VPN Client and 831

kiksen1 (Level 1)

Dear All,

I am trying to terminate a VPN client on my 831 router using digital certificates. Are there any examples for the 831 and the VPN client? I can only find papers for the PIX. After the client chooses the attributes I get an error:

1:19:45: ISAKMP: encryption 3DES-CBC
01:19:45: ISAKMP: hash SHA
01:19:45: ISAKMP: default group 2
01:19:45: ISAKMP: auth RSA sig
01:19:45: ISAKMP: life type in seconds
01:19:45: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
01:19:45: ISAKMP (0:2): atts are acceptable. Next payload is 3
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1
01:19:46: ISAKMP (0:2): sending packet to 12.0.0.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): processing KE payload. message ID = 0
01:19:46: ISAKMP (0:2): processing NONCE payload. message ID = 0
01:19:46: ISAKMP (0:2): SKEYID state generated
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): sending packet to 12.0.0.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:46: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
01:19:46: IPSECcard: an error coming back 10FF
01:19:46: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:46: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
01:19:51: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:51: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:51: IPSECcard: an error coming back 10FF
01:19:51: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:51: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
01:19:56: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:56: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:56: IPSECcard: an error coming back 10FF
01:19:56: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet


Here is my config for the 831:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RouterA
!
!
no ip subnet-zero
ip domain name test.abc
ip name-server 192.168.1.20
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint winCA
 enrollment mode ra
 enrollment url http://192.168.2.234:80/certsrv/mscep/mscep.dll
 serial-number
crypto ca certificate chain winCA
 certificate ca 6F4B59AA487E3DB346D2EAA82F2934DB nvram:ABCCA.cer
 certificate 10191F6A00000000000A nvram:ABC.cer
 certificate 10192E2000000000000B nvram:ABCCA#1.cer
!
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp key geheim address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpn
 key geheim
 dns 192.168.1.20
!
!
crypto ipsec transform-set SICHER esp-3des esp-md5-hmac
!
crypto dynamic-map cisco 1
 set transform-set SICHER
!
!
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
!
!
interface Ethernet0
 ip address 12.0.0.1 255.0.0.0
 no cdp enable
 crypto map dyn-map
 hold-queue 100 out
!
interface Ethernet1
 ip address 192.168.1.33 255.255.255.0
 no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
!
no cdp run
...
...

Thank you!

Christian
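The debug output above is easier to reason about once the ISAKMP state transitions, received exchanges and error messages are tallied per SA: the responder reaches IKE_R_MM4 (it has sent main-mode message 4 and is waiting for message 5, the first encrypted main-mode message), every MM_KEY_EXCH packet it then receives fails to decrypt with a hardware error (0x10FF) logged just before, and the peer retransmits the same packet every five seconds without the SA ever advancing. The following parser is an added example, not code from the original post or from Cisco; it runs over a constructed excerpt in the same format as the "debug crypto isakmp" output quoted above. The mapping of "connection id N" in the %CRYPTO-6-IKMP_CRYPT_FAILURE message to the ISAKMP SA "0:N" is an assumption made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the IOS "debug crypto isakmp"
# output in the post (timestamps and peer address are illustrative).
SAMPLE_LOG = """\
01:19:45: ISAKMP (0:2): atts are acceptable. Next payload is 3
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1
01:19:46: ISAKMP (0:2): sending packet to 12.0.0.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): SKEYID state generated
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:46: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:46: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:46: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
01:19:51: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:51: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:51: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:51: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
"""

TS = r"^(?P<ts>\d\d:\d\d:\d\d): "
STATE_RE = re.compile(TS + r"ISAKMP \((?P<sa>\d+:\d+)\): Old State = (?P<old>\S+) New State = (?P<new>\S+)")
PKT_RE = re.compile(TS + r"ISAKMP \((?P<sa>\d+:\d+)\): (?P<dir>sending packet to|received packet from) "
                    r"(?P<peer>\S+) .*\((?P<role>[IR])\) (?P<exch>\S+)$")
HW_ERR_RE = re.compile(TS + r"%HIFN79XX-3-CMD_ERR: .*\((?P<code>0x[0-9A-Fa-f]+)\)")
DECRYPT_RE = re.compile(TS + r"%CRYPTO-6-IKMP_CRYPT_FAILURE: IKE \(connection id (?P<conn>\d+)\) unable to decrypt")


def new_sa():
    """Per-SA record: peer, state history, received exchanges, error counters."""
    return {"peer": None, "transitions": [], "last_state": None,
            "received": Counter(), "decrypt_failures": 0, "hw_errors": Counter()}


def analyze(log_text):
    """Tally state transitions, received exchanges and errors for each ISAKMP SA."""
    sas = defaultdict(new_sa)
    pending_hw = []  # crypto-engine error codes seen since the last decrypt failure
    for raw in log_text.splitlines():
        line = raw.strip()
        m = STATE_RE.match(line)
        if m:
            sa = sas[m["sa"]]
            sa["transitions"].append((m["old"], m["new"]))
            sa["last_state"] = m["new"]
            continue
        m = PKT_RE.match(line)
        if m:
            sa = sas[m["sa"]]
            sa["peer"] = m["peer"]
            if m["dir"].startswith("received"):
                sa["received"][m["exch"]] += 1
            continue
        m = HW_ERR_RE.match(line)
        if m:
            pending_hw.append(m["code"])
            continue
        m = DECRYPT_RE.match(line)
        if m:
            # Assumption for this example: "connection id N" is ISAKMP SA "0:N".
            sa = sas["0:" + m["conn"]]
            sa["decrypt_failures"] += 1
            for code in pending_hw:
                sa["hw_errors"][code] += 1
            pending_hw = []
    return dict(sas)


def diagnose(sa_id, sa):
    """Turn one SA record into human-readable findings."""
    findings = []
    if sa["decrypt_failures"] and sa["last_state"] == "IKE_R_MM4":
        # Responder has sent MM4 and is waiting for MM5, the first encrypted
        # main-mode message; a decrypt failure here means phase 1 cannot complete.
        findings.append(f"SA {sa_id}: responder stuck in IKE_R_MM4; {sa['decrypt_failures']} decrypt "
                        f"failure(s) on MM5, the first encrypted main-mode message from {sa['peer']}")
    for exch, n in sa["received"].items():
        if n > 1:
            findings.append(f"SA {sa_id}: {exch} received {n} times (peer retransmitting, no progress)")
    for code, n in sa["hw_errors"].items():
        findings.append(f"SA {sa_id}: crypto hardware error {code} preceded {n} decrypt failure(s)")
    return findings


if __name__ == "__main__":
    for sa_id, rec in analyze(SAMPLE_LOG).items():
        for finding in diagnose(sa_id, rec):
            print(finding)
```

The parser deliberately keys the hardware error on the decrypt failure that follows it, so a stray %HIFN79XX message with no decrypt failure after it is not attributed to any SA; when reading a longer debug capture, that separation keeps crypto-engine faults and IKE-level failures from being conflated.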


l.cabral (Level 1)

You have a problem with your IOS version. Support for the Cisco VPN Client needs the feature "Easy VPN Server" on the router, and this feature appears from version 12.3(2) on 831 routers.

You have two alternatives:

1. Use another VPN client that only uses IPsec.

2. Upgrade your router's IOS software to one of the following:

Basic:

IOS 12.3(2)T IP/FW 3DES --->Prod: S831CHK9-12302T

With more QoS features:

IOS 12.3(2)T IP/FW/PLUS 3DES --->Prod: S831CHPK9-12302T

Hope to help,

chabral