Unable to establish a VPN connection with a Cisco router configured as a Cisco server using VPN client 5.0.00.0340

iuliatanase
Level 1

Hey guys,

Please help me on this one as I got pretty stuck on it..

I am trying to connect to a 3700 Cisco router configured as a VPN server using a VPN client, and the VPN connection does not get established.

This is an extract of the log:

130 12:48:30.585 01/07/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
131 12:48:30.585 01/07/11 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
132 12:48:30.600 01/07/11 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
133 12:48:30.600 01/07/11 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
134 12:48:30.600 01/07/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 200.100.50.173

I attach the whole log extract. The bold message is quite obvious, you would say, but I am 100% sure that in the Connection entry I typed in the group password correctly: pass

My topology is very basic as I am setting this up only to get a hint of how Cisco VPN works. It's built in GNS3:
- 2 routers 3700 : one of them holds the VPN server configuration and the other would be the ISP through which the remote worker would try to establish a VPN connection. // I also attach the configuration file for the router configured as VPN router.

Behind the second router there is a virtual XP machine on which I have installed the VPN client..

My connection entry in the client is having the following parameters:
Host: 200.100.50.173 //which is the IP of the VPNserver
Authentication -> Group Authentication -> Name : grup1 Password : pass // I am absolutely positive that I typed in the correct password...even though the log messages are related to faulty authentication credentials.

I have been using only public addresses, as I have noticed there is an issue concerning VPN connections behind NAT and I am not very familiar with NAT.

Another aspect that might be of any importance is that "Enable Transport Tunneling" from within Transport tab of the Connection entry is disabled

and that the VPNserver router logs the following error message when trying to establish the connection:

*Mar  1 01:08:47.147: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 200.100.50.34   was not encrypted and it should've been.
*Mar  1 01:08:47.151: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 200.100.50.34   was not encrypted and it should've been.

Have you got any clue why I can't establish the connection? Is there something wrong with my VPN server configuration, or with the connection entry within the VPN client?

Thank you,

Iulia


Jennifer Halim
Cisco Employee

According to the router configuration, the group name is grup1 and the password is cheie.

You are also missing the ipsec transform set that you would need to apply to the dynamic-map.

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

Hope that helps.

Hi,

You were most helpful. I first added a transform set which I assigned to the dynamic-map...and afterwards I changed the password into cheie [as this was actually the correct password and not the user's password..my bad]. The tunnel has been established..I made a capture with Wireshark and there were only ESPs passing through.

I will read the document you directed me to and the document Roberto attached..as I feel that there are so much more things to explore and it really interests me.

Thank you guys,

Iulia

Excellent, and great to hear it's working now.

Pls kindly mark the post as answered and rate useful posts so others can learn. Thank you.

Hello Iulia,

Jennifer Halim is completely right, you are missing some important things in your configuration, including the ipsec transform set. The group grup1 password is actually cheie, and these credentials you must enter in the VPN client; after that you will be prompted to enter a second set of credentials that must match any username configured in the router. I am attaching a sample configuration which you can use as guidance.

Hope it helps,

Best Regards,

Roberto López.
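
The two fixes described in the answers above (a group key that matches the client's Group Authentication entry, and a transform set applied to the dynamic-map), together with the XAUTH user for the second prompt, as an added example that is neither the poster's attached configuration nor the sample Roberto attached. Only grup1 and cheie come from the thread; the list names, user name, pool range, transform-set and map names, and the interface are assumptions.

```ios
! Added example: Easy VPN server skeleton for the setup discussed in this thread.
! Hypothetical names: VPNUSERS, VPNGROUP, VPNPOOL, TS-AES, DYNMAP, CLIENTMAP,
! remoteuser, FastEthernet0/0. The pool range is a constructed sample value.
aaa new-model
aaa authentication login VPNUSERS local
aaa authorization network VPNGROUP local
!
! XAUTH user: the second credential prompt in the VPN Client is checked here.
! This is separate from the group name and group key below.
username remoteuser secret <user-password>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group name and key must match Group Authentication -> Name / Password
! in the client's connection entry (grup1 / cheie in this thread).
crypto isakmp client configuration group grup1
 key cheie
 pool VPNPOOL
!
! Phase 2 proposal. Without it the dynamic map has nothing to negotiate.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TS-AES
 reverse-route
!
crypto map CLIENTMAP client authentication list VPNUSERS
crypto map CLIENTMAP isakmp authorization list VPNGROUP
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
ip local pool VPNPOOL 192.168.50.10 192.168.50.50
!
interface FastEthernet0/0
 crypto map CLIENTMAP
```

After a connection attempt, `show crypto isakmp sa` and `show crypto ipsec sa` on the router show whether phase 1 and phase 2 completed.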