Solved

Remote Access VPN Problem on Cisco 1812 using EzVPN

Posted on 2009-12-19
Medium Priority
1,430 Views
Last Modified: 2012-05-11
Hi,
 
I'm having trouble trying to establish a Remote Access VPN connection to a Cisco 1812 router set up as a VPN server using EzVPN.

The router is acting as a gateway to the internet, using a dialer to create a PPPoE connection over an ADSL line. The internal network (192.168.100.0/24) is NATed to a public static address 202.xxx.xxx.xxx. The internet connection is working fine.
 
When I try to connect using the VPN client from my laptop, it fails with "Reason 412: The remote peer is no longer responding"
 
The config and output from debug crypto isakmp are given below. Please could you help?
 
Thanks,
Simon
 
 
router#sh run
Building configuration...

Current configuration : 2972 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 480
!
crypto isakmp client configuration group rtr-remote
key xxxxxx
dns 192.168.100.10
domain xxxxxx.com
pool dynpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
connect auto
group 2 key xxxxxx
mode client
peer 202.xxx.xxx.xxx
xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!

!
multilink bundle-name authenticated
!
!
username xxxxxx password 0 xxxxxx
archive
log config
  hidekeys
!
!
interface FastEthernet0
description Interlink-WAN
no ip address
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
crypto map static-map
crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
description SPCJapan-LAN
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn ezvpnclient inside
!
interface Vlan1
no ip address
!
interface Dialer1
description logical WAN interface
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.10 25 interface Dialer1 25
ip nat inside source static tcp 192.168.100.10 443 interface Dialer1 443
!
access-list 10 permit 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!

end

 
*Dec 10 03:14:40.319: ISAKMP (0:0): received packet from xxx.48.232.95 dport 500 sport 1270 Global (N) NEW SA
*Dec 10 03:14:40.319: ISAKMP: Created a peer struct for xxx.xxx.xxx.95, peer port 1270
*Dec 10 03:14:40.319: ISAKMP: New peer created peer = 0x836DF878 peer_handle = 0x80000F6F
*Dec 10 03:14:40.319: ISAKMP: Locking peer struct 0x836DF878, refcount 1 for crypto_isakmp_process_block
*Dec 10 03:14:40.319: ISAKMP: local port 500, remote port 1270
*Dec 10 03:14:40.319: insert sa successfully sa = 83F78DF4
*Dec 10 03:14:40.319: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 10 03:14:40.319: ISAKMP:(0): processing ID payload. message ID = 0
*Dec 10 03:14:40.319: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : rtr-remote
        protocol     : 17
        port         : 500
        length       : 18
*Dec 10 03:14:40.319: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is XAUTH
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is DPD
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is Unity
*Dec 10 03:14:40.319: ISAKMP : Scanning profiles for xauth ...
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash SHA
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash MD5
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
-
-
-
*Dec 10 03:14:40.327: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
*Dec 10 03:14:40.327: ISAKMP:      encryption DES-CBC
*Dec 10 03:14:40.327: ISAKMP:      hash MD5
*Dec 10 03:14:40.327: ISAKMP:      default group 2
*Dec 10 03:14:40.327: ISAKMP:      auth pre-share
*Dec 10 03:14:40.327: ISAKMP:      life type in seconds
*Dec 10 03:14:40.327: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.327: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.327: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Dec 10 03:14:40.327: ISAKMP:(0):no offers accepted!
*Dec 10 03:14:40.327: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxx.xxx.xxx.xxx remote xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Dec 10 03:14:40.327: ISAKMP:(0): sending packet to xxx.xxx.xxx.95 my_port 500 peer_port 1270 (R) AG_NO_STATE
*Dec 10 03:14:40.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 10 03:14:40.327: ISAKMP:(0):peer does not do paranoid keepalives.
*Dec 10 03:14:40.327: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 10 03:14:40.327: ISAKMP:(0): group size changed! Should be 0, is 128
*Dec 10 03:14:40.327: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Dec 10 03:14:40.327: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Dec 10 03:14:40.327: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 10 03:14:40.327: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
*Dec 10 03:14:40.327: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xxx.xxx.xxx.95
*Dec 10 03:14:40.327: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP: Unlocking peer struct 0x836DF878 for isadb_mark_sa_deleted(), count 0
*Dec 10 03:14:40.331: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.95: 836DF878
*Dec 10 03:14:40.331: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 10 03:14:40.331: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
*Dec 10 03:14:45.667: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE
*Dec 10 03:14:50.987: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE
*Dec 10 03:14:55.991: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE
Question by:androidz
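A quick way to read a dump like the one above is to pull out, per offered transform, what the client proposed and which attribute the router rejected it on. The following is an added example (not from the original post and not Cisco's code): a small Python triage script whose sample input is the transform 1, 2 and 14 blocks of the debug above, copied verbatim. The reading of the XAUTH message in the docstring is the editor's, not the poster's.

```python
"""Triage helper for IOS `debug crypto isakmp` phase 1 output (added example, not from the post).

SAMPLE_DEBUG is the transform 1, 2 and 14 blocks of the debug above, copied verbatim;
the transforms the poster elided are not reconstructed.  The regexes are keyed on the
wording in that excerpt; other IOS releases may phrase these lines differently.
"""
import re

SAMPLE_DEBUG = """\
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash SHA
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash MD5
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Dec 10 03:14:40.327: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
*Dec 10 03:14:40.327: ISAKMP:      encryption DES-CBC
*Dec 10 03:14:40.327: ISAKMP:      hash MD5
*Dec 10 03:14:40.327: ISAKMP:      default group 2
*Dec 10 03:14:40.327: ISAKMP:      auth pre-share
*Dec 10 03:14:40.327: ISAKMP:      life type in seconds
*Dec 10 03:14:40.327: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.327: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.327: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Dec 10 03:14:40.327: ISAKMP:(0):no offers accepted!
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth|life type|life duration \(VPI\) of|keylength of)\s+(.*)$")
REJECT_RE = re.compile(r"ISAKMP:\(\d+\):(.*does not match policy!)")

def life_seconds(vpi: str) -> int:
    """Decode the variable-length life duration bytes ('0x0 0x20 0xC4 0x9B') to seconds."""
    value = 0
    for tok in vpi.split():
        value = (value << 8) | int(tok, 16)
    return value

def parse_isakmp_debug(text: str) -> list:
    """One record per transform the peer offered: its attributes and the first rejection reason."""
    records, cur = [], None
    for line in text.splitlines():
        if m := CHECK_RE.search(line):
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)), "attrs": {}, "reason": None}
            records.append(cur)
        elif cur is None:
            continue
        elif m := ATTR_RE.search(line):
            key, val = m.group(1), m.group(2).strip()
            if key.startswith("life duration"):
                cur["attrs"]["lifetime_s"] = life_seconds(val)
            elif key.startswith("keylength"):
                cur["attrs"]["keylength"] = int(val)
            elif key != "life type":  # 'life type in seconds' carries no information here
                cur["attrs"][key.replace("default ", "")] = val
        elif (m := REJECT_RE.search(line)) and cur["reason"] is None:
            cur["reason"] = m.group(1)
    return records

def summarize(text: str) -> dict:
    """Did any offer survive, and was it the XAUTH authentication method that was refused?
    IOS accepts the XAUTHInitPreShared method only on a crypto map that has a
    'client authentication list'; the posted config has none (editor's reading)."""
    records = parse_isakmp_debug(text)
    return {
        "transforms": records,
        "no_offers_accepted": "no offers accepted!" in text,
        "xauth_rejected": any("Xauth" in (r["reason"] or "") for r in records),
        "lines": [
            f"transform {r['transform']:>2} vs policy {r['policy']:>5}: "
            f"{r['attrs'].get('encryption')}/{r['attrs'].get('hash')}/DH{r['attrs'].get('group')}/"
            f"{r['attrs'].get('auth')} -> {r['reason'] or 'accepted'}"
            for r in records
        ],
    }

if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG)["lines"]:
        print(line)
```

Reading the result: IOS checks encryption, hash and group before the authentication method, so transform 1 (AES-256/SHA/DH2) is the only offer that matches policy 1 on those three and it is then refused on `XAUTHInitPreShared`. The Cisco VPN client always offers XAUTH on top of the group pre-shared key, and the router only accepts that method on a crypto map that carries a `client authentication list`; the posted config has none. Transform 14 is the client's last-resort DES/MD5/plain pre-share offer and fails on the hash against the implicit default policy (priority 65535). The `0x0 0x20 0xC4 0x9B` lifetime decodes to 2147483 seconds; the responder takes the shorter of the two lifetimes, so the router's 480-second setting is not what fails here.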
5 Comments
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26087913
In your config, you refer to
pool dynpool

But I do not see it defined anywhere?
 
LVL 13

Expert Comment

by:GuruChiu
ID: 26087940
You are applying the VPN map static-map as in
crypto map static-map 1 ipsec-isakmp dynamic dynmap

Yet you do not have much of static-map defined. Instead you defined dynmap, as in
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond

I would suggest you change to
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond

(I don't like the misleading name static-map, but this is what you called it)
 

Author Comment

by:androidz
ID: 26090924
Hi GuruChiu,

Thank you for your help. I added dynpool and made the name changes as suggested but still get the same error. I also added the following command, which was missing:
crypto map static-map client authentication list rtr-remote

I'm new to VPN, so I took the configuration from the Cisco manual, keeping the labels they had used. I think the problem lies with Phase I authentication, since the debug output is showing:
"Xauth authentication by pre-shared key offered but does not match policy!"

There is also a command "xauth userid mode interactive", which I think should be set to "xauth userid mode local", but I do not have that option on the router I am using.

What do you think?

Thanks and regards,
Simon

 
LVL 13

Assisted Solution

by:GuruChiu
GuruChiu earned 600 total points
ID: 26094648
Other things I see that differ from the standard way of doing VPN are:

You define your transform-set as
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha-hmac

yet you are using the default hash. I would suggest you change to
crypto isakmp policy 1
hash sha

You also did not define userauthen. I seem to remember that without userauthen, VPN should still work, it just won't ask for a user login. However, you can give this a try:
aaa authentication login userauthen local
crypto map vpnmap client authentication list userauthen
 

Accepted Solution

by:androidz
androidz earned 0 total points
ID: 26188171
Hi GuruChiu,

Thank you for your help, and sorry for the delay replying; I became very busy at work. The problem is now fixed. I started from scratch and read the manual. The config above was for a client, not a server.
Now it's working fine.

Thanks once again,
Simon
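Putting the thread's findings together (an undefined pool, the crypto map sub-commands attached to `dynmap` while `static-map` is the map actually bound to an interface, no `client authentication list` for XAUTH, and `crypto ipsec client ezvpn` turning the router into an EzVPN client rather than a server), here is an added example, written for this page and not the poster's or Cisco's code: a Python audit that flags those defects in the posted configuration and passes on a server-side rewrite. `BROKEN_CONFIG` is the crypto-relevant subset of the posted config with IOS indentation restored; `FIXED_CONFIG` is the corrected version, in which the pool range 192.168.200.10-50 is an assumed value. The check that the crypto map belongs on the Dialer rather than on the PPPoE physical interface is a practitioner caveat, not something raised in the thread.

```python
"""Audit of an IOS EzVPN *server* config for the defects found in this thread (added example).

Not the poster's or Cisco's code.  BROKEN_CONFIG is the crypto-relevant subset of the
posted config with IOS indentation restored; FIXED_CONFIG is a server-side rewrite of
the same pieces (the pool range is an assumed value).  The PPPoE check is a
practitioner caveat that the thread itself does not raise.
"""
import re

BROKEN_CONFIG = """\
crypto isakmp client configuration group rtr-remote
 key xxxxxx
 pool dynpool
crypto ipsec client ezvpn ezvpnclient
 mode client
 peer 202.xxx.xxx.xxx
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 pppoe-client dial-pool-number 1
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
interface Dialer1
 ip address negotiated
"""

FIXED_CONFIG = """\
ip local pool dynpool 192.168.200.10 192.168.200.50
crypto isakmp client configuration group rtr-remote
 key xxxxxx
 pool dynpool
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
crypto map static-map client authentication list rtr-remote
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address negotiated
 crypto map static-map
"""

# The three global sub-commands a remote-access crypto map needs (XAUTH, group authorization,
# address assignment).  They must sit on the map name that is actually bound to an interface.
EZVPN_MAP_KNOBS = ("client authentication list", "isakmp authorization list", "client configuration address")
KNOB_RE = re.compile(r"crypto map (\S+) (client authentication list|isakmp authorization list|client configuration address)")

def parse_blocks(config: str) -> list:
    """Split IOS running-config text into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_ezvpn_server(config: str) -> list:
    """Findings as plain strings; an empty list means none of the thread's defects is present."""
    blocks = parse_blocks(config)
    tops = [t for t, _ in blocks]
    findings = []
    # 1. 'pool X' referenced by the client group but never defined (GuruChiu's first comment)
    pools = {m.group(1) for t in tops if (m := re.match(r"ip local pool (\S+)", t))}
    for top, subs in blocks:
        if top.startswith("crypto isakmp client configuration group"):
            for name in (s.split()[1] for s in subs if s.startswith("pool ")):
                if name not in pools:
                    findings.append(f"'{top}' uses pool {name} but there is no 'ip local pool {name}'")
    # 2. map names bound to interfaces vs. the name carrying the remote-access knobs (second comment)
    bound, client_ifaces = set(), []
    for top, subs in blocks:
        if not top.startswith("interface "):
            continue
        here = [s.split()[2] for s in subs if re.fullmatch(r"crypto map \S+", s)]
        bound.update(here)
        if here and any(s.startswith("pppoe-client") for s in subs):  # practitioner caveat, not from the thread
            findings.append(f"{top}: crypto map on the PPPoE physical interface; bind it to the Dialer instead")
        if any(s.startswith("crypto ipsec client ezvpn") for s in subs):
            client_ifaces.append(top)
    knobs = {}
    for t in tops:
        if m := KNOB_RE.match(t):
            knobs.setdefault(m.group(1), set()).add(m.group(2))
    for name in sorted(bound):
        for need in EZVPN_MAP_KNOBS:
            if need not in knobs.get(name, set()):
                findings.append(f"crypto map {name} is bound to an interface but has no '{need}'")
    for name in sorted(set(knobs) - bound):
        findings.append(f"crypto map {name} carries remote-access settings but is not bound to any interface")
    # 3. 'crypto ipsec client ezvpn' makes the router an EzVPN *client* (the accepted answer)
    if client_ifaces or any(t.startswith("crypto ipsec client ezvpn") for t in tops):
        findings.append("'crypto ipsec client ezvpn' present: configured as an EzVPN client, not a server")
    return findings
```

`audit_ezvpn_server(BROKEN_CONFIG)` reports seven findings against the posted fragment and none against the rewrite. Two things the fragments leave out still matter on the real router: a `username` for each XAUTH user (the `aaa authentication login rtr-remote local` list authenticates against the local database), and NAT exemption. The posted `ip nat inside source list 10 interface Dialer1 overload` with access-list 10 covering the whole LAN translates LAN-to-pool traffic before IPsec sees it, so the NAT ACL needs a deny for the VPN pool (or a route-map) once the tunnel comes up. Note also that `hash sha` is the IOS default for an ISAKMP policy, so adding it explicitly is harmless but changes nothing in the negotiation.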
