Cannot connect 1811 to 3000 VPN Concentrator

Posted on 2011-04-19
Last Modified: 2012-05-11
I am attempting to connect a Cisco 1811 to an existing VPN 3000 concentrator.  I have set up the user and group on the concentrator to use the following:

IPSEC: ESP-3DES-MD5

with Local authentication

Now this concentrator is in production, and I have merely duplicated the settings from a group and user that are fully functional, and I have taken the example of a config that was in production at one time (although the router has been "played with" in the meantime, so I don't know how much has changed).

I have applied the following config to the router in the hopes to connect.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
interface fastethernet 0
 crypto map static-map
!
crypto ipsec client ezvpn XXXXXX
 connect auto
 group XXXX key XXXXX
 mode client
 peer XX.XX.XX.XX
 username XXXXXX password XXXXXX
 xauth userid mode local
!
interface fastethernet 0
 crypto ipsec client ezvpn XXXXXX outside

When I run:

show crypto ipsec client ezvpn

I get the following:

Tunnel name : XXXXX
Inside interface list:
Outside interface: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Allowed
Current EzVPN Peer: XX.XX.XX.XX

My Config looks like this:

-----------------------------------------------------------------------

Using 3299 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname twcanada
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
!
!
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.0.11.1
!
!
ip name-server 205.171.3.65
ip name-server 205.171.2.65
!
!
crypto pki trustpoint TP-self-signed-679469994
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-679469994
 revocation-check none
 rsakeypair TP-self-signed-679469994
!
!
crypto pki certificate chain TP-self-signed-679469994
 certificate self-signed 01 nvram:IOS-Self-Sig#3405.cer

!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn XXXXX
 connect auto
 group XXX  key XXXXX
 mode client
 peer XX.XX.XX.XX
 username XXXXX password XXXXX
 xauth userid mode local
!
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
 ip address 10.0.200.1 255.255.255.255
!
interface Loopback1
 no ip address
!
interface Loopback2
 no ip address
!
interface Loopback3
 no ip address
!
interface FastEthernet0
 description $ES_WAN$
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn XXXXX
!
interface FastEthernet1
 ip address 10.0.65.1 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
 ip address 10.0.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 10.0.7.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 4 interface FastEthernet0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 4 remark SDM_ACL Category=2
access-list 4 permit 10.0.11.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
This Router is the property of XXXXXX. If you do not have permission
to be here and you are reading this message. Then disconect now.

You have been Logged.

-----------------------------------------------------------------------
^C
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

-----------------------------------------------------------------------------------------------------

Would someone please tell me what I am missing here?

Thank you!!!

Question by: electrodomestico
Expert Comment
by: ein_mann_betrieb, ID: 35426872
Hi electrodomestico,

First off, you don't need the "crypto dynamic-map dynmap 1" line as you are doing everything through the EzVPN client.

Second, you have not declared an inside interface for the EzVPN.

Lastly, you have FastEthernet1 setup with an overlapping IP range, and even though it is shutdown I recommend removing it.

Below, replace XXXXX with your EzVPN profile name.

So enter in config mode:
------
no crypto dynamic-map dynmap 1
interface FastEthernet1
 no ip address
interface Vlan1
 crypto ipsec client ezvpn XXXXX inside
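A lint pass for the wiring the comment above describes, added here as an example (it is not code from the thread or from Cisco). It parses a trimmed copy of the running-config posted in the question, checks that each EzVPN profile has an outside and an inside interface binding (an interface line without the keyword is treated as outside, which is what the poster's "Outside interface: FastEthernet0" show output confirms), flags a crypto map applied on the same interface as the client, and notes an ISAKMP policy with no hash line, which IOS fills with its default of SHA. The profile name XXXXX is the poster's placeholder; the finding strings are this example's own.

```python
"""Lint an IOS running-config for the EzVPN client wiring discussed above.

Added example, not code from the thread. It assumes the classic IOS 12.4
syntax in the post: a global 'crypto ipsec client ezvpn NAME' profile and
'crypto ipsec client ezvpn NAME [inside|outside]' under interfaces.
"""
import re

# Trimmed copy of the config posted in the question; XXXXX is the poster's placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn XXXXX
 connect auto
 group XXX  key XXXXX
 mode client
 peer XX.XX.XX.XX
 username XXXXX password XXXXX
 xauth userid mode local
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 crypto map static-map
 crypto ipsec client ezvpn XXXXX
!
interface Vlan1
 ip address 10.0.11.1 255.255.255.0
 ip nat inside
!
"""

# Interface-level binding; the role keyword is optional and defaults to outside,
# matching the 'Outside interface: FastEthernet0' in the poster's show output.
BIND = re.compile(r"^crypto ipsec client ezvpn (\S+)(?: (inside|outside))?$")


def parse_sections(config_text):
    """Split IOS config into (header, [indented sub-lines]) pairs, dropping '!' separators."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line[0].isspace() and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def lint_ezvpn(config_text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    findings = []
    profiles = [h.split()[-1] for h, _ in sections if h.startswith("crypto ipsec client ezvpn ")]
    bound = {name: {"inside": [], "outside": []} for name in profiles}
    for header, body in sections:
        if header.startswith("interface "):
            iface = header.split(None, 1)[1]
            maps = [sub.split()[2] for sub in body if sub.startswith("crypto map ")]
            for sub in body:
                m = BIND.match(sub)
                if not m:
                    continue
                name, role = m.group(1), m.group(2) or "outside"  # no keyword = outside
                if name not in bound:
                    findings.append(f"{iface}: references undefined EzVPN profile {name}")
                    continue
                bound[name][role].append(iface)
                if role == "outside" and maps:
                    findings.append(f"{iface}: carries 'crypto map {maps[0]}' as well as the "
                                    f"EzVPN outside binding; the client does not use it")
        elif header.startswith("crypto isakmp policy "):
            # IOS fills an omitted hash with SHA, so the offer will not be MD5.
            if not any(sub.startswith("hash ") for sub in body):
                findings.append(f"{header}: no 'hash' line, so IOS offers its default (SHA)")
    for name, roles in bound.items():
        if not roles["outside"]:
            findings.append(f"profile {name}: no outside interface bound")
        if not roles["inside"]:
            findings.append(f"profile {name}: no inside interface bound "
                            f"(add 'crypto ipsec client ezvpn {name} inside' under the LAN interface)")
    return findings


if __name__ == "__main__":
    for finding in lint_ezvpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted config it reports three findings: the missing inside binding, the crypto map sharing FastEthernet0 with the client, and the policy with no hash line. Apply the three corresponding changes to the text and it returns an empty list.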
Expert Comment
by: ein_mann_betrieb, ID: 35426942
FYI... if you're connected over SSH or Telnet, you will need to issue "term mon" in exec mode (not config mode), and you can issue "debug cry ipsec" and see if it's even attempting to connect.

Good luck.  -Cheers, Peter.
Author Comment
by: electrodomestico, ID: 35427664
I got it to begin the negotiations with the concentrator; however, I am getting the following errors on the concentrator, which don't make sense due to the fact that I have the sending ISAKMP settings set up identically to the settings for the user and group on the concentrator. Also, why is the concentrator saying that it is receiving a request for SHA when I have the config set for MD5 on the router?

18373 04/19/2011 13:26:54.140 SEV=9 IKEDBG/0 RPT=37826 67.40.135.26
processing SA payload
 
18374 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22429
Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
Parsing received transform:
  Phase 1 failure against global IKE proposal # 1:
  Mismatched attr types for class Hash Alg:
    Rcv'd: SHA
    Cfg'd: MD5
 
18378 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22430
  Phase 1 failure against global IKE proposal # 2:
  Mismatched attr types for class Hash Alg:
    Rcv'd: SHA
    Cfg'd: MD5
 
18380 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22431
  Phase 1 failure against global IKE proposal # 3:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 1
 
18383 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22432
  Phase 1 failure against global IKE proposal # 4:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 1
 
18386 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22433
  Phase 1 failure against global IKE proposal # 5:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 7
 
18389 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22434
  Phase 1 failure against global IKE proposal # 6:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 5
 
18392 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22435
  Phase 1 failure against global IKE proposal # 7:
  Mismatched attr types for class Hash Alg:
    Rcv'd: SHA
    Cfg'd: MD5
 
18394 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22436
  Phase 1 failure against global IKE proposal # 8:
  Mismatched attr types for class Encryption Alg:
    Rcv'd: Triple-DES
    Cfg'd: AES
 
18397 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22437
  Phase 1 failure against global IKE proposal # 9:
  Mismatched attr types for class Encryption Alg:
    Rcv'd: Triple-DES
    Cfg'd: AES
 
18400 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22438
  Phase 1 failure against global IKE proposal # 10:
  Mismatched attr types for class Auth Method:
    Rcv'd: Preshared Key
    Cfg'd: CRACK
 
18404 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22439
  Phase 1 failure against global IKE proposal # 11:
  Mismatched attr types for class Encryption Alg:
    Rcv'd: Triple-DES
    Cfg'd: AES
 
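The concentrator records above can be read mechanically. What follows is an added example, not part of the thread, that parses the IKEDBG/79 "Phase 1 failure" records (a subset of the posted ones is embedded as sample input), reconstructs what the 1811 actually offered from the Rcv'd values, and lists which of the concentrator's global proposals would stop failing on their logged attribute if the router's offer changed. On the SHA question: the router's isakmp policy 1 has no hash line, and IOS fills that in with its default of SHA, which is exactly what the concentrator reports receiving. One caveat the code carries: the concentrator reports one mismatched attribute per proposal and says nothing about the rest, so a proposal whose logged mismatch goes away is a candidate, not a confirmed match.

```python
"""Summarise VPN 3000 IKEDBG/79 phase-1 proposal mismatches.

Added example, not part of the thread. It parses the 'Phase 1 failure
against global IKE proposal' records the concentrator logs, reconstructs
what the initiator (the 1811) offered, and shows which proposals would
stop failing on their logged attribute if that offer changed.
"""
import re

# Subset of the concentrator log posted above (proposals 1, 3, 5, 8 and 10).
SAMPLE_LOG = """\
18374 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22429
Proposal # 1, Transform # 1, Type ISAKMP, Id IKE
Parsing received transform:
  Phase 1 failure against global IKE proposal # 1:
  Mismatched attr types for class Hash Alg:
    Rcv'd: SHA
    Cfg'd: MD5

18380 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22431
  Phase 1 failure against global IKE proposal # 3:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 1

18386 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22433
  Phase 1 failure against global IKE proposal # 5:
  Mismatched attr types for class DH Group:
    Rcv'd: Oakley Group 2
    Cfg'd: Oakley Group 7

18394 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22436
  Phase 1 failure against global IKE proposal # 8:
  Mismatched attr types for class Encryption Alg:
    Rcv'd: Triple-DES
    Cfg'd: AES

18400 04/19/2011 13:26:54.140 SEV=8 IKEDBG/79 RPT=22438
  Phase 1 failure against global IKE proposal # 10:
  Mismatched attr types for class Auth Method:
    Rcv'd: Preshared Key
    Cfg'd: CRACK
"""

# One four-line record per proposal the concentrator rejected.
RECORD = re.compile(
    r"Phase 1 failure against global IKE proposal # (?P<num>\d+):[ \t]*\n"
    r"[ \t]*Mismatched attr types for class (?P<cls>[^:\n]+):[ \t]*\n"
    r"[ \t]*Rcv'd:[ \t]*(?P<rcvd>[^\n]+?)[ \t]*\n"
    r"[ \t]*Cfg'd:[ \t]*(?P<cfgd>[^\n]+?)[ \t]*(?:\n|$)"
)


def parse_failures(log_text):
    """Return one dict per logged mismatch: proposal, class, received, configured."""
    return [
        {"proposal": int(m["num"]), "class": m["cls"].strip(),
         "received": m["rcvd"].strip(), "configured": m["cfgd"].strip()}
        for m in RECORD.finditer(log_text)
    ]


def offered_by_peer(failures):
    """Reconstruct the initiator's phase-1 offer, per attribute class.

    Every Rcv'd value comes from the same single transform the router sent,
    so the union across records is what the 1811 actually proposed.
    """
    offer = {}
    for f in failures:
        offer.setdefault(f["class"], set()).add(f["received"])
    return {cls: sorted(vals) for cls, vals in offer.items()}


def first_mismatch_per_proposal(failures):
    """Map proposal number -> (class, configured value) of its logged mismatch.

    The concentrator reports one attribute per proposal; the others may
    still differ, it simply never got that far.
    """
    return {f["proposal"]: (f["class"], f["configured"]) for f in failures}


def candidates_after_change(failures, new_offer):
    """Proposals whose logged mismatch would vanish if the router offered
    new_offer (class -> value). Candidates only, for the reason above."""
    return sorted(f["proposal"] for f in failures
                  if new_offer.get(f["class"]) == f["configured"])


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("router offered:", offered_by_peer(failures))
    for num, (cls, cfg) in sorted(first_mismatch_per_proposal(failures).items()):
        print(f"  proposal {num:2}: failed on {cls}, concentrator wants {cfg}")
    # 'hash md5' under 'crypto isakmp policy 1' would move the offered hash
    # from the IOS default (SHA) to MD5; these proposals would then get past
    # the attribute they currently fail on.
    print("candidates with hash md5:", candidates_after_change(failures, {"Hash Alg": "MD5"}))
```

The reconstructed offer is 3DES, SHA, group 2, pre-shared key: the router's policy 1 with the unstated hash filled in. Feed the full log from the post through the same functions and every proposal that names a hash mismatch becomes a candidate once the offer says MD5.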
Accepted Solution
by: ein_mann_betrieb (earned 2000 total points), ID: 35427929
On the 3000 concentrator, does this user and the group it belongs to have 3DES, MD5 Hash, and DH group 2?

Typically EzVPN will auto-negotiate these and only fails when the hardware-supported encryption is not permitted by the concentrator (i.e. the concentrator is set for AES and the hardware router does not support AES encryption), which can produce errors like you show.

Try debugging on the router versus the concentrator.

If you're not on the serial console of the router, issue "term mon" in exec mode (not config mode) and then "debug cry isakmp" for phase 1.  This may have more detail on the issue.

Let me know what it outputs.
Thanks.  -Cheers, Peter.
Author Comment
by: electrodomestico, ID: 35428766
Thanks Peter.

I will try that.

The concentrator is actually set up with the aforementioned encryption protocols, so I am a bit miffed as to why it isn't working.

I would like to connect to this device over telnet, but given my inexperience I don't know how to program the interfaces so that I can connect directly to it with the laptop over Ethernet.  Would you mind posting the script I would need to program one of the switch ports on the 1811 properly so I can assign a static IP to my laptop and hit it over telnet?

Thanks again
Paul
Expert Comment
by: ein_mann_betrieb, ID: 35429695
FYI... if you're working over the net I recommend staying away from telnet and using SSH.

Below are the basics for allowing telnet access.
Telnet to the IP of your public interface.  Use the line password, type "enable" and enter the enable password.
enable secret level 15 <Enable Pass>

access-list 2 permit <IP allowed to connect>
access-list 2 deny any

line vty 0 4
 exec-timeout 5 0
 password <Line Password>
 access-class 2
 transport input telnet
 transport output all

Expert Comment
by: ein_mann_betrieb, ID: 35429734
Here is what I recommend for SSH:
crypto key generate rsa

aaa new-model
aaa authentication login ConsoleUsers local
aaa authorization console
aaa authorization exec ConsoleUsers local 

username <Username> privilege 15 password <Password>


access-list 2 permit <IP allowed to connect>
access-list 2 deny any


line vty 0 4
 exec-timeout 5 0
 access-class 2
 authorization exec ConsoleUsers
 login authentication ConsoleUsers
 transport preferred ssh
 transport input ssh
 transport output all
