VPN Help

I have had a static VPN running now for about 2 years. I want to add a dynamic VPN using Cisco's VPN client. I have followed the examples and I cannot get it to connect. I have tried different transform sets, ACL and no ACL, every combination I can think of, and no luck. I'm sure I am missing something obvious. I will paste the config with its matching debug. The router is a 2811 running the following software:

(C2800NM-ADVIPSERVICESK9-M), Version 12.3(11)T3

Thanks for any help you could give.

!
aaa authentication login default local group radius
aaa authentication login userauthen local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network groupauthen local
aaa accounting network default start-stop group radius
aaa session-id common
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretkey address xxx.xxx.xxx.158 no-xauth
crypto isakmp key secretkey address xxx.xxx.xxx.56 no-xauth
crypto isakmp key secretkey address xxx.xxx.xxx.85 no-xauth
!
crypto isakmp client configuration group LSIGroup
 key secretkey
 dns xxx.xxx.xxx.13
 wins xxx.xxx.xxx.82
 pool lsipool
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set vpnset
!
!
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel Thru L3 to site A
 set peer xxx.xxx.xxx.158
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel Thru UUnet to site A
 set peer xxx.xxx.xxx.158
 set transform-set ESP-3DES-SHA2
 match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel Thru L3 to site B
 set peer xxx.xxx.xxx.85
 set transform-set ESP-3DES-SHA1
 match address 101
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel thru UUNet to site B
 set peer xxx.xxx.xxx.85
 set transform-set ESP-3DES-SHA3
 match address 103
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
!
!
access-list 100 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 102 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
!

Router debugs from Cisco VPN Client 4.0.5 (4.6 gave the same results):

Router#term mon
Router#deb crypto isakmp
Crypto ISAKMP debugging is on
Router#deb crypto ipsec
Crypto IPSEC debugging is on
Router#debug crypto eng
Crypto Engine debugging is on
Router#debug crypto ber
BER debug output debugging is on
Router#debug crypto verb
verbose debug output debugging is on
Router#
Mar 13 17:04:20.481: ISAKMP (0:0): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (N) NEW SA
Mar 13 17:04:20.481: ISAKMP: Created a peer struct for xxx.xxx.xxx.22, peer port 500
Mar 13 17:04:20.481: ISAKMP: Locking peer struct 0x44FC6538, IKE refcount 1 for crypto_isakmp_process_block
Mar 13 17:04:20.481: ISAKMP:(0:0:N/A:0):Setting client config settings 45D3D360
Mar 13 17:04:20.481: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list and state
Mar 13 17:04:20.481: ISAKMP/xauth: initializing AAA request
Mar 13 17:04:20.485: ISAKMP: local port 500, remote port 500
Mar 13 17:04:20.485: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 45CED0DC
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Mar 13 17:04:20.485: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : LSIGroup
        protocol     : 17
        port         : 500
        length       : 16
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): processing vendor id payload
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Mar 13 17:04:20.485: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
Mar 13 17:04:20.489: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.489: ISAKMP:      hash SHA
Mar 13 17:04:20.489: ISAKMP:      default group 2
Mar 13 17:04:20.489: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.489: ISAKMP:      life type in seconds
Mar 13 17:04:20.489: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.489: ISAKMP:      keylength of 256
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 1 policy
Mar 13 17:04:20.489: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.489: ISAKMP:      hash MD5
Mar 13 17:04:20.489: ISAKMP:      default group 2
Mar 13 17:04:20.489: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.489: ISAKMP:      life type in seconds
Mar 13 17:04:20.489: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.489: ISAKMP:      keylength of 256
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.489: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
Mar 13 17:04:20.493: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.493: ISAKMP:      hash SHA
Mar 13 17:04:20.493: ISAKMP:      default group 2
Mar 13 17:04:20.493: ISAKMP:      auth pre-share
Mar 13 17:04:20.493: ISAKMP:      life type in seconds
Mar 13 17:04:20.493: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.493: ISAKMP:      keylength of 256
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 1 policy
Mar 13 17:04:20.493: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.493: ISAKMP:      hash MD5
Mar 13 17:04:20.493: ISAKMP:      default group 2
Mar 13 17:04:20.493: ISAKMP:      auth pre-share
Mar 13 17:04:20.493: ISAKMP:      life type in seconds
Mar 13 17:04:20.493: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.493: ISAKMP:      keylength of 256
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.493: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
Mar 13 17:04:20.497: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.497: ISAKMP:      hash SHA
Mar 13 17:04:20.497: ISAKMP:      default group 2
Mar 13 17:04:20.497: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.497: ISAKMP:      life type in seconds
Mar 13 17:04:20.497: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.497: ISAKMP:      keylength of 128
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 1 policy
Mar 13 17:04:20.497: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.497: ISAKMP:      hash MD5
Mar 13 17:04:20.497: ISAKMP:      default group 2
Mar 13 17:04:20.497: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.497: ISAKMP:      life type in seconds
Mar 13 17:04:20.497: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.497: ISAKMP:      keylength of 128
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.497: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against priority 1 policy
Mar 13 17:04:20.501: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.501: ISAKMP:      hash SHA
Mar 13 17:04:20.501: ISAKMP:      default group 2
Mar 13 17:04:20.501: ISAKMP:      auth pre-share
Mar 13 17:04:20.501: ISAKMP:      life type in seconds
Mar 13 17:04:20.501: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.501: ISAKMP:      keylength of 128
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.501: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 1 policy
Mar 13 17:04:20.501: ISAKMP:      encryption AES-CBC
Mar 13 17:04:20.501: ISAKMP:      hash MD5
Mar 13 17:04:20.501: ISAKMP:      default group 2
Mar 13 17:04:20.501: ISAKMP:      auth pre-share
Mar 13 17:04:20.505: ISAKMP:      life type in seconds
Mar 13 17:04:20.505: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.505: ISAKMP:      keylength of 128
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
Mar 13 17:04:20.505: ISAKMP:      encryption 3DES-CBC
Mar 13 17:04:20.505: ISAKMP:      hash SHA
Mar 13 17:04:20.505: ISAKMP:      default group 2
Mar 13 17:04:20.505: ISAKMP:      auth XAUTHInitPreShared
Mar 13 17:04:20.505: ISAKMP:      life type in seconds
Mar 13 17:04:20.505: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar 13 17:04:20.505: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
Mar 13 17:04:20.509: CryptoEngine0: generating alg parameter for connid 22
Mar 13 17:04:20.545: CRYPTO_ENGINE: Dh phase 1 status: 0
Mar 13 17:04:20.545: CRYPTO_ENGINE: Dh phase 1 status: OK
Mar 13 17:04:20.545: ISAKMP:(0:22:SW:1): processing KE payload. message ID = 0
Mar 13 17:04:20.545: CryptoEngine0: generating alg parameter for connid 0
Mar 13 17:04:20.593: ISAKMP:(0:22:SW:1): processing NONCE payload. message ID = 0
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1): vendor ID is NAT-T v2
Mar 13 17:04:20.597: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:20.597: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY

Mar 13 17:04:20.597: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xxx.xxx.xxx.22
Mar 13 17:04:25.513: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:25.513: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:25.513: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY

Mar 13 17:04:30.681: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:30.685: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:30.685: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY

Mar 13 17:04:35.797: ISAKMP (0:134217750): received packet from xxx.xxx.xxx.22 dport 500 sport 500 Global (R) AG_NO_STATE
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1): processing SA payload. message ID = 0
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1): already processed SA payload!
Mar 13 17:04:35.797: ISAKMP (0:134217750): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Mar 13 17:04:35.797: ISAKMP:(0:22:SW:1):Old State = IKE_READY  New State = IKE_READY

Gordon Montgomery Living Scriptures, Inc snipped-for-privacy@lsi.com (anti spam - replace lsi with livingscriptures) (801) 627-2000

Reply to
Gordon Montgomery

Well, 2 minutes after posting I found this error, but it still does not connect. The debug seems to get further now, so maybe I've got another error I can't see.

Thanks,

Reply to
Gordon Montgomery

You might want to take a look at IPsec profiles:

Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients

Reply to
Merv

Thanks, that looks a lot like the example from Cisco that I was following. I finally got it to work. Other than the typo I found, I had also tried to carve out a pool of 20 addresses from the target's /24. I finally found a reference saying that the pool really needs its own subnet. I did that and I could access the target subnet.

Now, I have noticed some oddities that I'm thinking are just the nature of the beast. For example, my router is the VPN server. I have noticed that when connected through the VPN, I cannot telnet, ssh or otherwise contact the router. Disconnect the VPN and I can ssh into it just fine. (Telnet is blocked from the outside.) Also, I have a static VPN to another site from the main site. It has a 10.0.1.0/24 subnet. I assigned 10.0.63.0/24 to the pool used for the dynamic VPN I just created. When connected with the Cisco client, I cannot ping or contact the 10.0.1.0/24 at all. Shouldn't I be able to contact the subnets attached to the same router? Or is that just the nature of VPNs? Anyway, thanks for the input.

Gordon

Reply to
Gordon Montgomery
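Both problems Gordon ran into (a crypto map pointing at an AAA list name that was never defined, and a client pool carved out of a subnet already protected by a static crypto ACL) can be caught before the debug session. The checker below is an added example written for this thread, not Cisco's tooling or anything from the original posts; it works on a constructed config fragment that mirrors the posted one, and the `ip local pool` line is a hypothetical one the post never showed.

```python
import ipaddress
import re

# Constructed sample, not the poster's full config: the relevant commands from
# the post plus a hypothetical 'ip local pool' line (the post does not show it)
# carved out of the site A /24 protected by crypto ACL 100 (RFC 5737 addresses).
SAMPLE_CONFIG = """
aaa authentication login userauthen local
aaa authorization network groupauthen local
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic dynmap
access-list 100 permit ip 192.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip local pool lsipool 10.0.1.200 10.0.1.219
"""

def _caps(lines, pattern):
    """Capture groups of PATTERN for every config line it matches."""
    return [m.groups() for m in map(re.compile(pattern).match, lines) if m]

def lint_ezvpn(config):
    """Return (code, detail) findings for an IOS crypto-map remote-access VPN."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Every list or transform-set name a crypto map points at must be
    #    defined; IOS accepts a dangling name and IKE simply fails later.
    checks = {
        "undefined-login-list": (r"aaa authentication login (\S+)", r"crypto map \S+ client authentication list (\S+)"),
        "undefined-authz-list": (r"aaa authorization network (\S+)", r"crypto map \S+ isakmp authorization list (\S+)"),
        "undefined-transform-set": (r"crypto ipsec transform-set (\S+)", r"set transform-set (\S+)"),
    }
    for code, (def_re, ref_re) in checks.items():
        defined = {n for (n,) in _caps(lines, def_re)}
        for (name,) in _caps(lines, ref_re):
            if name not in defined:
                findings.append((code, name))
    # 2. The client pool must not fall inside a network a static crypto ACL
    #    already protects, or that traffic is claimed by the wrong SA.
    used_acls = {a for (a,) in _caps(lines, r"match address (\d+)")}
    for pool, first, last in _caps(lines, r"ip local pool (\S+) (\S+) (\S+)"):
        for acl, dst, wild in _caps(lines, r"access-list (\d+) permit ip \S+ \S+ (\S+) (\S+)"):
            net = ipaddress.ip_network(f"{dst}/{wild}", strict=False)  # wildcard mask form
            if acl in used_acls and any(ipaddress.ip_address(a) in net for a in (first, last)):
                findings.append(("pool-inside-crypto-acl", f"{pool} overlaps {net} (acl {acl})"))
    return findings
```

On the sample it reports `groupauthor` as an undefined authorization list and `lsipool` as overlapping 10.0.1.0/24; fixing the name to `groupauthen` and moving the pool to its own subnet clears both.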

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.