Cisco VPN Client + IOS Router

Hi there,
           I'm trying to establish a test VPN from a cisco vpn client to a cisco 4500 router. I have followed this article, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml, but am having little success.  

Current configuration:
Building configuration...

Current configuration : 2403 bytes
!
! Last configuration change at 14:57:16 AUST Mon Dec 8 2003 by console
! NVRAM config last updated at 14:50:26 AUST Mon Dec 8 2003 by console
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname R4500B
!
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
enable secret 5 *********
enable password *****
!
clock timezone AUST 10
ip subnet-zero
no ip domain-lookup
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 10.10.19.2 255.255.255.0
 no ip mroute-cache
 media-type 10BaseT
!
interface Ethernet1
 no ip address
 no ip proxy-arp
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet2
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet3
 ip address 14.38.100.201 255.255.0.0
 no ip mroute-cache
 no keepalive
 shutdown
 media-type 10BaseT
!
interface Ethernet4
 no ip address
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface Ethernet5
 no ip address
 no ip proxy-arp
 no ip mroute-cache
 shutdown
 media-type 10BaseT
!
interface FastEthernet0
 description Private IP Network
 ip address 10.2.2.3 255.255.255.0
 full-duplex
 crypto map clientmap
!
interface FastEthernet1
 no ip address
 full-duplex
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 14.38.100.1
ip http server
!
access-list 108 permit ip 14.38.0.0 0.0.255.255 14.1.1.0 0.0.0.255
radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****
!
line con 0
 exec-timeout 0 0
 history size 200
line aux 0
 exec-timeout 0 0
 history size 200
 transport input all
line vty 0 4
 exec-timeout 0 0
 password cisco
 history size 200
!
ntp clock-period 17179808
ntp update-calendar
ntp server 10.2.2.129
end




R4500B#show debugging
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
Radius protocol debugging is on
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto Engine debugging is on
  Crypto IPSEC debugging is on
  BER debug output debugging is on
  verbose debug output debugging is on

Router Output:
00:53:07: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
00:53:07: ISAKMP: local port 500, remote port 500
00:53:07: ISAKMP (0:1): Setting client config settings 6188A7F0
00:53:07: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
00:53:07: ISAKMP: Created a peer node for 10.2.2.18
00:53:07: ISAKMP: Locking struct 6188A7F0 from crypto_ikmp_config_initialize_sa
00:53:07: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:07: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:07: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
00:53:07: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:08: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:08: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:08: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:12: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:12: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:12: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:12: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:13: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:13: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:13: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:17: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:17: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:17: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:17: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:18: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:18: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:18: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:53:22: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
00:53:23: ISAKMP (0:1): processing SA payload. message ID = 0
00:53:23: ISAKMP (0:1): processing ID payload. message ID = 0
00:53:23: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
00:53:24: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
00:53:24: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
00:53:24: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
00:56:32: ISAKMP: quick mode timer expired.
00:56:32: ISAKMP (0:1): peer does not do paranoid keepalives.

00:56:32: ISAKMP (0:1): deleting SA reason "QM_TIMER expired" state (R) AG_NO_STATE (peer 10.2.2.18) input queue 0
00:56:32: ISAKMP: Unlocking struct 6188A7F0 on return of attributes
00:57:32: ISAKMP (0:1): purging SA., sa=61889DC4, delme=61889DC4
00:57:32: CryptoEngine0: delete connection 1
00:57:40: ISAKMP: Deleting peer node for 10.2.2.18



Client Output:
24     16:21:21.134  12/08/03  Sev=Info/4        CM/0x63100002
Begin connection process

25     16:21:21.144  12/08/03  Sev=Info/4        CM/0x63100004
Establish secure connection using Ethernet

26     16:21:21.144  12/08/03  Sev=Info/4        CM/0x63100024
Attempt connection with server "10.2.2.3"

27     16:21:21.144  12/08/03  Sev=Info/6        IKE/0x6300003B
Attempting to establish a connection with 10.2.2.3.

28     16:21:21.224  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID, VID) to 10.2.2.3

29     16:21:21.835  12/08/03  Sev=Info/4        IPSEC/0x63700014
Deleted all keys

30     16:21:26.241  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

31     16:21:31.248  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

32     16:21:36.255  12/08/03  Sev=Info/4        IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 10.2.2.3

33     16:21:41.262  12/08/03  Sev=Warning/2        IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

34     16:21:41.262  12/08/03  Sev=Info/4        CM/0x63100014
Unable to establish Phase 1 SA with server "10.2.2.3" because of "DEL_REASON_PEER_NOT_RESPONDING"

35     16:21:41.262  12/08/03  Sev=Info/5        CM/0x63100027
Initializing CVPNDrv

36     16:21:41.363  12/08/03  Sev=Warning/3        DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

37     16:21:42.374  12/08/03  Sev=Info/4        IPSEC/0x63700014
Deleted all keys
LVL 1
DiuQiLAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

td_milesCommented:
try changing the hash to MD5, the newest VPN clients (> 3.6) don't support algorithm.

ref (search for "SHA"):
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/3_6/361_clnt.htm
0
DiuQiLAuthor Commented:
I changed configuration to:
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

and to
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!

