Unable to connect the VPN Server

abdalians
Level 1

Hi guys!

I have a Cisco 3725 router running "IOS (tm) 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.3(5a)". This router is working as the gateway for my LAN (192.168.0.0/24). NAT is configured on the router so all users can access the internet, and reflexive access lists are also applied.

I want my remote users, who connect to the internet via a local ISP, to access LAN servers (behind the router). I have configured my router and the Cisco VPN Client software Version 4.0 on the client system (Windows XP Professional is installed on the client). The Cisco VPN Client is configured to "Use IPSec over TCP (NAT/PAT/Firewall)" on port 10000.

When I try to connect the VPN client to the VPN server (router), it gives the following error:

7 Sev=Warning/2 IPSEC/0x6370001E

Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1057, flags 14h

On the router, meanwhile, there is nothing to see from the client. I enabled "debug isakmp ipsec" and other debugging options too, but there is nothing on the router.

My router config is as follows:

!
version 12.3
service tcp-keepalives-in
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GRID
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
enable password xxxx
!
username xxx password xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 192.168.0.2
 wins 192.168.0.4 192.168.0.1
 domain abc.net.pk
 pool ippool
 acl Split-vpn
crypto isakmp profile VPNclient
 description VPN Clients Profile
 match identity group 3000client
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap discover
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group natinbound in
 ip access-group natoutbound out
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address X.X.X.X X.X.X.X
 ip access-group remotein in
 ip access-group remoteout out
 ip nat outside
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool ippool 192.168.1.5 192.168.1.50
!
ip access-list extended Split-vpn
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

-------------------

Any help will be appreciated.

Thanx

Zaman

1 Reply

d-garnett
Level 3

Do not use Transparent Tunneling on the Cisco VPN Client (TCP/IPSec). The router is expecting an IPSec pkt.

"7 Sev=Warning/2 IPSEC/0x6370001E

Unexpected TCP control packet received from X.X.X.X, src port 10000, dst port 1057, flags 14h"

This is probably a RST (reset) packet that is saying that the router is not listening on TCP port 10000.

For Tacacs - your case is just to use local for XAuth

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080186fda.shtml

Local

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080186fda.shtml
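
The flags value in the client warning can be decoded bit by bit to check the reading given in the reply. The following is an added example, not part of the original thread or of Cisco's software; the function names and the wording of the interpretation strings are assumptions of this example.

```python
import re

# TCP header flag bits (RFC 793, plus the ECN bits from RFC 3168), low bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]

# Matches the VPN Client warning text quoted in the thread.
LINE_RE = re.compile(
    r"Unexpected TCP control packet received from (?P<peer>\S+), "
    r"src port (?P<sport>\d+), dst port (?P<dport>\d+), "
    r"flags (?P<flags>[0-9A-Fa-f]{1,2})h")


def decode_flags(value):
    """Return the names of the TCP flags set in a flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]


def explain(line):
    """Parse one warning line; return None if it is a different message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = decode_flags(int(m.group("flags"), 16))
    if "RST" in flags:
        # A reset in answer to the client's SYN: the far end (or a device
        # in the path) refused the TCP connection on the source port shown.
        meaning = "connection refused on TCP port " + m.group("sport")
    elif flags == ["SYN", "ACK"]:
        meaning = "peer accepted the TCP connection"
    else:
        meaning = "no specific interpretation"
    return {"peer": m.group("peer"), "server_port": int(m.group("sport")),
            "client_port": int(m.group("dport")), "flags": flags,
            "meaning": meaning}


# The line from the original post (address already masked there).
SAMPLE = ("Unexpected TCP control packet received from X.X.X.X, "
          "src port 10000, dst port 1057, flags 14h")

if __name__ == "__main__":
    print(explain(SAMPLE))
```

For the posted line, 14h is 0x10 (ACK) plus 0x04 (RST), so the packet is a RST/ACK sent from TCP port 10000 back to the client's ephemeral port 1057.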