Solved

no connection VPN

Posted on 2013-01-13
Last Modified: 2014-10-21
Hello,

I'm having issues with my VPN setup. I'm using a Cisco 1721 (C1700-ADVIPSERVICESK9-M), Version 12.4(3), Release FC2.

1 FastEthernet interface (local network)
1 ATM interface (WIC-ADSL connection to internet)
1 Virtual Private Network (VPN) Module

I'm using a Windows Cisco VPN client 5.0.07.04 at another site with subnet 172.16.1.0.

This is my config:


Current configuration : 2017 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8m04$j2hrF5s52IdlWsvRU68Sv1
!
aaa new-model
!
!
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUP local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
vpdn enable

username xxxx password 0 yyyyy

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN-GROUP
 key VPN
 pool VPNPOOL

!
crypto map VPN-STATIC client authentication list VPN-USERS
crypto map VPN-STATIC isakmp authorization list VPN-GROUP
crypto map VPN-STATIC client configuration address respond
crypto map VPN-STATIC 10 ipsec-isakmp dynamic VPN-DYNAMIC
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/81
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 ip address 192.168.1.241 255.255.255.0
 speed auto
!
interface Dialer1
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp authentication pap callin
 ppp pap sent-username 12345 password 0 abcde
 crypto map VPN-STATIC


!
ip local pool VPNPOOL 192.168.1.229 192.168.1.239
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1

!
no ip http server
no ip http secure-server
!
!
!
control-plane
!

line con 0
line aux 0
line vty 0 4
 password XXXXX
!
end


When I connect, I get the error:

Router#
*Mar  1 22:17:11.006: ISAKMP (0:0): received packet from 189.133.25.117 dport 500 sport 54553 Global (N) NEW SA
*Mar  1 22:17:11.010: ISAKMP: Created a peer struct for 189.133.25.117, peer port 54553
*Mar  1 22:17:11.010: ISAKMP: New peer created peer = 0x84B2C3AC peer_handle = 0x80000023
*Mar  1 22:17:11.010: ISAKMP: Locking peer struct 0x84B2C3AC, IKE refcount 1 for crypto_isakmp_process_block
*Mar  1 22:17:11.010: ISAKMP:(0:0:N/A:0):Setting client config settings 849876DC
*Mar  1 22:17:11.010: ISAKMP:(0:0:N/A:0):(Re)Setting client xauth list  and state
*Mar  1 22:17:11.010: ISAKMP/xauth: initializing AAA request
*Mar  1 22:17:11.014: ISAKMP: local port 500, remote port 54553
*Mar  1 22:17:11.014: insert sa successfully sa = 84D71C90
*Mar  1 22:17:11.014: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
*Mar  1 22:17:11.018: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnuser
        protocol     : 17
        port         : 500
        length       : 15
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0):: peer matches *none* of the profiles
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
*Mar  1 22:17:11.018: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID is DPD
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 22:17:11.022: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): vendor ID is Unity
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
*Mar  1 22:17:11.026: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 22:17:11.026: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.026: ISAKMP:      hash SHA
*Mar  1 22:17:11.026: ISAKMP:      default group 2
*Mar  1 22:17:11.026: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.026: ISAKMP:      life type in seconds
*Mar  1 22:17:11.030: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.030: ISAKMP:      keylength of 256
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.030: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 2 against priority 10 policy
*Mar  1 22:17:11.030: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.030: ISAKMP:      hash MD5
*Mar  1 22:17:11.034: ISAKMP:      default group 2
*Mar  1 22:17:11.034: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.034: ISAKMP:      life type in seconds
*Mar  1 22:17:11.034: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.034: ISAKMP:      keylength of 256
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.034: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 10 policy
*Mar  1 22:17:11.038: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.038: ISAKMP:      hash SHA
*Mar  1 22:17:11.038: ISAKMP:      default group 2
*Mar  1 22:17:11.038: ISAKMP:      auth pre-share
*Mar  1 22:17:11.038: ISAKMP:      life type in seconds
*Mar  1 22:17:11.038: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.038: ISAKMP:      keylength of 256
*Mar  1 22:17:11.038: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.042: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.042: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 4 against priority 10 policy
*Mar  1 22:17:11.042: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.042: ISAKMP:      hash MD5
*Mar  1 22:17:11.042: ISAKMP:      default group 2
*Mar  1 22:17:11.042: ISAKMP:      auth pre-share
*Mar  1 22:17:11.042: ISAKMP:      life type in seconds
*Mar  1 22:17:11.042: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.042: ISAKMP:      keylength of 256
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.046: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 10 policy
*Mar  1 22:17:11.046: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.046: ISAKMP:      hash SHA
*Mar  1 22:17:11.046: ISAKMP:      default group 2
*Mar  1 22:17:11.046: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.046: ISAKMP:      life type in seconds
*Mar  1 22:17:11.046: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.050: ISAKMP:      keylength of 128
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.050: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 6 against priority 10 policy
*Mar  1 22:17:11.050: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.050: ISAKMP:      hash MD5
*Mar  1 22:17:11.050: ISAKMP:      default group 2
*Mar  1 22:17:11.050: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.054: ISAKMP:      life type in seconds
*Mar  1 22:17:11.054: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.054: ISAKMP:      keylength of 128
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.054: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 7 against priority 10 policy
*Mar  1 22:17:11.054: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.058: ISAKMP:      hash SHA
*Mar  1 22:17:11.058: ISAKMP:      default group 2
*Mar  1 22:17:11.058: ISAKMP:      auth pre-share
*Mar  1 22:17:11.058: ISAKMP:      life type in seconds
*Mar  1 22:17:11.058: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.058: ISAKMP:      keylength of 128
*Mar  1 22:17:11.058: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.058: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.062: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 8 against priority 10 policy
*Mar  1 22:17:11.062: ISAKMP:      encryption AES-CBC
*Mar  1 22:17:11.062: ISAKMP:      hash MD5
*Mar  1 22:17:11.062: ISAKMP:      default group 2
*Mar  1 22:17:11.062: ISAKMP:      auth pre-share
*Mar  1 22:17:11.062: ISAKMP:      life type in seconds
*Mar  1 22:17:11.062: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.066: ISAKMP:      keylength of 128
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Mar  1 22:17:11.066: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 10 policy
*Mar  1 22:17:11.066: ISAKMP:      encryption 3DES-CBC
*Mar  1 22:17:11.070: ISAKMP:      hash SHA
*Mar  1 22:17:11.070: ISAKMP:      default group 2
*Mar  1 22:17:11.070: ISAKMP:      auth XAUTHInitPreShared
*Mar  1 22:17:11.070: ISAKMP:      life type in seconds
*Mar  1 22:17:11.070: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar  1 22:17:11.074: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
*Mar  1 22:17:11.326: ISAKMP:(0:1:HW:2): processing KE payload. message ID = 0
*Mar  1 22:17:11.574: ISAKMP:(0:1:HW:2): processing NONCE payload. message ID = 0
*Mar  1 22:17:11.574: ISAKMP:(0:1:HW:2): vendor ID is NAT-T v2
*Mar  1 22:17:11.578: ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar  1 22:17:11.578: ISAKMP:(0:1:HW:2):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Mar  1 22:17:11.578: AAA/AUTHOR/IKMP/LOCAL: group vpnuser does not exist
*Mar  1 22:17:11.578: ISAKMP (0:268435457): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Mar  1 22:17:16.062: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) AG_NO_STATE
*Mar  1 22:17:16.062: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
*Mar  1 22:17:16.066: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
*Mar  1 22:17:16.066: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:16.566: ISAKMP (0:268435457): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE
*Mar  1 22:17:16.566: ISAKMP:(0:1:HW:2): sending packet to 189.133.25.117 my_port 500 peer_port 54553 (R) AG_NO_STATE
*Mar  1 22:17:21.066: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) AG_NO_STATE
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): phase 1 packet is a duplicate of a previous packet.
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): retransmitting due to retransmit phase 1
*Mar  1 22:17:21.066: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2): retransmitting phase 1 AG_NO_STATE...
*Mar  1 22:17:21.566: ISAKMP (0:268435457): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2): no outgoing phase 1 packet to retransmit. AG_NO_STATE
*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2):peer does not do paranoid keepalives.

*Mar  1 22:17:21.566: ISAKMP:(0:1:HW:2):deleting SA reason "Death by retransmission P1" state (R) AG_NO_STATE (peer 189.133.25.117)
*Mar  1 22:17:21.570: ISAKMP:(0:1:HW:2):deleting SA reason "Death by retransmission P1" state (R) AG_NO_STATE (peer 189.133.25.117)
*Mar  1 22:17:21.570: ISAKMP: Unlocking IKE struct 0x84B2C3AC for isadb_mark_sa_deleted(), count 0
*Mar  1 22:17:21.570: ISAKMP: Deleting peer node by peer_reap for 189.133.25.117: 84B2C3AC
*Mar  1 22:17:21.574: ISAKMP:(0:1:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 22:17:21.574: ISAKMP:(0:1:HW:2):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_DEST_SA

*Mar  1 22:17:21.574: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 22:17:26.066: ISAKMP (0:268435457): received packet from 189.133.25.117 dport 500 sport 54553 Global (R) MM_NO_STATE
*Mar  1 22:18:21.574: ISAKMP:(0:1:HW:2):purging SA., sa=84D71C90, delme=84D71C90


Could you help me please!!!!
Question by:gveraa
Accepted Solution

by: rauenpc earned 500 total points
ID: 38772841
Although you do eventually get a policy accept, you should always specify the hash in the ISAKMP policy. Also, I do my best to stay away from using a VPN pool that is in the same range as an existing subnet, so I would suggest changing the VPN pool and configuring the NAT exemption to allow traffic to continue flowing correctly.

You also do not appear to have a transform set applied to your dynamic map, so you can currently pass phase 1 but have no way to continue with phase 2.

VPN-DYNAMIC is referenced in your crypto command, but you never defined the dynamic map of VPN-DYNAMIC. In this map you will apply the transform set mentioned above.

This is a good example of an RA-VPN config.
http://tunnelsup.com/tup/2010/05/02/remote-access-vpn-connection-using-a-cisco-router/
0
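
The points raised in the accepted answer, run as a small audit over a trimmed excerpt of the posted configuration (an added example, not part of the original thread; the function names `sections` and `audit` and the finding strings are made up for illustration). It also picks up the `group vpnuser does not exist` line from the posted debug output and compares it with the group name the router defines.

```python
import ipaddress
import re

# Trimmed excerpt of the posted config and one line of the posted debug output.
CONFIG = """\
crypto isakmp policy 10
 encr 3des
crypto isakmp client configuration group VPN-GROUP
 pool VPNPOOL
crypto map VPN-STATIC 10 ipsec-isakmp dynamic VPN-DYNAMIC
interface FastEthernet0
 ip address 192.168.1.241 255.255.255.0
ip local pool VPNPOOL 192.168.1.229 192.168.1.239
"""
DEBUG = "AAA/AUTHOR/IKMP/LOCAL: group vpnuser does not exist"

def sections(config):
    """Map each top-level IOS line to the indented sub-commands under it."""
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head:
            out[head].append(line.strip())
        elif line.strip() not in ("", "!"):
            head = line.strip()
            out[head] = []
    return out

def audit(config, debug=""):
    """Findings for the answer's points plus the group lookup failure in the log."""
    sec, found = sections(config), []
    for head, body in sec.items():
        if head.startswith("crypto isakmp policy") and not any(b.startswith("hash") for b in body):
            found.append("isakmp policy has no explicit hash")
        ref = re.search(r"ipsec-isakmp dynamic (\S+)", head)
        if ref:  # crypto map entry pointing at a dynamic map
            dyn = [b for h, b in sec.items() if h.startswith(f"crypto dynamic-map {ref[1]} ")]
            if not dyn:
                found.append(f"dynamic map {ref[1]} is referenced but not defined")
            elif not any(c.startswith("set transform-set") for b in dyn for c in b):
                found.append(f"dynamic map {ref[1]} has no transform set")
    nets = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^ ip address (\S+) (\d\S+)$", config, re.M)]
    for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M):
        if any(ipaddress.ip_address(x) in n for x in (lo, hi) for n in nets):
            found.append(f"pool {name} overlaps a connected subnet")
    groups = re.findall(r"^crypto isakmp client configuration group (\S+)", config, re.M)
    for g in re.findall(r"group (\S+) does not exist", debug):  # AAA lookup failure
        if g not in groups:
            found.append(f"client sent group {g}, router defines {groups}")
    return found
```
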
 

Author Comment

by:gveraa
ID: 38789027
Thank you for your answer, a lot appreciated. I'll try it!!!