What's wrong with my VPN config?

I'm trying to set up a VPN to connect to my office LAN when I'm away, but I can't get it to work. Do you see any problems with my config?
c1841#sh ver
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
c1841 uptime is 4 days, 22 hours, 44 minutes
System returned to ROM by power-on
System image file is "flash:c1841-adventerprisek9-mz.124-24.T.bin"
 
 
Current configuration : 7042 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network vpn-clientgroup local
!
!
aaa session-id common
!
ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.126 192.168.0.254
!
ip dhcp pool Public
   network 192.168.0.0 255.255.255.0
   dns-server x.x.x.x
   default-router 192.168.0.254
!
!
ip cef
ip domain name domain.local
ip name-server 192.168.100.1
ip name-server 192.168.100.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1328172832
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1328172832
 revocation-check none
 rsakeypair TP-self-signed-1328172832
!
!
crypto pki certificate chain TP-self-signed-1328172832
 certificate self-signed 01
!
username admin privilege 15 password 7 XXXXXXX
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpn-clientgroup
 key MYKEY
 dns 192.168.100.1 192.168.100.2
 domain domain.local
 pool dynpool
!
!
crypto ipsec transform-set esp-aes-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set esp-aes-sha
!
!
crypto map dynmap isakmp authorization list vpn-clientgroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map dynmap
!
interface FastEthernet0/1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no mop enabled
!
interface FastEthernet0/0/0
 shutdown
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 shutdown
!
interface Dot11Radio0/1/0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly
 !
 ssid MYSSID
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool dynpool 192.168.110.100 192.168.110.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source list 20 interface FastEthernet0/0 overload
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 120 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Accepted solution (JFrederick29): available to members only; not shown on this page.
Uber_ms (asker):

This is a VPN problem. I'm able to get out to the Internet from those two subnets.

Yeah, but here's the problem. When you try to communicate between the VPN and LAN subnet, the router is NATing the traffic and therefore communication fails. You need to exclude LAN-to-VPN communication from NAT to enable communication.
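One way to implement the NAT exemption described in the reply above, as an added example that is not part of the original thread or of the members-only solution. It assumes the addressing in the posted config (LAN 192.168.100.0/24 on Fa0/1, WLAN 192.168.0.0/24 on Dot11Radio0/1/0, VPN pool dynpool 192.168.110.100-150, Fa0/0 as the NAT outside interface) and additionally assumes that all of 192.168.110.0/24 is reserved for VPN clients; the ACL name NAT-INSIDE is arbitrary.

```cisco
! Added example, not from the thread. Replaces the two list-based PAT rules
! so that traffic between the inside subnets and VPN clients is NOT translated.
!
! 1. Remove the existing overload rules. Standard ACLs 10 and 20 match every
!    packet sourced from 192.168.100.0/24 and 192.168.0.0/24, including packets
!    destined for VPN clients, so those packets get PATed to the Fa0/0 address
!    and the return path through the tunnel breaks.
no ip nat inside source list 10 interface FastEthernet0/0 overload
no ip nat inside source list 20 interface FastEthernet0/0 overload
!
! 2. Extended ACL used as the NAT match list. In a NAT ACL "deny" means
!    "do not translate" and "permit" means "translate". 192.168.110.0/24 is
!    assumed to be reserved for the VPN pool (dynpool only uses .100-.150).
ip access-list extended NAT-INSIDE
 remark LAN and WLAN to VPN clients: leave untranslated
 deny   ip 192.168.100.0 0.0.0.255 192.168.110.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.0.255 192.168.110.0 0.0.0.255
 remark Everything else from the inside subnets: PAT to the Fa0/0 address
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
!
! 3. One PAT rule driven by the ACL above (replaces both old rules).
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! 4. Translations created under the old rules survive the config change and
!    keep rewriting LAN->VPN flows until they time out, so flush them (exec mode):
!    clear ip nat translation *
!
! Verification once a client has connected (exec mode):
!   show crypto isakmp sa                        state QM_IDLE = Phase 1 up
!   show crypto ipsec sa                         encaps/decaps counters should rise
!   show ip nat translations | include 192.168.110.
!   The last command should print nothing: LAN<->VPN flows must not appear in the NAT table.
```

The second deny line only matters if the guest WLAN is meant to reach VPN clients; access-list 120 already keeps 192.168.0.0/24 away from the LAN, so that entry can be dropped if VPN clients should be treated like the LAN.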
Uber_ms (asker):

Okay, it still isn't working. Here's a copy of my Cisco VPN Client log...
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
 
33     08:18:12.834  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
 
34     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
 
35     08:18:12.865  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
 
36     08:18:12.874  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
 
37     08:18:12.880  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
38     08:18:12.888  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
 
39     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
40     08:18:12.901  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
41     08:18:12.902  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
 
42     08:18:12.902  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
 
43     08:18:12.902  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
 
44     08:18:12.902  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
 
45     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
46     08:18:18.000  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
47     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
48     08:18:23.071  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
49     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
50     08:18:28.140  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
51     08:18:33.211  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
 
52     08:18:33.711  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=530F89A533C56B7E R_Cookie=B993A5B326B0C113) reason = DEL_REASON_PEER_NOT_RESPONDING
 
53     08:18:33.711  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
 
54     08:18:33.711  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
55     08:18:33.735  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
56     08:18:33.735  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
57     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
58     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
59     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
60     08:18:33.743  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

Do you get a login authentication box? Do you connect but can't access anything (it doesn't look like it based on the logs)? Can you change the client logging to high and post the log again?
Uber_ms (asker):
No I never get a login box. That log is set to high.

Are you sure you have typed the group name and preshared key correctly? Both are case sensitive:

group = vpn-clientgroup
group password = MYKEY
Solution: available to members only; not shown on this page.
Uber_ms (asker):

I'm positive I typed them correctly. With those changes, it still isn't working. Here's a new log:
Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6001 Service Pack 1
 
61     09:17:30.704  04/14/09  Sev=Info/4	CM/0x63100002
Begin connection process
 
62     09:17:30.738  04/14/09  Sev=Info/4	CM/0x63100004
Establish secure connection
 
63     09:17:30.739  04/14/09  Sev=Info/4	CM/0x63100024
Attempt connection with server "24.x.x.x"
 
64     09:17:30.747  04/14/09  Sev=Info/6	IKE/0x6300003B
Attempting to establish a connection with 24.x.x.x.
 
65     09:17:30.752  04/14/09  Sev=Info/4	IKE/0x63000001
Starting IKE Phase 1 Negotiation
 
66     09:17:30.761  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 24.x.x.x
 
67     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700008
IPSec driver successfully started
 
68     09:17:30.775  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
69     09:17:30.775  04/14/09  Sev=Info/5	IKE/0x6300002F
Received ISAKMP packet: peer = 24.x.x.x
 
70     09:17:30.775  04/14/09  Sev=Warning/2	IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
 
71     09:17:30.775  04/14/09  Sev=Info/4	IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
 
72     09:17:30.775  04/14/09  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
 
73     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
74     09:17:36.146  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
75     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
76     09:17:41.217  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
77     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000021
Retransmitting last packet!
 
78     09:17:46.287  04/14/09  Sev=Info/4	IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 24.x.x.x
 
79     09:17:51.357  04/14/09  Sev=Info/4	IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
 
80     09:17:51.857  04/14/09  Sev=Info/4	IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=302D007DBC9747AE R_Cookie=B993A5B3B6EA2685) reason = DEL_REASON_PEER_NOT_RESPONDING
 
81     09:17:51.858  04/14/09  Sev=Info/4	CM/0x63100014
Unable to establish Phase 1 SA with server "24.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
 
82     09:17:51.858  04/14/09  Sev=Info/5	CM/0x63100025
Initializing CVPNDrv
 
83     09:17:51.881  04/14/09  Sev=Info/6	CM/0x63100046
Set tunnel established flag in registry to 0.
 
84     09:17:51.881  04/14/09  Sev=Info/4	IKE/0x63000001
IKE received signal to terminate VPN connection
 
85     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
86     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
87     09:17:52.889  04/14/09  Sev=Info/4	IPSEC/0x63700014
Deleted all keys
 
88     09:17:52.890  04/14/09  Sev=Info/4	IPSEC/0x6370000A
IPSec driver successfully stopped

Okay, so I just pasted your config on one of my test routers and am able to connect fine.

Do you have connectivity to the router?  Firewall in front?
Uber_ms (asker):

No, nothing in front except a bridged DSL modem.

You're right, I'm connected now. I connected via my iPhone; my laptop was on my internal WLAN, not my neighbor's...

Thanks.

No prob. That would do it.