12-03-2013 03:09 AM - edited 02-21-2020 07:21 PM
Hello,
I have problems with remote IPsec access on an 877.
Here is my config:
aaa new-model
!
!
aaa authentication login local_authentication local
aaa authorization network default local
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 periodic
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group euezvpn
 key ********
 pool ezvpn
 acl split-tunneling
crypto isakmp profile eunet
 match identity group euezvpn
 client authentication list local_authentication
 isakmp authorization list default
 client configuration address respond
 client configuration group euezvpn
!
!
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto map eu-ezvpn 50 ipsec-isakmp dynamic eu-ezvpn
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp chap hostname aliceadsl
 ppp chap password 7 14161E020F012B2F3724
 ppp pap sent-username aliceadsl password 7 1108150C14170A081726
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map eu-ezvpn
ip local pool ezvpn 192.168.10.1 192.168.10.20
ip nat inside source static udp 10.30.82.1 4500 interface Dialer0 4500
ip nat inside source list 101 interface Dialer0 overload
access-list 101 deny ip 10.30.82.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 10.30.82.0 0.0.0.255 any
ip access-list extended split-tunneling
 permit ip any any
The auth is successful, but the client can't connect. Here is the debug of crypto isakmp:
(2035):Checking IPSec proposal 10
*Mar 11 13:24:19.224: ISAKMP:(2035):transform 1, IPPCP LZS
*Mar 11 13:24:19.224: ISAKMP: attributes in transform:
*Mar 11 13:24:19.224: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.224: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.224: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 11
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES
*Mar 11 13:24:19.228: ISAKMP: attributes in transform:
*Mar 11 13:24:19.228: ISAKMP: authenticator is HMAC-MD5
*Mar 11 13:24:19.228: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.228: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.228: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 12
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES
*Mar 11 13:24:19.228: ISAKMP: attributes in transform:
*Mar 11 13:24:19.228: ISAKMP: authenticator is HMAC-SHA
*Mar 11 13:24:19.228: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.228: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.228: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_DES
*Mar 11 13:24:19.228: ISAKMP: attributes in transform:
*Mar 11 13:24:19.228: ISAKMP: authenticator is HMAC-MD5
*Mar 11 13:24:19.228: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.228: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.228: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.232: ISAKMP:(2035):transform 1, IPPCP LZS
*Mar 11 13:24:19.232: ISAKMP: attributes in transform:
*Mar 11 13:24:19.232: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.232: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.232: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 14
*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_DES
*Mar 11 13:24:19.232: ISAKMP: attributes in transform:
*Mar 11 13:24:19.232: ISAKMP: authenticator is HMAC-MD5
*Mar 11 13:24:19.232: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.232: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.232: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 15
*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_NULL
*Mar 11 13:24:19.232: ISAKMP: attributes in transform:
*Mar 11 13:24:19.232: ISAKMP: authenticator is HMAC-MD5
*Mar 11 13:24:19.232: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.232: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.232: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.236: ISAKMP:(2035):Checking IPSec proposal 16
*Mar 11 13:24:19.236: ISAKMP: transform 1, ESP_NULL
*Mar 11 13:24:19.236: ISAKMP: attributes in transform:
*Mar 11 13:24:19.236: ISAKMP: authenticator is HMAC-SHA
*Mar 11 13:24:19.236: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.236: ISAKMP: SA life type in seconds
*Mar 11 13:24:19.236: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.236: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.236: ISAKMP:(2035): phase 2 SA policy not acceptable! (local 10.30.82.1 remote *********)
*Mar 11 13:24:19.236: ISAKMP: set new node 1311674722 to QM_IDLE
*Mar 11 13:24:19.236: ISAKMP:(2035):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2208329888, message ID = 1311674722
*Mar 11 13:24:19.236: ISAKMP:(2035): sending packet to ********** my_port 4500 peer_port 55954 (R) QM_IDLE
*Mar 11 13:24:19.236: ISAKMP:(2035):Sending an IKE IPv4 Packet.
*Mar 11 13:24:19.236: ISAKMP:(2035):purging node 1311674722
*Mar 11 13:24:19.236: ISAKMP:(2035):deleting node 1387548713 error TRUE reason "QM rejected"
*Mar 11 13:24:19.240: ISAKMP:(2035):Node 1387548713, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 11 13:24:19.240: ISAKMP:(2035):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 11 13:24:19.296: ISAKMP (0:2035): received packet from ********** dport 4500 sport 55954 Global (R) QM_IDLE
R1#
*Mar 11 13:24:19.296: ISAKMP: set new node -169411968 to QM_IDLE
*Mar 11 13:24:19.296: ISAKMP:(2035): processing HASH payload. message ID = -169411968
*Mar 11 13:24:19.296: ISAKMP:(2035): processing DELETE payload. message ID = -169411968
*Mar 11 13:24:19.300: ISAKMP:(2035):peer does not do paranoid keepalives.
Any ideas??
If I try locally, the VPN works fine.
When I apply the crypto map on the local address I'm able to connect, but I can't ping the remote LAN.
Thank You
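A way to condense the phase 2 part of a `debug crypto isakmp` capture like the one above into one row per proposal, as an added example that is not part of the original post. The function name `summarize_phase2` is my own, and the sample is abridged from the debug lines in the post; it only tabulates what the router logged and does not interpret the error code.

```python
import re

# Abridged from the debug output in the post (proposals 12 and 13 plus the final notify).
SAMPLE = """\
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 12
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES
*Mar 11 13:24:19.228: ISAKMP: authenticator is HMAC-SHA
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_DES
*Mar 11 13:24:19.228: ISAKMP: authenticator is HMAC-MD5
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.232: ISAKMP:(2035):transform 1, IPPCP LZS
*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.236: ISAKMP:(2035): phase 2 SA policy not acceptable! (local 10.30.82.1 remote *********)
*Mar 11 13:24:19.236: ISAKMP:(2035):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM = re.compile(r"transform \d+, (.+?)\s*$")
AUTH = re.compile(r"authenticator is (\S+)")
ERROR = re.compile(r"invalidated proposal with error (\d+)")

def summarize_phase2(log_text):
    """Return (proposals, quick_mode_rejected) parsed from the debug text."""
    proposals = {}  # number -> summary; a number repeats when a proposal has ESP + IPPCP
    current, failed = None, False
    for line in log_text.splitlines():
        if m := PROPOSAL.search(line):
            current = proposals.setdefault(
                int(m.group(1)), {"transforms": [], "auth": [], "error": None})
        elif "PROPOSAL_NOT_CHOSEN" in line or "phase 2 SA policy not acceptable" in line:
            failed = True
        elif current is None:
            continue  # capture started mid-proposal; nothing to attach this line to
        elif m := TRANSFORM.search(line):
            current["transforms"].append(m.group(1))
        elif m := AUTH.search(line):
            current["auth"].append(m.group(1))
        elif m := ERROR.search(line):
            current["error"] = int(m.group(1))
    return proposals, failed

if __name__ == "__main__":
    props, failed = summarize_phase2(SAMPLE)
    for num, p in sorted(props.items()):
        print(num, "+".join(p["transforms"]), "/".join(p["auth"]) or "-", "error", p["error"])
    print("quick mode rejected:", failed)
```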
12-03-2013 08:22 AM
I forgot the internal SVI, sorry.
interface Vlan99
 ip address 10.30.82.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452