08-25-2003 02:33 AM - edited 02-21-2020 12:44 PM
Dear All,
I am trying to terminate a VPN client on my 831 router using digital certificates. Are there any examples for the 831 and the VPN client? I can only find papers for the PIX. After the client chooses the attributes I get an error:
1:19:45: ISAKMP: encryption 3DES-CBC
01:19:45: ISAKMP: hash SHA
01:19:45: ISAKMP: default group 2
01:19:45: ISAKMP: auth RSA sig
01:19:45: ISAKMP: life type in seconds
01:19:45: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
01:19:45: ISAKMP (0:2): atts are acceptable. Next payload is 3
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM1
01:19:46: ISAKMP (0:2): sending packet to 12.0.0.5 my_port 500 peer_port 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_SA_SETUP
01:19:46: ISAKMP (0:2): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): processing KE payload. message ID = 0
01:19:46: ISAKMP (0:2): processing NONCE payload. message ID = 0
01:19:46: ISAKMP (0:2): SKEYID state generated
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): sending packet to 12.0.0.5 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:19:46: ISAKMP (0:2): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:46: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
01:19:46: IPSECcard: an error coming back 10FF
01:19:46: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:46: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
01:19:51: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:51: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:51: IPSECcard: an error coming back 10FF
01:19:51: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:51: ISAKMP (0:2): incrementing error counter on sa: ce_decrypt failed
01:19:56: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:56: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:56: IPSECcard: an error coming back 10FF
01:19:56: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
0
here is my config for the 831:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RouterA
!
!
no ip subnet-zero
ip domain name test.abc
ip name-server 192.168.1.20
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint winCA
enrollment mode ra
enrollment url http://192.168.2.234:80/certsrv/mscep/mscep.dll
serial-number
crypto ca certificate chain winCA
certificate ca 6F4B59AA487E3DB346D2EAA82F2934DB nvram:ABCCA.cer
certificate 10191F6A00000000000A nvram:ABC.cer
certificate 10192E2000000000000B nvram:ABCCA#1.cer
!
crypto isakmp policy 10
encr 3des
group 2
crypto isakmp key geheim address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpn
key geheim
dns 192.168.1.20
!
!
crypto ipsec transform-set SICHER esp-3des esp-md5-hmac
!
crypto dynamic-map cisco 1
set transform-set SICHER
!
!
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
!
!
interface Ethernet0
ip address 12.0.0.1 255.0.0.0
no cdp enable
crypto map dyn-map
hold-queue 100 out
!
interface Ethernet1
ip address 192.168.1.33 255.255.255.0
no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
no ip http server
!
no cdp run
...
...
Thank you!
Christian
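To triage a "debug crypto isakmp" transcript like the one above in bulk, here is an added example (not from the original post or from Cisco) that parses the responder's log, records the proposal the peer sent, the last main-mode state reached and every crypto failure with the state and exchange it occurred in. It assumes the line formats shown in the post; the sample excerpt is constructed from them.

```python
import re

# Constructed excerpt in the format of the 831's "debug crypto isakmp" output above.
SAMPLE_LOG = """\
01:19:45: ISAKMP: encryption 3DES-CBC
01:19:45: ISAKMP: hash SHA
01:19:45: ISAKMP: default group 2
01:19:45: ISAKMP: auth RSA sig
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM1 New State = IKE_R_MM2
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM2 New State = IKE_R_MM3
01:19:46: ISAKMP (0:2): Old State = IKE_R_MM3 New State = IKE_R_MM4
01:19:46: ISAKMP (0:2): received packet from 12.0.0.5 dport 500 sport 500 (R) MM_KEY_EXCH
01:19:46: %HIFN79XX-3-CMD_ERR: Hifn 79XX command returned error: (0x10FF)
01:19:46: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
01:19:51: %CRYPTO-6-IKMP_CRYPT_FAILURE: IKE (connection id 2) unable to decrypt packet
"""

# Proposal attributes are logged without a connection id; state and packet lines carry one.
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type|life duration)\s+(.+)$")
STATE_RE = re.compile(r"ISAKMP \(\d+:\d+\): Old State = (\S+) New State = (\S+)")
PKT_RE = re.compile(r"ISAKMP \(\d+:\d+\): (?:received|sending) packet (?:from|to) (\S+).*\b((?:MM|QM)_\w+)")
FAIL_RE = re.compile(r"%(HIFN79XX-3-CMD_ERR|CRYPTO-6-IKMP_CRYPT_FAILURE)")

def triage(log: str) -> dict:
    """Summarise one IKE negotiation: peer proposal, last state, last exchange, failures."""
    s = {"proposal": {}, "last_state": None, "peer": None, "last_exchange": None, "failures": []}
    for line in log.splitlines():
        ts = line.split(": ", 1)[0]          # uptime timestamp at the start of each line
        if m := ATTR_RE.search(line):
            s["proposal"][m.group(1)] = m.group(2).strip()
        elif m := STATE_RE.search(line):
            s["last_state"] = m.group(2)
        elif m := PKT_RE.search(line):
            s["peer"], s["last_exchange"] = m.group(1), m.group(2)
        elif m := FAIL_RE.search(line):
            # Tag each failure with the state/exchange the SA was in when it happened.
            s["failures"].append((ts, m.group(1), s["last_state"], s["last_exchange"]))
    return s

def finding(s: dict) -> str:
    """One-line verdict: where main mode stalled and what the peer proposed."""
    if not s["failures"]:
        return "no IKE crypto failures logged"
    ts, msg, state, exch = s["failures"][0]
    return (f"{len(s['failures'])} failure(s) starting {ts} ({msg}) in state {state} "
            f"after {exch} from {s['peer']}; proposal auth={s['proposal'].get('auth')}")

if __name__ == "__main__":
    print(finding(triage(SAMPLE_LOG)))
```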
08-28-2003 05:00 AM
You have a problem with your IOS version. Support for the Cisco VPN Client needs the "Easy VPN Server" feature on the router, and this feature appears from version 12.3(2) on 831 routers.
You have two alternatives:
1. Use another VPN client that only uses IPsec
2. Upgrade your router IOS software to one of the following:
Basic:
IOS 12.3(2)T IP/FW 3DES --->Prod: S831CHK9-12302T
With more QoS features:
IOS 12.3(2)T IP/FW/PLUS 3DES --->Prod: S831CHPK9-12302T
Hope this helps,
chabral