Solved

Cisco VPN Client + IOS Router

Posted on 2003-12-07
Last Modified: 2011-08-18
Hi there,
           I'm trying to establish a test VPN from a Cisco VPN Client to a Cisco 4500 router. I have followed this article, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml, but am having little success.

Current configuration:
Building configuration...

Current configuration : 2403 bytes
!
! Last configuration change at 14:57:16 AUST Mon Dec 8 2003 by console
! NVRAM config last updated at 14:50:26 AUST Mon Dec 8 2003 by console
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname R4500B
!
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
enable secret 5 *********
enable password *****
!
clock timezone AUST 10
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 10.10.19.2 255.255.255.0
 no ip mroute-cache
 media-type 10BaseT
!
interface Ethernet1
 no ip address
 no ip proxy-arp
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet2
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet3
 ip address 14.38.100.201 255.255.0.0
 no ip mroute-cache
 no keepalive
 shutdown
 media-type 10BaseT
!
interface Ethernet4
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet5
 no ip address
 no ip proxy-arp
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface FastEthernet0
 description Private IP Network
 ip address 10.2.2.3 255.255.255.0
 full-duplex
 crypto map clientmap
!
interface FastEthernet1
 no ip address
 full-duplex
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.100.1
ip http server
!
access-list 108 permit ip 14.38.0.0 0.0.255.255 14.1.1.0 0.0.0.255
radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****
!
line con 0
 exec-timeout 0 0
 history size 200
line aux 0
 exec-timeout 0 0
 history size 200
 transport input all
line vty 0 4
 exec-timeout 0 0
 password cisco
 history size 200
!
ntp clock-period 17179808
ntp update-calendar
ntp server 10.2.2.129
end




R4500B#show debugging
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
Radius protocol debugging is on
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
  BER debug output debugging is on
  verbose debug output debugging is on

Router Output:
00:53:07: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
00:53:07: ISAKMP: local port 500, remote port 500
00:53:07: ISAKMP (0:1): Setting client config settings 6188A7F0
00:53:07: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
00:53:07: ISAKMP: Created a peer node for 10.2.2.18
00:53:07: ISAKMP: Locking struct 6188A7F0 from crypto_ikmp_config_initialize_sa
00:53:07: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:07: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:07: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
00:53:07: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:08: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:08: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:12: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:12: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:12: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:12: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:13: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:13: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:13: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:17: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:17: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:17: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:18: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:18: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:22: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:23: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:23: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:23: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:24: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:24: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:24: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:56:32: ISAKMP: quick mode timer expired.
00:56:32: ISAKMP (0:1): peer does not do paranoid keepalives.

00:56:32: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 10.2.2.18) input queue 0
00:56:32: ISAKMP: Unlocking struct 6188A7F0 on return of attributes
00:57:32: ISAKMP (0:1): purging SA., sa=61889DC4, delme=61889DC4
00:57:32: CryptoEngine0: delete connection 1
00:57:40: ISAKMP: Deleting peer node for 10.2.2.18



Client Output:
24     16:21:21.134  12/08/03  Sev=Info/4        CM/0x63100002
Begin connection process

25     16:21:21.144  12/08/03  Sev=Info/4        CM/0x63100004
Establish secure connection using Ethernet

26     16:21:21.144  12/08/03  Sev=Info/4        CM/0x63100024
Attempt connection with server "10.2.2.3"

27     16:21:21.144  12/08/03  Sev=Info/6        IKE/0x6300003B
Attempting to establish a connection with 10.2.2.3.

28     16:21:21.224  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 10.2.2.3

29     16:21:21.835  12/08/03  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

30     16:21:26.241  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

31     16:21:31.248  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

32     16:21:36.255  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

33     16:21:41.262  12/08/03  Sev=Warning/2        IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

34     16:21:41.262  12/08/03  Sev=Info/4        CM/0x63100014
Unable to establish Phase 1 SA with server "10.2.2.3" because of "DEL_REASON_PEER_NOT_RESPONDING"

35     16:21:41.262  12/08/03  Sev=Info/5        CM/0x63100027
Initializing CVPNDrv

36     16:21:41.363  12/08/03  Sev=Warning/3        DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

37     16:21:42.374  12/08/03  Sev=Info/4        IPSEC/0x63700014
Deleted all keys
Question by:DiuQiL
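The client log line `SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID)` and the router's `processing ID payload` followed by `Processing of Aggressive mode failed` describe message 1 of IKEv1 aggressive mode. The following is an added Python example, not code from the post or from Cisco: it builds such a message (the proposal, key-exchange, nonce and vendor-ID bodies are constructed placeholders, not real values; the group name `testgroup` is made up) and decodes it with bounds checks, reporting the exchange type and the ID payload that the responder has to match against a configured group before it can compute anything. A responder that cannot process that ID sends nothing, which is what the router's "no outgoing phase 1 packet to retransmit" and the client's `DEL_REASON_PEER_NOT_RESPONDING` look like from each side. Caveat for anyone deploying this: in aggressive mode the identity travels in the clear and the responder's reply carries a hash keyed from the group pre-shared key, so anyone able to send this first message can collect material for offline guessing of that key; XAUTH (the `client authentication list` in the config) is the per-user factor this design relies on.

```python
"""Build and decode message 1 of IKEv1 aggressive mode (ISAKMP framing per RFC 2408/2409).

Constructed example: payload bodies are placeholders; the header, payload chain and
ID payload are what a responder parses before it looks up the group pre-shared key.
"""
import os
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # i-cookie, r-cookie, next payload, version, exchange, flags, msg id, length
GEN_HDR = struct.Struct("!BBH")            # next payload, reserved, payload length (header included)
ID_HDR = struct.Struct("!BBH")             # ID type, protocol ID, port

# RFC 2408 payload and exchange types used by a phase-1 message
SA, KE, ID, NONCE, VID = 1, 4, 5, 10, 13
PAYLOAD_NAMES = {SA: "SA", KE: "KE", ID: "ID", NONCE: "NON", VID: "VID"}  # "NON" mirrors the client log
MAIN, AGGRESSIVE = 2, 4
ID_IPV4_ADDR, ID_KEY_ID = 1, 11
IKEV1_VERSION = 0x10


def build_message(exchange, payloads, icookie=None, rcookie=bytes(8), msgid=0):
    """Serialise a payload chain; each generic header names the *next* payload's type."""
    icookie = icookie or os.urandom(8)
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN_HDR.pack(nxt, 0, GEN_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(icookie, rcookie, first, IKEV1_VERSION, exchange, 0, msgid,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def build_aggressive_first_message(group_name, icookie=None):
    """Message 1 as the Cisco client logs it: SA, KE, NON, ID, VID x5.

    The ID payload carries the group name as ID_KEY_ID; the responder needs the
    matching group pre-shared key before it can build a reply."""
    if isinstance(group_name, str):
        group_name = group_name.encode()
    payloads = [
        (SA, b"\x00\x00\x00\x01" + b"\x00" * 20),    # DOI + situation + placeholder proposal
        (KE, b"\x11" * 128),                          # placeholder DH group 2 public value
        (NONCE, b"\x22" * 20),                        # placeholder nonce
        (ID, ID_HDR.pack(ID_KEY_ID, 17, 500) + group_name),
    ] + [(VID, bytes([v]) * 16) for v in range(5)]   # placeholder vendor IDs, not real ones
    return build_message(AGGRESSIVE, payloads, icookie)


def parse_message(data):
    """Walk the header and payload chain with bounds checks; raise ValueError on malformed input."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data, 0)
    if length != len(data):
        raise ValueError(f"header length {length} != datagram length {len(data)}")
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0:
        if off + GEN_HDR.size > len(data):
            raise ValueError("truncated payload header")
        pnext, _, plen = GEN_HDR.unpack_from(data, off)
        if plen < GEN_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((nxt, data[off + GEN_HDR.size:off + plen]))
        nxt, off = pnext, off + plen
    if off != len(data):
        raise ValueError("trailing bytes after last payload")
    return {"initiator_cookie": ic, "responder_cookie": rc, "exchange": xchg,
            "flags": flags, "msgid": msgid, "payloads": payloads}


def summarize(msg):
    """Render the chain the way the VPN client log does."""
    mode = {MAIN: "MM", AGGRESSIVE: "AG"}.get(msg["exchange"], f"XCHG{msg['exchange']}")
    names = ", ".join(PAYLOAD_NAMES.get(t, f"TYPE{t}") for t, _ in msg["payloads"])
    return f"ISAKMP OAK {mode} ({names})"


def aggressive_group_name(msg):
    """Group name the responder must match against its configured groups, or None."""
    if msg["exchange"] != AGGRESSIVE:
        return None
    for ptype, body in msg["payloads"]:
        if ptype == ID and len(body) >= ID_HDR.size and ID_HDR.unpack_from(body, 0)[0] == ID_KEY_ID:
            return body[ID_HDR.size:].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    msg = parse_message(build_aggressive_first_message("testgroup"))
    print(summarize(msg))   # ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID)
    print("group:", aggressive_group_name(msg))
```

To look at a real negotiation, capture UDP/500 on the router-facing segment and pass each datagram's payload to `parse_message`; the first packet from the client should summarise exactly as the client's own log line, and its ID payload tells you which group name the router is being asked for.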
Expert Comment

by:td_miles
ID: 9894671
Try changing the hash to MD5; the newest VPN clients (> 3.6) don't support that algorithm.

ref (search for "SHA"):
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm
Author Comment

by:DiuQiL
ID: 9894705
I changed configuration to:
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

and to
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!

The errors appear to be the same.

01:28:46: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
01:28:46: ISAKMP: local port 500, remote port 500
01:28:46: ISAKMP (0:1): Setting client config settings 617613EC
01:28:46: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
01:28:46: ISAKMP: Created a peer node for 10.2.2.18
01:28:46: ISAKMP: Locking struct 617613EC from crypto_ikmp_config_initialize_sa
01:28:46: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:46: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:46: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
01:28:46: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:47: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:47: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:47: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:51: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:51: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:51: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:51: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:52: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:52: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:52: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:56: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:56: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:56: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:56: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:57: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:57: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:57: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:29:01: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:29:01: ISAKMP (0:1): processing SA payload. message ID = 0
01:29:01: ISAKMP (0:1): processing ID payload. message ID = 0
01:29:01: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:29:02: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:29:02: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:29:02: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE

Expert Comment

by:td_miles
ID: 9895074
Are you sure the RADIUS is happening ? Try using local authentication and see what happens.

(bear in mind that I am just making suggestions based on past experience, I don't have an exact answer to your problems, so I'm pretty much trying to troubleshoot as I go...)
Expert Comment

by:td_miles
ID: 9895078
what RADIUS server are you using ?
Author Comment

by:DiuQiL
ID: 9895452
Well, I can see no attempt to connect to the RADIUS server. Nothing on the RADIUS end and nothing on the Cisco end, so I tend to think it isn't that?

Radius server is radiator: http://www.open.com.au/radiator/

I've tried a lot of things, including local auth. Both seem to give the same error. Strangely, without any kind of IPsec configuration, the same error results.
Expert Comment

by:lrmoore
ID: 9897258
The reference link shows using groupauthor -radius- that matches the groupauth:

aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius

Your config has one radius, and the other local:
>aaa authentication login userauthen group radius
>aaa authorization network groupauthor local <----

Suggest you change the authorization to radius

You have your policy set for 3DES:
>crypto isakmp policy 3
> encr 3des
Yet, you have your transform set for single DES:
>I changed configuration to:
>crypto ipsec transform-set myset esp-3des esp-md5-hmac
>crypto ipsec transform-set myset esp-des esp-md5-hmac <-- this one won't work unless you also change, add to the policy

You also have the crypto map applied to the Private inside interface. Typically, the users are on the outside and the crypto map would be applied to the external interface.
>interface FastEthernet0
> crypto map clientmap

I can only assume that this is the external interface:
>interface Ethernet3
> ip address 14.38.100.201 255.255.0.0
> no ip mroute-cache
> no keepalive
> shutdown  <--- but I see it is shutdown

So your default route:
>ip route 0.0.0.0 0.0.0.0 14.38.100.1

Goes nowhere since the interface is shutdown...

The router is expecting to pass information from one interface to another. If your RADIUS server is on the same subnet as your VPN client (your VPN client is also on the 10.2.2.x subnet, or it can't hit the Ethernet interface to "connect")

>interface FastEthernet0
> ip address 10.2.2.3 255.255.255.0
> crypto map clientmap

>radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****

Test VPN Client must also be on the same 10.2.2.x subnet, using 10.2.2.3 as its default gateway??

If this is just a lab environment, set the VPN client up on the 14.x.x.x interface, enable the interface, and move the crypto map to that interface...

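The posted config and the points lrmoore raises (AAA list definitions, the transform set named by the dynamic map, where the crypto map is applied, a default route pointing through a shut interface) are all mechanically checkable. Below is an added Python example, not code from the thread or from Cisco, that parses an IOS running-config into sections and reports what an Easy VPN server for the Cisco VPN Client still lacks. One check goes beyond the answers: the `crypto isakmp client configuration group` stanza, which holds the group name and pre-shared key that the client's aggressive-mode ID payload is matched against, does not appear in the posted config; that stanza is part of the Easy VPN Server feature, which not every 12.2 image carries, consistent with the author's later conclusion. The embedded config is the question's, trimmed to the relevant lines; the group and key names used in the usage note are made up.

```python
"""Lint a Cisco IOS running-config for the pieces an Easy VPN (Cisco VPN Client) server needs.

Added example. Only stdlib; POSTED_CONFIG is the question's config trimmed to the lines
the checks look at.
"""
import ipaddress
import re

POSTED_CONFIG = """\
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet3
 ip address 14.38.100.201 255.255.0.0
 shutdown
interface FastEthernet0
 description Private IP Network
 ip address 10.2.2.3 255.255.255.0
 crypto map clientmap
ip local pool ippool 14.1.1.100 14.1.1.200
ip route 0.0.0.0 0.0.0.0 14.38.100.1
"""


def parse_sections(text):
    """IOS configs nest by a single leading space: group each top-level line with its children."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] == " " and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def interfaces(sections):
    """Map interface name -> address (IPv4Interface or None), shutdown flag, applied crypto map."""
    out = {}
    for head, kids in sections:
        m = re.match(r"interface (\S+)", head)
        if not m:
            continue
        info = {"address": None, "shutdown": False, "crypto_map": None}
        for k in kids:
            a = re.match(r"ip address (\S+) (\S+)", k)
            if a:
                info["address"] = ipaddress.IPv4Interface(f"{a.group(1)}/{a.group(2)}")
            elif k == "shutdown":
                info["shutdown"] = True
            elif k.startswith("crypto map "):
                info["crypto_map"] = k.split()[2]
        out[m.group(1)] = info
    return out


def check_easy_vpn(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(text)
    heads = [h for h, _ in sections]
    findings = []

    # 1. AAA lists named on the crypto map must be defined (method local or radius is reported by IOS itself).
    for kind, pat in (("authentication login", r"crypto map (\S+) client authentication list (\S+)"),
                      ("authorization network", r"crypto map (\S+) isakmp authorization list (\S+)")):
        for m in filter(None, (re.match(pat, h) for h in heads)):
            if not any(h.startswith(f"aaa {kind} {m.group(2)} ") for h in heads):
                findings.append(f"crypto map {m.group(1)} references undefined aaa {kind} list {m.group(2)}")

    # 2. The phase-1 policy must offer pre-shared-key authentication for a group/PSK client.
    for head, kids in sections:
        if head.startswith("crypto isakmp policy") and "authentication pre-share" not in kids:
            findings.append(f"{head} does not use pre-share authentication")

    # 3. The transform set named by the dynamic map must exist.
    tsets = {h.split()[3] for h in heads if h.startswith("crypto ipsec transform-set ")}
    for head, kids in sections:
        if head.startswith("crypto dynamic-map"):
            for k in kids:
                if k.startswith("set transform-set ") and k.split()[2] not in tsets:
                    findings.append(f"{head}: transform set {k.split()[2]} is not defined")

    # 4. The group stanza the client's aggressive-mode ID payload is matched against.
    if not any(h.startswith("crypto isakmp client configuration group ") for h in heads):
        findings.append("no 'crypto isakmp client configuration group' stanza: no group name or "
                        "pre-shared key for the client to match (Easy VPN Server feature)")

    # 5. A crypto map only serves the interface it is applied to, and that interface must be up.
    ifs = interfaces(sections)
    applied = {n: i for n, i in ifs.items() if i["crypto_map"]}
    if not applied:
        findings.append("no interface has a crypto map applied")
    for n, i in applied.items():
        if i["shutdown"]:
            findings.append(f"{n} carries crypto map {i['crypto_map']} but is shutdown")

    # 6. The default route's next hop must sit on the subnet of a non-shut interface.
    for m in filter(None, (re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", h) for h in heads)):
        nh = ipaddress.IPv4Address(m.group(1))
        if not any(i["address"] and not i["shutdown"] and nh in i["address"].network for i in ifs.values()):
            findings.append(f"default route next hop {nh} is not on any up interface's subnet")
    return findings


if __name__ == "__main__":
    for f in check_easy_vpn(POSTED_CONFIG):
        print("-", f)
```

Run as a script it prints two findings for the posted config: the missing group stanza and the default route through the shut 14.38.0.0/16 interface. Feed the text of `show running-config` from a live box to `check_easy_vpn` to repeat the checks there; adding a stanza such as `crypto isakmp client configuration group testgroup` with `key` and `pool ippool` children (made-up names) and bringing the external interface up clears both.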
Author Comment

by:DiuQiL
ID: 9903477
Thanks for the response guys. I believe the problem was related to the IOS not supporting IKE aggressive mode. Upon changing systems (seems like the 4500 didn't have an image which supported this) and IOS, the system worked without any problems.

thanks again


Accepted Solution

by:
modulo earned 0 total points
ID: 12437619
PAQed, with points refunded (250)

modulo
Community Support Moderator