Remote user IPSec VPN doesn't work

Sylvain Brault
Level 1

Hello,

I am trying to set up a Remote User IPsec VPN on a Cisco 1921 router, but it doesn't work, for a reason I don't understand. Does anyone have any idea? Did I forget something?

Thanks in advance for your help!

Here is part of my configuration:

aaa new-model
!
aaa authentication login AuthentVPN local
aaa authorization network AuthorizVPN local
!
aaa session-id common
!
username xxxxx password 0 xxxxxx 0 encrypted
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp client configuration group vpnclient
 key XXXXXXXXXXXXXXXXXXXXXXXX
 dns 192.168.0.254
 domain GVA.INTRA
 pool IPPoolVPN
 acl 100
!
!
crypto ipsec transform-set T1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto dynamic-map DynMap 10
 set transform-set T1
!
crypto map myMap client authentication list AuthentVPN
crypto map myMap isakmp authorization list AuthorizVPN
crypto map myMap client configuration address respond
crypto map myMap 100 ipsec-isakmp dynamic DynMap
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group RESTRICT_ENTRY_INTERNET in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxxx
 ppp pap sent-username xxxxxxxxxxxxxx password 0 xxxxxxxxxxxx
 crypto map myMap
!
ip local pool IPPoolVPN 192.168.10.0 192.168.10.253
!
ip nat inside source list 110 interface Dialer1 overload
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255


7 Replies

Does phase 1 come up? show crypto isakmp sa

try the following phase 1 parameters:

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

The VPN Client negotiates several different combinations of phase 1 parameters but I'm not sure it does AES-256...

You can run a debug crypto isakmp to find out the exact combinations it tried.

Here's the config example:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Patrick

For Phase 1, the client by default also suggests AES-256 policies, but none with group5. You have to change your ISAKMP-policy to use group2.

And your NAT-config is missing relevant parts, but I assume that's because you didn't post all (which makes helping very hard btw ...)


Thanks for your advice. I changed to group 2 and installed the Cisco VPN client instead of the built-in Windows 7 VPN.

But it is still not working...

Here is what I have with the command show crypto isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state           conn-id status
112.6.5.25      109.164.161.35  AG_INIT_EXCH    0       ACTIVE

And on the client side, I have this error:

112    10:57:40.217  10/17/13  Sev=Warning/3     IKE/0xE3000057
The received HASH payload cannot be verified

113    10:57:40.217  10/17/13  Sev=Warning/2     IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

I put the key from the "crypto isakmp client configuration group vpnclient" section on the client side; can you confirm it is the right one?

and install the cisco VPN client instead of the built in windows 7 VPN.

The Windows built-in client uses L2TP over IPsec and needs a completely different config. So using the Cisco client is right for that config.

I put the key under the section "crypto isakmp client configuration group vpnclient" on the client side, can you confirm is it the good one ?

Yes, that's right, but it seems that you have a typo or something like that. Configure it again on the router and on the client and test again.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I replaced the key with XXXXX in this forum for security reasons, but I do have the right one on both sides, router and client. So I do not understand why it doesn't work...

The connection is up. It was a problem regarding both the group name and username.

But now I have another one... I am connected to my network and can ping the remote computer from any computer on the LAN in my office, but the opposite doesn't work.

The thing is, the IP gateway on the local network of the remote computer is the same as the IP of the router (192.168.0.254) on my office network (also the gateway of the VPN connection). Don't know if I am clear enough... So, how does the remote computer know which gateway to use to send the packets over the network? Might that be the issue?

The conflict will cause issues and should be avoided. It might work if you disable split-tunnelling and route-all through the VPN client...

Ideally corporate networks should not use 192.168.0.0/24; 1 or 2 either since these are common in home routers... you can also have them change their home network easily

Patrick
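To check for the address overlap Patrick describes, here is an added Python example (not from the thread or from Cisco) that parses the split-tunnel ACL out of the posted config and tests each tunnelled network against the remote user's home LAN; the 192.168.0.0/24 home LAN is assumed from the original poster's description of a .254 gateway on both sides.

```python
import ipaddress
import re

# Constructed sample: the pool and ACL lines from the posted router config.
ROUTER_CONFIG = """\
ip local pool IPPoolVPN 192.168.10.0 192.168.10.253
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
# Assumed: the remote PC's home LAN, whose gateway is also 192.168.0.254.
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")

ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s*$"
)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair to a network. A wildcard is the
    inverse of a netmask (0 bits must match); only contiguous wildcards of
    the form 0...01...1 can be expressed as a prefix length."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)

def split_tunnel_networks(config: str, acl_number: int) -> list:
    """Return the source networks of the permit entries in the ACL named by
    'acl' in the client configuration group: these are the corporate
    networks the VPN client will route into the tunnel."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and int(m.group(1)) == acl_number:
            nets.append(wildcard_to_network(m.group(2), m.group(3)))
    return nets

def find_conflicts(config: str, acl_number: int, client_lan) -> list:
    """List tunnelled networks that overlap the client's own LAN. Any overlap
    means the client host cannot tell tunnel traffic from local traffic,
    which is the symptom in the thread; disabling split tunnelling or
    renumbering one side removes the ambiguity."""
    return [n for n in split_tunnel_networks(config, acl_number)
            if n.overlaps(client_lan)]

if __name__ == "__main__":
    for net in find_conflicts(ROUTER_CONFIG, 100, HOME_LAN):
        print(f"conflict: tunnel network {net} overlaps home LAN {HOME_LAN}")
```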