Solved

Cisco VPN Configuration Troubles

Posted on 2003-11-27
11
4,571 Views
Last Modified: 2010-08-05
Hi,

I'm new to setting up VPNs on Cisco boxes.  I'm currently using a 1760 router and despite reading much was said here about how this could overload the router etc, I have been monitoring CPU utilization over the past week and it never goes above 20% on average, so I don't feel adding a VPN config for 1 user is going to cause any trouble.  With that said, I followed a configuration example from Cisco's web site on using local authentication with the Cisco VPN client and IPSec and for some reason the connection doesn't get established.  When trying to connect, the vpn client authenticates fine and then it gets to the step Securing Communications and it just stays there forever.  At first I thought it had something to do with the simple netgear firewal that was used from the location I attempted to VPN from, however I connected a laptop into a switch in front of the router and tried to establish a VPN from there and it authenticated fine just like before, however again it hung on Securing Communications so I'm guessing there is something wrong with my config.

My config is below and commented.  any help would be appreciated.  IOS version is 12.3(2) XC, only version I can use as I'm using the new 4 Port Fast Ethernet WIC.

Current configuration : 5239 bytes
!
! Last configuration change at 13:27:31 EST Tue Nov 25 2003 by Y
! NVRAM config last updated at 13:23:31 EST Tue Nov 25 2003 by Y
!
version 12.3
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname dicecca
!
boot system flash flash:c1700-k9o3sy7-mz.123-2.XC.bin
enable secret 5 X
enable password 7 X

***Username and Password assigned to login, used for the authentication of VPN user

!
username X password 7 X
clock timezone EST -5
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2

***Setting IPSec Group Name and Key.  I know DNS and WINS and Domain information can/should be
***added here, however, as the domain controller is being migrated to Windows 2003 I left this
***information out.  I didn't think it was necessary to establish the tunnel although I realize that it would
***cause access troubles later on.

!
crypto isakmp client configuration group Y
 key 0 X
 pool vpn-natpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!

***Gave outside interface a secondary ip address as the primary interface ip is used for NAT (or PAT
***depending on how you consider it) and read about some problems with NAT and VPN.  Initially this
***interface was set to full-duplex however Cisco example config showed the outside at half-duplex so I
***changed it thinking that was the problem.  No Luck unfortunately, is there a benefit of Half duplex over
***full duplex?

!
interface Ethernet0/0
 description Connected to Cisco 1721 router
 ip address X.Y.Z.235 255.255.255.192 secondary
 ip address X.Y.Z.194 255.255.255.192
 ip access-group inbound in
 ip nat outside
 half-duplex
 crypto map clientmap
!
interface FastEthernet0/0
 description Connected Internal Network
 ip address X.Y.Z.1 255.255.0.0
 ip nat inside
 speed auto
!
interface FastEthernet1/1
 no ip address
!
interface FastEthernet1/2
 no ip address
!
interface FastEthernet1/3
 no ip address
!
interface FastEthernet1/4
 no ip address
!
interface Vlan1
 no ip address
!
ip local pool vpn-natpool X.Y.168.1 X.Y.168.254
ip nat inside source list 101 interface Ethernet0/0 overload

***Static Translations for Remote Desktop

ip nat inside source static tcp X.Y.ZZ.1 3390 interface Ethernet0/0 3390
ip nat inside source static tcp X.Y.ZZ.2 3389 interface Ethernet0/0 3389

***Static NAT Translations for Servers

ip nat inside source static X.Y.Z.195 X.Y.Z.195
ip nat inside source static X.Y.Z.196 X.Y.Z.196
ip nat inside source static X.Y.Z.197 X.Y.Z.197
ip nat inside source static X.Y.Z.198 X.Y.Z.198
ip nat inside source static X.Y.Z.199 X.Y.Z.199
ip nat inside source static X.Y.Z.200 X.Y.Z.200
ip nat inside source static X.Y.Z.201 X.Y.Z.201
ip nat inside source static X.Y.Z.202 X.Y.Z.202
ip nat inside source static X.Y.Z.203 X.Y.Z.203
ip nat inside source static X.Y.Z.204 X.Y.Z.204
ip nat inside source static X.Y.Z.205 X.Y.Z.205
ip nat inside source static X.Y.Z.206 X.Y.Z.206
ip nat inside source static X.Y.Z.207 X.Y.Z.207
ip nat inside source static X.Y.Z.208 X.Y.Z.208
ip nat inside source static X.Y.Z.215 X.Y.Z.215
ip nat inside source static X.Y.Z.216 X.Y.Z.216
ip nat inside source static X.Y.Z.217 X.Y.Z.217
ip nat inside source static X.Y.Z.218 X.Y.Z.218
ip nat inside source static X.Y.Z.219 X.Y.Z.219
ip nat inside source static tcp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static udp X.Y.Z.254 1433 X.Y.Z.254 1433 extendable
ip nat inside source static tcp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable
ip nat inside source static udp X.Y.Z.254 1434 X.Y.Z.254 1434 extendable


ip classless
ip route 0.0.0.0 0.0.0.0 X.Y.Z.193
no ip http server
no ip http secure-server
!
!
!
ip access-list extended inbound
 permit tcp any any established
 permit tcp any X.Y.Z.192 0.0.0.63 eq www
 permit tcp any host X.Y.Z.254 eq 1433

***Added all these permit commands thinking it had something to do with the access list stopping a
***necessary protocol for the VPN connection, I realize that some of these are actually redundant.  
***Unfortunately, it still didn't help.

 permit ip any host X.Y.Z.235
 permit ahp any host X.Y.Z.235
 permit udp any host X.Y.Z.235
 permit esp any host X.Y.Z.235
 permit ipinip any host X.Y.Z.235
 permit pcp any host X.Y.Z.235
 permit tcp any host X.Y.Z.235
 permit gre any host X.Y.Z.235

***Permit statements for server services

 permit tcp any host X.Y.Z.254 eq 1434
 permit udp any host X.Y.Z.254 eq 1434
 permit udp any host X.Y.Z.254 eq 1433
 permit tcp any X.Y.Z.192 0.0.0.63 eq 443
 permit tcp any X.Y.Z.192 0.0.0.63 eq smtp
 permit tcp any X.Y.Z.192 0.0.0.63 eq pop3
 permit tcp any X.Y.Z.192 0.0.0.63 eq 22
 permit tcp any X.Y.Z.192 0.0.0.63 eq ftp
 permit tcp any X.Y.Z.192 0.0.0.63 eq ftp-data
 permit tcp any X.Y.Z.192 0.0.0.63 eq domain
 permit udp any eq domain any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
 permit icmp any any unreachable
 permit tcp any host X.Y.Z.194 eq 3389
 permit tcp any host X.Y.Z.194 eq 3390

***Allow all internal traffic

 permit ip X.Y.Z.0 0.0.255.255 any

***Deny everything else

 deny   ip any any log

***These 2 were added automatically where the IOS was updated to
***3DES IOS no clue why they are here

ip access-list extended key-exchange
ip access-list extended protocol


access-list 101 deny   ip X.Y.Z.192 0.0.0.63 any
access-list 101 permit ip X.Y.Z.0 0.0.255.255 any
snmp-server community DiCecca1760 RO
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
 password 7 X
!
!
end
0
Comment
Question by:caplinktech
  • 6
  • 4
11 Comments
 

Author Comment

by:caplinktech
Comment Utility
I tried upgrading to Cisco VPn Client 4.0.3 with no luck.  However the new client displays some log information so it might help.

1      13:14:03.254  11/27/03  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from X.Y.Z.235. Inbound connections are not allowed.

2      13:14:07.030  11/27/03  Sev=Warning/3      IKE/0xE3000084
The length, 0, of the Mode Config option, INTERNAL_IPV4_NETMASK, is invalid

What I found interesting is that the ip address it lists as attempting an inbound connection from is actually the ip address that I I'm trying to connect to.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Several comments/questions:

>crypto map clientmap client configuration address respond
Should be changed to "initiate"
crypto map clientmap client configuration address initiate <---

Is your local pool a sub-set of your local LAN? It should be.
Example. If your local LAN is 192.168.168.x
Then create a very small pool i.e. 192.168.168.168 192.168.168.169  (2 addresses)
>ip local pool vpn-natpool X.Y.168.1 X.Y.168.254

Don't use a secondary IP as the VPN target, use the primary. If you want to use a different IP address, you can use a loopback interface.
ip address X.Y.Z.194 255.255.255.192

Add only these lines to the inbound acl instead of the ones you have:
 permit udp any eq isakmp X.Y.Z.194 <-- this is the initial key exchange
 permit udp any eq 4500 X.Y.Z.194 <-- 4.0 client uses UDP 4500 instead of ESP

This config tells me that there is yet another router in front of this one. Could there be access-lists on it also?
>interface Ethernet0/0
> description Connected to Cisco 1721 router <----???? access lists on it?

Set your duplex to match the switch that it is plugged in to. If the switch will support full-duplex, suggest leaving it on 'auto'. If you only manually set one end (router) and not the switchport, then you get errors on the switch.




