03-14-2013 03:49 PM - edited 02-21-2020 06:45 PM
Hello,
Trying to set up an IPSec VPN connection but getting error 412: The remote peer is no longer responding.
Cisco router is directly connected to the internet using the dialer interface.
So far I have tried the following:
Disabled Windows Firewall
Ticked IPSec over TCP (got error 414)
Enabled debug crypto ISAKMP and IPSEC (no logs shown)
Enabled logs on the VPN client ver. 5.0.01.0440
(Unable to establish Phase 1 SA with server "xxxxxxxxx" because of "DEL_REASON_PEER_NOT_RESPONDING")
Router Configuration:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login usr_auth local
aaa authorization network grp_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.10
!
ip dhcp pool Classes-Pool
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server xxxxxxxxxx xxxxxxxxxxx
!
!
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxxx
ip ssh time-out 80
vpdn enable
!
!
!
!
!
username xxxxx password 7 xxxxxx
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
!
crypto isakmp client configuration group client_cfg
key xxxxxxx
dns xxxxxxx
pool vpn_pool
acl 120
max-users 2
crypto isakmp profile vpn-ike-profile-1
match identity group client_cfg
client authentication list usr_auth
isakmp authorization list grp_auth
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
interface Loopback0
ip address 10.0.0.1 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
speed auto
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 3
!
interface FastEthernet4
switchport access vlan 4
duplex half
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 192.168.1.100 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxx password 7 xxxxxxx
!
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
ip nat inside source static udp 192.168.1.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.1 53 interface Dialer1 53
ip nat inside source static tcp 192.168.1.1 1000 interface Dialer1 1000
ip nat inside source static tcp 192.168.1.1 443 interface Dialer1 443
ip nat inside source static tcp 192.168.1.1 143 interface Dialer1 143
!
ip access-list extended WAN-IN
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 100.64.0.0 0.63.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 120 permit ip any any
!
control-plane
!
!
line con 0
exec-timeout 5 0
line aux 0
exec-timeout 5 0
password 7 xxxxxxxxxxxx
line vty 0 4
exec-timeout 5 0
password 7 xxxxxxxxxxxx
transport preferred ssh
transport input ssh
line vty 5 15
exec-timeout 5 0
password 7 xxxxxxxxxxxx
transport preferred ssh
transport input ssh
!
end
I am not getting any password prompt, so I assume that there is a misconfiguration. I would appreciate it if you could assist with this.
Thank You
03-14-2013 09:13 PM
Can you please run the following debugs on the router to see what the issue is:
debug cry isa
debug cry ipsec
Your NAT ACL needs to be changed as well:
access-list 150 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list 150 interface Dialer1 overload
no ip nat inside source list 1 interface Dialer1 overload
03-15-2013 12:16 AM
Thank you for your response.
What I would like to have is that remote VPN users obtain an IP address within the 10.0.0.x range and have connectivity to the 192.168.1.x network. I am not sure what the best approach is, that is, whether to assign the 192.168.0.x or the 10.0.0.x range to the remote users. The connection needs to be split tunneled as I do not want requests to the internet to go over the VPN link. I tried to configure a Virtual Template and loopback interface, but please suggest any help from your experience.
03-15-2013 11:24 AM
The pool of 10.0.0.x is correctly configured. You just have to modify the NAT so that the traffic between 192.168.1.x, 3.x and 4.x are exempted from being NAT, hence the config change above.
Your split tunnel ACL says permit ip any any, so please change it to the following:
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
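The NAT change in the earlier reply and the split-tunnel ACL change in this one are easy to get subtly wrong, so here is an added Python check (not from the thread, not Cisco code) that parses the relevant lines of an IOS configuration and tests the three points the thread settles on: whether the NAT ACL still translates LAN-to-VPN-pool traffic, whether the split-tunnel ACL referenced by the client configuration group is effectively `permit ip any any`, and which DH group the ISAKMP policy uses. The two config snippets are constructed from the thread's before and after lines with IOS indentation restored; the inside-network list, the function names and the wording of the findings are assumptions, and the parser only handles the `any` and address/wildcard forms used here.

```python
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACL_LINE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
# Assumed: the three LANs marked 'ip nat inside' in the thread's configuration.
INSIDE_NETWORKS = [ipaddress.IPv4Network(n) for n in ("192.168.1.0/24", "192.168.3.0/24", "192.168.4.0/24")]


def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard mask -> IPv4Network (contiguous wildcards only, e.g. 0.0.0.255 -> /24)."""
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_addr(tokens):
    """Consume one address spec ('any' or 'ADDR WILDCARD'); an empty token list means 'any'."""
    if not tokens:
        return ANY, []
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered IP ACLs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        tokens = rest.split()
        extended = 100 <= int(number) <= 199 or 2000 <= int(number) <= 2699
        if extended and tokens[0] != "ip":
            continue  # tcp/udp/icmp entries are not modelled here
        src, tokens = parse_addr(tokens[1:] if extended else tokens)
        dst, _ = parse_addr(tokens if extended else [])  # standard ACLs match any destination
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_action(entries, src_ip, dst_ip):
    """First match wins; every ACL ends with an implicit deny."""
    for action, src_net, dst_net in entries:
        if src_ip in src_net and dst_ip in dst_net:
            return action
    return "deny"


def audit(config, inside_networks):
    """Return findings for the three points the thread settles on (empty list = all clear)."""
    findings = []
    acls = parse_acls(config)
    # 1. NAT exemption: LAN -> VPN pool must NOT match the NAT ACL, or replies to clients get translated.
    pool = re.search(r"^ip local pool \S+ (\S+) \S+", config, re.M)
    nat = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    if pool and nat:
        pool_addr = ipaddress.IPv4Address(pool.group(1))
        for net in inside_networks:
            if acl_action(acls.get(nat.group(1), []), net[1], pool_addr) == "permit":
                findings.append(f"NAT ACL {nat.group(1)} translates {net} -> {pool_addr}; add a deny for the VPN pool")
    # 2. Split tunnel: the 'acl' under the client configuration group lists what is tunnelled.
    split = re.search(r"^[ \t]+acl (\d+)", config, re.M)
    if split:
        for action, src, dst in acls.get(split.group(1), []):
            if action == "permit" and src == ANY and dst == ANY:
                findings.append(f"split-tunnel ACL {split.group(1)} permits any -> any: this is a full tunnel")
    # 3. DH group: the thread was resolved by moving the ISAKMP policy from group 5 to group 2.
    dh = re.search(r"^crypto isakmp policy \d+\n(?:[ \t]+.*\n)*?[ \t]+group (\d+)", config, re.M)
    if dh and dh.group(1) != "2":
        findings.append(f"ISAKMP policy uses DH group {dh.group(1)}; this client only came up with group 2")
    return findings


# Constructed from the thread's before/after lines (IOS indentation restored); not a full running-config.
CONFIG_BEFORE = """\
crypto isakmp policy 10
 group 5
crypto isakmp client configuration group client_cfg
 acl 120
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 120 permit ip any any
"""
CONFIG_AFTER = """\
crypto isakmp policy 10
 group 2
crypto isakmp client configuration group client_cfg
 acl 120
ip local pool vpn_pool 10.0.0.10 10.0.0.20
ip nat inside source list 150 interface Dialer1 overload
access-list 120 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.4.0 0.0.0.255 any
"""
```

`audit(CONFIG_BEFORE, INSIDE_NETWORKS)` returns five findings (one NAT finding per LAN, the full-tunnel ACL 120, and DH group 5); the same call on `CONFIG_AFTER` returns an empty list. The NAT check deliberately evaluates a concrete packet (first LAN host to first pool address) through the ACL instead of comparing ACL text, so it also catches a deny entry that is present but ordered after the permit.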
03-16-2013 04:52 AM
Completed all configuration as instructed; however, I am still getting error 412 and not even being prompted for a username and password. Could this be related to some ports being blocked or a connection issue? The 1721 router is directly connected to the internet using an ADSL WIC.
Client log shows:
70 12:55:57.851 03/16/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FF35F9344CC38C7F R_Cookie=5E6F8C50A0614BDF) reason = DEL_REASON_PEER_NOT_RESPONDING
71 12:55:57.851 03/16/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "xxx xxx xxx xxx" because of "DEL_REASON_PEER_NOT_RESPONDING"
Thank You
03-16-2013 02:25 PM
Hi,
What if you run Wireshark on the client's machine?
Do you see ISAKMP packets coming back from the Router? If not, then check from a different spot, your WLAN or ISP might be dropping your VPN connection.
HTH.
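The Wireshark check suggested above, as an added example that is not part of the thread: a small Python decoder for the ISAKMP header (RFC 2408 section 3.1) that separates the initiator's first message (all-zero responder cookie) from anything the peer sent back, plus a tally of packets in each direction for a capture of UDP/500 and UDP/4500 traffic. The cookies are the ones from the client log quoted earlier in the thread; the client and router addresses, the packet tuples, the NAT-T sample and the verdict wording are constructed assumptions.

```python
import struct

# ISAKMP header (RFC 2408 section 3.1): I-Cookie(8) R-Cookie(8) Next Payload(1)
# Version(1) Exchange Type(1) Flags(1) Message ID(4) Length(4) = 28 bytes.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: prefixes IKE carried on UDP/4500 (NAT-T)
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}


def decode_isakmp(payload, udp_port):
    """Decode the ISAKMP header of one UDP payload; returns None if it is too short to be IKE."""
    if udp_port == 4500 and payload.startswith(NON_ESP_MARKER):
        payload = payload[len(NON_ESP_MARKER):]  # strip the NAT-T marker
    if len(payload) < ISAKMP_HEADER.size:
        return None
    i_ck, r_ck, nxt, ver, xchg, flags, msg_id, length = ISAKMP_HEADER.unpack_from(payload)
    return {
        "i_cookie": i_ck.hex().upper(),
        "r_cookie": r_ck.hex().upper(),
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
        "flags": flags,
        "msg_id": msg_id,
        "length": length,
        # The initiator's first message carries an all-zero responder cookie; once the
        # peer has answered, every message of the SA carries both cookies.
        "first_message": r_ck == bytes(8),
    }


def diagnose(packets, client_ip, router_ip):
    """Count ISAKMP packets per direction in a capture of (src, dst, udp_dport, payload) tuples."""
    sent = received = 0
    for src, dst, port, payload in packets:
        if decode_isakmp(payload, port) is None:
            continue
        if (src, dst) == (client_ip, router_ip):
            sent += 1
        elif (src, dst) == (router_ip, client_ip):
            received += 1
    if sent and not received:
        verdict = "no ISAKMP reply from the router: UDP/500 (and UDP/4500) is dropped on the path, or the router is not answering"
    elif received:
        verdict = "the router is replying, so phase 1 reaches it; look at the negotiation itself"
    else:
        verdict = "no ISAKMP traffic from the client seen at all"
    return {"sent": sent, "received": received, "verdict": verdict}


def build_header(i_cookie, r_cookie, exchange_type):
    """Constructed 28-byte ISAKMP header with no payloads (Next Payload = 1 (SA), version 1.0)."""
    return ISAKMP_HEADER.pack(i_cookie, r_cookie, 1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER.size)


# Cookies taken from the client log quoted in the thread; the addresses are placeholders.
I_COOKIE = bytes.fromhex("FF35F9344CC38C7F")
R_COOKIE = bytes.fromhex("5E6F8C50A0614BDF")
CLIENT, ROUTER = "192.0.2.10", "203.0.113.1"

# Constructed capture 1: the client retransmits its Aggressive Mode first message, nothing comes back.
NO_REPLY = [(CLIENT, ROUTER, 500, build_header(I_COOKIE, bytes(8), 4))] * 3
# Constructed capture 2: the router answers with its own cookie filled in.
WITH_REPLY = NO_REPLY[:1] + [(ROUTER, CLIENT, 500, build_header(I_COOKIE, R_COOKIE, 4))]
# Constructed NAT-T sample: a Quick Mode message on UDP/4500 with the non-ESP marker in front.
NAT_T_SAMPLE = NON_ESP_MARKER + build_header(I_COOKIE, R_COOKIE, 32)

if __name__ == "__main__":
    for name, capture in (("no reply", NO_REPLY), ("with reply", WITH_REPLY)):
        print(name, diagnose(capture, CLIENT, ROUTER))
```

To use it on a real capture, export the UDP payloads of the `isakmp` display filter from Wireshark and feed them in as the tuples above; a capture with only client-to-router packets, all flagged `first_message`, is the pattern behind the client's DEL_REASON_PEER_NOT_RESPONDING, and the next step is to capture again from a different network to separate an upstream filter from a router-side problem.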
03-16-2013 09:55 PM
Issue resolved by changing the Diffie-Hellman group to 2; changing it back to 5 does not work.
Thank You