Solved

no connection VPN

Posted on 2013-01-13
Last Modified: 2014-10-21
Hello,

I'm having issues with my VPN setup. I'm using a Cisco 1721 (C1700-ADVIPSERVICESK9-M), Version 12.4(3), Release FC2.

1 FastEthernet interface (local network)
1 ATM interface (WIC-ADSL connection to internet)
1 Virtual Private Network (VPN) Module

I'm using a Windows Cisco VPN client 5.0.07.04 at another site with subnet 172.16.1.0.

This is my config:


Current configuration : 2017 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8m04$j2hrF5s52IdlWsvRU68Sv1
!
aaa new-model
!
!
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUP local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
vpdn enable

username xxxx password 0 yyyyy

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN-GROUP
 key VPN
 pool VPNPOOL

!
crypto map VPN-STATIC client authentication list VPN-USERS
crypto map VPN-STATIC isakmp authorization list VPN-GROUP
crypto map VPN-STATIC client configuration address respond
crypto map VPN-STATIC 10 ipsec-isakmp dynamic VPN-DYNAMIC
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/81
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 192.168.1.241 255.255.255.0
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username 12345 password 0 abcde
 crypto map VPN-STATIC


!
ip local pool VPNPOOL 192.168.1.229 192.168.1.239
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1

!
no ip http server
no ip http secure-server
!
!
!
control-plane
!

line con 0
line aux 0
line vty 0 4
 password XXXXX
!
end


When I connect, I get this error:

Router#
*Mar  1 22:17:11.006: ISAKMP (0:0): received packet from 189.133.25.117 dport 500 sport 54553 Global (N) NEW SA
*Mar  1 22:17:11.010: ISAKMP: Created a peer struct for 189.133.25.117, peer port 54553
*Mar  1 22:17:11.010: ISAKMP: New peer created peer = 0x84B2C3AC peer_handle = 0x80000023
*Mar  1 22:17:11.010: ISAKMP: Locking peer struct 0x84B2C3AC, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 22:17:11.010: ISAKMP:(0:0:N/A:0):Setting client config settings 849876DC
*Mar  1 22:17:11.010: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list  and state
*Mar  1 22:17:11.010: ISAKMP/xauth: initializing AAA request
*Mar  1 22:17:11.014: ISAKMP: local port 500, remote port 54553
*Mar  1 22:17:11.014: insert sa successfully sa = 84D71C90
*Mar  1 22:17:11.014: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
*Mar  1 22:17:11.018: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnuser
        protocol     : 17
        port         : 500
        length       : 15
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID is DPD
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): vendor ID is Unity
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 22:17:11.026: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.026: ISAKMP:      hash SHA
*Mar  1 22:17:11.026: ISAKMP:      default group 2
*Mar  1 22:17:11.026: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.026: ISAKMP:      life type in seconds
*Mar  1 22:17:11.030: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.030: ISAKMP:      keylength of 256
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
*Mar  1 22:17:11.030: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.030: ISAKMP:      hash MD5
*Mar  1 22:17:11.034: ISAKMP:      default group 2
*Mar  1 22:17:11.034: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.034: ISAKMP:      life type in seconds
*Mar  1 22:17:11.034: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.034: ISAKMP:      keylength of 256
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 10 policy
*Mar  1 22:17:11.038: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.038: ISAKMP:      hash SHA
*Mar  1 22:17:11.038: ISAKMP:      default group 2
*Mar  1 22:17:11.038: ISAKMP:      auth pre-share
*Mar  1 22:17:11.038: ISAKMP:      life type in seconds
*Mar  1 22:17:11.038: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.038: ISAKMP:      keylength of 256
*Mar  1 22:17:11.038: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.042: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.042: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 10 policy
*Mar  1 22:17:11.042: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.042: ISAKMP:      hash MD5
*Mar  1 22:17:11.042: ISAKMP:      default group 2
*Mar  1 22:17:11.042: ISAKMP:      auth pre-share
*Mar  1 22:17:11.042: ISAKMP:      life type in seconds
*Mar  1 22:17:11.042: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.042: ISAKMP:      keylength of 256
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 10 policy
*Mar  1 22:17:11.046: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.046: ISAKMP:      hash SHA
*Mar  1 22:17:11.046: ISAKMP:      default group 2
*Mar  1 22:17:11.046: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.046: ISAKMP:      life type in seconds
*Mar  1 22:17:11.046: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.050: ISAKMP:      keylength of 128
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 10 policy
*Mar  1 22:17:11.050: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.050: ISAKMP:      hash MD5
*Mar  1 22:17:11.050: ISAKMP:      default group 2
*Mar  1 22:17:11.050: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.054: ISAKMP:      life type in seconds
*Mar  1 22:17:11.054: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.054: ISAKMP:      keylength of 128
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against priority 10 policy
*Mar  1 22:17:11.054: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.058: ISAKMP:      hash SHA
*Mar  1 22:17:11.058: ISAKMP:      default group 2
*Mar  1 22:17:11.058: ISAKMP:      auth pre-share
*Mar  1 22:17:11.058: ISAKMP:      life type in seconds
*Mar  1 22:17:11.058: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.058: ISAKMP:      keylength of 128
*Mar  1 22:17:11.058: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.058: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.062: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 10 policy
*Mar  1 22:17:11.062: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.062: ISAKMP:      hash MD5
*Mar  1 22:17:11.062: ISAKMP:      default group 2
*Mar  1 22:17:11.062: ISAKMP:      auth pre-share
*Mar  1 22:17:11.062: ISAKMP:      life type in seconds
*Mar  1 22:17:11.062: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.066: ISAKMP:      keylength of 128
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 10 policy
*Mar  1 22:17:11.066: ISAKMP:      encryption 3DES-CBC
*Mar  1 22:17:11.070: ISAKMP:      hash SHA
*Mar  1 22:17:11.070: ISAKMP:      default group 2
*Mar  1 22:17:11.070: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.070: ISAKMP:      life type in seconds
*Mar  1 22:17:11.070: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.074: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar  1 22:17:11.326: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0
*Mar  1 22:17:11.574: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0
*Mar  1 22:17:11.574: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v2
*Mar  1 22:17:11.578: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 22:17:11.578: ISAKMP:(0:1:HW:2):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Mar  1 22:17:11.578: AAA/AUTHOR/IKMP/LOCAL: group vpnuser does not exist
*Mar  1 22:17:11.578: ISAKMP (0:268435457): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  1 22:17:16.062: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) AG_NO_STATE
*Mar  1 22:17:16.062: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
*Mar  1 22:17:16.066: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
*Mar  1 22:17:16.066: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:16.566: ISAKMP (0:268435457): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): sending packet to 189.133.25.117 my_port 500 peer_port 54553 (R) AG_NO_STATE
*Mar  1 22:17:21.066: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) AG_NO_STATE
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:21.566: ISAKMP (0:268435457): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. AG_NO_STATE
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2):deleting SA reason "Death by retransmission P1" state (R) AG_NO_STATE (peer 189.133.25.117)
*Mar  1 22:17:21.570: ISAKMP:(0:1:HW:2):deleting SA reason "Death by retransmission P1" state (R) AG_NO_STATE (peer 189.133.25.117)
*Mar  1 22:17:21.570: ISAKMP: Unlocking IKE struct 0x84B2C3AC for isadb_mark_sa_deleted(), count 0
*Mar  1 22:17:21.570: ISAKMP: Deleting peer node by peer_reap for 189.133.25.117: 84B2C3AC
*Mar  1 22:17:21.574: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 22:17:21.574: ISAKMP:(0:1:HW:2):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_DEST_SA

*Mar  1 22:17:21.574: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 22:17:26.066: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) MM_NO_STATE
*Mar  1 22:18:21.574: ISAKMP:(0:1:HW:2):purging SA., sa=84D71C90, delme=84D71C90


Could you help me please!!!!
Question by:gveraa

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38772841
Although you do eventually get a policy accept, you should always specify the hash in the ISAKMP policy. Also, I do my best to stay away from using a VPN pool that is in the same range as an existing subnet, so I would suggest changing the VPN pool and configuring the NAT exemption to allow traffic to continue flowing correctly.

You also do not appear to have a transform set applied to your dynamic map, so you can currently pass phase 1 but have no way to continue with phase 2.

VPN-DYNAMIC is referenced in your crypto command, but you never defined the dynamic map of VPN-DYNAMIC. In this map you will apply the transform set mentioned above.

This is a good example of an RA-VPN config.
http://tunnelsup.com/tup/2010/05/02/remote-access-vpn-connection-using-a-cisco-router/
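
The checks named in this answer, written as an added example (not part of the original answer or the linked guide): a small Python audit that flags an ISAKMP policy without an explicit hash, a dynamic map that is referenced but never defined, a missing transform set, and a VPN pool inside a subnet already on an interface. The function name `audit_ra_vpn` and the finding codes are hypothetical, and the sample input is a constructed excerpt of the configuration posted in the question.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto map VPN-STATIC 10 ipsec-isakmp dynamic VPN-DYNAMIC
!
interface FastEthernet0
 ip address 192.168.1.241 255.255.255.0
!
ip local pool VPNPOOL 192.168.1.229 192.168.1.239
"""

def audit_ra_vpn(config):
    """Return sorted finding codes (hypothetical names) for the issues the answer lists."""
    findings = set()
    # 1. ISAKMP policy blocks that never set a hash explicitly.
    for num, body in re.findall(r"^crypto isakmp policy (\d+)\n((?: .*\n?)*)", config, re.M):
        if not re.search(r"^ hash ", body, re.M):
            findings.add(f"isakmp-policy-{num}-no-hash")
    # 2. Dynamic maps referenced by a crypto map but undefined, or lacking a transform set.
    defined = {}
    for name, body in re.findall(r"^crypto dynamic-map (\S+) \d+\n((?: .*\n?)*)", config, re.M):
        defined[name] = defined.get(name, False) or "set transform-set" in body
    for name in re.findall(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", config, re.M):
        if name not in defined:
            findings.add(f"dynamic-map-{name}-undefined")
        elif not defined[name]:
            findings.add(f"dynamic-map-{name}-no-transform-set")
    if not re.search(r"^crypto ipsec transform-set ", config, re.M):
        findings.add("no-transform-set")
    # 3. Address pools that fall inside a subnet already configured on an interface.
    subnets = [ipaddress.ip_interface(f"{ip}/{mask}").network
               for ip, mask in re.findall(r"^ ip address (\S+) (\d\S+)", config, re.M)]
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        for net in subnets:
            if ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net:
                findings.add(f"pool-{pool}-overlaps-{net}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_ra_vpn(SAMPLE_CONFIG)))
```
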
 

Author Comment

by:gveraa
ID: 38789027
Thank you for your answer, a lot appreciated. I will try it!!!