caplinktech
asked on
Cisco VPN Configuration Troubles
Hi,
I'm new to setting up VPNs on Cisco boxes. I'm currently using a 1760 router and despite reading much was said here about how this could overload the router etc, I have been monitoring CPU utilization over the past week and it never goes above 20% on average, so I don't feel adding a VPN config for 1 user is going to cause any trouble. With that said, I followed a configuration example from Cisco's web site on using local authentication with the Cisco VPN client and IPSec and for some reason the connection doesn't get established. When trying to connect, the vpn client authenticates fine and then it gets to the step Securing Communications and it just stays there forever. At first I thought it had something to do with the simple netgear firewal that was used from the location I attempted to VPN from, however I connected a laptop into a switch in front of the router and tried to establish a VPN from there and it authenticated fine just like before, however again it hung on Securing Communications so I'm guessing there is something wrong with my config.
My config is below and commented. any help would be appreciated. IOS version is 12.3(2) XC, only version I can use as I'm using the new 4 Port Fast Ethernet WIC.
Current configuration : 5239 bytes
!
! Last configuration change at 13:27:31 EST Tue Nov 25 2003 by Y
! NVRAM config last updated at 13:23:31 EST Tue Nov 25 2003 by Y
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname dicecca
!
boot system flash flash:c1700-k9o3sy7-mz.123
enable secret 5 X
enable password 7 X
***Username and Password assigned to login, used for the authentication of VPN user
!
username X password 7 X
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
***Setting IPSec Group Name and Key. I know DNS and WINS and Domain information can/should be
***added here, however, as the domain controller is being migrated to Windows 2003 I left this
***information out. I didn't think it was necessary to establish the tunnel although I realize that it would
***cause access troubles later on.
!
crypto isakmp client configuration group Y
key 0 X
pool vpn-natpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
***Gave outside interface a secondary ip address as the primary interface ip is used for NAT (or PAT
***depending on how you consider it) and read about some problems with NAT and VPN. Initially this
***interface was set to full-duplex however Cisco example config showed the outside at half-duplex so I
***changed it thinking that was the problem. No Luck unfortunately, is there a benefit of Half duplex over
***full duplex?
!
interface Ethernet0/0
description Connected to Cisco 1721 router
ip address X.Y.Z.235 255.255.255.192 secondary
ip address X.Y.Z.194 255.255.255.192
ip access-group inbound in
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0/0
description Connected Internal Network
ip address X.Y.Z.1 255.255.0.0
ip nat inside
speed auto
!
interface FastEthernet1/1
no ip address
!
interface FastEthernet1/2
no ip address
!
interface FastEthernet1/3
no ip address
!
interface FastEthernet1/4
no ip address
!
interface Vlan1
no ip address
!
ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
ip nat inside source list 101 interface Ethernet0/0 overload
***Static Translations for Remote Desktop
ip nat inside source static tcp X.Y.ZZ.1 3390 interface Ethernet0/0 3390
ip nat inside source static tcp X.Y.ZZ.2 3389 interface Ethernet0/0 3389
***Static NAT Translations for Servers
ip nat inside source static X.Y.Z.195 X.Y.Z.195
ip nat inside source static X.Y.Z.196 X.Y.Z.196
ip nat inside source static X.Y.Z.197 X.Y.Z.197
ip nat inside source static X.Y.Z.198 X.Y.Z.198
ip nat inside source static X.Y.Z.199 X.Y.Z.199
ip nat inside source static X.Y.Z.200 X.Y.Z.200
ip nat inside source static X.Y.Z.201 X.Y.Z.201
ip nat inside source static X.Y.Z.202 X.Y.Z.202
ip nat inside source static X.Y.Z.203 X.Y.Z.203
ip nat inside source static X.Y.Z.204 X.Y.Z.204
ip nat inside source static X.Y.Z.205 X.Y.Z.205
ip nat inside source static X.Y.Z.206 X.Y.Z.206
ip nat inside source static X.Y.Z.207 X.Y.Z.207
ip nat inside source static X.Y.Z.208 X.Y.Z.208
ip nat inside source static X.Y.Z.215 X.Y.Z.215
ip nat inside source static X.Y.Z.216 X.Y.Z.216
ip nat inside source static X.Y.Z.217 X.Y.Z.217
ip nat inside source static X.Y.Z.218 X.Y.Z.218
ip nat inside source static X.Y.Z.219 X.Y.Z.219
ip nat inside source static tcp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static udp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static tcp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip nat inside source static udp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 X.Y.Z.193
no ip http server
no ip http secure-server
!
