08-05-2005 01:34 PM
Hi all,
I have run out of ideas on this. I have 2 sites VPN'ed and working OK. Site1 is connected to the web through ADSL on an 837 router (IOS 12.3(2)XC2). Now I must set up the 837 as an Easy VPN server for Cisco VPN clients. I've tried with SDM, which made the config below:
(VPNClient Remote pool is 10.10.250.0/24, Site1 LAN is 10.10.10.0/24, Site2 LAN is 10.10.20.0/24, Site1 public IP is A.B.C.D, Site2 public IP is E.F.G.H)
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
<<<isakmp policies I think are fine>>>
crypto isakmp key 0 site-site-key address E.F.G.H no-xauth
crypto isakmp client configuration group REMOTE-VPN
 key 0 client-site-key
 dns M.N.O.P
 pool REMOTE-POOL
 acl 100
 save-password
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TR1 esp-3des esp-sha-hmac
crypto ipsec transform-set TR2 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP_1 1
 description User to Site VPN Clients
 set security-association lifetime seconds 3600
 set transform-set TR1
 set pfs group2
 match address 100
 reverse-route
crypto map MAP1 client authentication list sdm_vpn_xauth_ml_1
crypto map MAP1 isakmp authorization list sdm_vpn_group_ml_1
crypto map MAP1 client configuration address respond
crypto map MAP1 100 ipsec-isakmp
 set peer E.F.G.H
 set security-association lifetime kilobytes 2097152
 set security-association lifetime seconds 43200
 set transform-set TR1
 set pfs group2
 match address 130
 reverse-route
crypto map MAP1 65535 ipsec-isakmp dynamic DYNMAP_1
interface Dialer1
 ip address negotiated
 ip access-group 121 in
 ip inspect myfw out
 crypto map MAP1
ip local pool REMOTE-POOL 10.10.250.1 10.10.250.254
ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.10.250.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 121 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.250.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 121 permit udp any eq domain 10.10.10.0 0.0.0.255
access-list 121 permit udp any any eq isakmp
access-list 121 permit ahp host E.F.G.H any
access-list 121 permit ahp any any
access-list 121 permit esp host E.F.G.H any
access-list 121 permit esp any any
access-list 121 permit udp host E.F.G.H any eq isakmp
access-list 121 permit udp host E.F.G.H any eq non500-isakmp
access-list 121 permit udp any any eq non500-isakmp
access-list 121 permit udp any any eq 10000
access-list 121 permit icmp any host A.B.C.D
access-list 121 deny ip any any log
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
route-map nonat permit 10
 match ip address 102
Though the site-to-site VPN works OK, I can't get the Cisco client to establish a tunnel to the router, yet it communicates with it.
Here's part of the router debug:
ISAKMP (0:2): sending packet to 213.103.218.139 my_port 500 peer_port 500 (R) AG_INIT_EXCH
ISAKMP (0:2): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP (0:2): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
ISAKMP (0:2): received packet from 213.103.218.139 dport 500 sport 500 Global (R) AG_INIT_EXCH
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 213.103.218.139 was not encrypted and it should've been.
ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
ISAKMP (0:2): received packet from 213.103.218.139 dport 500 sport 500 Global (R) AG_INIT_EXCH
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 213.103.218.139 was not encrypted and it should've been.
ISAKMP (0:2): incrementing error counter on sa: reset_retransmission
Thanks a lot for any help provided. I have no idea what to try next with this.
Regards
Aurélien
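The NAT exemption in this config is decided by ACL 102 through "ip nat inside source route-map nonat ... overload" and "route-map nonat permit 10 / match ip address 102": a flow is translated only when the ACL permits it, so the deny entries (and the implicit deny at the end) are what keep LAN-to-VPN traffic out of NAT. The following is an added example, not part of the original post and not Cisco code: a small evaluator for numbered "ip" ACL entries with Cisco wildcard masks, run over ACL 102 as posted above. The test addresses (198.51.100.9 and the 10.10.x.x hosts) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: ACL 102 exactly as posted in the first message. It is the
# ACL that "route-map nonat permit 10 / match ip address 102" uses to decide
# which inside traffic gets translated on Dialer1.
SAMPLE_ACL_102 = """
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.10.250.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

AddrSpec = Tuple[int, int]  # (address, wildcard) as 32-bit integers


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: AddrSpec
    dst: AddrSpec


def _parse_spec(tokens: List[str], pos: int) -> Tuple[AddrSpec, int]:
    """Parse one address spec: 'any', 'host A', or 'A WILDCARD'. Returns (spec, next_pos)."""
    tok = tokens[pos]
    if tok == "any":
        return (0, 0xFFFFFFFF), pos + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[pos + 1])), 0), pos + 2
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[pos + 1]))
    return (addr, wildcard), pos + 2


def parse_acl(text: str, number: int) -> List[AclEntry]:
    """Parse the 'ip' entries of one numbered extended ACL, in the order they were entered."""
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or int(tokens[1]) != number:
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":  # port-qualified tcp/udp entries are out of scope for a NAT ACL
            raise ValueError(f"unsupported protocol in NAT ACL: {line}")
        src, pos = _parse_spec(tokens, 4)
        dst, _ = _parse_spec(tokens, pos)
        entries.append(AclEntry(action, src, dst))
    return entries


def _matches(spec: AddrSpec, ip: str) -> bool:
    """Cisco wildcard semantics: a set wildcard bit is 'don't care'."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def first_match(entries: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """First-match evaluation; None means the implicit 'deny' at the end of the ACL."""
    for entry in entries:
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.action
    return None


def is_translated(entries: List[AclEntry], src: str, dst: str) -> bool:
    """With 'ip nat inside source route-map nonat', a flow is NATed only when the
    route-map's ACL permits it; deny entries (and the implicit deny) exempt it."""
    return first_match(entries, src, dst) == "permit"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL_102, 102)
    for src, dst in [("10.10.10.5", "10.10.250.13"),   # LAN -> VPN client pool
                     ("10.10.10.5", "10.10.20.7"),     # LAN -> Site2 LAN
                     ("10.10.10.5", "198.51.100.9"),   # LAN -> Internet (constructed address)
                     ("10.10.20.7", "198.51.100.9")]:  # Site2 source: no entry matches
        print(f"{src} -> {dst}: {'NAT' if is_translated(acl, src, dst) else 'exempt'}")
```

Running it shows that LAN traffic to the 10.10.250.0/24 client pool and to Site2 falls on a deny entry and stays untranslated, while LAN-to-Internet traffic hits the final permit and is overloaded onto Dialer1. The same evaluator can be pointed at the crypto ACLs (100, 130) to confirm that the interesting-traffic definition and the NAT exemption cover the same address pairs.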
08-08-2005 08:41 PM
Hi,
Try removing the 'match address 100' statement from the dynamic-map config.
Regards,
Shijo George.
08-09-2005 12:42 AM
Hi,
Thanks - I have done this and there is progress: now from the VPN client I get the Xauth dialog box prompting for username/password. But after I have entered the credentials it still fails to establish the tunnel.
I believe that now phase 1 completes and the failure is in phase 2, if I refer to the router debugs:
(VPNClient Remote pool is 10.10.250.0/24, Site1 LAN is 10.10.10.0/24, Site2 LAN is 10.10.20.0/24, Site1 public IP is A.B.C.D, VPN client public IP is VPN.CLIENT.IP.ADDR)
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= A.B.C.D, remote= VPN.CLIENT.IP.ADDR,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.250.13/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
.../...
ISAKMP (0:3): phase 2 SA policy not acceptable! (local A.B.C.D remote VPN.CLIENT.IP.ADDR)
.../...
ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
IPSEC(key_engine): got a queue event with 1 kei messages
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
And here's my modified config (part of it):
crypto isakmp key 0 site-site-vpn-key address E.F.G.H no-xauth
crypto isakmp keepalive 20 10
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 20
crypto isakmp client configuration group SITAB-REMOTE-VPN
 key 0 client-site-vpn-key
 dns 80.10.246.130 80.10.246.3
 pool REMOTE-POOL
 acl 103
 save-password
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set TR1 esp-3des esp-sha-hmac
crypto ipsec transform-set TR2 esp-3des esp-md5-hmac
crypto ipsec transform-set TR3 esp-3des esp-md5-hmac
crypto dynamic-map SDM_DYNMAP_1 1
 description User to Site VPN Clients
 set security-association lifetime seconds 3600
 set transform-set TR3 TR2 TR1
 set pfs group2
 reverse-route
crypto map MAP1 client authentication list sdm_vpn_xauth_ml_1
crypto map MAP1 isakmp authorization list sdm_vpn_group_ml_1
crypto map MAP1 client configuration address respond
crypto map MAP1 100 ipsec-isakmp
 set peer E.F.G.H
 set security-association lifetime kilobytes 2097152
 set security-association lifetime seconds 43200
 set transform-set TR1
 set pfs group2
 match address 130
 reverse-route
crypto map MAP1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
interface Dialer1
 crypto map MAP1
ip local pool REMOTE-POOL 10.10.250.1 10.10.250.254
ip nat inside source route-map nonat interface Dialer1 overload
access-list 102 deny ip any 10.10.250.0 0.0.0.255
access-list 102 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny ip 10.10.0.0 0.0.255.255 10.10.250.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 10.10.0.0 0.0.255.255 any
route-map nonat permit 10
 match ip address 102
Any idea where the problem comes from? I am suspicious about the debug message "IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400".
I could not find any helpful info about this so far...
Thanks again for all help provided.
Aurélien
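The debug above is the useful evidence in this thread: phase 1 reaches IKE_P1_COMPLETE, the router accepts the client's attributes ("atts are acceptable"), and the rejection comes from the IPsec policy check on the quick-mode proposal, after which the client sends IKE_INFO_DELETE. The last post reports that removing PFS from the dynamic crypto map resolved it. The following is an added example, not part of the original thread and not Cisco code: a small triage script for "debug crypto isakmp" / "debug crypto ipsec" captures that extracts the SA ids, the proposal attributes (including decoding the hex "SA life duration (VPI)" bytes into seconds) and maps the failure messages seen in this thread to what resolved them here. The sample capture is the second post's debug with its address placeholders kept; the mapping of encapsulation value 61443 to UDP-encapsulated tunnel mode is taken from the draft NAT-T values and is not stated in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the phase 2 portion of the debug from the second post,
# with the poster's address placeholders (A.B.C.D, VPN.CLIENT.IP.ADDR) kept as-is.
SAMPLE_DEBUG = """\
ISAKMP (0:3): Checking IPSec proposal 11
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-MD5
ISAKMP: encaps is 61443
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:3): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= A.B.C.D, remote= VPN.CLIENT.IP.ADDR,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 10.10.250.13/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
IPSEC(validate_transform_proposal): invalid transform proposal flags -- 0x400
ISAKMP (0:3): IPSec policy invalidated proposal
ISAKMP (0:3): phase 2 SA policy not acceptable! (local A.B.C.D remote VPN.CLIENT.IP.ADDR)
ISAKMP (0:3): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
ISAKMP (0:3): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

# Encapsulation-mode attribute values: 1 and 2 are the IPsec DOI values; 61443/61444
# are the draft NAT-T private-use values (assumed from the draft, not stated in the thread).
ENCAPS_MODES = {
    1: "tunnel",
    2: "transport",
    61443: "UDP-encapsulated tunnel (NAT-T)",
    61444: "UDP-encapsulated transport (NAT-T)",
}

# Messages seen in this thread and what resolved them there.
KNOWN_FAILURES = {
    r"IKMP_NOT_ENCRYPTED": "cleartext IKE packet where an encrypted one was expected; "
                           "in the thread this went away after removing 'match address' "
                           "from the dynamic crypto map",
    r"invalid transform proposal flags": "router's IPsec policy rejected the client's "
                                         "quick-mode proposal; the thread's fix was removing "
                                         "'set pfs' from the dynamic crypto map",
    r"phase 2 SA policy not acceptable": "quick mode aborted after the proposal was "
                                         "invalidated (the client then sends IKE_INFO_DELETE)",
}


def lifetime_seconds(vpi: str) -> int:
    """Decode a variable-length big-endian lifetime, e.g. '0x0 0x20 0xC4 0x9B' -> 2147483."""
    value = 0
    for tok in vpi.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_proposal(text: str) -> Dict[str, object]:
    """Pull the negotiated-attribute lines out of 'Checking IPSec proposal' output."""
    info: Dict[str, object] = {}
    patterns = {
        "transform": r"transform \d+, (\S+)",
        "authenticator": r"authenticator is (\S+)",
        "local_proxy": r"local_proxy= (\S+)",
        "remote_proxy": r"remote_proxy= (\S+)",
        "ipsec_transform": r"transform= ([^,]+?)\s*,",
        "flags": r"flags= (0x[0-9A-Fa-f]+)",
    }
    for key, pat in patterns.items():
        m = re.search(pat, text)
        if m:
            info[key] = m.group(1)
    m = re.search(r"encaps is (\d+)", text)
    if m:
        code = int(m.group(1))
        info["encaps"] = code
        info["encaps_mode"] = ENCAPS_MODES.get(code, "unknown")
    m = re.search(r"SA life duration \(VPI\) of ([^\n]+)", text)
    if m:
        info["lifetime_seconds"] = lifetime_seconds(m.group(1))
    return info


def triage(text: str) -> Dict[str, object]:
    """Summarise one ISAKMP/IPsec debug capture: SA ids, phase 1 state, proposal, failures."""
    failures: List[Dict[str, str]] = []
    for pat, meaning in KNOWN_FAILURES.items():
        m = re.search(pat, text)
        if m:
            failures.append({"message": m.group(0), "meaning": meaning})
    return {
        "sa_ids": sorted(set(re.findall(r"ISAKMP \((\d+:\d+)\)", text))),
        "phase1_complete": "IKE_P1_COMPLETE" in text,
        "atts_acceptable": "atts are acceptable" in text,
        "proposal": parse_proposal(text),
        "failures": failures,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    print(f"SAs: {report['sa_ids']}, phase 1 complete: {report['phase1_complete']}")
    print("proposal:", report["proposal"])
    for f in report["failures"]:
        print(f"- {f['message']}: {f['meaning']}")
```

The decoded lifetime (2147483 s) is far above the 3600 s in the dynamic map, yet the router still logged "atts are acceptable", which is why the script reports attribute acceptance separately from the policy failure: the two are distinct stages, and only the second one failed here.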
09-02-2005 07:18 AM
Sorry, I will not help you; I just want to know if you have solved your problem?
Olivier
09-04-2005 12:11 AM
This issue was solved with the help of Cisco expert Haseeb Niazi in this forum. It needed PFS removed from the dynamic crypto map. It is now working.
Aurelien