Solved

What's wrong with my VPN config?

Posted on 2009-04-13
3,642 Views
Last Modified: 2012-05-06
I'm trying to set up a VPN to connect to my office LAN when I'm away, but I can't get it to work. Do you see any problems with my config?
c1841#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
c1841 uptime is 4 days, 22 hours, 44 minutes
System returned to ROM by power-on
System image file is "flash:c1841-adventerprisek9-mz.124-24.T.bin"
 
 
Current configuration : 7042 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network vpn-clientgroup local
!
!
aaa session-id common
!
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.126 192.168.0.254
!
ip dhcp pool Public
   network 192.168.0.0 255.255.255.0
   dns-server x.x.x.x
   default-router 192.168.0.254
!
!
ip cef
ip domain name domain.local
ip name-server 192.168.100.1
ip name-server 192.168.100.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1328172832
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1328172832
 revocation-check none
 rsakeypair TP-self-signed-1328172832
!
!
crypto pki certificate chain TP-self-signed-1328172832
 certificate self-signed 01
!
username admin privilege 15 password 7 XXXXXXX
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpn-clientgroup
 key MYKEY
 dns 192.168.100.1 192.168.100.2
 domain domain.local
 pool dynpool
!
!
crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set esp-aes-sha
!
!
crypto map dynmap isakmp authorization list vpn-clientgroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map dynmap
!
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no mop enabled
!
interface FastEthernet0/0/0
 shutdown
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Dot11Radio0/1/0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
 !
 ssid MYSSID
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool dynpool 192.168.110.100 192.168.110.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 20 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Question by:Uber_ms
12 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24137382
Try these changes:

conf t
access-list 150 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 any

no ip nat inside source list 10 interface FastEthernet0/0 overload
no ip nat inside source list 20 interface FastEthernet0/0 overload
ip nat inside source list 150 interface FastEthernet0/0 overload
 
LVL 1

Author Comment

by:Uber_ms
ID: 24137712
This is a VPN problem. I'm able to get out to the Internet from those two subnets.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24137728
Yeah, but here's the problem. When you try to communicate between the VPN and LAN subnet, the router is NATing the traffic and therefore communication fails. You need to exclude LAN to VPN communication from NAT to enable communication.
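The NAT exemption JFrederick29 describes can be checked offline with this added Python model of IOS first-match ACL evaluation with wildcard masks (example code written for this page, not from the thread or from Cisco). The ACL entries are copied from the thread; the host addresses are constructed.

```python
import ipaddress

# Constructed from the thread: the original NAT lists (standard ACLs 10 and 20,
# source-only) and JFrederick29's replacement list 150 (extended, source+destination).
OLD_NAT_LISTS = [["permit 192.168.100.0 0.0.0.255"], ["permit 192.168.0.0 0.0.0.255"]]
NEW_NAT_LIST = [
    "deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255",  # LAN -> VPN pool: no NAT
    "permit ip 192.168.0.0 0.0.0.255 any",
    "permit ip 192.168.100.0 0.0.0.255 any",
]

def _wild_match(addr, net, wildcard):
    """IOS wildcard-mask match: bits set to 1 in the wildcard are don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def _take_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'net wildcard') from a token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def acl_action(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for entry in entries:
        action, *rest = entry.split()
        if rest[0] == "ip":  # extended ACE: protocol, source spec, destination spec
            (snet, swild), rest = _take_spec(rest[1:])
            (dnet, dwild), _ = _take_spec(rest)
            if _wild_match(src, snet, swild) and _wild_match(dst, dnet, dwild):
                return action
        else:  # standard ACE: source spec only, destination is never examined
            (snet, swild), _ = _take_spec(rest)
            if _wild_match(src, snet, swild):
                return action
    return "deny"

def is_natted(nat_lists, src, dst):
    """'ip nat inside source list N ... overload' translates a flow only if list N permits it."""
    return any(acl_action(entries, src, dst) == "permit" for entries in nat_lists)

if __name__ == "__main__":
    lan, vpn, inet = "192.168.100.10", "192.168.110.101", "203.0.113.5"  # constructed hosts
    print("old config, LAN->VPN translated:", is_natted(OLD_NAT_LISTS, lan, vpn))       # True
    print("new config, LAN->VPN translated:", is_natted([NEW_NAT_LIST], lan, vpn))      # False
    print("new config, LAN->Internet translated:", is_natted([NEW_NAT_LIST], lan, inet))  # True
```

Because the standard lists never look at the destination, a LAN host's packet to a VPN client is PAT'd to the WAN address and the client's reply goes to the wrong place; the deny entry at the top of list 150 is what removes that flow from translation.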
 
LVL 1

Author Comment

by:Uber_ms
ID: 24137814
Okay, still isn't working. Here's a copy of my Cisco VPN Client log...
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
 
33     08:18:12.834  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
 
34     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
 
35     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
 
36     08:18:12.874  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
 
37     08:18:12.880  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
38     08:18:12.888  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
 
39     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
40     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
41     08:18:12.902  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
 
42     08:18:12.902  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
 
43     08:18:12.902  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
 
44     08:18:12.902  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
 
45     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
46     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
47     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
48     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
49     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
50     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
51     08:18:33.211  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
 
52     08:18:33.711  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
 
53     08:18:33.711  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
 
54     08:18:33.711  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
55     08:18:33.735  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
56     08:18:33.735  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
57     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
58     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
59     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
60     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24138176
Do you get a login authentication box? Do you connect but can't access anything (doesn't look like it based on the logs)? Can you change the client logging to high and post the log again?
 
LVL 1

Author Comment

by:Uber_ms
ID: 24138305
No I never get a login box. That log is set to high.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24138352
Are you sure you have typed the group name and preshared key correctly? Both are case sensitive:

group = vpn-clientgroup
group password = MYKEY
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 2000 total points
ID: 24138419
Add this as well:

aaa authentication login userauthen local
crypto map dynmap client authentication list userauthen

 
LVL 1

Author Comment

by:Uber_ms
ID: 24138462
I'm positive I typed them correctly. With those changes, it still isn't working. Here's a new log:
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
 
61     09:17:30.704  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
 
62     09:17:30.738  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
 
63     09:17:30.739  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
 
64     09:17:30.747  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
 
65     09:17:30.752  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
66     09:17:30.761  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
 
67     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
68     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
69     09:17:30.775  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
 
70     09:17:30.775  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
 
71     09:17:30.775  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
 
72     09:17:30.775  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
 
73     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
74     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
75     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
76     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
77     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
78     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
79     09:17:51.357  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
 
80     09:17:51.857  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
 
81     09:17:51.858  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
 
82     09:17:51.858  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
83     09:17:51.881  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
84     09:17:51.881  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
85     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
86     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
87     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
88     09:17:52.890  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24138913
Okay, so I just pasted your config on one of my test routers and am able to connect fine.

Do you have connectivity to the router?  Firewall in front?
 
LVL 1

Author Comment

by:Uber_ms
ID: 24139008
No, nothing in front except a bridged DSL modem.
You're right, I'm connected now. I connected via my iPhone; my laptop was on my internal WLAN, not my neighbor's...


Thanks.
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24139027
No prob.  That would do it.