03-04-2004 07:20 PM
Hi guys!
I have a Cisco 3725 router running "IOS (tm) 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.3(5a)". This router is working as the gateway for my LAN (192.168.0.0/24). NAT is configured on the router so all users can access the internet, and reflexive access lists are also applied.
I want my remote users, who connect to the internet via a local ISP, to access LAN servers (behind the router). I have configured my router and Cisco VPN Client software Version 4.0 on the client system (Windows XP Professional is installed on the client). Cisco VPN Client is configured to "Use IPSec over TCP (NAT/PAT/Firewall)" on port 10000.
When I try to connect the VPN client to the VPN server (router), it gives the following error:
7 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1057, flags 14h
On the router there is nothing to see from the client. I enabled "debug isakmp ipsec" and other debugging options too, but there is nothing on the router.
My router config is as follows:
!
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GRID
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
enable password xxxx
!
username xxx password xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 192.168.0.2
 wins 192.168.0.4 192.168.0.1
 domain abc.net.pk
 pool ippool
 acl Split-vpn
crypto isakmp profile VPNclient
 description VPN Clients Profile
 match identity group 3000client
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap discover
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group natinbound in
 ip access-group natoutbound out
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address X.X.X.X X.X.X.X
 ip access-group remotein in
 ip access-group remoteout out
 ip nat outside
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 192.168.1.5 192.168.1.50
!
ip access-list extended Split-vpn
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
-------------------
Any help will be appreciated.
Thanks
Zaman
03-08-2004 11:22 AM
Do not use Transparent Tunneling on the Cisco VPN Client (TCP/IPSec). The router is expecting an IPSec packet.
"7 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1057, flags 14h"
This is probably a RST (reset) packet that is saying that the router is not listening on TCP port 10000.
For Tacacs - your case is just to use local for XAuth
Local
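Added example (not part of the original posts, and not Cisco code): a small Python parser for the VPN Client warning quoted in this thread, decoding the hex `flags` field into TCP flag names so the reset can be read directly from the log. The function names and the second sample line are constructed for illustration; the flag bit positions are the standard TCP header ones.

```python
import re

# TCP header flag bits, lowest bit first (RFC 793, plus ECE/CWR from RFC 3168).
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]

# Matches the VPN Client message text shown in the thread.
LOG_RE = re.compile(
    r"Unexpected TCP control packet received from (?P<peer>[^,\s]+), "
    r"src port (?P<sport>\d+), dst port (?P<dport>\d+), "
    r"flags (?P<flags>[0-9A-Fa-f]+)h"
)

def decode_flags(value):
    """Return the names of the TCP flags set in the flags byte."""
    return [name for bit, name in enumerate(TCP_FLAGS) if value & (1 << bit)]

def parse_line(line):
    """Parse one log line; return None if it is not this message."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {
        "peer": m.group("peer"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "flags": decode_flags(int(m.group("flags"), 16)),
    }

def diagnose(event):
    """Classify the packet the client complained about."""
    flags = set(event["flags"])
    if "RST" in flags:
        # A reset answering the client's connection attempt: nothing accepted
        # TCP on the peer's port (closed port, or a device in the path refusing).
        return "refused"
    if {"SYN", "ACK"} <= flags:
        return "handshake-reply"
    return "other"

# First line is the one from the thread; the second is constructed.
SAMPLES = [
    "Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1057, flags 14h",
    "Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1058, flags 12h",
]

if __name__ == "__main__":
    for line in SAMPLES:
        ev = parse_line(line)
        print(ev["peer"], ev["sport"], ev["flags"], diagnose(ev))
```

For the line in this thread, 14h decodes to RST plus ACK coming from port 10000 on the router's address.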