greenbeanx81

VPN clients not connecting. "No private IP address was assigned by the peer" in vpn client log

Hello All,

I have a client that is having a problem connecting to VPN using Cisco VPN client 5.0. He was fine until we configured his router with an additional T1 for the internet. When I have a client connect to the router I am not receiving isakmp or ipsec debugging information. On the VPN client side the log says "No private IP address was assigned by the peer". We did not change any config related to VPN access. The full router configuration and VPN client log are below. Any suggestions? Nothing makes sense as to why this is happening.

1841 router configuration

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname nYko-HQ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$tB5L$oW20fbjyF3Sqr4PwiVwEM1
!
aaa new-model
!
!
aaa authentication login l-authen local
aaa authentication login no-authen none
aaa authorization network l-author local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
no ip domain lookup
ip name-server 198.6.1.2
!
!
crypto pki trustpoint TP-self-signed-1617998121
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1617998121
 revocation-check none
 rsakeypair TP-self-signed-1617998121
!
!
crypto pki certificate chain TP-self-signed-1617998121
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363137 39393831 3231301E 170D3038 30313235 31303539
  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36313739
  39383132 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BE0A 43FDD49E D5BA30EA D4075326 AFBC4964 92427DB2 E8E6EAC2 20E4BD7E
  7C6BAEEC 2EBA0051 F6F12B3C 9980B7B7 48B243C0 5FC92C01 321BC241 9426B0C9
  393CBA78 A1866CF3 2317E7F7 FAF656B4 B2738730 A22CB458 BB6946EE 21FD31CB
  9D952C75 32742692 6F83A065 6D178D25 8C4BE9FA A08E1391 6304A752 84F1C487
  45490203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 076E596B 6F2D4851 301F0603 551D2304 18301680 148F6FD0
  9CAAC43F A62B598F 65364758 598EB9E5 13301D06 03551D0E 04160414 8F6FD09C
  AAC43FA6 2B598F65 36475859 8EB9E513 300D0609 2A864886 F70D0101 04050003
  81810003 A0CD507C 740B98BE 6B0F14BC E66BA46A D414D100 F3A3B99A E90EC616
  D944E22A 7B4AB754 1236899D C1F4D8C3 C10DD323 C04FC816 2979C287 FAE6CAE3
  394FD61B FCD052FC 3C1A6FA0 21A48AF5 EF1D170C 78B8EEDD 9422DCD2 31024E02
  8CA5698C 7144FAB2 9440D76D 0ADCA7BF AB9D70DC 8C38B322 C265A80B E297EBEC A82C85
  quit
username netops privilege 15 secret 5 $1$5B3O$RJC9xKbbb/viPl/UBkBod1
username nspectre privilege 15 secret 5 $1$Usu7$hpeivx3NmH0yJS0FlbzOA.
username nyko_ezvpn secret 5 $1$b29u$j6YWWj3HKi8XELtinuODO/
!
!
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group NYKOEZVPN
 key nYko_Connect
 dns 198.6.100.25 198.6.1.146
 domain nyko.com
 pool nyko_pool
!
!
crypto ipsec transform-set nyko_set esp-3des esp-sha-hmac
!
crypto dynamic-map nyko_dynmap 50
 set transform-set nyko_set
 reverse-route
!
!
crypto map secure client authentication list l-authen
crypto map secure isakmp authorization list l-author
crypto map secure client configuration address respond
crypto map secure 50 ipsec-isakmp dynamic nyko_dynmap
!
!
!
interface MFR1
 mtu 4470
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 no arp frame-relay
 frame-relay multilink bid to gw
 frame-relay lmi-type ansi
!
interface MFR1.500 point-to-point
 ip address 63.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 500 IETF  
 crypto map secure
!
interface FastEthernet0/0
 ip address 192.168.110.254 255.255.255.0 secondary
 ip address 63.x.x.x 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 description To Verizon (U49456)
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay MFR1
 load-interval 30
 service-module t1 timeslots 1-24
 no arp frame-relay
!
interface Serial0/1/0
 mtu 4470
 bandwidth 1536
 no ip address
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay MFR1
 load-interval 30
 service-module t1 timeslots 1-24
 no arp frame-relay
!
ip local pool nyko_pool 172.16.110.50 172.16.110.55
no ip classless
ip route 0.0.0.0 0.0.0.0 MFR1.500
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 192.168.110.111 9996
ip flow-top-talkers
 top 25
 sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool TheNet 63.x.x.x 63.x.x.x netmask 255.255.255.224
ip nat inside source route-map NONAT pool TheNet overload
ip nat inside source static tcp 192.168.110.222 407 63.x.x.x 407 extendable
ip nat inside source static tcp 192.168.110.250 5250 63.x.x.x 5250 extendable
ip nat inside source static tcp 192.168.110.250 5251 63.x.x.x 5251 extendable
ip nat inside source static tcp 192.168.110.250 5631 63.x.x.x 5633 extendable
ip nat inside source static tcp 192.168.110.250 5632 63.x.x.x 5634 extendable
!
access-list 1 deny   63.x.x.x
access-list 1 deny   192.168.110.254
access-list 1 permit 192.168.110.0 0.0.0.255
access-list 100 permit ip any host 63.x.x.x
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit tcp any host 63.x.x.x eq 5634
access-list 101 permit tcp any host 63.x.x.x eq 5633
access-list 101 permit tcp any host 63.x.x.x eq 5251
access-list 101 permit tcp any host 63.x.x.x eq 5250
access-list 101 permit tcp any host 63.x.x.x eq 407
access-list 101 permit udp host 198.6.100.25 eq domain host 63.x.x.x
access-list 101 permit udp host 198.6.1.146 eq domain host 63.x.x.x
access-list 101 permit udp host 198.6.1.2 eq domain host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 199.171.54.34 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 199.171.54.42 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 153.39.16.40 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 153.39.16.42 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 147.225.26.91 host 63.x.x.x
access-list 101 remark VerizonBusiness Uptime Monitor
access-list 101 permit icmp host 147.225.26.93 host 63.x.x.x
access-list 101 remark Access for Barry Reyes
access-list 101 permit ip host 66.x.x.x host 63.x.x.x
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 110 deny   ip 192.168.110.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 192.168.110.0 0.0.0.255 any
snmp-server community NYKODOM RO
snmp-server ifindex persist
!
!
route-map NONAT permit 10
 match ip address 110
!
!
!
control-plane
!
!
line con 0
 login authentication no-authen
line aux 0
 login authentication no-authen
line vty 0 4
 privilege level 15
 login authentication l-authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17177880
ntp server 192.43.244.18
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


VPN client log:

Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

1      14:08:22.884  02/04/08  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 63.117.127.65.

2      14:08:22.914  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 63.117.127.65

3      14:08:22.995  02/04/08  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

4      14:08:22.995  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

5      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

6      14:08:23.055  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 63.117.127.65

7      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

8      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports DPD

9      14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

10     14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

11     14:08:23.055  02/04/08  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

12     14:08:23.085  02/04/08  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

13     14:08:23.085  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 63.117.127.65

14     14:08:23.085  02/04/08  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

15     14:08:23.085  02/04/08  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x0670, Remote Port = 0x1194

16     14:08:23.085  02/04/08  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

17     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

18     14:08:23.115  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 63.117.127.65

19     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

20     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

21     14:08:23.115  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

22     14:08:23.115  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

23     14:08:25.338  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

24     14:08:25.398  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

25     14:08:25.398  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

26     14:08:25.398  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

27     14:08:25.428  02/04/08  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

28     14:08:25.428  02/04/08  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

29     14:08:25.428  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 63.117.127.65

30     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

31     14:08:25.458  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 63.117.127.65

32     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 198.6.100.25

33     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 198.6.1.146

34     14:08:25.458  02/04/08  Sev=Info/5      IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-972684910) is not supported

35     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

36     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = nyko.com

37     14:08:25.458  02/04/08  Sev=Info/5      IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLITDNS_NAME attribute with no data

38     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(6)T6, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 08-Dec-06 13:36 by kellythw

39     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

40     14:08:25.458  02/04/08  Sev=Warning/2      IKE/0xE3000023
No private IP address was assigned by the peer

41     14:08:25.458  02/04/08  Sev=Warning/2      IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

42     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF) reason = DEL_REASON_IKE_NEG_FAILED

43     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 63.117.127.65

44     14:08:25.468  02/04/08  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 63.117.127.65

45     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF

46     14:08:25.468  02/04/08  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 63.117.127.65

47     14:08:28.493  02/04/08  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=46F085CE878BCB3D R_Cookie=B401A837E9423FDF) reason = DEL_REASON_IKE_NEG_FAILED

48     14:08:28.523  02/04/08  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

49     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

50     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

51     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

52     14:08:29.004  02/04/08  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
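
Added example (not part of the original post, and not Cisco's own tooling): a small Python parser for the client log format shown above that collects the MODE_CFG_REPLY attributes the router pushed and reports whether an address was among them. The attribute name INTERNAL_IPV4_ADDRESS is an assumption modelled on the INTERNAL_IPV4_DNS lines in this log, and the sample input is a constructed excerpt.

```python
import re

# Constructed sample: a shortened excerpt in the same format as the log above.
SAMPLE_LOG = """\
32     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 198.6.100.25

36     14:08:25.458  02/04/08  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = nyko.com

40     14:08:25.458  02/04/08  Sev=Warning/2      IKE/0xE3000023
No private IP address was assigned by the peer
"""

# Event header: sequence, time, date, severity/level, component/message code.
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\d\d/\d\d/\d\d)\s+"
    r"Sev=(\w+)/(\d+)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
# Attribute lines appear both as "NAME: , value = X" and "NAME, value = X".
ATTR = re.compile(r"^MODE_CFG_REPLY: Attribute = ([^:,]+?)\s*:?\s*, value = (.*)$")

def parse_events(text):
    """Group the log into events: one header line plus its message lines."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m.group(1)), "sev": m.group(4),
                           "code": m.group(7), "msg": []})
        elif line.strip() and events:
            events[-1]["msg"].append(line.strip())
    return events

def mode_cfg_summary(text):
    """Return pushed attributes, whether an address was assigned, and warnings."""
    events = parse_events(text)
    attrs = {}
    for ev in events:
        for line in ev["msg"]:
            m = ATTR.match(line)
            if m:
                attrs[m.group(1)] = m.group(2)
    warnings = [(e["seq"], e["code"], " ".join(e["msg"]))
                for e in events if e["sev"] != "Info"]
    # Assumed attribute name for the address pushed from the pool.
    return {"attributes": attrs, "warnings": warnings,
            "address_assigned": "INTERNAL_IPV4_ADDRESS" in attrs}
```

Run against the full log, this separates "the router answered mode config but sent no address" from failures earlier in the exchange, such as Xauth or group authentication.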

ryansoto

Where is your VPN group config? I didn't see that.
greenbeanx81

ASKER

crypto isakmp client configuration group NYKOEZVPN
 key nYko_Connect
 dns 198.6.100.25 198.6.1.146
 domain nyko.com
 pool nyko_pool

This is in the router config
ASKER CERTIFIED SOLUTION
ryansoto
This solution is only available to members.
We had to rebuild the VPN config on the router. SDM was messing up the config. I'm not sure how the config worked before.
You mean the web interface, right? If so, yes, this happened on my 501 unit, so we used nothing but command line since