Unable to connect to remote IPSec vpn (error 412)

aconticisco (Level 2)

Hello,

Trying to set up an IPSec VPN connection but getting error 412: The remote peer is no longer responding.

Cisco router is directly connected to the internet using the dialer interface.

So far I have tried the following:

Disabled Windows Firewall
Ticked IPSec over TCP (got error 414)
Enabled debug crypto isakmp and debug crypto ipsec (no logs shown)
Enabled logs on the VPN client, version 5.0.01.0440
(Unable to establish Phase 1 SA with server "xxxxxxxxx" because of "DEL_REASON_PEER_NOT_RESPONDING")

Router Configuration:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login usr_auth local
aaa authorization network grp_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool Classes-Pool
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server xxxxxxxxxx xxxxxxxxxxx
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxx
ip ssh time-out 80
vpdn enable
!
!
!
!
!
username xxxxx password 7 xxxxxx
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp client configuration group client_cfg
 key xxxxxxx
 dns xxxxxxx
 pool vpn_pool
 acl 120
 max-users 2
crypto isakmp profile vpn-ike-profile-1
   match identity group client_cfg
   client authentication list usr_auth
   isakmp authorization list grp_auth
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.0
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 no ip address
 speed auto
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
 switchport access vlan 4
 duplex half
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
 no ip address
!
interface Vlan2
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan3
 ip address 192.168.3.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxx password 7 xxxxxxx
!
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
ip nat inside source static udp 192.168.1.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.1 1000 interface Dialer1 1000
ip nat inside source static tcp 192.168.1.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.1 143 interface Dialer1 143
!
ip access-list extended WAN-IN
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 100.64.0.0 0.63.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.0.0.0 0.0.0.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 198.18.0.0 0.1.255.255 any
 deny   ip 198.51.100.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 120 permit ip any any
!
control-plane
!
!
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 5 0
 password 7 xxxxxxxxxxxx
line vty 0 4
 exec-timeout 5 0
 password 7 xxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 password 7 xxxxxxxxxxxx
 transport preferred ssh
 transport input ssh
!
end

I am not getting any password prompt, so I assume that there is a misconfiguration. I would appreciate it if you could assist with this.

Thank You


6 Replies

Jennifer Halim (Cisco Employee)

Can you please run the following debugs on the router to see what the issue is:

debug cry isa
debug cry ipsec

Also, your NAT ACL needs to be changed:

access-list 150 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list 150 interface Dialer1 overload
no ip nat inside source list 1 interface Dialer1 overload

Thank you for your response.

What I would like to have is that remote VPN users obtain an IP address within the 10.0.0.x range and have connectivity to the 192.168.1.x network. I am not sure what the best approach is, that is, whether to assign 192.168.0.x or 10.0.0.x addresses to the remote users. The connection needs to be split tunneled, as I do not want requests to the internet to go over the VPN link. I tried to configure a Virtual Template and loopback interface, but please suggest any help from your experience.

The pool of 10.0.0.x is correctly configured. You just have to modify the NAT so that the traffic between 192.168.1.x, 3.x and 4.x is exempted from being NATed, hence the config change above.

Your split tunnel ACL says permit ip any any, so please change it to the following:

access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
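Editor's note with an added example: the two ACL changes in the replies above do different jobs, and it is easy to conflate them. The NAT ACL decides which flows `ip nat inside source list ... overload` translates to the Dialer1 address; the Easy VPN split-tunnel ACL (the `acl 120` under the client configuration group) is pushed to the client as the list of networks that go through the tunnel, with everything else leaving the client in the clear. The Python below is not from the thread or from Cisco; it models IOS wildcard-mask matching and first-match-wins evaluation, loads the posted `access-list 1` and `access-list 120` and the proposed `access-list 150` and revised `access-list 120`, and walks constructed flows through them. The host and Internet addresses are constructed for the example. Incidentally, the posted configuration defines `ip access-list extended WAN-IN` but never applies it to Dialer1 with `ip access-group WAN-IN in`, so that bogon filter does nothing as posted.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry. Address specs use IOS syntax:
    'network wildcard' (e.g. '192.168.1.0 0.0.0.255') or 'any'."""
    action: str          # "permit" or "deny"
    src: str
    dst: str = "any"     # standard ACLs (1-99) match on source only


def wildcard_match(spec, addr):
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    network, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action
    return "deny"


# ACLs exactly as posted in the question (ORIGINAL) and as proposed in the replies (FIXED).
ACL_1_ORIGINAL = [
    Ace("permit", "192.168.1.0 0.0.0.255"),
    Ace("permit", "192.168.3.0 0.0.0.255"),
    Ace("permit", "192.168.4.0 0.0.0.255"),
]
ACL_150_FIXED = [
    Ace("deny", "192.168.1.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("deny", "192.168.3.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("deny", "192.168.4.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("permit", "192.168.1.0 0.0.0.255"),
    Ace("permit", "192.168.3.0 0.0.0.255"),
    Ace("permit", "192.168.4.0 0.0.0.255"),
]
ACL_120_ORIGINAL = [Ace("permit", "any")]
ACL_120_FIXED = [
    Ace("permit", "192.168.1.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("permit", "192.168.3.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
    Ace("permit", "192.168.4.0 0.0.0.255", "10.0.0.0 0.0.0.255"),
]


def nat_translates(nat_acl, src, dst):
    """`ip nat inside source list <acl> interface Dialer1 overload`: a permit means
    the flow is translated to the Dialer1 address; a deny leaves it untouched."""
    return evaluate(nat_acl, src, dst) == "permit"


def client_tunnels(split_acl, dst):
    """Easy VPN pushes the split ACL's permitted *source* networks to the client as
    the destinations that enter the tunnel; a 'permit any' makes it a full tunnel."""
    return any(ace.action == "permit" and wildcard_match(ace.src, dst) for ace in split_acl)


def compare_nat(src, dst):
    """Side-by-side NAT decision for one flow under the old and new NAT ACL."""
    return {
        "acl_1": nat_translates(ACL_1_ORIGINAL, src, dst),
        "acl_150": nat_translates(ACL_150_FIXED, src, dst),
    }


if __name__ == "__main__":
    # Constructed flows: a LAN host answering a VPN client from the 10.0.0.x pool,
    # and the same LAN host going to an Internet address (documentation range).
    for src, dst in [("192.168.1.50", "10.0.0.15"), ("192.168.1.50", "203.0.113.7")]:
        print(f"{src} -> {dst}: translated? {compare_nat(src, dst)}")
    for dst in ["192.168.3.7", "203.0.113.7"]:
        print(f"client sends to {dst}: tunnelled with original ACL 120 = "
              f"{client_tunnels(ACL_120_ORIGINAL, dst)}, with revised ACL 120 = "
              f"{client_tunnels(ACL_120_FIXED, dst)}")
```

With `access-list 1`, a LAN reply to a pool address is a permit (standard ACLs never look at the destination), so it would be a NAT candidate; `access-list 150` denies exactly those LAN-to-pool flows and still permits LAN-to-Internet. With the original `permit ip any any` split ACL the client tunnels everything, including Internet traffic, which is the opposite of what the poster asked for; the revised ACL tunnels only the three LAN subnets.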

Completed all configuration as instructed; however, I am still getting error 412 and not even being prompted for a username and password. Could this be related to some ports being blocked or a connection issue? The 1721 router is directly connected to the internet using an ADSL WIC.

Client log shows:

70     12:55:57.851  03/16/13  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FF35F9344CC38C7F R_Cookie=5E6F8C50A0614BDF) reason = DEL_REASON_PEER_NOT_RESPONDING

71     12:55:57.851  03/16/13  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "xxx xxx xxx xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"

Thank You

Hi,

What if you run Wireshark on the client's machine?

Do you see ISAKMP packets coming back from the Router? If not, then check from a different spot, your WLAN or ISP might be dropping your VPN connection.

HTH.

Issue resolved by changing the Diffie-Hellman group to 2; changing it back to 5 does not work.

Thank You
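Editor's note with an added example: the resolution above points at a Phase 1 proposal mismatch. The router's only `crypto isakmp policy` offered DH group 5, nothing the client proposed matched it, and so no ISAKMP SA could be agreed, which the client surfaces as "peer not responding". The Python below is not from the thread or from Cisco; it models the responder-side policy selection an IKEv1 responder performs (walk its policies from lowest number, accept the first one the initiator also offered) and reports the trade-off the fix makes: group 2 is a 1024-bit MODP group, which current guidance treats as too weak, with group 14 (2048-bit) the usual minimum. The client proposal list is constructed for the example and is not a capture of the VPN client's actual offer; lifetime negotiation and the IOS built-in default policy are omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1Proposal:
    """The attributes an IOS `crypto isakmp policy` pins down (lifetime omitted)."""
    encr: str    # "aes" (128-bit), "3des", "des"
    hash: str    # "sha", "md5"
    auth: str    # "pre-share", "rsa-sig"
    group: int   # Diffie-Hellman MODP group number


# Modulus sizes of the IKEv1 MODP groups (RFC 2409 for 1 and 2, RFC 3526 for 5 and 14).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
# Assumption for this example: anything below a 2048-bit modulus is flagged as weak.
MIN_ACCEPTABLE_BITS = 2048


def policy_as_posted(group):
    """`crypto isakmp policy 10` from the thread: encr aes, authentication pre-share,
    group <n>; the IOS default hash for an isakmp policy is SHA-1."""
    return {10: Phase1Proposal("aes", "sha", "pre-share", group)}


# Constructed initiator proposal list (not a capture): AES and 3DES with SHA-1 or MD5,
# pre-shared-key authentication, every transform offered with DH group 2 only.
CLIENT_PROPOSALS = [
    Phase1Proposal("aes", "sha", "pre-share", 2),
    Phase1Proposal("3des", "sha", "pre-share", 2),
    Phase1Proposal("3des", "md5", "pre-share", 2),
]


def select_phase1(server_policies, client_proposals):
    """Responder-side selection: walk the server's policies from the lowest (highest
    priority) number upward and take the first one the initiator also offered.
    Returns (policy_number, proposal), or None when no policy matches."""
    for number in sorted(server_policies):
        policy = server_policies[number]
        if policy in client_proposals:
            return number, policy
    return None


def phase1_outcome(server_policies, client_proposals):
    """Summarise the negotiation and flag a weak DH group even when it succeeds."""
    selected = select_phase1(server_policies, client_proposals)
    if selected is None:
        return {"matched": False, "policy": None, "group": None, "weak_group": None}
    number, proposal = selected
    bits = DH_GROUP_BITS.get(proposal.group, 0)
    return {"matched": True, "policy": number, "group": proposal.group,
            "weak_group": bits < MIN_ACCEPTABLE_BITS}


if __name__ == "__main__":
    print("router policy with group 5:", phase1_outcome(policy_as_posted(5), CLIENT_PROPOSALS))
    print("router policy with group 2:", phase1_outcome(policy_as_posted(2), CLIENT_PROPOSALS))
```

The first call returns no match, the second matches policy 10 but flags the 1024-bit group. The practical reading: when a client can only negotiate group 2, the fix restores connectivity at the cost of Phase 1 key strength, so it is worth confirming what groups the client actually supports before settling on it, and worth checking with a packet capture (the Wireshark suggestion above) that ISAKMP replies are reaching the client at all, since a proposal mismatch and a path that drops UDP/500 look identical from the client's log.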
