Remote to Site VPN not working

Hello All

I have a task in hand, whereby I need to get Site to Site and Remote to Site VPN configured on my Branch Router

HQ- Only Site to Site VPN to Branch Router

Branch- Site to Site VPN with HQ router and Client to Branch Site VPN Access

I have the following configuration. Site to site is working fine, but when I connect a laptop from outside the branch network using Cisco VPN Client ver 5, it asks for a username and password but after some time no connection is established. I enabled logging in the VPN Client and got the following error message, which means Phase 2 is not getting negotiated.

If I change the transform-set to esp-aes esp-sha-hmac then I lose my site to site VPN connectivity to my HQ router.

I am stuck now and have tried all the possible solutions, but nothing seems to be working; I do not know where I am going wrong.


Branch Router Config (Cisco 3825)


Interface gigabitethernet 0/0
ip address 192.168.4.1 255.255.255.0
ip nat inside
no shut
!


Interface gigabitethernet 0/1
ip address XX.XX.XX.XX 255.255.255.0
ip nat outside
no shut
!


IP route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
IP nat inside source list 199 interface Gigabitethernet 0/1 overload

!
IP access-list extended 199
deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.0.255
permit ip 192.168.4.0 0.0.255.255 any
permit ip 172.16.0.0 0.0.255.255 any

!
IP access-list extended 100
permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
!

IP access-list extended 102
permit ip 172.16.0.0 0.0.255.255 any

!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!

crypto isakmp key XX address XX.XX.XX

crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac

crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set MY-SET
match address 100

!

Interface gigabitethernet 0/1
crypto map IPSEC-SITE-TO-SITE-VPN
!

aaa new-model
aaa authentication login users local
aaa authorization network groups local
!
ip local pool VPNPOOL 172.16.0.1 172.16.0.50
!
!
Crypto isakmp Client Configuration group internal
key cisco
pool vpnpool
acl 102
!
crypto dynamic-map d-map 1
set transform-set MY-SET
reverse-route
!

crypto map IPSEC-SITE-TO-SITE-VPN 11 ipsec-isakmp dynamic d-map
!
crypto map IPSEC-SITE-TO-SITE-VPN client configuration address respond
!
crypto map IPSEC-SITE-TO-SITE-VPN isakmp authorization list groups
crypto map IPSEC-SITE-TO-SITE-VPN client authentication list users
!
username XX password XX
!


Cisco VPN Client Log message

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1

684 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100002
Begin connection process

685 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100004
Establish secure connection

686 18:05:07.967 08/16/19 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.xx.xx.xx"

687 18:05:07.982 08/16/19 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.xx.xx.xx.

688 18:05:07.982 08/16/19 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

689 18:05:07.998 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.xx.xx.xx

690 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

691 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xx.xx.xx.xx

692 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

693 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DPD

694 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text

695 18:05:08.232 08/16/19 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.

696 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

697 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

698 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

699 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xx.xx.xx.xx

700 18:05:08.123 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

701 18:05:08.123 08/16/19 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xC613, Remote Port = 0x1194

702 18:05:08.123 08/16/19 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device

703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

704 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

705 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from xx.xx.xx.xx

706 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

707 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

708 18:05:08.232 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

709 18:05:08.232 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

710 18:05:08.232 08/16/19 Sev=Info/4 CM/0x63100015
Launch xAuth application

711 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

712 18:05:08.294 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

713 18:05:12.045 08/16/19 Sev=Info/4 CM/0x63100017
xAuth application returned

714 18:05:12.045 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

715 18:05:12.248 08/16/19 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.xx.xx.xx

716 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.xx.xx.xx

717 18:05:12.248 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

718 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

719 18:05:12.264 08/16/19 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

720 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

721 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

722 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

723 18:05:18.547 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

724 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

725 18:05:22.673 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816096

726 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

727 18:05:22.673 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

728 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

729 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(Retransmission) to xx.xx.xx.xx

730 18:05:27.770 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

731 18:05:27.770 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816097

732 18:05:28.804 08/16/19 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

733 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to xx.xx.xx.xx

734 18:05:32.916 08/16/19 Sev=Info/6 IKE/0x6300003D
Sending DPD request to xx.xx.xx.xx, our seq# = 3435816098

735 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=45C6D766

736 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

737 18:05:32.916 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xx.xx.xx.xx

738 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FBE3680929414118 R_Cookie=691F595CFB68BADA) reason = DEL_REASON_IKE_NEG_FAILED

739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

740 18:05:36.008 08/16/19 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

741 18:05:36.008 08/16/19 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

742 18:05:36.008 08/16/19 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

743 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

744 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

745 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

746 18:05:36.024 08/16/19 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped


Any help would be greatly appreciated


Thanks

Manish Sharma
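As an added example, not part of the original post, here is a small Python triage script for the Cisco VPN Client 5.x log format shown above: it pairs each numbered header line with its message line, records whether Phase 1 and XAUTH completed, and reports which ISAKMP exchange type went unanswered before the SA was torn down (in the log above that is the TRANS exchange, i.e. Mode Config, matching the final "deleted before Mode Config is completed" line). The sample log is a constructed excerpt of the lines posted above.

```python
import re

# Constructed excerpt in Cisco VPN Client 5.x log format: a numbered header
# line (seq, time, date, severity, component/code) followed by the message line.
SAMPLE_LOG = """\
703 18:05:08.123 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

718 18:05:12.248 08/16/19 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

720 18:05:12.264 08/16/19 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.xx.xx.xx

721 18:05:17.529 08/16/19 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

739 18:05:36.008 08/16/19 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
"""
HEADER = re.compile(r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")

def parse_events(text):
    """Return (seq, time, component, message) tuples, one per header/message pair."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if m and i + 1 < len(lines):
            events.append((int(m.group(1)), m.group(2), m.group(6), lines[i + 1].strip()))
    return events

def diagnose(events):
    """Walk the events in order and report the furthest stage reached and why it stopped."""
    state = {"phase1": False, "xauth": False, "stalled_on": None, "reason": None}
    last_sent = None  # exchange type of the last packet we sent: AG, TRANS, QM or INFO
    for _seq, _time, _comp, msg in events:
        if msg.startswith("Established Phase 1 SA"):
            state["phase1"] = True
            state["xauth"] = "1 User Authenticated" in msg  # XAUTH done once the peer counts us
        elif msg.startswith("SENDING >>>") and "Retransmission" not in msg:
            last_sent = msg.split("ISAKMP OAK ")[1].split(" ")[0]
        elif msg.startswith("Retransmitting") and state["stalled_on"] is None:
            state["stalled_on"] = last_sent  # the first unanswered exchange is where it stalled
        elif msg.startswith("Phase 1 SA deleted"):
            found = re.search(r'"([^"]+)"', msg)
            state["reason"] = found.group(1) if found else msg
    return state
```

Running `diagnose(parse_events(SAMPLE_LOG))` on the constructed excerpt reports Phase 1 and XAUTH as complete and the stall on a TRANS exchange, which points at the Mode Config step rather than at Quick Mode.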
