ixarissysadmin (Malta) asked:

Can't connect Cisco VPN client

I'm using Cisco VPN client v5.0.00.0340.
I set the group user/pass but can't get the VPN up.

VPN client reports this error:
Invalid SPI size (PayloadNotify:116)

13:44:27.328  07/19/08  Sev=Info/4      IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)


sh ver snippet:
Cisco 1841 (revision 7.0) with 116736K/14336K bytes of memory.
Processor board ID FHK114529MR
2 FastEthernet interfaces
1 ATM interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Current configuration : 8097 bytes
!
! Last configuration change at 13:53:41 Summer Sat Jul 19 2008 by justin
! NVRAM config last updated at 02:56:25 Summer Sat Jul 19 2008 by justin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$cbC/$1H57GReYyRb97.CBGCjYM/
!
aaa new-model
!
!
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone GMT 0
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.5
!
ip dhcp pool XXXXXX
   import all
   network 192.168.1.0 255.255.255.240
   default-router 192.168.1.14
   dns-server 217.15.97.20
   lease 8
!
!
ip domain name XXXXX.com
!
!
!
username XXXXXX privilege 0 secret 5 XXXXXXXx
!
!
ip ssh time-out 60
ip ssh version 2
!
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 5
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group 3000client
 key XXXXXXXX
 dns 10.0.0.2
 wins 10.0.0.2
 domain XXX.local
 pool vpn_pool
 acl 108
 save-password
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface Loopback0
 ip address 10.254.254.254 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.1.14 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/0/0.2 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 8/35
  protocol bridge
  encapsulation aal5snap
 !
!
interface ATM0/0/0.3 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 8/36
  protocol bridge
  encapsulation aal5snap
 !
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXX password 7 XXXXX
 ppp ipcp header-compression ack
 ppp ipcp dns request accept
 ppp ipcp predictive
 crypto map clientmap
!
interface BVI1
 mac-address 0025.0c7a.047c
 ip address 172.21.2.175 255.255.240.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool vpn_pool 10.0.253.1 10.0.253.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.10.0.0 255.255.0.0 172.21.0.254
ip route 192.168.106.0 255.255.255.0 172.21.0.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface BVI1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source static udp 10.0.0.19 12345 interface Dialer1 12345
!
ip access-list standard VTY-LOGIN
 permit 10.0.0.0 0.0.0.255
!
access-list 1 permit 10.0.0.10
access-list 1 permit 10.0.0.11
access-list 1 permit 10.0.0.14
access-list 1 permit 10.0.0.12
access-list 1 permit 10.0.0.13
access-list 1 deny   10.0.0.0 0.0.0.255
access-list 2 deny   10.0.0.10
access-list 2 deny   10.0.0.11
access-list 2 deny   10.0.0.14
access-list 2 deny   10.0.0.12
access-list 2 deny   10.0.0.13
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 108 permit ip 10.0.0.0 0.0.0.255 10.0.253.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.15 10.0.253.0 0.0.0.255
access-list 110 permit ip any 10.0.0.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^C Disconnect IMMEDIATELY if you are not an authorized user!!!!^C
!
line con 0
line aux 0
line vty 0 4
 access-class VTY-LOGIN in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178519
ntp server 64.113.32.5
ntp server 69.25.96.13
end


ck459 (Belgium):

I think you are missing this line:
aaa authentication login userauthen local

Test with a locally configured username/password combination.
Kurt
 
ASKER (ixarissysadmin):

True, that was missing and I added it.

However, the error is still exactly the same. The problem seems to be with ISAKMP
on the router; I get the following error (just this):

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at IPIPIPIP
ck459:
Can you include the output of debug crypto isakmp?
Could you also do another attempt with the DH group set to 2 instead of 5?
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
 
Kurt
ASKER:
Using group 2 got me a couple of steps forward. I was prompted for user, then got connected to the VPN.

Any idea how I can get the client to use group 5?

Ping to internal hosts works, but replies come from the external IP of the router, not the internal IP I ping! Likewise, pings to vacant internal IPs get no reply, so that part is working OK. However, TCP traffic is not passing through, so telnet to any internal service times out.
FYI, here's a snippet from my ipconfig:

Ethernet adapter Local Area Connection 4:

        Connection-specific DNS Suffix  . : XXXXXX.local
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.0.253.1
        Subnet Mask . . . . . . . . . . . : 255.0.0.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.0.0.2
        Primary WINS Server . . . . . . . : 10.0.0.2
ck459:
DH group 5 will work if you use digital certificates to authenticate the IKE phase. For preshared keys it is not supported.
Regarding your last problem: I do see that there is an overlap in IP range between the VPN user range (10.0.253.0 /8) and the LAN range. Can you try to assign another range and see what this gives? Normally the subnet mask assigned by the VPN pool should be 255.255.255.255, but in your case I see 255.0.0.0...
Kurt
ck459:
I would go for a 192.168.x.0 address. Also modify ACL 108 to reflect this change.
Kurt
ASKER:
OK, I see that a subnet of 255.0.0.0 is no good.

Switching to 192.168 will fix the IP, but not the subnet, right? If I change the subnet the client is being assigned to 255.255.255.255, that should fix the problem.

I only have the 10.0.0.X class C set up on that router, so using 10.0.253 should not interfere.
ck459:
You cannot change the mask in the IP pool, I think. That's why I wanted to try with a 192.168 address, as I think you will get assigned a /24 at that point. Just a test, as the rest looks quite OK to me. Still looking to see what the issue can be...
Kurt
ck459:
Should've noticed this right away, but your returning traffic is being NATed, while it should not be. What you need to do is create a NAT statement that excludes traffic for the tunnel and includes all the rest.
See the attached config guidelines:

access-list 102 deny ip any 10.0.253.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any 
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
 
 
route-map ROUTE_MAP permit 1 
match ip address 102 
 
ip nat inside source route-map ROUTE_MAP interface Dialer0 overload 


Dialer0 should be Dialer1, of course.
ASKER:
Same problem.

My subnet is still a /8, and as you rightly pointed out earlier it should be a /32.

I am attaching the routes which are added to the client when the VPN is connected:
Network Destination        Netmask          Gateway       Interface  Metric    
         10.0.0.0        255.0.0.0       10.0.253.4      10.0.253.4       25    
         10.0.0.0    255.255.255.0         10.0.0.1      10.0.253.4       1     
       10.0.253.4  255.255.255.255        127.0.0.1       127.0.0.1       25    
   10.255.255.255  255.255.255.255       10.0.253.4      10.0.253.4       25    
     192.168.0.10  255.255.255.255    192.168.0.111   192.168.0.111       1     
      192.168.1.0  255.255.255.240         10.0.0.1      10.0.253.4       1
  195.158.111.122  255.255.255.255      192.168.0.1   192.168.0.111       1
        224.0.0.0        240.0.0.0       10.0.253.4      10.0.253.4       25
Default Gateway:       192.168.0.1


ck459:
Did you try my last NAT example? The returning traffic from your internal network to the VPN client is NATed (that's why you get a reply from the public IP address instead of the real internal address, and that is also why TCP connections don't work).
You need to remove the current NATing over Dialer1 and replace it with the route-map NAT config I included in my last comment.
As you can see from the route map, traffic from the inside to the VPN IP range will not be NATed, and is sent over the VPN tunnel to the VPN client.
Kurt
ASKER:
Yes, I did all you suggested. I am attaching the updated config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 informational
no logging console
no logging monitor
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone GMT 0
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.5
!
ip dhcp pool XXXXX
   import all
   network 192.168.1.0 255.255.255.240
   default-router 192.168.1.14
   dns-server 217.15.97.20
   lease 8
!
!
ip domain name XXXXX.com
!
!
!
username XXX privilege 0 secret 5 XXXXXXX
!
!
ip ssh time-out 60
ip ssh version 2
!
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group 3000client
 key XXXXX
 dns 10.0.0.2
 wins 10.0.0.2
 domain XXXXX.local
 pool vpn_pool
 acl 108
 save-password
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface Loopback0
 ip address 10.254.254.254 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.0.0.254 255.255.255.0
 ip access-group 110 out
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.1.14 255.255.255.240
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
!
interface ATM0/0/0.1 point-to-point
 no snmp trap link-status
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/0/0.2 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 8/35
  protocol bridge
  encapsulation aal5snap
 !
!
interface ATM0/0/0.3 point-to-point
 no snmp trap link-status
 bridge-group 1
 pvc 8/36
  protocol bridge
  encapsulation aal5snap
 !
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXX
 ppp ipcp header-compression ack
 ppp ipcp dns request accept
 ppp ipcp predictive
 crypto map clientmap
!
interface BVI1
 mac-address 0025.0c7a.047c
 ip address 172.21.2.175 255.255.240.0
 ip nat outside
 ip virtual-reassembly
!
ip local pool vpn_pool 10.0.253.1 10.0.253.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip route 10.10.0.0 255.255.0.0 172.21.0.254
ip route 192.168.106.0 255.255.255.0 172.21.0.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface BVI1 overload
ip nat inside source list 2 interface Dialer1 overload
ip nat inside source route-map ROUTE_MAP interface Dialer1 overload
ip nat inside source static tcp 10.0.0.1 25 interface Dialer1 25
!
ip access-list standard VTY-LOGIN
 permit 10.0.0.0 0.0.0.255
!
access-list 1 permit 10.0.0.10
access-list 1 permit 10.0.0.11
access-list 1 permit 10.0.0.14
access-list 1 permit 10.0.0.12
access-list 1 permit 10.0.0.13
access-list 1 deny   10.0.0.0 0.0.0.255
access-list 2 deny   10.0.0.10
access-list 2 deny   10.0.0.11
access-list 2 deny   10.0.0.14
access-list 2 deny   10.0.0.12
access-list 2 deny   10.0.0.13
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 102 deny   ip any 10.0.253.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 permit ip 10.0.0.0 0.0.0.255 10.0.253.0 0.0.0.255
access-list 108 permit ip 192.168.1.0 0.0.0.15 10.0.253.0 0.0.0.255
access-list 110 permit ip any 10.0.0.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
!
route-map ROUTE_MAP permit 1
 match ip address 102
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner exec ^C Disconnect IMMEDIATELY if you are not an authorized user^C
!
line con 0
line aux 0
line vty 0 4
 access-class VTY-LOGIN in
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178527
ntp server 64.113.32.5
ntp server 69.25.96.13
end


ck459:
OK, now remove this line:
ip nat inside source list 2 interface Dialer1 overload

And do a "clear ip nat trans *".
Try to log in again and do a ping. Send me the results of that ping. Normally the reply should now come from the real internal IP address (if not, include the output of the "show ip nat trans" command).
If the reply comes from the real internal IP address, you should be able to make TCP connections as well.
Kurt
 
 
ASKER:
When I did that I got a warning.

1) Are you sure this will not break my other config?
2) Shouldn't I add the rules which are currently in ACL 2 to ACL 102?


(config)#no ip nat inside source list 2 interface Dialer1 overload
Dynamic mapping in use, do you want to delete all entries? [no]


ck459:
Yes, you can add the lines to ACL 102. Make sure that the deny statements are at the beginning of the ACL, otherwise they don't make sense.
Also, ACL 102 is an extended ACL, so you need a source and destination:
access-list 2 deny 10.0.0.10 ==> access-list 102 deny ip 10.0.0.10 any
access-list 2 deny 10.0.0.11 ==> access-list 102 deny ip 10.0.0.11 any
etc. for the other sources (see code snippet below).
Once you have done this, remove the NAT:
no ip nat inside source list 2 interface Dialer1 overload
and the route-map NAT statement should take over and allow traffic to and from your VPN clients (check with ping that the response comes from the real IP, and not from the public IP address).

 

no access-list 102
access-list 102 deny ip  10.0.0.10 any
access-list 102 deny ip  10.0.0.11 any 
access-list 102 deny ip  10.0.0.14 any
access-list 102 deny ip  10.0.0.12 any
access-list 102 deny ip  10.0.0.13 any
access-list 102 deny ip any 10.0.253.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any


ASKER:
Ping now gives me a reply from the correct internal IP.

Telnet to a service, say SMTP, times out! Is there any debug you need?
ck459:
Can you let me know which IP address you are trying to connect to? If it is 10.0.0.1, that will not work, as this IP address has a static NAT statement on Dialer1, so that one will always be NATed, no matter what you do.
Can you try a telnet to, for example, the remote desktop port (TCP 3389) of an internal server (10.0.0.0 or 192.168.1.0 IP range)?
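As an added example (not code from the thread, from Cisco or from Experts Exchange), here is a small Python model of the NAT decision Kurt has been describing: the route-map NAT that exempts tunnel traffic (his "create a NAT statement that excludes traffic for the tunnel" comment), the rule that the deny entries must come first in ACL 102 together with the standard-to-extended conversion from his last snippet, and the point just above that the static NAT for 10.0.0.1 always wins. ACL 102 is taken from his snippet; the sample packets, their port numbers, the 198.51.100.7 Internet address and the mis-ordered copy of the ACL are constructed, and the IOS behaviour is simplified to first-match/implicit-deny ACL evaluation with static entries checked before the route map.

```python
"""Model of the NAT decision described in this thread (added example, not code
from the thread, from Cisco or from Experts Exchange). Simplified IOS rules:
static NAT entries win; otherwise the route-map NAT translates only what
extended ACL 102 permits (top-down, first match, implicit deny); what the ACL
denies stays untranslated and is routed into the IPsec tunnel.
Addresses, ports and the mis-ordered ACL below are constructed test data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Network = ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """IOS 'address wildcard' (10.0.0.0 0.0.0.255) -> IPv4Network 10.0.0.0/24."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask
    return IPv4Network((base, str(ipaddress.IPv4Address(mask))))


def _parse_addr(tokens: List[str], pos: int) -> Tuple[IPv4Network, int]:
    """Parse one address spec at tokens[pos]; return (network, next position)."""
    tok = tokens[pos]
    if tok == "any":
        return IPv4Network("0.0.0.0/0"), pos + 1
    if tok == "host":
        return IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    try:  # 'address wildcard' form
        return wildcard_to_network(tok, tokens[pos + 1]), pos + 2
    except (IndexError, ValueError):  # bare address as written in the thread: one host
        return IPv4Network(tok + "/32"), pos + 1


@dataclass
class AclEntry:
    action: str  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def parse_acls(config: str) -> Dict[int, List[AclEntry]]:
    """Collect extended `access-list N permit|deny ip SRC DST` lines, in order."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config.splitlines():
        t = line.split()
        # skip blanks, `no access-list ...` and standard (non-'ip') entries
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, pos = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, pos)
        acls.setdefault(int(t[1]), []).append(AclEntry(t[2], src, dst))
    return acls


def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def standard_to_extended(line: str, new_number: int) -> str:
    """`access-list 2 deny 10.0.0.10` -> `access-list 102 deny ip 10.0.0.10 any`."""
    t = line.split()
    return f"access-list {new_number} {t[2]} ip {' '.join(t[3:])} any"


# (protocol, inside local address, port) from the asker's static NAT line
STATIC_RULES = [("tcp", "10.0.0.1", 25)]


def nat_decision(src: str, dst: str, proto: str, sport: int, acl: List[AclEntry]) -> str:
    """'static' (always translated), 'dynamic' (route-map NAT) or 'none' (tunnel)."""
    if (proto, src, sport) in STATIC_RULES:
        return "static"
    return "dynamic" if acl_permits(acl, src, dst) else "none"


# ACL 102 as Kurt's last snippet orders it: the deny entries first
ACL_102_FROM_THREAD = """
access-list 102 deny ip 10.0.0.10 any
access-list 102 deny ip 10.0.0.11 any
access-list 102 deny ip 10.0.0.14 any
access-list 102 deny ip 10.0.0.12 any
access-list 102 deny ip 10.0.0.13 any
access-list 102 deny ip any 10.0.253.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
"""
# constructed: the same entries with the permits first, the ordering mistake Kurt warns about
ACL_102_MISORDERED = "\n".join(reversed(ACL_102_FROM_THREAD.strip().splitlines()))

# constructed inside->outside packets: name -> (src, dst, proto, source port)
PACKETS = {
    "rdp_reply_to_vpn_client": ("10.0.0.5", "10.0.253.1", "tcp", 3389),
    "lan_host_to_internet": ("10.0.0.5", "198.51.100.7", "tcp", 443),
    "excluded_host_to_internet": ("10.0.0.10", "198.51.100.7", "tcp", 443),
    "smtp_reply_to_vpn_client": ("10.0.0.1", "10.0.253.1", "tcp", 25),
}


def classify(acl_config: str) -> Dict[str, str]:
    """NAT decision for every sample packet under the given ACL 102 text."""
    acl = parse_acls(acl_config)[102]
    return {name: nat_decision(*pkt, acl) for name, pkt in PACKETS.items()}
```

Run classify(ACL_102_FROM_THREAD) and classify(ACL_102_MISORDERED) side by side: with the denies first, the RDP reply from 10.0.0.5 to the VPN client is left alone and goes into the tunnel, while with the permits first it is translated to the Dialer1 address, which is exactly the symptom in the thread (replies arriving from the public IP and TCP sessions timing out). The SMTP reply from 10.0.0.1 comes back as "static" under either ordering, which is why the mail server stays unreachable through the tunnel.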
 
ASKER:
OK, tried that and it works fine!

Indeed, I was trying to connect to the externally NATed service.

Does this mean that, while connected to the VPN, I cannot access my mail server?

I also tried connecting to it on the external IP, and it won't work. Maybe I can have a no-NAT exception for traffic coming from the VPN?
ASKER CERTIFIED SOLUTION
ck459 (Belgium):
ASKER:
OK, the scope of this case is reached, so I'll close it and open a new one immediately to resolve this no-NAT issue. Hopefully you'll pick it up from there so we can finish this job neatly :)

Thanks
ck459:
Will be off for a few hours (have to go entertain the kids... or the other way around...). Will check back on this case later.