DiuQiL
asked on
Cisco VPN Client + IOS Router
Hi there,
I'm trying to establish a test VPN from a Cisco VPN Client to a Cisco 4500 router. I have followed this article, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml, but am having little success.
Current configuration:
Building configuration...
Current configuration : 2403 bytes
!
! Last configuration change at 14:57:16 AUST Mon Dec 8 2003 by console
! NVRAM config last updated at 14:50:26 AUST Mon Dec 8 2003 by console
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname R4500B
!
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
enable secret 5 *********
enable password *****
!
clock timezone AUST 10
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 10.10.19.2 255.255.255.0
no ip mroute-cache
media-type 10BaseT
!
interface Ethernet1
no ip address
no ip proxy-arp
no ip mroute-cache
shutdown
media-type 10BaseT
!
interface Ethernet2
no ip address
no ip mroute-cache
shutdown
media-type 10BaseT
!
interface Ethernet3
ip address 14.38.100.201 255.255.0.0
no ip mroute-cache
no keepalive
shutdown
media-type 10BaseT
!
interface Ethernet4
no ip address
no ip mroute-cache
shutdown
media-type 10BaseT
!
interface Ethernet5
no ip address
no ip proxy-arp
no ip mroute-cache
shutdown
media-type 10BaseT
!
interface FastEthernet0
description Private IP Network
ip address 10.2.2.3 255.255.255.0
full-duplex
crypto map clientmap
!
interface FastEthernet1
no ip address
full-duplex
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.100.1
ip http server
!
access-list 108 permit ip 14.38.0.0 0.0.255.255 14.1.1.0 0.0.0.255
radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****
!
line con 0
exec-timeout 0 0
history size 200
line aux 0
exec-timeout 0 0
history size 200
transport input all
line vty 0 4
exec-timeout 0 0
password cisco
history size 200
!
ntp clock-period 17179808
ntp update-calendar
ntp server 10.2.2.129
end
R4500B#show debugging
General OS:
AAA Authentication debugging is on
AAA Authorization debugging is on
Radius protocol debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on
BER debug output debugging is on
verbose debug output debugging is on
Router Output:
00:53:07: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
00:53:07: ISAKMP: local port 500, remote port 500
00:53:07: ISAKMP (0:1): Setting client config settings 6188A7F0
00:53:07: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
00:53:07: ISAKMP: Created a peer node for 10.2.2.18
00:53:07: ISAKMP: Locking struct 6188A7F0 from crypto_ikmp_config_initialize_sa
00:53:07: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:07: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:07: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
00:53:07: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:08: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:08: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:12: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:12: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:12: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:12: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:13: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:13: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:13: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:17: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:17: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:17: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:18: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:18: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:22: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:23: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:23: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:23: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:24: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:24: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:24: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:56:32: ISAKMP: quick mode timer expired.
00:56:32: ISAKMP (0:1): peer does not do paranoid keepalives.
00:56:32: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 10.2.2.18) input queue 0
00:56:32: ISAKMP: Unlocking struct 6188A7F0 on return of attributes
00:57:32: ISAKMP (0:1): purging SA., sa=61889DC4, delme=61889DC4
00:57:32: CryptoEngine0: delete connection 1
00:57:40: ISAKMP: Deleting peer node for 10.2.2.18
Client Output:
24 16:21:21.134 12/08/03 Sev=Info/4 CM/0x63100002
Begin connection process
25 16:21:21.144 12/08/03 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
26 16:21:21.144 12/08/03 Sev=Info/4 CM/0x63100024
Attempt connection with server "10.2.2.3"
27 16:21:21.144 12/08/03 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 10.2.2.3.
28 16:21:21.224 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 10.2.2.3
29 16:21:21.835 12/08/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
30 16:21:26.241 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
31 16:21:31.248 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
32 16:21:36.255 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
33 16:21:41.262 12/08/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
34 16:21:41.262 12/08/03 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "10.2.2.3" because of "DEL_REASON_PEER_NOT_RESPONDING"
35 16:21:41.262 12/08/03 Sev=Info/5 CM/0x63100027
Initializing CVPNDrv
36 16:21:41.363 12/08/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
37 16:21:42.374 12/08/03 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
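The two logs above show the same failure from both ends: the router logs an aggressive-mode failure immediately after processing the ID payload and then reports that it has no outgoing Phase 1 packet to retransmit, so the client never receives anything and only sees its own retransmissions followed by "peer is not responding". The script below is an added example, not code from the original post; it walks both logs and tells "the client's packets never arrived" apart from "the responder dropped the proposal before replying", which is the distinction that decides whether to look at the network or at the gateway. The log excerpts are constructed from the output above (one cycle of the exchange); the "sending packet to" pattern used to count router replies is an assumption about the IOS debug format and does not occur in these logs.

```python
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the router debug and client log in the question
# (one cycle of the exchange; the real logs repeat it several times).
ROUTER_LOG = """\
00:53:07: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
00:53:07: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:07: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:07: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
00:53:08: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:08: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:12: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:12: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:12: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:13: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:56:32: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 10.2.2.18) input queue 0
"""
CLIENT_LOG = """\
28 16:21:21.224 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 10.2.2.3
30 16:21:26.241 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
31 16:21:31.248 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
32 16:21:36.255 12/08/03 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3
33 16:21:41.262 12/08/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
"""

RX_INBOUND   = re.compile(r"received packet from (\S+) \([NRI]\)")
RX_PAYLOAD   = re.compile(r"processing (\w+) payload")
RX_MODE_FAIL = re.compile(r"IKMP_MODE_FAILURE: Processing of (\w+) mode failed with peer at (\S+)")
RX_OUTBOUND  = re.compile(r"sending packet to (\S+)")  # assumed format of the line IOS prints when it does reply
RX_NO_OUT    = re.compile(r"no outgoing phase 1 packet to retransmit")
RX_CL_SEND   = re.compile(r"SENDING >>> ISAKMP OAK (AG|MM) \((Retransmission|[^)]*)\)")
RX_CL_FAIL   = re.compile(r"peer is not responding")

@dataclass
class RouterView:
    peer: str = ""
    mode: str = ""          # "Aggressive" or "Main", from the %CRYPTO-6-IKMP_MODE_FAILURE syslog
    failed_after: str = ""  # last payload processed before that syslog
    inbound: int = 0        # packets received from the peer
    outbound: int = 0       # packets the router sent back
    no_outgoing: int = 0    # "no outgoing phase 1 packet" notices

def triage_router(log: str) -> RouterView:
    """One pass over 'debug crypto isakmp' output: what did the responder actually do?"""
    v, last_payload = RouterView(), ""
    for line in log.splitlines():
        if m := RX_INBOUND.search(line):
            v.peer, v.inbound = v.peer or m.group(1), v.inbound + 1
        elif m := RX_PAYLOAD.search(line):
            last_payload = m.group(1)
        elif m := RX_MODE_FAIL.search(line):
            v.mode, v.peer = m.group(1), m.group(2)
            v.failed_after = v.failed_after or last_payload
        elif RX_OUTBOUND.search(line):
            v.outbound += 1
        elif RX_NO_OUT.search(line):
            v.no_outgoing += 1
    return v

@dataclass
class ClientView:
    mode: str = ""
    first_payloads: str = ""
    retransmits: int = 0
    gave_up: bool = False

def triage_client(log: str) -> ClientView:
    """Same idea for the VPN Client log: what was sent, how often, and how it ended."""
    v = ClientView()
    for line in log.splitlines():
        if m := RX_CL_SEND.search(line):
            v.mode = m.group(1)
            if m.group(2) == "Retransmission":
                v.retransmits += 1
            else:
                v.first_payloads = m.group(2)
        elif RX_CL_FAIL.search(line):
            v.gave_up = True
    return v

def verdict(r: RouterView, c: ClientView) -> str:
    """Separate 'packets never arrived' from 'responder dropped the proposal before replying'."""
    if r.inbound == 0 and c.retransmits:
        return "network: the client's packets never reached the router (path, ACL, UDP/500)"
    if r.mode and r.outbound == 0 and r.no_outgoing:
        return (f"gateway: {r.mode} mode rejected while processing the {r.failed_after} payload "
                f"and no reply was ever sent; the client's 'peer is not responding' is only the "
                f"symptom, so fix the router side (mode support, ISAKMP policy, group identity)")
    if r.mode:
        return f"gateway: {r.mode} mode failed after at least one reply; inspect the later payloads"
    return "no Phase 1 failure recorded on the router"

if __name__ == "__main__":
    print(verdict(triage_router(ROUTER_LOG), triage_client(CLIENT_LOG)))
```

Run against the constructed excerpts it reports the gateway-side verdict: two inbound packets, zero replies, and a failure recorded at the ID payload. The point is that a client-side "peer is not responding" is not evidence of a reachability problem when the responder's own debug shows the packets arriving and being rejected.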
ASKER
I changed configuration to:
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
and to
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
The errors appear to be the same.
01:28:46: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
01:28:46: ISAKMP: local port 500, remote port 500
01:28:46: ISAKMP (0:1): Setting client config settings 617613EC
01:28:46: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
01:28:46: ISAKMP: Created a peer node for 10.2.2.18
01:28:46: ISAKMP: Locking struct 617613EC from crypto_ikmp_config_initialize_sa
01:28:46: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:46: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:46: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
01:28:46: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:47: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:47: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:47: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:51: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:51: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:51: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:51: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:52: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:52: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:52: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:56: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:56: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:56: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:56: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:57: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:57: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:57: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:29:01: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:29:01: ISAKMP (0:1): processing SA payload. message ID = 0
01:29:01: ISAKMP (0:1): processing ID payload. message ID = 0
01:29:01: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:29:02: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:29:02: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:29:02: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
Are you sure the RADIUS exchange is happening? Try using local authentication and see what happens.
(bear in mind that I am just making suggestions based on past experience, I don't have an exact answer to your problems, so I'm pretty much trying to troubleshoot as I go...)
What RADIUS server are you using?
ASKER
Well, I can see no attempt to connect to the RADIUS server. Nothing on the RADIUS end and nothing on the Cisco end, so I tend to think it isn't that?
Radius server is Radiator: http://www.open.com.au/radiator/
I've tried a lot of things, including local auth. Both seem to give the same error. Strangely, without any kind of IPsec configuration, the same error results.
The reference link shows using groupauthor -radius- that matches the groupauth:
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
Your config has one radius, and the other local:
>aaa authentication login userauthen group radius
>aaa authorization network groupauthor local <----
Suggest you change the authorization to radius
You have your policy set for 3DES:
>crypto isakmp policy 3
> encr 3des
Yet, you have your transform set for single DES:
>I changed configuration to:
>crypto ipsec transform-set myset esp-3des esp-md5-hmac
>crypto ipsec transform-set myset esp-des esp-md5-hmac <-- this one won't work unless you also change, add to the policy
You also have the crypto map applied to the Private inside interface. Typically, the users are on the outside and the crypto map would be applied to the external interface.
>interface FastEthernet0
> crypto map clientmap
I can only assume that this is the external interface:
>interface Ethernet3
> ip address 14.38.100.201 255.255.0.0
> no ip mroute-cache
> no keepalive
> shutdown <--- but I see it is shutdown
So your default route:
>ip route 0.0.0.0 0.0.0.0 14.38.100.1
Goes nowhere since the interface is shutdown...
The router is expecting to pass information from one interface to another. If you radius server is on the same subnet as your VPN client (your VPN client is also on 10.2.2.x subnet, or it can't hit the ethernet interface to "connect")
>interface FastEthernet0
> ip address 10.2.2.3 255.255.255.0
> crypto map clientmap
>radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****
Test VPN Client must also be on the same 10.2.2.x subnet, using 10.2.2.3 as its default gateway??
If this is just a lab environment, set the VPN client up on the 14.x.x.x interface, enable the interface, and move the crypto map to that interface...
ASKER
Thanks for the response guys. I believe the problem was related to the IOS not supporting IKE aggressive mode. Upon changing systems (seems like the 4500 didn't have an image which supported this) and IOS, the system worked without any problems.
thanks again
ASKER CERTIFIED SOLUTION
ref (search for "SHA"):
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm