Cisco VPN Configuration Troubles


I'm new to setting up VPNs on Cisco boxes.  I'm currently using a 1760 router and despite reading much was said here about how this could overload the router etc, I have been monitoring CPU utilization over the past week and it never goes above 20% on average, so I don't feel adding a VPN config for 1 user is going to cause any trouble.  With that said, I followed a configuration example from Cisco's web site on using local authentication with the Cisco VPN client and IPSec and for some reason the connection doesn't get established.  When trying to connect, the vpn client authenticates fine and then it gets to the step Securing Communications and it just stays there forever.  At first I thought it had something to do with the simple netgear firewal that was used from the location I attempted to VPN from, however I connected a laptop into a switch in front of the router and tried to establish a VPN from there and it authenticated fine just like before, however again it hung on Securing Communications so I'm guessing there is something wrong with my config.

My config is below and commented.  any help would be appreciated.  IOS version is 12.3(2) XC, only version I can use as I'm using the new 4 Port Fast Ethernet WIC.

Current configuration : 5239 bytes
! Last configuration change at 13:27:31 EST Tue Nov 25 2003 by Y
! NVRAM config last updated at 13:23:31 EST Tue Nov 25 2003 by Y
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname dicecca
boot system flash flash:c1700-k9o3sy7-mz.123-2.XC.bin
enable secret 5 X
enable password 7 X

***Username and Password assigned to login, used for the authentication of VPN user

username X password 7 X
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

***Setting IPSec Group Name and Key.  I know DNS and WINS and Domain information can/should be
***added here, however, as the domain controller is being migrated to Windows 2003 I left this
***information out.  I didn't think it was necessary to establish the tunnel although I realize that it would
***cause access troubles later on.

crypto isakmp client configuration group Y
 key 0 X
 pool vpn-natpool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

***Gave outside interface a secondary ip address as the primary interface ip is used for NAT (or PAT
***depending on how you consider it) and read about some problems with NAT and VPN.  Initially this
***interface was set to full-duplex however Cisco example config showed the outside at half-duplex so I
***changed it thinking that was the problem.  No Luck unfortunately, is there a benefit of Half duplex over
***full duplex?

interface Ethernet0/0
 description Connected to Cisco 1721 router
 ip address X.Y.Z.235 secondary
 ip address X.Y.Z.194
 ip access-group inbound in
 ip nat outside
 crypto map clientmap
interface FastEthernet0/0
 description Connected Internal Network
 ip address X.Y.Z.1
 ip nat inside
 speed auto
interface FastEthernet1/1
 no ip address
interface FastEthernet1/2
 no ip address
interface FastEthernet1/3
 no ip address
interface FastEthernet1/4
 no ip address
interface Vlan1
 no ip address
ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
ip nat inside source list 101 interface Ethernet0/0 overload

***Static Translations for Remote Desktop

ip nat inside source static tcp X.Y.ZZ.1 3390 interface Ethernet0/0 3390
ip nat inside source static tcp X.Y.ZZ.2 3389 interface Ethernet0/0 3389

***Static NAT Translations for Servers

ip nat inside source static X.Y.Z.195 X.Y.Z.195
ip nat inside source static X.Y.Z.196 X.Y.Z.196
ip nat inside source static X.Y.Z.197 X.Y.Z.197
ip nat inside source static X.Y.Z.198 X.Y.Z.198
ip nat inside source static X.Y.Z.199 X.Y.Z.199
ip nat inside source static X.Y.Z.200 X.Y.Z.200
ip nat inside source static X.Y.Z.201 X.Y.Z.201
ip nat inside source static X.Y.Z.202 X.Y.Z.202
ip nat inside source static X.Y.Z.203 X.Y.Z.203
ip nat inside source static X.Y.Z.204 X.Y.Z.204
ip nat inside source static X.Y.Z.205 X.Y.Z.205
ip nat inside source static X.Y.Z.206 X.Y.Z.206
ip nat inside source static X.Y.Z.207 X.Y.Z.207
ip nat inside source static X.Y.Z.208 X.Y.Z.208
ip nat inside source static X.Y.Z.215 X.Y.Z.215
ip nat inside source static X.Y.Z.216 X.Y.Z.216
ip nat inside source static X.Y.Z.217 X.Y.Z.217
ip nat inside source static X.Y.Z.218 X.Y.Z.218
ip nat inside source static X.Y.Z.219 X.Y.Z.219
ip nat inside source static tcp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static udp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static tcp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip nat inside source static udp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable

ip classless
ip route X.Y.Z.193
no ip http server
no ip http secure-server
ip access-list extended inbound
 permit tcp any any established
 permit tcp any X.Y.Z.192 eq www
 permit tcp any host X.Y.Z.254 eq 1433

