Solved: VFR aware Remote Access - Reason 433: (Reason Not Specified by P

pkapralik · ‎08-17-2012

Hello,

I get this error if I connected to Cisco IOS router (Version 15.1(4)M3) with Cisco VPN Client (5.0.07.0410):

Secure VPN Connection terminated by Peer.

Reason 433: (Reason Not Specified by Peer)

Debug is in the attachment. I can't find any reason for that behavior.

aaa new-model

aaa authentication login default local

aaa authentication login x-auth local

aaa authentication enable default enable

aaa authorization exec default local

aaa authorization network vpn-auth local

!

ip vrf private

rd 65000:1

ip vrf public

rd 65000:2

!

crypto logging session

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

!

crypto isakmp fragmentation

crypto isakmp keepalive 10 periodic

!

crypto isakmp client configuration group pkapralik

key xxxxxxxx

pool pkapralik

acl vpn-pkapralik

netmask 255.255.255.255

!

crypto isakmp profile dvti

match identity group pkapralik

client authentication list x-auth

isakmp authorization list vpn-auth

client configuration address respond

initiate mode aggressive

virtual-template 1

!

crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac

crypto ipsec df-bit clear

!

crypto ipsec profile 1

set transform-set 1

!

interface Virtual-Template1 type tunnel

ip vrf forwarding public

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile 1

!

interface GigabitEthernet0/1

ip vrf forwarding public

ip address 194.160.24.2 255.255.255.252

no ip redirects

no ip proxy-arp

duplex auto

speed auto

no cdp enable

!

ip local pool pkapralik 100.100.100.100

Greetings

Pali

Peter Paluch · ‎08-28-2012

Hello Pavel,

My personal (and unwarranted as of yet) opinion is that your configuration is not properly referring to the VRFs. With IPsec VPNs, you have to distinguish between two VRFs:

Front-door VRF or simply Front VRF which is the VRF of the outside interface that connects your router to the ISP
Internal VRF which is the VRF of internal networks that you want to access via the IPsec tunnel

Your current configuration does not appear to properly distinguish between these two VRFs and has a couple of issues:

The Gi0/1 interface obviously used to access the ISP is placed into the VRF public, yet the Virtual-Template1 is not associated with this VRF as its FVRF (the tunnel vrf command is missing)
The VRF private does not appear to be used at all, nor is there any other interface placed into the same VRF

Can you try modifying your Virtual-Template1 configuration as follows?

interface Virtual-Template1 type tunnel

ip vrf forwarding private ! This is the IVRF

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel vrf public ! This is the FVRF

tunnel protection ipsec profile 1

This seems to have worked with me when replicating your setup in Dynagen using a 2691 as an EzVPN client. Without the tunnel vrf, it logically could not have worked - the tunnel endpoints were associated with the global routing table while in reality, they are reachable only through the VRF public (thanks to Gi0/1 being placed into that FVRF).

Of course, adapt the IVRF on the Virtual-Template1 interface as appropriate.

You may be interested in reading more about FVRF/IVRF in this document:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Please keep us informed. Thank you!

Best regards,

Peter

View solution in original post

Peter Paluch · ‎08-28-2012

Hello Pavel,

My personal (and unwarranted as of yet) opinion is that your configuration is not properly referring to the VRFs. With IPsec VPNs, you have to distinguish between two VRFs:

Front-door VRF or simply Front VRF which is the VRF of the outside interface that connects your router to the ISP
Internal VRF which is the VRF of internal networks that you want to access via the IPsec tunnel

Your current configuration does not appear to properly distinguish between these two VRFs and has a couple of issues:

The Gi0/1 interface obviously used to access the ISP is placed into the VRF public, yet the Virtual-Template1 is not associated with this VRF as its FVRF (the tunnel vrf command is missing)
The VRF private does not appear to be used at all, nor is there any other interface placed into the same VRF

Can you try modifying your Virtual-Template1 configuration as follows?

interface Virtual-Template1 type tunnel

ip vrf forwarding private ! This is the IVRF

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel vrf public ! This is the FVRF

tunnel protection ipsec profile 1

This seems to have worked with me when replicating your setup in Dynagen using a 2691 as an EzVPN client. Without the tunnel vrf, it logically could not have worked - the tunnel endpoints were associated with the global routing table while in reality, they are reachable only through the VRF public (thanks to Gi0/1 being placed into that FVRF).

Of course, adapt the IVRF on the Virtual-Template1 interface as appropriate.

You may be interested in reading more about FVRF/IVRF in this document:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

Please keep us informed. Thank you!

Best regards,

Peter

pkapralik · ‎08-28-2012

Peter, you are absolutely right. Thanks for your explanation.

Greetings.

Pavel

VFR aware Remote Access - Reason 433: (Reason Not Specified by Peer)