04-16-2007 02:26 AM - edited 02-21-2020 02:58 PM
I was trying to set up a remote access VPN between an IOS router (12.3) and VPN Client 4.x, using a Microsoft CA, but I was unable to connect with the VPN client. I don't know where I am going wrong. My router config is as follows:
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Central_site
!
aaa new-model
!
!
aaa authentication login vpn_auth group tacacs+
aaa authentication login LOCAL local
aaa authorization network LOCAL local
aaa authorization network vpn_auth group tacacs+
aaa session-id common
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
ip domain name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint ca_serv
enrollment mode ra
enrollment url http://10.1.1.3:80/certsrv/mscep/mscep.dll
usage ike
serial-number
fqdn none
subject-name cn=vpnclient,OU=guest_group
rsakeypair rsakey
!
crypto ca certificate chain ca_serv
certificate 6146C131000000000008
30820320 308202CA A0030201 02020A61 46C13100 00000000 08300D06 092A8648 92
{cut for space}
quit
certificate ca 72E76FC6C80A07BE4E6B545DE8376B3F
{cut for space}
quit
!
!
crypto isakmp policy 10
encr 3des
group 5
crypto isakmp identity dn
!
crypto isakmp client configuration group guest_group
dns 10.1.1.3
pool vpnpool
acl 100
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-MD5
!
!
crypto map vpn_map client authentication list LOCAL
crypto map vpn_map isakmp authorization list LOCAL
crypto map vpn_map client configuration address initiate
crypto map vpn_map client configuration address respond
crypto map vpn_map 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
ip address 172.31.235.21 255.255.255.252
frame-relay interface-dlci 100
crypto map vpn_map
!
ip local pool vpnpool 192.168.1.100 192.168.1.200
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
dial-peer cor custom
!
end
I generated a certificate for the VPN client having OU=guest_group. Below is the debug output for crypto isakmp:
01:25:44: ISAKMP (0:1): UNITY's identity FQDN but no group info
01:25:44: ISAKMP (0:1): peer matches *none* of the profiles
01:25:44: ISAKMP (0:1): processing CERT payload. message ID = 0
01:25:44: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
01:25:44: ISAKMP (0:1): peer's pubkey isn't cached
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM5
01:25:44: ISAKMP (0:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM4
01:25:44: ISAKMP (0:1): received packet from 10.2.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
01:25:44: ISAKMP: set new node 1338741477 to CONF_XAUTH
01:25:44: ISAKMP (0:1): processing HASH payload. message ID = 1338741477
01:25:44: ISAKMP (0:1): processing NOTIFY INVALID_PAYLOAD protocol 1
spi 0, message ID = 1338741477, sa = 82F624C8
01:25:44: ISAKMP (0:1): peer does not do paranoid keepalives.
01:25:44: ISAKMP (0:1): deleting SA reason "recevied fatal informational" state (R) MM_KEY_EXCH (peer 10.2.1.3) input queue 0
01:25:44: ISAKMP (0:1): deleting node 1338741477 error FALSE reason "informational (in) state 1"
04-20-2007 09:38 AM
It could be a bug; check bug ID CSCea77449.
Try this link:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
04-21-2007 11:32 PM
Hi, I resolved it. Actually I was trying it on IOS 12.3, but the feature is supported from 12.4.