08-17-2012 06:13 AM - edited 02-21-2020 06:16 PM
Hello,
I get this error when I connect to a Cisco IOS router (Version 15.1(4)M3) with the Cisco VPN Client (5.0.07.0410):
Secure VPN Connection terminated by Peer.
Reason 433: (Reason Not Specified by Peer)
Debug is in the attachment. I can't find any reason for that behavior.
aaa new-model
aaa authentication login default local
aaa authentication login x-auth local
aaa authentication enable default enable
aaa authorization exec default local
aaa authorization network vpn-auth local
!
ip vrf private
 rd 65000:1
ip vrf public
 rd 65000:2
!
crypto logging session
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp fragmentation
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group pkapralik
 key xxxxxxxx
 pool pkapralik
 acl vpn-pkapralik
 netmask 255.255.255.255
!
crypto isakmp profile dvti
 match identity group pkapralik
 client authentication list x-auth
 isakmp authorization list vpn-auth
 client configuration address respond
 initiate mode aggressive
 virtual-template 1
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile 1
 set transform-set 1
!
interface Virtual-Template1 type tunnel
 ip vrf forwarding public
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile 1
!
interface GigabitEthernet0/1
 ip vrf forwarding public
 ip address 194.160.24.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 no cdp enable
!
ip local pool pkapralik 100.100.100.100
Greetings
Pali
08-28-2012 12:44 PM
Hello Pavel,
My personal (and unwarranted as of yet) opinion is that your configuration is not properly referring to the VRFs. With IPsec VPNs, you have to distinguish between two VRFs:
Your current configuration does not appear to properly distinguish between these two VRFs and has a couple of issues:
Can you try modifying your Virtual-Template1 configuration as follows?
interface Virtual-Template1 type tunnel
 ip vrf forwarding private ! This is the IVRF
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel vrf public ! This is the FVRF
 tunnel protection ipsec profile 1
This seems to have worked for me when replicating your setup in Dynagen using a 2691 as an EzVPN client. Without the tunnel vrf, it logically could not have worked - the tunnel endpoints were associated with the global routing table while in reality, they are reachable only through the VRF public (thanks to Gi0/1 being placed into that FVRF).
Of course, adapt the IVRF on the Virtual-Template1 interface as appropriate.
You may be interested in reading more about FVRF/IVRF in this document:
Please keep us informed. Thank you!
Best regards,
Peter
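The rule in Peter's answer can be checked mechanically before a config is pushed: an IPsec-protected tunnel interface needs its front-door VRF (tunnel vrf, the FVRF) to be the VRF in which the tunnel endpoints are reachable, which is the VRF of the interface that supplies the tunnel's address; with no tunnel vrf line the FVRF is the global table, and that is exactly the mismatch in the original post. The script below is an added example written for this thread, not code from the thread or from Cisco. It embeds two constructed config fragments (the poster's original Virtual-Template1 and uplink stanzas, and the same stanzas with Peter's change applied), parses the VRF-relevant lines of each interface stanza, and reports any protected tunnel whose FVRF differs from its source interface's VRF. The interface and VRF names are the ones on the page; the function names and the one-space-indent stanza parsing are assumptions of this example.

```python
"""Added example: lint a Cisco IOS running-config for an FVRF/IVRF mismatch.

Rule (from the answer above): for a tunnel with `tunnel protection`, the
FVRF (`tunnel vrf`) must equal the VRF of the interface that supplies the
tunnel address. Missing `tunnel vrf` means the global routing table.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the original poster's tunnel and uplink stanzas,
# which have no `tunnel vrf` although GigabitEthernet0/1 sits in VRF public.
BROKEN_CONFIG = """\
interface Virtual-Template1 type tunnel
 ip vrf forwarding public
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile 1
!
interface GigabitEthernet0/1
 ip vrf forwarding public
 ip address 194.160.24.2 255.255.255.252
!
"""

# Constructed sample: the same stanzas after the suggested change.
FIXED_CONFIG = """\
interface Virtual-Template1 type tunnel
 ip vrf forwarding private
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel vrf public
 tunnel protection ipsec profile 1
!
interface GigabitEthernet0/1
 ip vrf forwarding public
 ip address 194.160.24.2 255.255.255.252
!
"""


@dataclass
class Interface:
    name: str
    vrf: str = "global"                  # `ip vrf forwarding`; on a tunnel this is the IVRF
    fvrf: str = "global"                 # `tunnel vrf`; absent means the global table
    tunnel_source: Optional[str] = None  # `tunnel source <interface>`
    unnumbered: Optional[str] = None     # `ip unnumbered <interface>`
    protected: bool = False              # has `tunnel protection ipsec profile`


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Collect the VRF-relevant lines of every `interface` stanza.
    IOS indents sub-commands with a space; an unindented line ends the stanza."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):  # top-level command
            match = re.match(r"interface (\S+)", line)
            current = Interface(match.group(1)) if match else None
            if current:
                interfaces[current.name] = current
            continue
        if current is None:
            continue
        if m := re.match(r"(?:ip )?vrf forwarding (\S+)", line):
            current.vrf = m.group(1)
        elif m := re.match(r"tunnel vrf (\S+)", line):
            current.fvrf = m.group(1)
        elif m := re.match(r"tunnel source (\S+)", line):
            current.tunnel_source = m.group(1)
        elif m := re.match(r"ip unnumbered (\S+)", line):
            current.unnumbered = m.group(1)
        elif line.startswith("tunnel protection ipsec profile"):
            current.protected = True
    return interfaces


def check_fvrf(interfaces: Dict[str, Interface]) -> List[str]:
    """One finding per protected tunnel whose FVRF differs from its source's VRF."""
    findings: List[str] = []
    for itf in interfaces.values():
        if not itf.protected:
            continue
        src_name = itf.tunnel_source or itf.unnumbered  # explicit source wins
        src = interfaces.get(src_name) if src_name else None
        if src is None:
            # Source is an IP address, an abbreviated name, or missing:
            # its VRF cannot be resolved from the config text alone.
            findings.append(f"{itf.name}: cannot resolve source {src_name!r}; check FVRF by hand")
            continue
        if itf.fvrf != src.vrf:
            findings.append(
                f"{itf.name}: FVRF is '{itf.fvrf}' (IVRF '{itf.vrf}') but source "
                f"{src.name} is in VRF '{src.vrf}'; add 'tunnel vrf {src.vrf}'"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_fvrf(parse_interfaces(cfg)) or ["ok"])
```

Run against a full show running-config the check is the same; the only finding on the poster's config is the Virtual-Template1 mismatch, and it disappears once tunnel vrf public is present. The IVRF is reported alongside so the two roles stay visible even when, as in the original, both happen to name the same VRF.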
08-28-2012 02:07 PM
Peter, you are absolutely right. Thanks for your explanation.
Greetings.
Pavel