The errors appear to be the same.

01:28:46: ISAKMP (0:0): received packet from 10.2.2.18 (N) NEW SA
01:28:46: ISAKMP: local port 500, remote port 500
01:28:46: ISAKMP (0:1): Setting client config settings 617613EC
01:28:46: ISAKMP (0:1): (Re)Setting client xauth list userauthen and state
01:28:46: ISAKMP: Created a peer node for 10.2.2.18
01:28:46: ISAKMP: Locking struct 617613EC from crypto_ikmp_config_initialize_sa
01:28:46: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:46: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:46: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.2.2.18
01:28:46: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:47: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:47: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:47: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:51: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:51: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:51: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:51: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:52: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:52: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:52: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:28:56: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:28:56: ISAKMP (0:1): processing SA payload. message ID = 0
01:28:56: ISAKMP (0:1): processing ID payload. message ID = 0
01:28:56: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:28:57: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:28:57: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:28:57: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE
01:29:01: ISAKMP (0:1): received packet from 10.2.2.18 (R) AG_NO_STATE
01:29:01: ISAKMP (0:1): processing SA payload. message ID = 0
01:29:01: ISAKMP (0:1): processing ID payload. message ID = 0
01:29:01: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
01:29:02: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
01:29:02: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
01:29:02: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE

0
td_milesCommented:
Are you sure the RADIUS is happening ? Try using local authentication and see what happens.

(bear in mind that I am just making suggestions based on past experience, I don't have an exact answer to your problems, so I'm pretty much trying to troubleshoot as I go...)
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

td_milesCommented:
what RADIUS server are you using ?
0
DiuQiLAuthor Commented:
Well, i can see no attempt to connect to the radius server. Nothing on radius end and nothing on cisco end, so i tend to think it isnt that ?

Radius server is radiator: http://www.open.com.au/radiator/

I've tried alot of things, including local auth. Both seem to give the same error.  Strangely, without any kind of ipsec configuration, the same error results.
0
lrmooreCommented:
The reference link shows using groupauthor -radius- that matches the groupauth:

aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius

Your config has one radius, and the other local:
>aaa authentication login userauthen group radius
>aaa authorization network groupauthor local <----

Suggest you change the authorization to radius

You have your policy set for 3DES:
>crypto isakmp policy 3
> encr 3des
Yet, you have your transform set for single DES:
>I changed configuration to:
>crypto ipsec transform-set myset esp-3des esp-md5-hmac
>crypto ipsec transform-set myset esp-des esp-md5-hmac <-- this one won't work unless you also change, add to the policy

You also have the crypto map applied to the Private inside interface. Typically, the users are on the outside and the crypto map would be applied to the external interface.
>interface FastEthernet0
> crypto map clientmap

I can only assume that this is the external interface:
>interface Ethernet3
> ip address 14.38.100.201 255.255.0.0
> no ip mroute-cache
> no keepalive
> shutdown  <--- but I see it is shutdown

So your default route:
>ip route 0.0.0.0 0.0.0.0 14.38.100.1

Goes nowhere since the interface is shutdown...

The router is expecting to pass information from one interface to another. If you radius server is on the same subnet as your VPN client (your VPN client is also on 10.2.2.x subnet, or it can't hit the ethernet interface to "connect")

>interface FastEthernet0
> ip address 10.2.2.3 255.255.255.0
> crypto map clientmap

>radius-server host 10.2.2.129 auth-port 1645 acct-port 1646 key *****

Test VPN Client must also be on the same 10.2.2.x subnet, using 10.2.2.3 as it's default gateway??

If this is just a lab environment, set the VPN client up on the 14.x.x.x interface, enable the interface, and move the cry map to that interface...

0
DiuQiLAuthor Commented:
Thanks for the response guys. I believe the problem was related to the IOS not supporting IKE - agressive mode.  Upon changing systems (Seems like the 4500 didnt have an image which supported this) and IOS, the system worked without any problems.

thanks again

0
moduloCommented:
PAQed, with points refunded (250)

modulo
Community Support Moderator
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.