Solved

What's wrong with my VPN config?

Posted on 2009-04-13
Last Modified: 2012-05-06
I'm trying to set up a VPN to connect to my office LAN when I'm away, but I can't get it to work. Do you see any problems with my config?
c1841#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
c1841 uptime is 4 days, 22 hours, 44 minutes
System returned to ROM by power-on
System image file is "flash:c1841-adventerprisek9-mz.124-24.T.bin"

Current configuration : 7042 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network vpn-clientgroup local
!
!
aaa session-id common
!
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.126 192.168.0.254
!
ip dhcp pool Public
   network 192.168.0.0 255.255.255.0
   dns-server x.x.x.x
   default-router 192.168.0.254
!
!
ip cef
ip domain name domain.local
ip name-server 192.168.100.1
ip name-server 192.168.100.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1328172832
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1328172832
 revocation-check none
 rsakeypair TP-self-signed-1328172832
!
!
crypto pki certificate chain TP-self-signed-1328172832
 certificate self-signed 01
!
username admin privilege 15 password 7 XXXXXXX
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpn-clientgroup
 key MYKEY
 dns 192.168.100.1 192.168.100.2
 domain domain.local
 pool dynpool
!
!
crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set esp-aes-sha
!
!
crypto map dynmap isakmp authorization list vpn-clientgroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map dynmap
!
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no mop enabled
!
interface FastEthernet0/0/0
 shutdown
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Dot11Radio0/1/0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
 !
 ssid MYSSID
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool dynpool 192.168.110.100 192.168.110.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 20 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Question by: Uber_ms

12 Comments
 
Accepted Solution by: JFrederick29 (earned 500 total points)
ID: 24137382
Try these changes:

conf t
access-list 150 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 any

no ip nat inside source list 10 interface FastEthernet0/0 overload
no ip nat inside source list 20 interface FastEthernet0/0 overload
ip nat inside source list 150 interface FastEthernet0/0 overload
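The exemption above is easy to get wrong by ordering: a permit that matches before the deny keeps translating LAN-to-VPN packets without any error. As an added example that is not part of this thread or of any Cisco tool, here is a Python audit that evaluates a NAT ACL the way IOS does (first match wins; a deny or no match leaves the packet untranslated) for every `ip nat inside` subnet against the VPN address pool. The two sample configs are constructed from the lines of the posted config, before and after JFrederick29's change; the function names are mine.

```python
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample (not the poster's full config): only the lines the NAT decision
# depends on, as they stand after JFrederick29's change to a single ACL 150.
CONFIG_AFTER = """\
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
interface Dot11Radio0/1/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
ip local pool dynpool 192.168.110.100 192.168.110.150
ip nat inside source list 150 interface FastEthernet0/0 overload
access-list 150 deny ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 any
"""
# The same lines as originally posted: one plain permit list per subnet, no exemption.
CONFIG_BEFORE = CONFIG_AFTER.split("ip nat inside source list 150")[0] + """\
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 20 interface FastEthernet0/0 overload
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
"""

def _net(addr, wildcard):
    """IOS address/wildcard pair -> network (a wildcard is an inverted netmask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _operand(tokens):
    """Consume one ACL address operand ('any' or 'A WILDCARD'); return it and the rest."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_acls(config):
    """Numbered ACL entries in configured order: standard (source only) or extended 'ip'."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny)\s+(.*)", line)
        if not m:
            continue
        name, action, tokens = m.group(1), m.group(2), m.group(3).split()
        if tokens[0] == "ip":                 # extended entry: ip SRC DST
            src, rest = _operand(tokens[1:])
            dst, _ = _operand(rest)
        else:                                 # standard entry: SRC only, any destination
            src, dst = _operand(tokens)[0], ANY
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def parse_inside_networks(config):
    """Subnet of every interface block that carries 'ip nat inside'."""
    nets, addr, inside = [], None, False
    for line in config.splitlines() + ["interface END"]:   # sentinel flushes the last block
        if line.startswith("interface "):
            if addr is not None and inside:
                nets.append(addr)
            addr, inside = None, False
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            addr = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
        elif line.strip() == "ip nat inside":
            inside = True
    return nets

def parse_pools(config):
    """'ip local pool NAME FIRST LAST' -> {NAME: (FIRST, LAST)}."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def is_translated(entries, src, dst):
    """First-match NAT ACL evaluation: permit = translate; deny or no match = leave alone."""
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False

def check_nat_exemption(config):
    """Flag every inside subnet whose packets to a VPN pool address would still be NATed."""
    acls, pools, findings = parse_acls(config), parse_pools(config), []
    for m in re.finditer(r"^ip nat inside source list (\S+) ", config, re.M):
        entries = acls.get(m.group(1), [])
        for net in parse_inside_networks(config):
            for name, (first, last) in pools.items():
                # net[1] is an arbitrary LAN host; test both ends of the pool range
                if any(is_translated(entries, net[1], dst) for dst in (first, last)):
                    findings.append(f"list {m.group(1)}: {net} -> pool {name} is NATed")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_nat_exemption(cfg) or "no LAN-to-pool traffic is NATed")
```

On the "before" config it reports both LAN subnets as translated toward the pool; on the "after" config it still reports the wireless subnet 192.168.0.0/24, because ACL 150 only exempts 192.168.100.0/24. ACL 120 already keeps the wireless segment off the wired LAN, so whether VPN clients should reach it is a policy decision; if they should, it needs its own deny line ahead of the permits.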
 
Author Comment by: Uber_ms
ID: 24137712
This is a VPN problem. I'm able to get out to the Internet from those two subnets.
Expert Comment by: JFrederick29
ID: 24137728
Yeah, but here's the problem. When you try to communicate between the VPN and LAN subnet, the router is NATing the traffic and therefore communication fails. You need to exclude LAN-to-VPN communication from NAT to enable communication.
Author Comment by: Uber_ms
ID: 24137814
Okay, still isn't working. Here's a copy of my Cisco VPN Client log...
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1

33     08:18:12.834  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
34     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
35     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
36     08:18:12.874  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
37     08:18:12.880  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
38     08:18:12.888  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
39     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
40     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
41     08:18:12.902  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
42     08:18:12.902  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
43     08:18:12.902  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
44     08:18:12.902  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
45     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
46     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
47     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
48     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
49     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
50     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
51     08:18:33.211  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
52     08:18:33.711  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
53     08:18:33.711  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
54     08:18:33.711  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
55     08:18:33.735  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
56     08:18:33.735  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
57     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
58     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
59     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
60     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

Expert Comment by: JFrederick29
ID: 24138176
Do you get a login authentication box? Do you connect but can't access anything (it doesn't look like it, based on the logs)? Can you change the client logging to high and post the log again?
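The question about the login box is the right triage cut: the Xauth prompt only appears once Phase 1 completes, and the log above never gets there. As an added example (my code, not the thread's or Cisco's), here is a parser for the client's two-line log layout plus a triage function that pulls out the server, the final reason, how many replies arrived, how many were rejected as invalid or malformed, and how many retransmits went unanswered. The sample log is a constructed subset of the poster's entries; the hint wording is mine and reflects what this thread eventually found (the test client was on the inside WLAN).

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the poster's log above, in the client's
# real two-line layout (header line, then message line). The separator before the
# subsystem/code is a tab in the original; the header regex accepts tabs or spaces.
SAMPLE_LOG = """\
37     08:18:12.880  04/14/09  Sev=Info/4\tIKE/0x63000001
Starting IKE Phase 1 Negotiation
38     08:18:12.888  04/14/09  Sev=Info/4\tIKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
41     08:18:12.902  04/14/09  Sev=Info/5\tIKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
42     08:18:12.902  04/14/09  Sev=Warning/2\tIKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
43     08:18:12.902  04/14/09  Sev=Info/4\tIKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
44     08:18:12.902  04/14/09  Sev=Warning/3\tIKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
45     08:18:18.000  04/14/09  Sev=Info/4\tIKE/0x63000021
Retransmitting last packet!
47     08:18:23.071  04/14/09  Sev=Info/4\tIKE/0x63000021
Retransmitting last packet!
49     08:18:28.140  04/14/09  Sev=Info/4\tIKE/0x63000021
Retransmitting last packet!
51     08:18:33.211  04/14/09  Sev=Info/4\tIKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
53     08:18:33.711  04/14/09  Sev=Info/4\tCM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<sub>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Entry:
    seq: int
    time: str
    sev: str      # Info or Warning
    sub: str      # CM, IKE, IPSEC ...
    code: str
    msg: str

def parse_log(text):
    """Pair each header line with the message line that follows it. Blank lines are
    skipped, so a log pasted with doubled blank lines (as in this thread) parses the same."""
    entries, header = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            entries.append(Entry(int(header["seq"]), header["time"], header["sev"],
                                 header["sub"], header["code"], line.strip()))
            header = None
    return entries

def triage(entries):
    """Reduce a failed attempt to the facts that decide the next step."""
    msgs = [e.msg for e in entries]

    def first(pattern):
        for m in msgs:
            hit = re.search(pattern, m)
            if hit:
                return hit.group(1)
        return None

    phase1_failed = any("Unable to establish Phase 1 SA" in m for m in msgs)
    result = {
        "stage": "phase1-failed" if phase1_failed else "unknown",
        "server": first(r'with server "([^"]+)"'),
        "reason": first(r"reason = (\w+)"),
        "received": sum(m.startswith("Received ISAKMP packet") for m in msgs),
        "retransmits": sum(m.startswith("Retransmitting") for m in msgs),
        "bad_replies": sum(bool(re.search(r"Invalid|malformed", m)) for m in msgs),
        # Xauth (the login box) only starts after Phase 1, so no prompt is expected here.
        "xauth_prompt_expected": not phase1_failed,
    }
    if phase1_failed and result["received"] == 0:
        result["hint"] = "no reply at all: check that UDP/500 (and 4500 for NAT-T) reaches the crypto-map interface"
    elif phase1_failed and result["bad_replies"]:
        result["hint"] = ("peer answered but its replies were rejected as malformed: confirm the test client "
                          "is really outside the router and reaching the crypto-map interface (in this thread "
                          "the laptop was on the inside WLAN) before debugging the IKE policy")
    else:
        result["hint"] = "Phase 1 is not the failing stage: look at the Xauth / mode-config / Phase 2 entries"
    return result

if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```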
 
Author Comment by: Uber_ms
ID: 24138305
No I never get a login box. That log is set to high.
Expert Comment by: JFrederick29
ID: 24138352
Are you sure you have typed the group name and preshared key correctly? Both are case sensitive:

group = vpn-clientgroup
group password = MYKEY
Assisted Solution by: JFrederick29 (earned 500 total points)
ID: 24138419
Add this as well:

aaa authentication login userauthen local
crypto map dynmap client authentication list userauthen

Author Comment by: Uber_ms
ID: 24138462
I'm positive I typed them correctly. With those changes, still isn't working. Here's a new log:
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1

61     09:17:30.704  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
62     09:17:30.738  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
63     09:17:30.739  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
64     09:17:30.747  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
65     09:17:30.752  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
66     09:17:30.761  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
67     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
68     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
69     09:17:30.775  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
70     09:17:30.775  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
71     09:17:30.775  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
72     09:17:30.775  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
73     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
74     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
75     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
76     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
77     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
78     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
79     09:17:51.357  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
80     09:17:51.857  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
81     09:17:51.858  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
82     09:17:51.858  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
83     09:17:51.881  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
84     09:17:51.881  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
85     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
86     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
87     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
88     09:17:52.890  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

Expert Comment by: JFrederick29
ID: 24138913
Okay, so I just pasted your config on one of my test routers and am able to connect fine.

Do you have connectivity to the router?  Firewall in front?
Author Comment by: Uber_ms
ID: 24139008
No, nothing in front except a bridged DSL modem.
You're right, I'm connected now. I connected via my iPhone; my laptop was on my internal WLAN, not my neighbor's...


Thanks.
Expert Comment by: JFrederick29
ID: 24139027
No prob.  That would do it.