!
!
ip access-list extended inbound
permit tcp any any established
permit tcp any X.Y.Z.192 0.0.0.63 eq www
permit tcp any host X.Y.Z.254 eq 1433
***Added all these permit commands thinking it had something to do with the access list stopping a
***necessary protocol for the VPN connection, I realize that some of these are actually redundant.
***Unfortunately, it still didn't help.
permit ip any host X.Y.Z.235
permit ahp any host X.Y.Z.235
permit udp any host X.Y.Z.235
permit esp any host X.Y.Z.235
permit ipinip any host X.Y.Z.235
permit pcp any host X.Y.Z.235
permit tcp any host X.Y.Z.235
permit gre any host X.Y.Z.235
***Permit statements for server services
permit tcp any host X.Y.Z.254 eq 1434
permit udp any host X.Y.Z.254 eq 1434
permit udp any host X.Y.Z.254 eq 1433
permit tcp any X.Y.Z.192 0.0.0.63 eq 443
permit tcp any X.Y.Z.192 0.0.0.63 eq smtp
permit tcp any X.Y.Z.192 0.0.0.63 eq pop3
permit tcp any X.Y.Z.192 0.0.0.63 eq 22
permit tcp any X.Y.Z.192 0.0.0.63 eq ftp
permit tcp any X.Y.Z.192 0.0.0.63 eq ftp-data
permit tcp any X.Y.Z.192 0.0.0.63 eq domain
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
permit tcp any host X.Y.Z.194 eq 3389
permit tcp any host X.Y.Z.194 eq 3390
***Allow all internal traffic
permit ip X.Y.Z.0 0.0.255.255 any
***Deny everything else
deny ip any any log
***These 2 were added automatically where the IOS was updated to
***3DES IOS no clue why they are here
ip access-list extended key-exchange
ip access-list extended protocol
access-list 101 deny ip X.Y.Z.192 0.0.0.63 any
access-list 101 permit ip X.Y.Z.0 0.0.255.255 any
snmp-server community DiCecca1760 RO
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
password 7 X
!
!
end
I'm new to setting up VPNs on Cisco boxes. I'm currently using a 1760 router and despite reading much was said here about how this could overload the router etc, I have been monitoring CPU utilization over the past week and it never goes above 20% on average, so I don't feel adding a VPN config for 1 user is going to cause any trouble. With that said, I followed a configuration example from Cisco's web site on using local authentication with the Cisco VPN client and IPSec and for some reason the connection doesn't get established. When trying to connect, the vpn client authenticates fine and then it gets to the step Securing Communications and it just stays there forever. At first I thought it had something to do with the simple netgear firewal that was used from the location I attempted to VPN from, however I connected a laptop into a switch in front of the router and tried to establish a VPN from there and it authenticated fine just like before, however again it hung on Securing Communications so I'm guessing there is something wrong with my config.
My config is below and commented. any help would be appreciated. IOS version is 12.3(2) XC, only version I can use as I'm using the new 4 Port Fast Ethernet WIC.
Current configuration : 5239 bytes
!
! Last configuration change at 13:27:31 EST Tue Nov 25 2003 by Y
! NVRAM config last updated at 13:23:31 EST Tue Nov 25 2003 by Y
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname dicecca
!
boot system flash flash:c1700-k9o3sy7-mz.123
enable secret 5 X
enable password 7 X
***Username and Password assigned to login, used for the authentication of VPN user
!
username X password 7 X
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
***Setting IPSec Group Name and Key. I know DNS and WINS and Domain information can/should be
***added here, however, as the domain controller is being migrated to Windows 2003 I left this
***information out. I didn't think it was necessary to establish the tunnel although I realize that it would
***cause access troubles later on.
!
crypto isakmp client configuration group Y
key 0 X
pool vpn-natpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
***Gave outside interface a secondary ip address as the primary interface ip is used for NAT (or PAT
***depending on how you consider it) and read about some problems with NAT and VPN. Initially this
***interface was set to full-duplex however Cisco example config showed the outside at half-duplex so I
***changed it thinking that was the problem. No Luck unfortunately, is there a benefit of Half duplex over
***full duplex?
!
interface Ethernet0/0
description Connected to Cisco 1721 router
ip address X.Y.Z.235 255.255.255.192 secondary
ip address X.Y.Z.194 255.255.255.192
ip access-group inbound in
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0/0
description Connected Internal Network
ip address X.Y.Z.1 255.255.0.0
ip nat inside
speed auto
!
interface FastEthernet1/1
no ip address
!
interface FastEthernet1/2
no ip address
!
interface FastEthernet1/3
no ip address
!
interface FastEthernet1/4
no ip address
!
interface Vlan1
no ip address
!
ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
ip nat inside source list 101 interface Ethernet0/0 overload
***Static Translations for Remote Desktop
ip nat inside source static tcp X.Y.ZZ.1 3390 interface Ethernet0/0 3390
ip nat inside source static tcp X.Y.ZZ.2 3389 interface Ethernet0/0 3389
***Static NAT Translations for Servers
ip nat inside source static X.Y.Z.195 X.Y.Z.195
ip nat inside source static X.Y.Z.196 X.Y.Z.196
ip nat inside source static X.Y.Z.197 X.Y.Z.197
ip nat inside source static X.Y.Z.198 X.Y.Z.198
ip nat inside source static X.Y.Z.199 X.Y.Z.199
ip nat inside source static X.Y.Z.200 X.Y.Z.200
ip nat inside source static X.Y.Z.201 X.Y.Z.201
ip nat inside source static X.Y.Z.202 X.Y.Z.202
ip nat inside source static X.Y.Z.203 X.Y.Z.203
ip nat inside source static X.Y.Z.204 X.Y.Z.204
ip nat inside source static X.Y.Z.205 X.Y.Z.205
ip nat inside source static X.Y.Z.206 X.Y.Z.206
ip nat inside source static X.Y.Z.207 X.Y.Z.207
ip nat inside source static X.Y.Z.208 X.Y.Z.208
ip nat inside source static X.Y.Z.215 X.Y.Z.215
ip nat inside source static X.Y.Z.216 X.Y.Z.216
ip nat inside source static X.Y.Z.217 X.Y.Z.217
ip nat inside source static X.Y.Z.218 X.Y.Z.218
ip nat inside source static X.Y.Z.219 X.Y.Z.219
ip nat inside source static tcp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static udp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static tcp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip nat inside source static udp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 X.Y.Z.193
no ip http server
no ip http secure-server
!
!
!
ip access-list extended inbound
permit tcp any any established
permit tcp any X.Y.Z.192 0.0.0.63 eq www
permit tcp any host X.Y.Z.254 eq 1433
***Added all these permit commands thinking it had something to do with the access list stopping a
***necessary protocol for the VPN connection, I realize that some of these are actually redundant.
***Unfortunately, it still didn't help.
permit ip any host X.Y.Z.235
permit ahp any host X.Y.Z.235
permit udp any host X.Y.Z.235
permit esp any host X.Y.Z.235
permit ipinip any host X.Y.Z.235
permit pcp any host X.Y.Z.235
permit tcp any host X.Y.Z.235
permit gre any host X.Y.Z.235
***Permit statements for server services
permit tcp any host X.Y.Z.254 eq 1434
permit udp any host X.Y.Z.254 eq 1434
permit udp any host X.Y.Z.254 eq 1433
permit tcp any X.Y.Z.192 0.0.0.63 eq 443
permit tcp any X.Y.Z.192 0.0.0.63 eq smtp
permit tcp any X.Y.Z.192 0.0.0.63 eq pop3
permit tcp any X.Y.Z.192 0.0.0.63 eq 22
permit tcp any X.Y.Z.192 0.0.0.63 eq ftp
permit tcp any X.Y.Z.192 0.0.0.63 eq ftp-data
permit tcp any X.Y.Z.192 0.0.0.63 eq domain
permit udp any eq domain any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any ttl-exceeded
permit icmp any any packet-too-big
permit icmp any any unreachable
permit tcp any host X.Y.Z.194 eq 3389
permit tcp any host X.Y.Z.194 eq 3390
***Allow all internal traffic
permit ip X.Y.Z.0 0.0.255.255 any
***Deny everything else
deny ip any any log
***These 2 were added automatically where the IOS was updated to
***3DES IOS no clue why they are here
ip access-list extended key-exchange
ip access-list extended protocol
access-list 101 deny ip X.Y.Z.192 0.0.0.63 any
access-list 101 permit ip X.Y.Z.0 0.0.255.255 any
snmp-server community DiCecca1760 RO
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
password 7 X
!
!
end
Several comments/questions:
>crypto map clientmap client configuration address respond
Should be changed to "initiate"
crypto map clientmap client configuration address initiate <---
Is your local pool a sub-set of your local LAN? It should be.