***Added all these permit commands thinking it had something to do with the access list stopping a
***necessary protocol for the VPN connection, I realize that some of these are actually redundant.  
***Unfortunately, it still didn't help.

 permit ip any host X.Y.Z.235
 permit ahp any host X.Y.Z.235
 permit udp any host X.Y.Z.235
 permit esp any host X.Y.Z.235
 permit ipinip any host X.Y.Z.235
 permit pcp any host X.Y.Z.235
 permit tcp any host X.Y.Z.235
 permit gre any host X.Y.Z.235

***Permit statements for server services

 permit tcp any host X.Y.Z.254 eq 1434
 permit udp any host X.Y.Z.254 eq 1434
 permit udp any host X.Y.Z.254 eq 1433
 permit tcp any X.Y.Z.192 eq 443
 permit tcp any X.Y.Z.192 eq smtp
 permit tcp any X.Y.Z.192 eq pop3
 permit tcp any X.Y.Z.192 eq 22
 permit tcp any X.Y.Z.192 eq ftp
 permit tcp any X.Y.Z.192 eq ftp-data
 permit tcp any X.Y.Z.192 eq domain
 permit udp any eq domain any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit tcp any host X.Y.Z.194 eq 3389
 permit tcp any host X.Y.Z.194 eq 3390

***Allow all internal traffic

 permit ip X.Y.Z.0 any

***Deny everything else

 deny   ip any any log

***These 2 were added automatically where the IOS was updated to
***3DES IOS no clue why they are here

ip access-list extended key-exchange
ip access-list extended protocol

access-list 101 deny   ip X.Y.Z.192 any
access-list 101 permit ip X.Y.Z.0 any
snmp-server community DiCecca1760 RO
snmp-server enable traps tty
line con 0
line aux 0
line vty 0 4
 password 7 X
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

caplinktechAuthor Commented:
I tried upgrading to Cisco VPn Client 4.0.3 with no luck.  However the new client displays some log information so it might help.

1      13:14:03.254  11/27/03  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from X.Y.Z.235. Inbound connections are not allowed.

2      13:14:07.030  11/27/03  Sev=Warning/3      IKE/0xE3000084
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

What I found interesting is that the ip address it lists as attempting an inbound connection from is actually the ip address that I I'm trying to connect to.
Several comments/questions:

>crypto map clientmap client configuration address respond
Should be changed to "initiate"
crypto map clientmap client configuration address initiate <---

Is your local pool a sub-set of your local LAN? It should be.
Example. If your local LAN is 192.168.168.x
Then create a very small pool i.e.  (2 addresses)
>ip local pool vpn-natpool X.Y.168.1 X.Y.168.254

Don't use a secondary IP as the VPN target, use the primary. If you want to use a different IP address, you can use a loopback interface.
ip address X.Y.Z.194

Add only these lines to the inbound acl instead of the ones you have:
 permit udp any eq isakmp X.Y.Z.194 <-- this is the initial key exchange
 permit udp any eq 4500 X.Y.Z.194 <-- 4.0 client uses UDP 4500 instead of ESP

This config tells me that there is yet another router in front of this one. Could there be access-lists on it also?
>interface Ethernet0/0
> description Connected to Cisco 1721 router <----???? access lists on it?

Set your duplex to match the switch that it is plugged in to. If the switch will support full-duplex, suggest leaving it on 'auto'. If you only manually set one end (router) and not the switchport, then you get errors on the switch.

What does your show crypto (ipsec and isakmp) sa address show?  Hanging normally is due to a bad sa peer address left in router memory.  I noticed that any mistake made during configuration - if you don't clear crypto before input the commands, Cisco routers will give you lots of problem because it seems to cache peer sa addresses.  Also did you turn on debug and capture the conversation between pre-share peers.

