IPSec VPN with c2600 router

Hello, I have a Cisco 2621 router, and I would like to use it for my office VPN access. I configured it with PPTP and it works with the default local user called "root". Root is just the privileged Cisco 2600 user and I just used it to test the VPN as well.

Now I wanted to do something more complicated: configure an IPsec VPN using the Cisco VPN client to connect to my c2621, but it does not work and I have failed to configure it.

The situation is this, my router has a public IP

131.x.a.b

and when I am connected to the VPN the public IP 131.z.a.c is assigned to me; this works with VPDN PPTP.

How do I do it with IPsec?

This is really not very well documented, and here I report the configuration which apparently does not work. Could someone give me a good configuration for an IPsec VPN using the Cisco VPN client to connect to my router?

Here is the router config:

!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
username root password 7 0115020557040206
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnuser
 key xxxxxxx
 dns 131.x.y.z
 domain cnaf.infn.it
 pool internalpool
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
 set transform-set default-set
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 131.x.a.b 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool internalpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 5 15
!
end

And here is the debug output:

1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnuser
        protocol     : 17
        port         : 500
        length       : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash MD5
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth XAUTHInitPreShared
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP:      encryption AES-CBC
1d12h: ISAKMP:      hash SHA
1d12h: ISAKMP:      default group 2
1d12h: ISAKMP:      auth pre-share
1d12h: ISAKMP:      life type in seconds
1d12h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP:      keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy

and it keeps logging that no ISAKMP transform matches the policy encryption...

Any hints or suggestions?

Thanks

RJ45


There are plenty of configuration examples on the Cisco web site that would have helped you get farther with this task.

Don't include passwords in your post. Type 7 passwords are easily decrypted with readily available utilities. Takes less than 1 sec. Most of us can tell you what your password is, if you need proof. Use the "enable secret" command instead of "enable password". The result is a type 5 password that is not so easily decrypted. Don't include those in your post either.

aaa authorization network vpnuser local

crypto isakmp client configuration address-pool local internalpool

reverse-route

crypto map mobile-map isakmp authorization list vpnuser

crypto map mobile-map

Assuming FastEthernet0/1 is the interface that will terminate the inbound IPSec tunnels.

I've listed what stands out the most, and excluded optional configuration commands. Other posters may find additional requirements I've overlooked.

Presumably your interface ACLs have been setup appropriately for ESP, ISAKMP, and potentially non500-ISAKMP.

Best Regards, News Reader


Use the "username secret" command instead of the "username password" command. See my prior note on the level of encryption, and the ease with which Type 7 passwords are decrypted.

Consider setting up a specific VPN username in the aaa local database, instead of a generic root user, particularly if that root password is used elsewhere in the organization.

username secret

You may also want to specify a privilege level (lower the better) for that user, in case they try logging into the router.

News Reader

Hello, thanks for your help. I wrote to the newsgroup because I could not find on the Cisco site any help about setting up an end-user VPN. There are plenty of IOS examples with site-to-site VPN, and the end-user VPN examples are only for ASA or PIX hardware and not with normal router hardware and IOS. I tried to apply your hints but still I have the same error and the VPN cannot be established with the Cisco VPN client. Any more hints? Thanks

4d19h: ISAKMP (0:0): received packet from 131.154.3.242 dport 500 sport 500 Global (N) NEW SA
4d19h: ISAKMP: Locking peer struct 0x82FEEB8C, IKE refcount 2 for Responding to new initiation
4d19h: ISAKMP: local port 500, remote port 500
4d19h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8314B168
4d19h: ISAKMP (0:2): processing SA payload. message ID = 0
4d19h: ISAKMP (0:2): processing ID payload. message ID = 0
4d19h: ISAKMP (0:2): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnuser
        protocol     : 17
        port         : 500
        length       : 15
4d19h: ISAKMP (0:2): peer matches *none* of the profiles
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
4d19h: ISAKMP (0:2): vendor ID is XAUTH
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is DPD
4d19h: ISAKMP (0:2): processing vendor id payload
4d19h: ISAKMP (0:2): vendor ID is Unity
4d19h: ISAKMP : Scanning profiles for xauth ...
4d19h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash SHA
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth XAUTHInitPreShared
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash MD5
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth XAUTHInitPreShared
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash SHA
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth pre-share
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash MD5
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth pre-share
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 256
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash SHA
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth XAUTHInitPreShared
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash MD5
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth XAUTHInitPreShared
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash SHA
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth pre-share
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
4d19h: ISAKMP:      encryption AES-CBC
4d19h: ISAKMP:      hash MD5
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth pre-share
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP:      keylength of 128
4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
4d19h: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
4d19h: ISAKMP:      encryption 3DES-CBC
4d19h: ISAKMP:      hash SHA
4d19h: ISAKMP:      default group 2
4d19h: ISAKMP:      auth XAUTHInitPreShared
4d19h: ISAKMP:      life type in seconds
4d19h: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4d19h: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not match policy!

RJ45

Search for these on the Cisco web site:

Configuring Cisco VPN Client and Cisco IOS Easy VPN Server

Configuring Cisco VPN Client and Easy VPN Server with Xauth

Configuring Cisco VPN Client and Easy VPN Server with Xauth and Split Tunneling

They might be a couple years old, but they should help.


Best Regards, News Reader


I posted what I think was a working config for this a while back: "combining site to site vpn & vpn client on 837".

Bod43


I've seen some examples for PPTP endpoint but most of the IPsec info I've come across for IOS is either site-to-site or passthrough. I think it might depend on the feature set you've got, too, which is not always easy to figure out even with assistance from their online tools. Here's that PPTP example I found if it helps at all:


-Gary


Define a pool that is not used on the internal network. You want the router to use the reverse-route injected into its routing table and go back out the interface to which the remote client is connecting.

Notice that the VPN Client is proposing policies (transform 1, 2, etc.) that are being compared to your ISAKMP priority 3 policy (configured on the router), and not finding a match that they can agree on.

I didn't mention this sooner because your ISAKMP policy seemed reasonable (encr 3des, authentication pre-share, group 2).

Presumably, you have only shown us a partial debug. You would want to verify whether the VPN Client is actually proposing policy that is an exact match with your ISAKMP priority 3 policy. I suspect it is, but it would be nice to verify this. Different VPN client versions are likely to support different transforms.

I once ran into such an issue and did not resolve it until I reviewed the supported parameters in the client user manual.

All of the proposals in the portion of the debug provided use AES, and there are other differences between proposals of course.

Best Regards, News Reader

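The Easy VPN server pieces of this thread, assembled into one configuration as an added example. This is not RJ45's running config and not text from News Reader: it keeps the original crypto isakmp, transform-set, dynamic-map and crypto map lines, adds the commands News Reader listed (aaa authorization network, address-pool, reverse-route, isakmp authorization list, crypto map applied to FastEthernet0/1), and follows the later advice to use a dedicated low-privilege VPN user with username secret, enable secret, and an address pool that does not overlap the internal network. The pool 10.200.0.10-10.200.0.50, the user name vpnuser1, and the REPLACE-WITH placeholders for secrets are assumptions; the PPTP/VPDN and unrelated interface lines are left out.

```ios
! Added example: IOS Easy VPN server for the Cisco VPN client (IKEv1 + Xauth)
! Assembled from the thread's suggestions; values marked REPLACE-WITH are placeholders.
!
aaa new-model
! Xauth user authentication and group authorization both use the local database
aaa authentication login vpnuser local
aaa authorization network vpnuser local
!
! Type 5 secrets instead of reversible type 7 passwords (News Reader's advice)
enable secret REPLACE-WITH-ENABLE-SECRET
! Dedicated VPN user (assumed name) with the lowest privilege, not the router's root user
username vpnuser1 privilege 0 secret REPLACE-WITH-USER-PASSWORD
!
! Phase 1 policy: 3DES, SHA (IOS default hash), pre-shared key, DH group 2
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Group the client identifies itself with (group id "vpnuser" in the debug)
crypto isakmp client configuration group vpnuser
 key REPLACE-WITH-GROUP-PRESHARED-KEY
 dns 131.x.y.z
 domain cnaf.infn.it
 pool internalpool
crypto isakmp client configuration address-pool local internalpool
!
! Phase 2 proposal
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
! Dynamic map for clients with unknown addresses; reverse-route injects a host
! route for each assigned pool address so return traffic leaves via this tunnel
crypto dynamic-map default-map 13
 set transform-set default-set
 reverse-route
!
! Xauth (client authentication), group authorization, and mode-config address push
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map isakmp authorization list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
! Assumed RFC 1918 pool that is not used on the inside network (not a public /24 address)
ip local pool internalpool 10.200.0.10 10.200.0.50
!
! The crypto map must be applied to the interface that terminates the tunnels
interface FastEthernet0/1
 ip address 131.x.a.b 255.255.255.0
 crypto map mobile-map
!
end
```

If an inbound access list is ever added to FastEthernet0/1, it has to permit udp/500 (ISAKMP), udp/4500 (NAT-T) and the ESP protocol from the clients, as News Reader presumed. After a client connects, `show crypto isakmp sa` should list the peer in state QM_IDLE and `show crypto ipsec sa` should show the pool address as the remote proxy; `debug crypto isakmp` gives the same per-transform comparison seen in the thread, so a policy mismatch shows up as "atts are not acceptable" before any Xauth step.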

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.