Example. If your local LAN is 192.168.168.x
Then create a very small pool i.e. 192.168.168.168 192.168.168.169 (2 addresses)
>ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
Don't use a secondary IP as the VPN target, use the primary. If you want to use a different IP address, you can use a loopback interface.
ip address X.Y.Z.194 255.255.255.192
Add only these lines to the inbound acl instead of the ones you have:
permit udp any eq isakmp X.Y.Z.194 <-- this is the initial key exchange
permit udp any eq 4500 X.Y.Z.194 <-- 4.0 client uses UDP 4500 instead of ESP
This config tells me that there is yet another router in front of this one. Could there be access-lists on it also?
>interface Ethernet0/0
> description Connected to Cisco 1721 router <----???? access lists on it?
Set your duplex to match the switch that it is plugged in to. If the switch will support full-duplex, suggest leaving it on 'auto'. If you only manually set one end (router) and not the switchport, then you get errors on the switch.
>crypto map clientmap client configuration address respond
Should be changed to "initiate"
crypto map clientmap client configuration address initiate <---
Is your local pool a sub-set of your local LAN? It should be.
Example. If your local LAN is 192.168.168.x
Then create a very small pool i.e. 192.168.168.168 192.168.168.169 (2 addresses)
>ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
Don't use a secondary IP as the VPN target, use the primary. If you want to use a different IP address, you can use a loopback interface.
ip address X.Y.Z.194 255.255.255.192
Add only these lines to the inbound acl instead of the ones you have:
permit udp any eq isakmp X.Y.Z.194 <-- this is the initial key exchange
permit udp any eq 4500 X.Y.Z.194 <-- 4.0 client uses UDP 4500 instead of ESP
This config tells me that there is yet another router in front of this one. Could there be access-lists on it also?
>interface Ethernet0/0
> description Connected to Cisco 1721 router <----???? access lists on it?
Set your duplex to match the switch that it is plugged in to. If the switch will support full-duplex, suggest leaving it on 'auto'. If you only manually set one end (router) and not the switchport, then you get errors on the switch.
What does your show crypto (ipsec and isakmp) sa address show? Hanging normally is due to a bad sa peer address left in router memory. I noticed that any mistake made during configuration - if you don't clear crypto before input the commands, Cisco routers will give you lots of problem because it seems to cache peer sa addresses. Also did you turn on debug and capture the conversation between pre-share peers.
cheers
cheers
ASKER
Hi,
lrmoore, it appeared that the entire problem stemmed from using the secondary address as opposed to the primary interface IP. Using initiate as opposed to respond actually caused it not to work. The security settings I knew needed to be tightened up but I just opened that up because I wasn't sure if I was missing anything.
However, onto the new problem. Everything connects fine, but the router assigns the ip address in the wrong subnet and i couldn't find anywhere to change the subnet assignment. Currently the subnet is /16 which is actually way too large for what we use, but it was set that way before I got here and will soon be changed to a /22. However, in either case the router seems to like to assign 255.255.255.0 as the subnet mask causing all the internal resources to be inaccessible. After doing some reading, it seems as though the subnet should not matter as long as the gateway is setup properly. A quick ipconfig /all on the remote machine shows no address is being assigned for the gateway. The internal network is currently peer to peer with a domain controller being rolled out soon. DNS and WINS are configured on the "server" on the internal network and assigned to the remote client via the config but I couldn't find anything on how to assign the gateway.
So basically, I don't know if what I read is true in which case I need to figure out how to assign the gateway address or why it isn't assigning one or if the problem lies in the subnetting, I need to figure out how to change the subnet mask being assigned.
Your continued help is appreciated.
lrmoore, it appeared that the entire problem stemmed from using the secondary address as opposed to the primary interface IP. Using initiate as opposed to respond actually caused it not to work. The security settings I knew needed to be tightened up but I just opened that up because I wasn't sure if I was missing anything.
However, onto the new problem. Everything connects fine, but the router assigns the ip address in the wrong subnet and i couldn't find anywhere to change the subnet assignment. Currently the subnet is /16 which is actually way too large for what we use, but it was set that way before I got here and will soon be changed to a /22. However, in either case the router seems to like to assign 255.255.255.0 as the subnet mask causing all the internal resources to be inaccessible. After doing some reading, it seems as though the subnet should not matter as long as the gateway is setup properly. A quick ipconfig /all on the remote machine shows no address is being assigned for the gateway. The internal network is currently peer to peer with a domain controller being rolled out soon. DNS and WINS are configured on the "server" on the internal network and assigned to the remote client via the config but I couldn't find anything on how to assign the gateway.
So basically, I don't know if what I read is true in which case I need to figure out how to assign the gateway address or why it isn't assigning one or if the problem lies in the subnetting, I need to figure out how to change the subnet mask being assigned.