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

caplinktechAuthor Commented:

lrmoore, it appeared that the entire problem stemmed from using the secondary address as opposed to the primary interface IP.  Using initiate as opposed to respond actually caused it not to work.  The security settings I knew needed to be tightened up but I just opened that up because I wasn't sure if I was missing anything.

However, onto the new problem.  Everything connects fine, but the router assigns the ip address in the wrong subnet and i couldn't find anywhere to change the subnet assignment.  Currently the subnet is /16 which is actually way too large for what we use, but it was set that way before I got here and will soon be changed to a /22.  However, in either case the router seems to like to assign as the subnet mask causing all the internal resources to be inaccessible.  After doing some reading, it seems as though the subnet should not matter as long as the gateway is setup properly.  A quick ipconfig /all on the remote machine shows no address is being assigned for the gateway.  The internal network is currently peer to peer with a domain controller being rolled out soon.  DNS and WINS are configured on the "server" on the internal network and assigned to the remote client via the config but I couldn't find anything on how to assign the gateway.

So basically, I don't know if what I read is true in which case I need to figure out how to assign the gateway address or why it isn't assigning one or if the problem lies in the subnetting, I need to figure out how to change the subnet mask being assigned.

Your continued help is appreciated.
caplinktechAuthor Commented:

Since turning on half-duplex I can't figure out how to get interface Eth0/0 back to speed auto.

I have tried using Speed auto for a command, no half duplex, neither seemed to work.

Lastly, we are getting another public ip range assigned to us in addition to our current range.  From Lrmoore's comments in this thread as well as in some other threads I have read, it seems you do not recommend assigning this new range as a secondary ip to the interface but rather using a different interface and then creating a new access-list and assigning it to the new interface.
caplinktechAuthor Commented:
Did I stump the experts or is everyone on Vacation?
Not on vacation, just on travel..

As far as the subnet goes, the mask should match the classful mask of the 192.168.x.x/24
The issue is that you have a super-net mask on the inside interface, and that is why you can't get to anything other than that one part of the network.

Have you tried the interface command "duplex auto"?
If you issue the command, and it does not complain, you won't see it in the config because that is the default.

If you're getting another IP range, I would suggest putting it on a loopback interface and using that address as the remote's "peer" address for the IPSEC tunnel.

caplinktechAuthor Commented:
I tried using Duplex Auto.  Unfortunately, the only options for duplex is half or full, which didn't make sense to me because I thought that was the correct command.

As for the IP situation, let me ask you this.  As I mentioned previously, the internal network will soon be re-numbered on a /22 subnet in the 172.16.1.X to 172.16.4.X range.  The thing I'm questioning here is that if this becomes the private range, the router is now going to assign a subnet mask of a /16 subnet and I'm going to have the same issue.  Am I better off just making the network a full /16 subnet in the 172.16.X.X range or should I use a loopback interface.

If the latter is the case, how would I go about setting up the loopback interface for the VPN?  What IP should I assign the interface given that the network is currently configured for a /24 using the entire 192.168 range although there are IP address available in that range but I don't think IOS will allow me to assign the network ID to a second interface.
The easiest way to handle that would be to use a full class B subnet on the inside. There's no real value in using a non-classful mask. use a VPN pool that is within this classful network. This way, the VPN client gets an address in the 172.16.x.x subnet with the same mask as your internal network.

As far as the loopback, this is an example of what I'm talking about:

interface Ethernet0/0
 description Connected to Cisco 1721 router
 ip address X.Y.Z.194
 ip access-group inbound in
 ip nat outside
interface loopback 0
 ip address X.Y.W.235

Now, on the remote site, your "peer" can be this X.Y.W.235 IP address, not the .194 interface address

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
caplinktechAuthor Commented:
By using the loopback interface does that exempt me from having to create another access list allowing necessary ports through for that ip range or do I just now have to create the access-list and apply it on the loopback interface.

Thanks for everything, will update the internal network ips a little sooner than anticipated this weekend.
The access-list that is applied to the outside interface still needs to permit the traffic inbound to the loopback IP as the destination:

inbound acl:
permit udp any eq isakmp host <loopback IP> eq isakmp
permit esp any  host <loopback IP>
permit udp any eq 4500 host <loopback IP>

You don't need any acl applied to the loopback interface at all
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.