Hello, I have a Cisco 2621 router, and I would like to use it for my office VPN access. I configured it with PPTP and it works with the default local user called "root". root is just the privileged Cisco 2600 user, and I only used it to test the VPN as well.
Now I wanted to do something more complicated: configure an IPsec VPN using the Cisco VPN client to connect to my c2621, but it does not work and I have failed to configure it.
The situation is this: my router has a public IP, 131.x.a.b, and when I am connected in VPN the public IP 131.z.a.c is assigned to me; this works with vpdn PPTP.
How do I do it with IPsec?
This is really not very well documented, and here I report the configuration, which apparently does not work. Could someone give me a good configuration for an IPsec VPN using the Cisco VPN client to connect to my router?
Here is the router config:
!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
username root password 7 0115020557040206
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnuser
 key xxxxxxx
 dns 131.x.y.z
 domain cnaf.infn.it
 pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
 set transform-set default-set
!
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 131.x.a.b 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool internalpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
!
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 5 15
!
end
And here is the DEBUG output:
1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnuser
        protocol     : 17
        port         : 500
        length       : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
... and it keeps logging that no ISAKMP transform matches the policy encryption ...
Any hints or suggestions?
Thanks
RJ45
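Added example (not part of the original post, and not a configuration the poster supplied): the IKE/IPsec-relevant part of the posted config with the three defects visible on this page corrected. The debug shows the Cisco VPN client proposing AES-CBC (256- and 128-bit, with SHA or MD5) for every transform it tries, while the only ISAKMP policy on the router is `encr 3des`, which is exactly why each one is rejected with "Encryption algorithm offered does not match policy!". Separately, the posted config never applies `crypto map mobile-map` to FastEthernet0/1, and it defines the `vpnuser` client group without the `isakmp authorization list` and `aaa authorization network` lines that IOS needs to hand that group out. Hostnames, addresses, group and map names are taken from the post; the choice of AES-256/SHA for policy 1 and `esp-aes` for the transform set is this example's own, and the PPTP, interface and routing parts of the running config are left unchanged.

```cisco
! Added example config: corrected IKE/IPsec section for the posted r1 config.
! Names and addresses come from the post; policy 1 and esp-aes are assumptions.
!
! 1. Match what the client actually proposes. Lower policy numbers are tried
!    first, so the AES policy is checked before the existing 3DES one, which is
!    kept as a fallback.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! 2. The client group (key, dns, domain, pool) is only looked up when the map
!    names an ISAKMP authorization list backed by an "aaa authorization
!    network" method. The post has the login list (vpnuser) but no network
!    authorization list at all.
aaa authorization network vpnuser local
!
crypto isakmp client configuration group vpnuser
 key xxxxxxx
 dns 131.x.y.z
 domain cnaf.infn.it
 pool internalpool
!
! Phase 2: AES here as well; the poster's esp-3des esp-sha-hmac also works
! with this client if the image lacks AES.
crypto ipsec transform-set default-set esp-aes esp-sha-hmac
!
crypto dynamic-map default-map 13
 set transform-set default-set
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map isakmp authorization list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
! 3. The map was defined but never bound to the public interface, so no IPsec
!    SA could be built on it even once phase 1 succeeds.
interface FastEthernet0/1
 ip address 131.x.a.b 255.255.255.0
 crypto map mobile-map
!
ip local pool internalpool 131.x.a.c
```

After applying this, `show crypto isakmp sa` should show the peer in QM_IDLE and `debug crypto isakmp` should report transform 1 (AES-CBC, SHA, group 2, XAUTHInitPreShared, keylength 256) as acceptable against policy 1 rather than walking through every proposal. Two caveats: if the 12.3 image on the 2621 rejects `encr aes` at the CLI, the AES policy cannot be used; the posted debug is cut off at transform 8, so it does not show whether the client later offers a 3DES proposal that policy 3 would accept. And because the pool address 131.x.a.c lies inside FastEthernet0/1's own /24, no `reverse-route` is needed for return traffic; move the pool to a separate subnet and you will need one. On the hardening side, the same `root` account is used for router login, PPTP and now XAUTH, and both it and the enable password are stored as reversible type 7 strings; a dedicated VPN username, `enable secret`, and a non-default SNMP community (or no SNMP at all on an Internet-facing router) would be the obvious follow-ups once the tunnel is up.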