Your continued help is appreciated.
ASKER
Also,
Since turning on half-duplex I can't figure out how to get interface Eth0/0 back to speed auto.
I have tried using Speed auto for a command, no half duplex, neither seemed to work.
Lastly, we are getting another public ip range assigned to us in addition to our current range. From Lrmoore's comments in this thread as well as in some other threads I have read, it seems you do not recommend assigning this new range as a secondary ip to the interface but rather using a different interface and then creating a new access-list and assigning it to the new interface.
Since turning on half-duplex I can't figure out how to get interface Eth0/0 back to speed auto.
I have tried using Speed auto for a command, no half duplex, neither seemed to work.
Lastly, we are getting another public ip range assigned to us in addition to our current range. From Lrmoore's comments in this thread as well as in some other threads I have read, it seems you do not recommend assigning this new range as a secondary ip to the interface but rather using a different interface and then creating a new access-list and assigning it to the new interface.
ASKER
Did I stump the experts or is everyone on Vacation?
Not on vacation, just on travel..
As far as the subnet goes, the mask should match the classful mask of the 192.168.x.x/24
The issue is that you have a super-net mask on the inside interface, and that is why you can't get to anything other than that one part of the network.
Have you tried the interface command "duplex auto"?
If you issue the command, and it does not complain, you won't see it in the config because that is the default.
If you're getting another IP range, I would suggest putting it on a loopback interface and using that address as the remote's "peer" address for the IPSEC tunnel.
As far as the subnet goes, the mask should match the classful mask of the 192.168.x.x/24
The issue is that you have a super-net mask on the inside interface, and that is why you can't get to anything other than that one part of the network.
Have you tried the interface command "duplex auto"?
If you issue the command, and it does not complain, you won't see it in the config because that is the default.
If you're getting another IP range, I would suggest putting it on a loopback interface and using that address as the remote's "peer" address for the IPSEC tunnel.
ASKER
I tried using Duplex Auto. Unfortunately, the only options for duplex is half or full, which didn't make sense to me because I thought that was the correct command.
As for the IP situation, let me ask you this. As I mentioned previously, the internal network will soon be re-numbered on a /22 subnet in the 172.16.1.X to 172.16.4.X range. The thing I'm questioning here is that if this becomes the private range, the router is now going to assign a subnet mask of a /16 subnet and I'm going to have the same issue. Am I better off just making the network a full /16 subnet in the 172.16.X.X range or should I use a loopback interface.
If the latter is the case, how would I go about setting up the loopback interface for the VPN? What IP should I assign the interface given that the network is currently configured for a /24 using the entire 192.168 range although there are IP address available in that range but I don't think IOS will allow me to assign the network ID to a second interface.
As for the IP situation, let me ask you this. As I mentioned previously, the internal network will soon be re-numbered on a /22 subnet in the 172.16.1.X to 172.16.4.X range. The thing I'm questioning here is that if this becomes the private range, the router is now going to assign a subnet mask of a /16 subnet and I'm going to have the same issue. Am I better off just making the network a full /16 subnet in the 172.16.X.X range or should I use a loopback interface.
If the latter is the case, how would I go about setting up the loopback interface for the VPN? What IP should I assign the interface given that the network is currently configured for a /24 using the entire 192.168 range although there are IP address available in that range but I don't think IOS will allow me to assign the network ID to a second interface.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
By using the loopback interface does that exempt me from having to create another access list allowing necessary ports through for that ip range or do I just now have to create the access-list and apply it on the loopback interface.
Thanks for everything, will update the internal network ips a little sooner than anticipated this weekend.
Thanks for everything, will update the internal network ips a little sooner than anticipated this weekend.
The access-list that is applied to the outside interface still needs to permit the traffic inbound to the loopback IP as the destination:
inbound acl:
permit udp any eq isakmp host <loopback IP> eq isakmp
permit esp any host <loopback IP>
permit udp any eq 4500 host <loopback IP>
<etc>
You don't need any acl applied to the loopback interface at all
inbound acl:
permit udp any eq isakmp host <loopback IP> eq isakmp
permit esp any host <loopback IP>
permit udp any eq 4500 host <loopback IP>
<etc>
You don't need any acl applied to the loopback interface at all
ASKER
1 13:14:03.254 11/27/03 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from X.Y.Z.235. Inbound connections are not allowed.
2 13:14:07.030 11/27/03 Sev=Warning/3 IKE/0xE3000084
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid
What I found interesting is that the ip address it lists as attempting an inbound connection from is actually the ip address that I I'm trying to connect to.