3119 Views, 4 Helpful, 12 Replies

Remote Access VPN on Loopback

AZaburdyayev
Level 1

Hello All.

I have a Cisco 2811 with advipservices. I have a connection between my ISP and my router in a private network (interface FastEthernet0/0.678). My external IP address is on a loopback interface. When a client tries to connect, he passes phase 1, then XAuth, and then IKE negotiation fails.

Message Log from VPN Client:

345    16:55:30.161  10/31/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=BB661789962D39E1 R_Cookie=F38F8F267DFABCC9) reason = DEL_REASON_IKE_NEG_FAILED

Message Log from Router:

Oct 31 11:05:13.973: ISAKMP:(1023):deleting node -260979190 error FALSE reason "Informational (in) state 1"
Oct 31 11:05:13.973: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 31 11:05:13.977: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

Config

aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local

crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key password
dns 192.168.6.10
domain examp.com
pool pl_RmACC
acl 112
configuration version 1
netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address initiate
   client configuration address respond
   client configuration group VPN
!
!
crypto ipsec transform-set ts_transform esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ts_transform
match address 111
reverse-route
!
!
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns isakmp authorization list vpn_grp
crypto map cm_vpns client configuration address respond
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap

!

access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15

!

!

ip local pool pl_RmACC 192.168.7.2 192.168.7.14

Where did I screw up?

12 Replies

ali_nasser
Level 1

Hi,

Can you put the interface configurations?

Hi,

Remove the following unnecessary lines and try again. And this time post the whole isakmp debug from the router and also from the client.

crypto isakmp profile cp_RemVPN

   no client configuration address initiate

   no client configuration group VPN

no crypto map cm_vpns isakmp authorization list vpn_grp
no crypto map cm_vpns client configuration address respond

Let me know how it goes.

Regards,

Praveen

AZaburdyayev
Level 1

No, it is still not connected.

Interface config

interface Loopback3
ip address 82.200.163.46 255.255.255.252
ip virtual-reassembly

!

interface FastEthernet0/0.678
encapsulation dot1Q 678
ip address 10.10.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
crypto map cm_vpns

!

ip route 0.0.0.0 0.0.0.0 10.10.1.5

Debug attached.

Hi,

Thank you for the debugs.

The debugs show:

map_db_find_best did not find matching map

IPSEC(ipsec_process_proposal): proxy identities not supported

Remove the following line and see what happens:

crypto dynamic-map dynmap 10

   no match address 111

Let me know how it goes.

Regards,

Praveen

AZaburdyayev
Level 1

Still the same result, not working.

Hi,

Configure the following and get me the debugs from the router again please:

crypto dynamic-map dynmap 10

  set isakmp profile cp_RemVPN

Let me know.

Regards,

Praveen

AZaburdyayev
Level 1

Still same problem. My debugs are attached.

Hi,

From the debugs I see that the Phase-2 transform set is not matching at all. Which PC are you trying to connect from? VPN Client version?

Can you try the following transform set and see what happens:

crypto ipsec transform-set ts_transform_2 esp-aes esp-md5-hmac comp-lzs

crypto dynamic-map dynmap 10
  set transform-set ts_transform ts_transform_2

Send the output of:

show run | sec crypto isakmp

show run | sec crypto dynamic

show run | sec crypto map

Also Send me the Router debugs.

Regards,

Praveen

AZaburdyayev
Level 1

Still no luck; after all the processes it disconnects.

Cisco Systems VPN Client Version 5.0.07.0410
Client Type(s): Windows, WinNT
Running on: 6.1.7600 ( Windows 7 Ultimate)

show run | sec crypto isakmp
crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
crypto isakmp client configuration group VPN
key password
dns 192.168.6.10
domain examp.com
pool pl_RmACC
acl 112
configuration version 1
netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
show run | sec crypto dynamic
crypto dynamic-map dynmap 10
set transform-set ts_transform_2
set pfs group2
set isakmp-profile cp_RemVPN
reverse-route
show run | sec crypto map
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
crypto map cm_vpns

You need to enable the crypto map on the interface with the address you are actually connecting to, which means lo3 and not the ethernet trunk port.

AZaburdyayev
Level 1

Changing the interface does not help. If I apply the crypto map on lo3 the same thing happens.

Correct me if I am wrong, but the crypto map must be applied on the physical interface which works with the traffic. In my case it is fa0/0.678, and I issued the command crypto map cm_vpns local-address Loopback3 to tell the router that the actual address should be on the loopback.

Same problem with the crypto map applied on int fa0/0.678 and lo3.

AZaburdyayev
Level 1

Hi guys, thanks all! I found the root cause: crypto dynamic-map dynmap 10 and crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap make the VPN drop the connection. I remembered a TAC engineer's remark; he told me that if the numbers differ it can cause a problem. After changing crypto dynamic-map dynmap 10 to 10000 everything works great. Can anyone explain this "feature"?

And when I add a match address statement in "crypto dynamic-map", the VPN fails too. Why?
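The two conditions the original poster reports as breaking the remote-access VPN (a dynamic-map sequence number that differs from the crypto map entry referencing it, and a match address ACL inside the dynamic-map) can be caught by linting the running config before it is pushed. The following Python script is an added example, not code from the thread or from Cisco; it flags exactly those two thread-reported conditions plus a crypto map that is never applied to an interface. The sample config is constructed here, modelled on the configuration posted above, and the checks encode what this thread reports rather than documented IOS behaviour.

```python
"""Lint a Cisco IOS running-config dump for the remote-access crypto map
pitfalls reported in this thread.  Constructed example: the config text,
the regexes and the finding messages are all assumptions of this script."""
import re
from typing import Dict, List, Optional, Tuple

# Top-level (unindented) commands we care about.
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)\s*$")
MAP_DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)\s*$")
MAP_LOCAL_RE = re.compile(r"^crypto map (\S+) local-address (\S+)\s*$")
IFACE_RE = re.compile(r"^interface (\S+)\s*$")
# Sub-commands (indented) inside a dynamic-map or interface block.
MATCH_ADDR_RE = re.compile(r"^\s+match address (\S+)\s*$")
IFACE_MAP_RE = re.compile(r"^\s+crypto map (\S+)\s*$")

# Constructed sample modelled on the thread's posted config (not a live dump).
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10
 set transform-set ts_transform
 match address 111
 reverse-route
!
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0.678
 encapsulation dot1Q 678
 ip address 10.10.1.6 255.255.255.252
 crypto map cm_vpns
!
interface Loopback3
 ip address 82.200.163.46 255.255.255.252
"""

# The poster's reported fix: equal sequence numbers, no match address.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto dynamic-map dynmap 10\n", "crypto dynamic-map dynmap 10000\n"
).replace(" match address 111\n", "")


def parse_config(config: str) -> dict:
    """Collect dynamic-maps, crypto-map dynamic entries, local-address
    statements and the interfaces each crypto map is applied to."""
    dyn: Dict[str, dict] = {}             # name -> {"seqs": [...], "match_acls": [...]}
    map_entries: List[Tuple[str, int, str]] = []  # (map, seq, dynamic-map name)
    local_addr: Dict[str, str] = {}       # map -> local-address interface
    applied: Dict[str, List[str]] = {}    # map -> interfaces it is applied on
    cur_dyn: Optional[str] = None
    cur_iface: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():
            # Any unindented line ends the current block.
            cur_dyn = cur_iface = None
            if m := DYN_RE.match(line):
                entry = dyn.setdefault(m.group(1), {"seqs": [], "match_acls": []})
                entry["seqs"].append(int(m.group(2)))
                cur_dyn = m.group(1)
            elif m := MAP_DYN_RE.match(line):
                map_entries.append((m.group(1), int(m.group(2)), m.group(3)))
            elif m := MAP_LOCAL_RE.match(line):
                local_addr[m.group(1)] = m.group(2)
            elif m := IFACE_RE.match(line):
                cur_iface = m.group(1)
            continue
        # Indented line: sub-command of whichever block is open.
        if cur_dyn and (m := MATCH_ADDR_RE.match(line)):
            dyn[cur_dyn]["match_acls"].append(m.group(1))
        elif cur_iface and (m := IFACE_MAP_RE.match(line)):
            applied.setdefault(m.group(1), []).append(cur_iface)
    return {"dyn": dyn, "map_entries": map_entries,
            "local_addr": local_addr, "applied": applied}


def check_remote_access_maps(config: str) -> List[str]:
    """Return one finding per thread-reported pitfall present in the config."""
    p = parse_config(config)
    findings: List[str] = []
    for map_name, seq, dyn_name in p["map_entries"]:
        entry = p["dyn"].get(dyn_name)
        if entry is None:
            findings.append(f"crypto map {map_name} {seq} references undefined dynamic-map {dyn_name}")
            continue
        for dseq in entry["seqs"]:
            if dseq != seq:
                findings.append(f"sequence mismatch: crypto map {map_name} {seq} uses "
                                f"dynamic-map {dyn_name} {dseq} (thread reports drops until equal)")
        for acl in entry["match_acls"]:
            findings.append(f"dynamic-map {dyn_name} has 'match address {acl}' "
                            f"(thread reports remote-access clients fail with it set)")
        if map_name not in p["applied"]:
            findings.append(f"crypto map {map_name} is not applied to any interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"{name}: {check_remote_access_maps(cfg) or ['no findings']}")
```

Run it against a saved `show run` before a change window; the "as posted" config yields the sequence-mismatch and match-address findings and the "after fix" config yields none. The interface application check is included because the thread also argues about where the crypto map belongs, but the script deliberately does not judge loopback versus physical interface, since the thread does not settle that question.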