
URGENT PROBLEM PLEASE HELP !!! VPN client to 837 router

augeiss
Level 1

Hi all,

I have run out of ideas on this. I have 2 sites VPN'ed and working OK. Site1 is connected to the web through ADSL on an 837 router (IOS 12.3(2)XC2). Now I must set up the 837 as an Easy VPN server for Cisco VPN clients. I've tried with SDM, which made the config below:

(VPNClient Remote pool is 10.10.250.0/24, Site1 LAN is 10.10.10.0/24, Site2 LAN is 10.10.20.0/24, Site1 public IP is A.B.C.D, Site2 public IP is E.F.G.H)

aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
!
<<<isakmp policies I think are fine>>>
!
! site-to-site peer: static pre-shared key, Xauth disabled for this peer
crypto isakmp key 0 site-site-key address E.F.G.H no-xauth
!
! Easy VPN group pushed to the clients (group key, DNS, address pool, split-tunnel ACL)
crypto isakmp client configuration group REMOTE-VPN
 key 0 client-site-key
 dns M.N.O.P
 pool REMOTE-POOL
 acl 100
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TR1 esp-3des esp-sha-hmac
crypto ipsec transform-set TR2 esp-3des esp-md5-hmac
!
! dynamic map for the VPN clients, as generated by SDM
crypto dynamic-map DYNMAP_1 1
 description User to Site VPN Clients
 set security-association lifetime seconds 3600
 set transform-set TR1
 set pfs group2
 match address 100
 reverse-route
!
crypto map MAP1 client authentication list sdm_vpn_xauth_ml_1
crypto map MAP1 isakmp authorization list sdm_vpn_group_ml_1
crypto map MAP1 client configuration address respond
! static entry for the site-to-site tunnel to Site2
crypto map MAP1 100 ipsec-isakmp
 set peer E.F.G.H
 set security-association lifetime kilobytes 2097152
 set security-association lifetime seconds 43200
 set transform-set TR1
 set pfs group2
 match address 130
 reverse-route
crypto map MAP1 65535 ipsec-isakmp dynamic DYNMAP_1
!
interface Dialer1
 ip address negotiated
 ip access-group 121 in
 ip inspect myfw out
 crypto map MAP1
!
ip local pool REMOTE-POOL 10.10.250.1 10.10.250.254
ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! 100: split-tunnel ACL for the clients (also used as the dynamic map's match address)
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
! 102: NAT exemption for VPN traffic
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.10.250.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
! 121: inbound filter on Dialer1
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 121 permit udp any eq domain 10.10.10.0 0.0.0.255
access-list 121 permit udp any any eq isakmp
access-list 121 permit ahp host E.F.G.H any
access-list 121 permit ahp any any
access-list 121 permit esp host E.F.G.H any
access-list 121 permit esp any any
access-list 121 permit udp host E.F.G.H any eq isakmp
access-list 121 permit udp host E.F.G.H any eq non500-isakmp
access-list 121 permit udp any any eq non500-isakmp
access-list 121 permit udp any any eq 10000
access-list 121 permit icmp any host A.B.C.D
access-list 121 deny ip any any log
! 130: crypto ACL for the site-to-site tunnel
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 102

Though the site-to-site VPN works OK, I can't get the Cisco client to establish a tunnel to the router, yet it communicates with it.

Here's part of the router debug:

ISAKMP (0:2): sending packet to 213.103.218.139 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP (0:2): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2): received packet from 213.103.218.139 dport 500 sport 500 Global (R) AG_INIT_EXCH
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 213.103.218.139 was not encrypted and it should've been.
ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
ISAKMP (0:2): received packet from 213.103.218.139 dport 500 sport 500 Global (R) AG_INIT_EXCH
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 213.103.218.139 was not encrypted and it should've been.
ISAKMP (0:2): incrementing error counter on sa: reset_retransmission

Thanks a lot for any help provided. I have no idea what to try next with this.

regards

Aurélien

4 Replies

shijogeorge
Level 1

Hi,

Try removing the 'match address 100' statement from the dynamic-map config.

Regards,

Shijo George.

Hi,

Thanks - I have done this and there is progress: now from the VPN client I get the Xauth dialog box prompting for username/password. But after I have entered the credentials it still fails to establish the tunnel.

I believe that phase 1 now completes and the failure is in phase 2, if I refer to the router debugs:

(VPNClient Remote pool is 10.10.250.0/24, Site1 LAN is 10.10.10.0/24, Site2 LAN is 10.10.20.0/24, Site1 public IP is A.B.C.D, VPN client public IP is VPN.CLIENT.IP.ADDR)

ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-MD5
ISAKMP:      encaps is 61443
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= A.B.C.D, remote= VPN.CLIENT.IP.ADDR,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.10.250.13/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
.../...
ISAKMP (0:3): phase 2 SA policy not acceptable! (local A.B.C.D remote VPN.CLIENT.IP.ADDR)
.../...
ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
IPSEC(key_engine): got a queue event with 1 kei messages
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

And here's my modified config (part of it):

crypto isakmp key 0 site-site-vpn-key address E.F.G.H no-xauth
crypto isakmp keepalive 20 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group SITAB-REMOTE-VPN
 key 0 client-site-vpn-key
 dns 80.10.246.130 80.10.246.3
 pool REMOTE-POOL
 acl 103
 save-password
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TR1 esp-3des esp-sha-hmac
crypto ipsec transform-set TR2 esp-3des esp-md5-hmac
crypto ipsec transform-set TR3 esp-3des esp-md5-hmac
!
! dynamic map for the VPN clients: 'match address' removed, PFS still set
crypto dynamic-map SDM_DYNMAP_1 1
 description User to Site VPN Clients
 set security-association lifetime seconds 3600
 set transform-set TR3 TR2 TR1
 set pfs group2
 reverse-route
!
crypto map MAP1 client authentication list sdm_vpn_xauth_ml_1
crypto map MAP1 isakmp authorization list sdm_vpn_group_ml_1
crypto map MAP1 client configuration address respond
crypto map MAP1 100 ipsec-isakmp
 set peer E.F.G.H
 set security-association lifetime kilobytes 2097152
 set security-association lifetime seconds 43200
 set transform-set TR1
 set pfs group2
 match address 130
 reverse-route
crypto map MAP1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
!
interface Dialer1
 crypto map MAP1
!
ip local pool REMOTE-POOL 10.10.250.1 10.10.250.254
ip nat inside source route-map nonat interface Dialer1 overload
!
! 102: NAT exemption for VPN traffic; 103: split-tunnel ACL for the clients
access-list 102 deny ip any 10.10.250.0 0.0.0.255
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.10.250.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 102

Any idea where the problem comes from? I am suspicious about the debug message "IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400".

I could not find any helpful info about this so far...

Thanks again for all help provided.

Aurélien
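When a post like the two above pastes raw "debug crypto isakmp" / "debug crypto ipsec" output, the first thing to settle is which IKE phase the negotiation died in. The script below is an added example (not part of the thread and not Cisco tooling): it groups debug lines by ISAKMP SA id, keeps the last "Old State = ... New State = ..." transition, picks up the proxy identities the peer proposed and the error lines, and reports whether the SA never left phase 1 or reached IKE_P1_COMPLETE and was then refused in phase 2. The two sample inputs are the thread's own excerpts, abridged, with the client's public address replaced by the thread's VPN.CLIENT.IP.ADDR placeholder.

```python
"""Triage Cisco IOS 'debug crypto isakmp' / 'debug crypto ipsec' output per ISAKMP SA."""
import re

# Constructed sample: the first debug excerpt from the thread (before 'match address'
# was removed), abridged; the peer address is the thread's placeholder.
DEBUG_FIRST_ATTEMPT = """\
ISAKMP (0:2): sending packet to VPN.CLIENT.IP.ADDR my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP (0:2): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2): received packet from VPN.CLIENT.IP.ADDR dport 500 sport 500 Global (R) AG_INIT_EXCH
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from VPN.CLIENT.IP.ADDR was not encrypted and it should've been.
ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
"""

# Constructed sample: the second excerpt (after 'match address' was removed), abridged.
DEBUG_AFTER_MATCH_ADDRESS_REMOVED = """\
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP:   authenticator is HMAC-MD5
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= A.B.C.D, remote= VPN.CLIENT.IP.ADDR,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.10.250.13/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
ISAKMP (0:3): phase 2 SA policy not acceptable! (local A.B.C.D remote VPN.CLIENT.IP.ADDR)
ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

SA_RE = re.compile(r"^ISAKMP \((\d+:\d+)\): (.*)$")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PROXY_RE = re.compile(r"^(local|remote)_proxy= (\S+)")
ERROR_MARKERS = ("not acceptable", "invalidated proposal", "incrementing error counter")


def triage(debug_text):
    """Group debug lines by ISAKMP SA id; record last state, proposed proxies and error lines."""
    sas = {}
    current = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        m = SA_RE.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
            sa = sas.setdefault(current, {"last_state": None, "errors": [], "proxies": {}})
            s = STATE_RE.search(rest)
            if s:
                sa["last_state"] = s.group(2)
            if any(marker in rest for marker in ERROR_MARKERS):
                sa["errors"].append(rest)
            continue
        if current is None:
            continue  # lines before the first SA id cannot be attributed to an SA
        sa = sas[current]
        p = PROXY_RE.match(line)
        if p:
            sa["proxies"][p.group(1)] = p.group(2)
        elif line.startswith("%CRYPTO-") or line.startswith("IPSEC(validate_transform_proposal)"):
            sa["errors"].append(line)
    return sas


def phase_reached(sa):
    """2 once the SA has reported IKE_P1_COMPLETE, else 1 (still in main/aggressive mode)."""
    return 2 if sa["last_state"] == "IKE_P1_COMPLETE" else 1


def summarize(sas):
    """One line per SA: which phase failed, what the peer proposed, and the first error seen."""
    lines = []
    for sa_id, sa in sas.items():
        first_error = sa["errors"][0] if sa["errors"] else "-"
        if phase_reached(sa) == 1:
            lines.append(f"SA {sa_id}: phase 1 did not complete (last state {sa['last_state']}); "
                         f"first error: {first_error}")
        else:
            prox = sa["proxies"]
            lines.append(f"SA {sa_id}: phase 1 complete, phase 2 proposal rejected; peer proposed "
                         f"{prox.get('remote', '?')} <-> {prox.get('local', '?')}; "
                         f"first error: {first_error}")
    return lines


if __name__ == "__main__":
    for text in (DEBUG_FIRST_ATTEMPT, DEBUG_AFTER_MATCH_ADDRESS_REMOVED):
        for line in summarize(triage(text)):
            print(line)
```

Read the second summary against the config: the client proposes its pool address /32 on its side and 0.0.0.0/0 on the router side, and the router rejects that proposal with "invalid transform proposal flags"; the proxy identities are accepted, so the mismatch is in the phase 2 attributes the dynamic map imposes, not in addressing.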

Sorry, I will not help you; I just want to know if you have solved your problem?

Olivier

This issue was solved with the help of Cisco expert Haseeb Niazi in this forum. It needed PFS removed from the dynamic crypto map. It is now working.

Aurelien
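The thread's two fixes, dropping "match address" (first reply) and then "set pfs" (final resolution) from the dynamic crypto map, are both statements SDM happily generates and both easy to miss in a long config. The linter below is an added example written for this page (it is not from the thread, SDM or Cisco): it parses an IOS running-config into header/sub-command blocks, flags either statement on any "crypto dynamic-map" entry while leaving the static site-to-site entry alone (where both are legitimate), checks that the Easy VPN group's pool and split-tunnel ACL actually exist and that the dynamic map is attached to a crypto map, and re-emits the dynamic map the way the thread ended up with it. The sample config is an abridged copy of the first post's config with the indentation IOS prints in "show running-config" restored (the forum flattened it); the advice strings are this editor's wording, not Cisco's.

```python
"""Lint a Cisco IOS crypto config for the Easy VPN dynamic-map mistakes resolved in the thread."""
import re

# Constructed sample: abridged from the thread's first (SDM-generated) config, indentation
# restored. The dynamic map still carries both statements the thread ended up removing.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group REMOTE-VPN
 key 0 client-site-key
 pool REMOTE-POOL
 acl 100
 save-password
crypto ipsec transform-set TR1 esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP_1 1
 description User to Site VPN Clients
 set security-association lifetime seconds 3600
 set transform-set TR1
 set pfs group2
 match address 100
 reverse-route
crypto map MAP1 100 ipsec-isakmp
 set peer E.F.G.H
 set transform-set TR1
 set pfs group2
 match address 130
crypto map MAP1 65535 ipsec-isakmp dynamic DYNMAP_1
ip local pool REMOTE-POOL 10.10.250.1 10.10.250.254
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
"""


def parse_sections(text):
    """Split IOS config into (header, [sub-commands]); indented lines belong to the preceding header."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_easyvpn(text):
    """Return (object, command, advice) findings. Only dynamic maps are checked for
    'match address' / 'set pfs'; the static site-to-site entry may legitimately use both."""
    sections = parse_sections(text)
    pools, acls, attached = set(), set(), set()
    for header, _ in sections:
        if header.startswith("ip local pool "):
            pools.add(header.split()[3])
        elif header.startswith("access-list "):
            acls.add(header.split()[1])
        elif header.startswith("ip access-list "):
            acls.add(header.split()[-1])
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$", header)
        if m:
            attached.add(m.group(1))

    findings = []
    for header, body in sections:
        m = re.match(r"crypto dynamic-map (\S+) \d+$", header)
        if m:
            name = m.group(1)
            for cmd in body:
                if cmd.startswith("match address "):
                    findings.append((name, cmd, "remove: the thread only reached the Xauth prompt "
                                     "after this was dropped; the client proposes its own proxies"))
                elif cmd.startswith("set pfs"):
                    findings.append((name, cmd, "remove: the thread's final fix; with PFS required "
                                     "here the client's phase 2 proposal was rejected"))
            if name not in attached:
                findings.append((name, header, "not referenced by any 'crypto map ... ipsec-isakmp dynamic' entry"))
            continue
        m = re.match(r"crypto isakmp client configuration group (\S+)$", header)
        if m:
            group = m.group(1)
            for cmd in body:
                words = cmd.split()
                if words[0] == "pool" and words[1] not in pools:
                    findings.append((group, cmd, f"no 'ip local pool {words[1]}' defined"))
                elif words[0] == "acl" and words[1] not in acls:
                    findings.append((group, cmd, f"split-tunnel ACL {words[1]} is not defined"))
    return findings


def corrected_dynamic_map(text, name):
    """Re-emit 'crypto dynamic-map <name>' without 'match address' and 'set pfs', as the thread's fix did."""
    out = []
    for header, body in parse_sections(text):
        if re.match(rf"crypto dynamic-map {re.escape(name)} \d+$", header):
            out.append(header)
            out.extend(" " + c for c in body
                       if not (c.startswith("match address ") or c.startswith("set pfs")))
    return "\n".join(out)


if __name__ == "__main__":
    for obj, cmd, advice in lint_easyvpn(SAMPLE_CONFIG):
        print(f"{obj}: '{cmd}' -> {advice}")
    print(corrected_dynamic_map(SAMPLE_CONFIG, "DYNMAP_1"))
```

Feed it the output of "show running-config" (indentation intact) rather than a forum paste; the parser relies on IOS's one-space indentation to know which sub-commands belong to which map. The static "crypto map MAP1 100 ipsec-isakmp" entry keeps its PFS and crypto ACL untouched, which is why the site-to-site tunnel in the thread kept working throughout.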