08-16-2019 05:41 AM
Hello All
I have a task in hand whereby I need to get site-to-site and remote-to-site VPN configured on my branch router:
HQ: only a site-to-site VPN to the branch router
Branch: site-to-site VPN with the HQ router, plus client-to-branch-site VPN access
I have the following configuration. Site-to-site is working fine, but when I connect a laptop from outside the branch network using Cisco VPN Client version 5, it asks for username and password, but after some time no connection is established. I enabled logging in the VPN Client and got the following error message, which means Phase 2 is not getting negotiated.
If I change the transform-set to esp-aes esp-sha-hmac, then I lose my site-to-site VPN connectivity to my HQ router.
I am stuck now and have tried all the possible solutions, but nothing seems to be working; I do not know where I am going wrong.
Branch Router Config (Cisco 3825)
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no shutdown
!
interface GigabitEthernet0/1
 ip address XX.XX.XX.XX 255.255.255.0
 ip nat outside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
ip nat inside source list 199 interface GigabitEthernet0/1 overload
!
ip access-list extended 199
 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
 permit ip 192.168.4.0 0.0.255.255 any
 permit ip 172.16.0.0 0.0.255.255 any
!
ip access-list extended 100
 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip access-list extended 102
 permit ip 172.16.0.0 0.0.255.255 any
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key XX address XX.XX.XX
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set MY-SET
 match address 100
!
interface GigabitEthernet0/1
 crypto map IPSEC-SITE-TO-SITE-VPN
!
aaa new-model
aaa authentication login users local
aaa authorization network groups local
!
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
!
crypto isakmp client configuration group internal
 key cisco
 pool vpnpool
 acl 102
!
crypto dynamic-map d-map 1
 set transform-set MY-SET
 reverse-route
!
crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
!
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
!
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
!
username XX password XX
!
Cisco VPN Client Log message
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
684 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100002
Begin connection process
685 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100004
Establish secure connection
686 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xx"
687 18:05:07.982 08/16/19 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.
688 18:05:07.982 08/16/19 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
689 18:05:07.998 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx
690 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
691 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xx.xx.xx.xx
692 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
693 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DPD
694 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
695 18:05:08.232 08/16/19 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
696 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
697 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
698 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
699 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx
700 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
701 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xC613, Remote Port = 0x1194
702 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
704 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
705 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx
706 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
707 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
708 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
709 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx
710 18:05:08.232 08/16/19 Sev=Info/4 CM/0x63100015
Launch xAuth application
711 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
712 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
713 18:05:12.045 08/16/19 Sev=Info/4 CM/0x63100017
xAuth application returned
714 18:05:12.045 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx
715 18:05:12.248 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx
716 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx
717 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx
718 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
719 18:05:12.264 08/16/19 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
720 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx
721 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
722 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx
723 18:05:18.547 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
724 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx
725 18:05:22.673 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816096
726 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
727 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx
728 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
729 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx
730 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx
731 18:05:27.770 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816097
732 18:05:28.804 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
733 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx
734 18:05:32.916 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816098
735 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=45C6D766
736 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED
737 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx
738 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED
739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
740 18:05:36.008 08/16/19 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
741 18:05:36.008 08/16/19 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
742 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
743 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
744 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
745 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
746 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Any help would be greatly appreciated
Thanks
Manish Sharma