VPN Windows xp client to Cisco 1711

Hi,

I'm trying to establish a VPN connection to a Cisco 1711 router running IOS 12.2 from a Windows XP VPN client. I configured the router with help of the Easy VPN Server wizard. Authentication of the client is done using a preshared key. The Windows VPN connection is configured using L2TP/IPSec. The IKE fails in phase 2.

I can successfully establish a raw IPSec tunnel between the XP machine and the Cisco using the Site-to-Site VPN in the Cisco SDM. But I'd like to establish a VPN connection to the router. I should mention that I'm a newbie with Cisco routers. I'm not even sure if I'm on the right track using Easy VPN Server in the Cisco SDM. Thanks for any hints.

Here is the SECURITY LOG of the client:

IKE security association negotiation failed. Mode: Data Protection Mode (Quick Mode)

Filter: Source IP Address 192.168.0.3 Source IP Address Mask 255.255.255.255 Destination IP Address 192.168.0.2 Destination IP Address Mask 255.255.255.255 Protocol 17 Source Port 1701 Destination Port 1701 IKE Local Addr 192.168.0.3 IKE Peer Addr 192.168.0.2

Peer Identity: Preshared key ID. Peer IP Address: 192.168.0.2

Failure Point: Me

Failure Reason: IKE SA deleted by peer before establishment completed

Extra Status:

0x0 0x0

--------------------- Here is the CISCO CONFIG --------------

!
version 12.2
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip tcp synwait-time 10
no ip domain lookup
ip domain name yourdomain.com
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
crypto isakmp key 0 mykey address 192.168.0.3 no-xauth
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VPN
 key 0 mykey
 pool SDM_POOL_1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan1
 description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.16.4.100 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.10.0 10.10.10.255
ip nat pool outgoing 192.168.0.100 192.168.0.105 netmask 255.255.255.0
ip nat inside source static 172.16.4.1 192.168.0.6
ip nat inside source static 172.16.4.51 192.168.0.5
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.16.4.0 0.0.0.255
access-list 1 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 172.16.4.1 eq 1645 host 172.16.4.100
access-list 100 permit udp host 172.16.4.1 eq 1646 host 172.16.4.100
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.0.3 any log
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp any host 192.168.0.2 eq non500-isakmp
access-list 101 permit udp any host 192.168.0.2 eq isakmp
access-list 101 permit esp any host 192.168.0.2
access-list 101 permit ahp any host 192.168.0.2
access-list 101 remark RDP to Internal
access-list 101 permit tcp host 192.168.0.3 host 172.16.4.51 eq 3390 log
access-list 101 deny ip 172.16.4.0 0.0.0.255 any
access-list 101 permit icmp any host 192.168.0.2 echo-reply
access-list 101 permit icmp any host 192.168.0.2 time-exceeded
access-list 101 permit icmp any host 192.168.0.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
radius-server authorization permit missing Service-Type
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line 1
 flush-at-activation
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end

Reply to
daniel

Daniel, you will need to connect to the router using the Cisco VPN Client; the current config which you have on the router does not have any config for L2TP over IPsec. If you need that then check the following link: http://cco/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a00800b5d72.html
You will need a CCO ID to open that link.

Reply to
rave
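To see why the Quick Mode proposal in the client's security log cannot match this router config, the following script (an added example, not code from the thread or from Cisco) parses the posted "Filter:" line and the crypto section of the posted config. It assumes two facts about the protocols: a Windows L2TP/IPsec client proposes transport-mode IPsec for UDP port 1701, and an IOS transform set defaults to tunnel mode unless `mode transport` is configured; the `vpdn enable` check is an assumed prerequisite for IOS to terminate L2TP at all.

```python
import re

# Constructed inputs: the Filter line from the XP security log and an excerpt
# of the crypto section of the router config, both as posted in the thread.
CLIENT_LOG = ("Filter: Source IP Address 192.168.0.3 Source IP Address Mask 255.255.255.255 "
              "Destination IP Address 192.168.0.2 Destination IP Address Mask 255.255.255.255 "
              "Protocol 17 Source Port 1701 Destination Port 1701 "
              "IKE Local Addr 192.168.0.3 IKE Peer Addr 192.168.0.2")

ROUTER_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 mykey address 192.168.0.3 no-xauth
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
"""

def parse_quick_mode_filter(line):
    """Extract the traffic selector the client proposed in IKE Quick Mode."""
    m = re.search(r"Protocol (\d+) Source Port (\d+) Destination Port (\d+)", line)
    proto, sport, dport = (int(x) for x in m.groups())
    # UDP/1701 on both ends is the L2TP control/data channel.
    return {"protocol": proto, "src_port": sport, "dst_port": dport,
            "l2tp": proto == 17 and dport == 1701}

def transform_set_modes(config):
    """Map each transform-set name to its IPsec mode (assumed default: tunnel)."""
    modes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto ipsec transform-set "):
            current = line.split()[3]
            modes[current] = "tunnel"          # no 'mode transport' seen yet
        elif current and line == "mode transport":
            modes[current] = "transport"
        elif not raw.startswith(" "):
            current = None                     # left the transform-set block
    return modes

def check_l2tp_readiness(log_line, config):
    """Findings a defender checks first: selector type, IPsec mode, L2TP termination."""
    sel = parse_quick_mode_filter(log_line)
    modes = transform_set_modes(config)
    return {
        "client_proposes_l2tp": sel["l2tp"],
        "transport_mode_sets": [n for n, m in modes.items() if m == "transport"],
        "vpdn_enabled": any(l.strip() == "vpdn enable" for l in config.splitlines()),
    }
```

For the posted config the result shows an L2TP proposal arriving at a router with only tunnel-mode transform sets and no L2TP termination, which matches rave's diagnosis that the Easy VPN config serves the Cisco VPN Client rather than L2TP/IPsec.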

The IOS version is 12.2(15)ZL. Sorry I didn't mention the exact version. I'm not sure if that changes anything. Thanks for your help.

Reply to
daniel
