31 11:05:13.973: ISAKMP:(1023):deleting node -260979190 error FALSE reason "Informational (in) state 1"
Oct 31 11:05:13.973: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 31 11:05:13.977: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
Config
aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local
crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key password
 dns 192.168.6.10
 domain examp.com
 pool pl_RmACC
 acl 112
 configuration version 1
 netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
 match identity group VPN
 client authentication list vpn_xauth
 isakmp authorization list vpn_grp
 client configuration address initiate
 client configuration address respond
 client configuration group VPN
!
!
crypto ipsec transform-set ts_transform esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ts_transform
 match address 111
 reverse-route
!
!
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns isakmp authorization list vpn_grp
crypto map cm_vpns client configuration address respond
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
!
access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15
!
!
ip local pool pl_RmACC 192.168.7.2 192.168.7.14
Where did I screw up?
10-31-2010 05:37 AM
Hi,
Can you post the interface configurations?
10-31-2010 06:00 AM
Hi,
Remove the following unnecessary lines and try again. And this time post the whole isakmp debug from the router and also from the client.
crypto isakmp profile cp_RemVPN
 no client configuration address initiate
 no client configuration group VPN
no crypto map cm_vpns isakmp authorization list vpn_grp
no crypto map cm_vpns client configuration address respond
Let me know how it goes.
Regards,
Praveen
10-31-2010 06:12 AM
No, it is still not connected.
Interface config
interface Loopback3
 ip address 82.200.163.46 255.255.255.252
 ip virtual-reassembly
!
interface FastEthernet0/0.678
 encapsulation dot1Q 678
 ip address 10.10.1.6 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map cm_vpns
!
ip route 0.0.0.0 0.0.0.0 10.10.1.5
Debug attached.
10-31-2010 06:20 AM
Hi,
Thank you for the debugs.
The debugs show:
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
Remove the following line and see what happens:
crypto dynamic-map dynmap 10
 no match address 111
Let me know how it goes.
Regards,
Praveen
10-31-2010 06:22 AM
Still the same result, not working.
10-31-2010 06:34 AM
Hi,
Configure the following and get me the debugs from the router again please:
crypto dynamic-map dynmap 10
 set isakmp profile cp_RemVPN
Let me know.
Regards,
Praveen
10-31-2010 06:50 AM
10-31-2010 07:27 AM
Hi,
From the debugs I see that the Phase 2 transform set is not matching at all. Which PC are you trying to connect from? VPN Client version?
Can you try the following transform set and see what happens:
crypto ipsec transform-set ts_transform_2 esp-aes esp-md5-hmac comp-lzs
crypto dynamic-map dynmap 10
 set transform-set ts_transform ts_transform_2
Send the output of:
show run | sec crypto isakmp
show run | sec crypto dynamic
show run | sec crypto map
Also send me the router debugs.
Regards,
Praveen
10-31-2010 08:20 AM
Still no luck; after all the processes it disconnects.
Cisco Systems VPN Client Version 5.0.07.0410
Client Type(s): Windows, WinNT
Running on: 6.1.7600 ( Windows 7 Ultimate)
show run | sec crypto isakmp
crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 20 3
crypto isakmp client configuration group VPN
 key password
 dns 192.168.6.10
 domain examp.com
 pool pl_RmACC
 acl 112
 configuration version 1
 netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
 match identity group VPN
 client authentication list vpn_xauth
 isakmp authorization list vpn_grp
 client configuration address respond
show run | sec crypto dynamic
crypto dynamic-map dynmap 10
 set transform-set ts_transform_2
 set pfs group2
 set isakmp-profile cp_RemVPN
 reverse-route
show run | sec crypto map
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
 crypto map cm_vpns
10-31-2010 01:49 PM
You need to enable the crypto map on the interface with the address you are actually connecting to, which means lo3 and not the ethernet trunk port.
10-31-2010 06:28 PM
Changing the interface does not help. If I apply the crypto map on lo3, the same thing happens.
Correct me if I am wrong: the crypto map must be applied on the physical interface that works with the traffic. In my case it is fa0/0.678, and I issued the command crypto map cm_vpns local-address Loopback3 to tell the router that the actual address should be on the loopback.
Same problem with the crypto map applied on int fa0/0.678 and on lo3.
11-01-2010 07:59 AM
Hi guys, thanks all! I found the root cause: crypto dynamic-map dynmap 10 and crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap make the VPN drop the connection. I remembered a TAC engineer's remark; he told me that if the numbers differ it can cause problems, and after changing crypto dynamic-map dynmap 10 to 10000 everything works great. Can anyone explain this "feature"?
And when I add a match address statement in "crypto dynamic-map", the VPN fails too. Why?
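A small configuration linter, added here as an illustration rather than anything posted in the thread, that reads an IOS crypto configuration and flags the two things this thread converged on: a match address statement inside a dynamic map used for remote-access clients (the "proxy identities not supported" symptom), and a crypto map entry whose sequence number does not match any entry of the dynamic map it references (the mismatch the original poster reported as the root cause). It also reports a crypto map that is not applied to any interface. The sample configuration is constructed from the thread's pre-fix config.

```python
import re

# Constructed sample: the crypto configuration from this thread, before the fix.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10
 set transform-set ts_transform
 match address 111
 reverse-route
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0.678
 crypto map cm_vpns
"""

def parse_sections(config):
    """Group IOS config into (header, [child lines]) blocks by indentation."""
    sections, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections

def lint_remote_access_crypto(config):
    """Flag the two pitfalls the thread settled on plus an unapplied crypto map."""
    findings, dyn, cmap_dyn, applied = [], {}, [], set()
    for header, children in parse_sections(config):
        m = re.match(r"crypto dynamic-map (\S+) (\d+)$", header)
        if m:
            dyn.setdefault(m.group(1), set()).add(int(m.group(2)))
            if any(c.startswith("match address ") for c in children):
                findings.append(f"dynamic-map {m.group(1)} {m.group(2)}: 'match address' restricts "
                                "proxy identities; remote-access clients propose their own address")
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", header)
        if m:
            cmap_dyn.append((m.group(1), int(m.group(2)), m.group(3)))
        elif header.startswith("interface "):
            applied.update(c.split()[2] for c in children if c.startswith("crypto map "))
    for name, seq, dname in cmap_dyn:
        if seq not in dyn.get(dname, set()):
            findings.append(f"crypto map {name} {seq} uses dynamic-map {dname} with entries "
                            f"{sorted(dyn.get(dname, []))}; the thread's fix was to align them")
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings
```

Running lint_remote_access_crypto(SAMPLE_CONFIG) returns the two findings for the pre-fix config; after renumbering the dynamic map to 10000 and dropping the match address line it returns an empty list.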