Cisco VPN Client to Router cannot access VPN network

Asked by frankmcc in IPSec Security Protocol, Virtual Private Networking (VPN), Network Routers

Tags: cisco, vpn, client, access, router

I am in the process of configuring a Cisco 1720 Router to be a VPN server for the Cisco VPN Client software.  We intend on using it for our mobile users alone.  

I have been able to get the VPN running.  The client authenticates through the router to a RADIUS server and phase 2 completes.  That's where things go wrong.

The client is unable to access anything on the VPN network, nor can it access the internet.  I suspect I need to do something in the ACL 110, but I'm not sure what.

Here is the output of the Client LOG:

Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      10:41:49.000  12/28/07  Sev=Warning/3      IKE/0xE3000085
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

2      10:41:51.093  12/28/07  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.254.255
      Netmask      255.255.255.255
      Gateway      172.17.0.1
      Interface      172.17.2.36

3      10:41:51.093  12/28/07  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: c0a8feff, Netmask: ffffffff, Interface: ac110224, Gateway: ac110001.

Debugs on the router have not provided much more information.  But here is the log output anyway (The time on the router is incorrect, I will fix that later):

Log Buffer (16000 bytes):
*Mar  2 23:54:59.720: ISAKMP (0:10): Checking IPSec proposal 9
*Mar  2 23:54:59.724: ISAKMP: transform 1, ESP_3DES
*Mar  2 23:54:59.724: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.724: ISAKMP:      authenticator is HMAC-MD5
*Mar  2 23:54:59.724: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.724: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.724: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.724: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.724: ISAKMP (0:10): Checking IPSec proposal 9
*Mar  2 23:54:59.724: ISAKMP (0:10): transform 1, IPPCP LZS
*Mar  2 23:54:59.728: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.728: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.728: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.728: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.728: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.728: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.732: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.732: IPSEC(kei_proxy): head = clientmap, map->ivrf = , kei->ivrf =
*Mar  2 23:54:59.732: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac comp-lzs }
*Mar  2 23:54:59.732: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.736: ISAKMP (0:10): Checking IPSec proposal 10
*Mar  2 23:54:59.736: ISAKMP: transform 1, ESP_3DES
*Mar  2 23:54:59.736: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.736: ISAKMP:      authenticator is HMAC-SHA
*Mar  2 23:54:59.736: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.736: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.736: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.736: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.740: ISAKMP (0:10): Checking IPSec proposal 10
*Mar  2 23:54:59.740: ISAKMP (0:10): transform 1, IPPCP LZS
*Mar  2 23:54:59.740: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.740: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.740: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.740: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.740: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.740: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.744: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.744: IPSEC(kei_proxy): head = clientmap, map->ivrf = , kei->ivrf =
*Mar  2 23:54:59.744: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac comp-lzs }
*Mar  2 23:54:59.748: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.748: ISAKMP (0:10): Checking IPSec proposal 11
*Mar  2 23:54:59.748: ISAKMP: transform 1, ESP_3DES
*Mar  2 23:54:59.748: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.748: ISAKMP:      authenticator is HMAC-MD5
*Mar  2 23:54:59.748: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.748: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.748: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.752: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.752: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.752: IPSEC(kei_proxy): head = clientmap, map->ivrf = , kei->ivrf =
*Mar  2 23:54:59.752: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
*Mar  2 23:54:59.756: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.756: ISAKMP (0:10): Checking IPSec proposal 12
*Mar  2 23:54:59.756: ISAKMP: transform 1, ESP_3DES
*Mar  2 23:54:59.756: ISAKMP:   attributes in transform:
*Mar  2 23:54:59.756: ISAKMP:      authenticator is HMAC-SHA
*Mar  2 23:54:59.756: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar  2 23:54:59.756: ISAKMP:      SA life type in seconds
*Mar  2 23:54:59.756: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  2 23:54:59.756: ISAKMP (0:10): atts are acceptable.
*Mar  2 23:54:59.760: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400
*Mar  2 23:54:59.760: IPSEC(kei_proxy): head = clientmap, map->ivrf = , kei->ivrf =
*Mar  2 23:54:59.760: ISAKMP (0:10): processing NONCE payload. message ID = 914356287
*Mar  2 23:54:59.764: ISAKMP (0:10): processing ID payload. message ID = 914356287
*Mar  2 23:54:59.764: ISAKMP (0:10): processing ID payload. message ID = 914356287
*Mar  2 23:54:59.764: ISAKMP (0:10): asking for 1 spis from ipsec
*Mar  2 23:54:59.764: ISAKMP (0:10): Node 914356287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  2 23:54:59.764: ISAKMP (0:10): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Mar  2 23:54:59.764: IPSEC(key_engine): got a queue event...
*Mar  2 23:54:59.768: IPSEC(spi_response): getting spi 2473336454 for SA
        from 162.40.32.9     to 162.40.32.22    for prot 3
*Mar  2 23:54:59.768: ISAKMP: received ke message (2/1)
*Mar  2 23:55:00.224: ISAKMP: Locking peer struct 0x82212B5C, IPSEC refcount 1 for for stuff_ke
*Mar  2 23:55:00.224: ISAKMP (0:10): Creating IPSec SAs
*Mar  2 23:55:00.224:         inbound SA from 162.40.32.22 to 162.40.32.9 (f/i)  0/ 0
        (proxy 172.17.2.36 to 0.0.0.0)
*Mar  2 23:55:00.228:         has spi 0x936C1E86 and conn_id 2000 and flags 400
*Mar  2 23:55:00.228:         lifetime of 2147483 seconds
*Mar  2 23:55:00.228:         has client flags 0x10
*Mar  2 23:55:00.228:         outbound SA from 162.40.32.9     to 162.40.32.22    (f/i)  0/ 0 (proxy 0.0.0.0         to 172.17.2.36    )
*Mar  2 23:55:00.228:         has spi 605580969 and conn_id 2001 and flags 408
*Mar  2 23:55:00.228:         lifetime of 2147483 seconds
*Mar  2 23:55:00.228:         has client flags 0x10
*Mar  2 23:55:00.232: ISAKMP (0:10): sending packet to 162.40.32.22 my_port 4500 peer_port 2026 (R) QM_IDLE      
*Mar  2 23:55:00.232: ISAKMP (0:10): Node 914356287, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar  2 23:55:00.232: ISAKMP (0:10): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Mar  2 23:55:00.236: IPSEC(key_engine): got a queue event...
*Mar  2 23:55:00.236: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
    lifedur= 2147483s and 0kb,
    spi= 0x936C1E86(2473336454), conn_id= 2000, keysize= 0, flags= 0x400
*Mar  2 23:55:00.236: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
    lifedur= 2147483s and 0kb,
    spi= 0x24186EA9(605580969), conn_id= 2001, keysize= 0, flags= 0x408
*Mar  2 23:55:00.240: IPSEC(kei_proxy): head = clientmap, map->ivrf = , kei->ivrf =
*Mar  2 23:55:00.240: IPSEC(add mtree): src 0.0.0.0, dest 172.17.2.36, dest_port 0

*Mar  2 23:55:00.240: IPSEC(create_sa): sa created,
  (sa) sa_dest= 162.40.32.9, sa_prot= 50,
    sa_spi= 0x936C1E86(2473336454),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  2 23:55:00.244: IPSEC(create_sa): sa created,
  (sa) sa_dest= 162.40.32.22, sa_prot= 50,
    sa_spi= 0x24186EA9(605580969),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
*Mar  2 23:55:00.248: ISAKMP (0:10): received packet from 162.40.32.22 dport 4500 sport 2026 Global (R) QM_IDLE      
*Mar  2 23:55:00.248: ISAKMP (0:10): deleting node 914356287 error FALSE reason "quick mode done (await)"
*Mar  2 23:55:00.248: ISAKMP (0:10): Node 914356287, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  2 23:55:00.252: ISAKMP (0:10): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Mar  2 23:55:00.252: IPSEC(key_engine): got a queue event...
*Mar  2 23:55:00.252: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar  2 23:55:00.252: IPSEC(key_engine_enable_outbound): enable SA with spi 605580969/50 for 162.40.32.22
*Mar  2 23:55:09.572: ISAKMP (0:10): received packet from 162.40.32.22 dport 4500 sport 2026 Global (R) QM_IDLE      
*Mar  2 23:55:09.572: ISAKMP: set new node 314993000 to QM_IDLE      
*Mar  2 23:55:09.576: ISAKMP (0:10): processing HASH payload. message ID = 314993000
*Mar  2 23:55:09.576: ISAKMP (0:10): processing NOTIFY R_U_THERE protocol 1
        spi 0, message ID = 314993000, sa = 822B807C
*Mar  2 23:55:09.576: ISAKMP (0:10): deleting node 314993000 error FALSE reason "informational (in) state 1"
*Mar  2 23:55:09.576: ISAKMP (0:10): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  2 23:55:09.576: ISAKMP (0:10): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  2 23:55:09.576: ISAKMP (0:10): DPD/R_U_THERE received from peer 162.40.32.22, sequence 0x4ED0CD79
*Mar  2 23:55:09.580: ISAKMP: set new node 1231782143 to QM_IDLE      
*Mar  2 23:55:09.580: ISAKMP (0:10): Sending NOTIFY R_U_THERE_ACK protocol 1
         spi 2179399104, message ID = 1231782143 seq. no 0x4ED0CD79
*Mar  2 23:55:09.580: ISAKMP (0:10): sending packet to 162.40.32.22 my_port 4500 peer_port 2026 (R) QM_IDLE      
*Mar  2 23:55:09.584: ISAKMP (0:10): purging node 1231782143
*Mar  2 23:55:09.584: ISAKMP (0:10): Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Mar  2 23:55:09.584: ISAKMP (0:10): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  2 23:55:15.412: ISAKMP (0:10): received packet from 162.40.32.22 dport 4500 sport 2026 Global (R) QM_IDLE      
*Mar  2 23:55:15.412: ISAKMP: set new node -1817182271 to QM_IDLE      
*Mar  2 23:55:15.416: ISAKMP (0:10): processing HASH payload. message ID = -1817182271
*Mar  2 23:55:15.416: ISAKMP (0:10): processing DELETE payload. message ID = -1817182271
*Mar  2 23:55:15.416: ISAKMP (0:10): peer does not do paranoid keepalives.

*Mar  2 23:55:15.416: ISAKMP (0:10): peer does not do paranoid keepalives.

*Mar  2 23:55:15.416: ISAKMP (0:10): deleting node -1817182271 error FALSE reason "informational (in) state 1"
*Mar  2 23:55:15.416: ISAKMP (0:10): received packet from 162.40.32.22 dport 4500 sport 2026 Global (R) QM_IDLE      
*Mar  2 23:55:15.420: ISAKMP: set new node 1044263402 to QM_IDLE      
*Mar  2 23:55:15.420: ISAKMP (0:10): processing HASH payload. message ID = 1044263402
*Mar  2 23:55:15.424: ISAKMP:received payload type 18
*Mar  2 23:55:15.424: ISAKMP (0:10): processing DELETE_WITH_REASON payload, message ID = 1044263402, reason: DELETE_BY_USER_COMMAND
*Mar  2 23:55:15.424: ISAKMP (0:10): peer does not do paranoid keepalives.

*Mar  2 23:55:15.424: ISAKMP (0:10): deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 162.40.32.22) input queue 0
*Mar  2 23:55:15.424: ISAKMP (0:10): deleting node 1044263402 error FALSE reason "informational (in) state 1"
*Mar  2 23:55:15.424: IPSEC(key_engine): got a queue event...
*Mar  2 23:55:15.424: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 23:55:15.428: IPSEC(key_engine_delete_sas): delete SA with spi 605580969/50 for 162.40.32.22
*Mar  2 23:55:15.428: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 162.40.32.9, sa_prot= 50,
    sa_spi= 0x936C1E86(2473336454),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  2 23:55:15.428: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 162.40.32.22, sa_prot= 50,
    sa_spi= 0x24186EA9(605580969),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001,
  (identity) local= 162.40.32.9, remote= 162.40.32.22,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 172.17.2.36/255.255.255.255/0/0 (type=1)
*Mar  2 23:55:15.432: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 162.40.32.22, sa_prot= 50,
    sa_spi= 0x24186EA9(605580969),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
*Mar  2 23:55:15.432: ISAKMP: Unlocking IPSEC struct 0x82212B5C from delete_siblings, count 0
*Mar  2 23:55:15.432: IPSEC(key_engine): got a queue event...
*Mar  2 23:55:15.432: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  2 23:55:15.436: ISAKMP (0:10): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  2 23:55:15.436: ISAKMP (0:10): Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  2 23:55:15.436: ISAKMP (0:10): deleting SA reason "" state (R) QM_IDLE       (peer 162.40.32.22) input queue 0
*Mar  2 23:55:15.436: ISAKMP (0:10): returning address 172.17.2.36 to pool
*Mar  2 23:55:15.440: ISAKMP: Unlocking IKE struct 0x82212B5C for isadb_mark_sa_deleted(), count 0
*Mar  2 23:55:15.440: ISAKMP: returning address 172.17.2.36 to pool
*Mar  2 23:55:15.440: ISAKMP: Deleting peer node by peer_reap for 162.40.32.22: 82212B5C
*Mar  2 23:55:15.440: ISAKMP (0:10): deleting node -1720911968 error FALSE reason ""
*Mar  2 23:55:15.440: ISAKMP (0:10): deleting node 327213268 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): deleting node -1086291021 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): deleting node 914356287 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): deleting node 314993000 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): deleting node -1817182271 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): deleting node 1044263402 error FALSE reason ""
*Mar  2 23:55:15.444: ISAKMP (0:10): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  2 23:55:15.444: ISAKMP (0:10): Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  2 23:56:05.440: ISAKMP (0:10): purging node -1720911968
*Mar  2 23:56:05.444: ISAKMP (0:10): purging node 327213268
*Mar  2 23:56:05.444: ISAKMP (0:10): purging node -1086291021
*Mar  2 23:56:05.444: ISAKMP (0:10): purging node 914356287
*Mar  2 23:56:05.444: ISAKMP (0:10): purging node 314993000
*Mar  2 23:56:05.444: ISAKMP (0:10): purging node -1817182271
*Mar  2 23:56:05.448: ISAKMP (0:10): purging node 1044263402
*Mar  2 23:56:15.444: ISAKMP (0:10): purging SA., sa=822B807C, delme=822B807C

I hope that is enough info.  I've lost a lot of hair over "EZVPN"
Current configuration : 4775 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HCRT2
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
no logging console guaranteed
no logging console
enable secret 5 <REMOVED>
enable password <REMOVED>
!
memory-size iomem 25
clock timezone PCTime -5
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local 
aaa session-id common
ip subnet-zero
!
!
ip domain name hollandcomputers.net
ip name-server 172.17.2.3
ip name-server 172.17.2.5
ip name-server 162.40.32.104
ip name-server 162.40.32.105
!
ip cef
ip audit po max-events 100
!
!
username administrator password 0 <REMOVED>
username VPN password 0 hcvpn5
!
!         
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group HCVPN
 key <REMOVED> <------------------ IT'S NOT "cisco" AS SOME DOCUMENTATION READS --<
 dns 172.17.2.5 172.17.2.3
 wins 172.17.2.5 172.17.2.3
 domain hollandcomputers.net
 pool vpnpool
!
!
crypto ipsec transform-set HCset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set HCset 
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
!
interface Ethernet0
 ip address 172.17.2.251 255.255.255.0
 ip nat inside
 half-duplex
!
interface FastEthernet0
 ip address 162.40.32.9 255.255.252.0
 ip nat outside
 speed auto
 crypto map clientmap
!
router eigrp 1
 auto-summary
!
ip local pool vpnpool 172.17.2.30 172.17.2.39
ip nat inside source route-map nonat interface FastEthernet0 overload
 
<IRRELEVANT NAT ENTRIES REMOVED>
 
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
no ip http server
no ip http secure-server
!
!
!
ip access-list extended Outbound
 permit icmp any any
 permit ip any any
logging history size 500
logging history emergencies
logging trap debugging
logging 172.17.2.164
logging 162.40.32.122
access-list 110 permit ip 172.17.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!         
snmp-server community <REMOVED> RW
snmp-server community <REMOVED> RO
snmp-server enable traps tty
radius-server host 172.17.2.5 auth-port 1645 acct-port 1646 key <REMOVED>
!
line con 0
 password <REMOVED>
line aux 0
line vty 0 4
 password <REMOVED>
!
end
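
Added example, not part of the original post: a Python parser for the Quick Mode portion of the router debug above that reports which IPsec proposals the router rejected and which it accepted, compared against the posted transform-set HCset. The sample lines are excerpted from the log in the question (attribute lines omitted); the function and variable names are this example's own.

```python
import re

# From the posted config: crypto ipsec transform-set HCset esp-3des esp-sha-hmac
HCSET = frozenset({"esp-3des", "esp-sha-hmac"})

# Lines excerpted from the router debug on this page (attribute lines omitted).
SAMPLE_LOG = """\
*Mar  2 23:54:59.720: ISAKMP (0:10): Checking IPSec proposal 9
*Mar  2 23:54:59.728: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),
*Mar  2 23:54:59.732: IPSEC(validate_proposal_request): proposal part #2,
    protocol= PCP, transform= comp-lzs  (Tunnel-UDP),
*Mar  2 23:54:59.732: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.736: ISAKMP (0:10): Checking IPSec proposal 10
*Mar  2 23:54:59.740: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
*Mar  2 23:54:59.744: IPSEC(validate_proposal_request): proposal part #2,
    protocol= PCP, transform= comp-lzs  (Tunnel-UDP),
*Mar  2 23:54:59.748: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.748: ISAKMP (0:10): Checking IPSec proposal 11
*Mar  2 23:54:59.752: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel-UDP),
*Mar  2 23:54:59.756: ISAKMP (0:10): IPSec policy invalidated proposal
*Mar  2 23:54:59.756: ISAKMP (0:10): Checking IPSec proposal 12
*Mar  2 23:54:59.760: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel-UDP),
*Mar  2 23:55:00.240: IPSEC(create_sa): sa created,
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
*Mar  2 23:55:15.428: IPSEC(delete_sa): deleting SA,
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
"""

CHECK = re.compile(r"Checking IPSec proposal (\d+)")
OFFER = re.compile(r"\btransform= (.+?)\s+\(")
SA_TRANS = re.compile(r"sa_trans= (.+?)\s*,")


def summarize(log):
    """Return ([(proposal, offered transforms, verdict)], installed transforms)."""
    offered, rejected, order = {}, set(), []
    installed, current, event = set(), None, ""
    for line in log.splitlines():
        if line.startswith("*"):
            event = line  # indented continuation lines belong to this event
        m = CHECK.search(line)
        if m:  # a proposal number repeats once per part (ESP, then PCP)
            current = int(m.group(1))
            if current not in offered:
                offered[current] = []
                order.append(current)
        m = OFFER.search(line)
        if m and current is not None:
            for t in m.group(1).split():
                if t not in offered[current]:
                    offered[current].append(t)
        if "IPSec policy invalidated proposal" in line and current is not None:
            rejected.add(current)
        m = SA_TRANS.search(line)
        if m and "IPSEC(create_sa)" in event:  # ignore delete_sa entries
            installed.update(m.group(1).split())
    rows = [(n, tuple(offered[n]), "rejected" if n in rejected else "accepted")
            for n in order]
    return rows, frozenset(installed)


def consistent_with(rows, configured):
    """True if exactly the proposals equal to the configured set were accepted."""
    return all((set(t) == configured) == (v == "accepted") for _, t, v in rows)


if __name__ == "__main__":
    rows, installed = summarize(SAMPLE_LOG)
    for number, transforms, verdict in rows:
        print(number, " ".join(transforms), verdict)
    print("installed:", " ".join(sorted(installed)))
```

On the posted log only proposal 12 equals HCset, and it is the one the SAs are created with, which agrees with the asker's statement that phase 2 completes.
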
12/28/07 10:51 AM, ID: 20544026, Accepted Solution
Solution Provided By: poweruser32
Participating Experts: 1
Solution Grade: B