0
 
LVL 13

Expert Comment

by:Gnart
Comment Utility
What does your show crypto (ipsec and isakmp) sa address show?  Hanging normally is due to a bad sa peer address left in router memory.  I noticed that any mistake made during configuration - if you don't clear crypto before input the commands, Cisco routers will give you lots of problem because it seems to cache peer sa addresses.  Also did you turn on debug and capture the conversation between pre-share peers.

cheers
0
 

Author Comment

by:caplinktech
Comment Utility
Hi,

lrmoore, it appeared that the entire problem stemmed from using the secondary address as opposed to the primary interface IP.  Using initiate as opposed to respond actually caused it not to work.  The security settings I knew needed to be tightened up but I just opened that up because I wasn't sure if I was missing anything.

However, onto the new problem.  Everything connects fine, but the router assigns the ip address in the wrong subnet and i couldn't find anywhere to change the subnet assignment.  Currently the subnet is /16 which is actually way too large for what we use, but it was set that way before I got here and will soon be changed to a /22.  However, in either case the router seems to like to assign 255.255.255.0 as the subnet mask causing all the internal resources to be inaccessible.  After doing some reading, it seems as though the subnet should not matter as long as the gateway is setup properly.  A quick ipconfig /all on the remote machine shows no address is being assigned for the gateway.  The internal network is currently peer to peer with a domain controller being rolled out soon.  DNS and WINS are configured on the "server" on the internal network and assigned to the remote client via the config but I couldn't find anything on how to assign the gateway.

So basically, I don't know if what I read is true in which case I need to figure out how to assign the gateway address or why it isn't assigning one or if the problem lies in the subnetting, I need to figure out how to change the subnet mask being assigned.

Your continued help is appreciated.
0
 

Author Comment

by:caplinktech
Comment Utility
Also,

Since turning on half-duplex I can't figure out how to get interface Eth0/0 back to speed auto.

I have tried using Speed auto for a command, no half duplex, neither seemed to work.

Lastly, we are getting another public ip range assigned to us in addition to our current range.  From Lrmoore's comments in this thread as well as in some other threads I have read, it seems you do not recommend assigning this new range as a secondary ip to the interface but rather using a different interface and then creating a new access-list and assigning it to the new interface.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:caplinktech
Comment Utility
Did I stump the experts or is everyone on Vacation?
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
Not on vacation, just on travel..

As far as the subnet goes, the mask should match the classful mask of the 192.168.x.x/24
The issue is that you have a super-net mask on the inside interface, and that is why you can't get to anything other than that one part of the network.

Have you tried the interface command "duplex auto"?
If you issue the command, and it does not complain, you won't see it in the config because that is the default.

If you're getting another IP range, I would suggest putting it on a loopback interface and using that address as the remote's "peer" address for the IPSEC tunnel.

0
 

Author Comment

by:caplinktech
Comment Utility
I tried using Duplex Auto.  Unfortunately, the only options for duplex is half or full, which didn't make sense to me because I thought that was the correct command.

As for the IP situation, let me ask you this.  As I mentioned previously, the internal network will soon be re-numbered on a /22 subnet in the 172.16.1.X to 172.16.4.X range.  The thing I'm questioning here is that if this becomes the private range, the router is now going to assign a subnet mask of a /16 subnet and I'm going to have the same issue.  Am I better off just making the network a full /16 subnet in the 172.16.X.X range or should I use a loopback interface.

If the latter is the case, how would I go about setting up the loopback interface for the VPN?  What IP should I assign the interface given that the network is currently configured for a /24 using the entire 192.168 range although there are IP address available in that range but I don't think IOS will allow me to assign the network ID to a second interface.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
Comment Utility
The easiest way to handle that would be to use a full class B subnet on the inside. There's no real value in using a non-classful mask. use a VPN pool that is within this classful network. This way, the VPN client gets an address in the 172.16.x.x subnet with the same mask as your internal network.

As far as the loopback, this is an example of what I'm talking about:

interface Ethernet0/0
 description Connected to Cisco 1721 router
 ip address X.Y.Z.194 255.255.255.192
 ip access-group inbound in
 ip nat outside
!
interface loopback 0
 ip address X.Y.W.235 255.255.255.192
!

Now, on the remote site, your "peer" can be this X.Y.W.235 IP address, not the .194 interface address
0
 

Author Comment

by:caplinktech
Comment Utility
By using the loopback interface does that exempt me from having to create another access list allowing necessary ports through for that ip range or do I just now have to create the access-list and apply it on the loopback interface.

Thanks for everything, will update the internal network ips a little sooner than anticipated this weekend.
0
 
LVL 79

Expert Comment

by:lrmoore
Comment Utility
The access-list that is applied to the outside interface still needs to permit the traffic inbound to the loopback IP as the destination:

inbound acl:
permit udp any eq isakmp host <loopback IP> eq isakmp
permit esp any  host <loopback IP>
permit udp any eq 4500 host <loopback IP>
<etc>

You don't need any acl applied to the loopback interface at all
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now