RAVPN is not working!!

Answered Question
Apr 4th, 2008

Hi,


I have a PIX with OS ver 7.2 and I am trying to set up RAVPN; however, it keeps failing and I get the following error on the PIX when enabling the crypto debug commands:


Apr 05 01:47:15 [IKEv1]: Group = ccie, IP = 192.1.24.114, Error: Unable to remove PeerTblEntry

Apr 05 01:47:20 [IKEv1]: Group = ccie, IP = 192.1.24.114, Removing peer from peer table failed, no match!


And the following error is from my VPN client ver 4.8.01:


The remote peer is no longer responding

01:53:32.493 04/05/08 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)


Here is my PIX VPN config:


crypto ipsec transform-set ccie esp-des esp-md5-hmac

crypto dynamic-map ccie 1 set transform-set ccie

crypto dynamic-map ccie 1 set reverse-route

crypto map cciemap 1 ipsec-isakmp dynamic ccie

crypto map cciemap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group ccie type ipsec-ra

tunnel-group ccie general-attributes

address-pool ccie

tunnel-group ccie ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication (outside) none


Any idea of why the VPN is failing?


R/ Haitham

husycisco Fri, 04/04/2008 - 16:28

Hi Haitham,

First of all, your VPN IP pool does not meet RFC 1918. Please create a new pool according to section "3. Private Address Space" in the following link:

http://www.faqs.org/rfcs/rfc1918.html

If you are too lazy to read, just choose a pool in 192.168.x.x, not 192.x.x.x.

Second, and most probably, check your exempt NAT statement for the VPN pool. Or post the related config for me to check.

Also try restarting the PIX after your config is done.

Regards

ray_stone Fri, 04/04/2008 - 16:38

Hi Husycisco, well, I understand your above answers, but is a NAT exemption rule required? As I understand it, can we use NAT/PAT to allow VPN network traffic for the Inside/DMZ zone, whatever you want to allow? Thanks

husycisco Sat, 04/05/2008 - 00:40

Hi Richard,

Exempt NAT is not a must, but it is the widely used NAT type for a simple RA VPN. But in scenarios where required, like in a spoke-to-spoke topology, NAT/PAT can be implemented instead of exempt NAT.


Regards

haithamnofal Sat, 04/05/2008 - 01:49

Hi husycisco,


I agree on the private addressing and on the NAT points; however, would creating a non-private IP pool and not configuring NAT really prevent the RAVPN from coming up?


R/Haitham

husycisco Sat, 04/05/2008 - 06:54

Haitham,

Your IP addressing does not actually end up with the error you are encountering right now, but missing/wrong NAT statements may cause this. Please attach your sanitized config.


haithamnofal Sat, 04/05/2008 - 14:20

Husycisco,


I added the NAT config as you suggested and also changed the NAT as you advised, but this also didn't bring it into a working state! Please note that this configuration is in the lab, so don't beat me up for using some public addresses :)


Attached please find the full PIX config file.


Appreciate your feedback on how to make the RAVPN work!


R/ Haitham



husycisco Sat, 04/05/2008 - 14:58

Haitham,

There are some simple configuration steps missing in your config.

First of all, you do not have a default route. X is your default gateway for the PIX:

route outside 0.0.0.0 0.0.0.0 192.1.24.x


Second, basic NAT and global statements. If you want to proceed without them, which is not the best practice in fact, you should disable nat-control. The following would be the best practice for NAT statements. Btw, there are two configs in the txt you attached; in one the VPN pool is 1.1.1.0 and in the other 192.168.1.0. I am assuming 1.1.1.0 is active in the following config suggestion. Also keep in mind that 192.168.1.0 is the default IP config of most off-the-shelf internet modems/routers, so that would make a conflict with the VPN user's local network. Stick with RFC 1918, but do not use widely used ranges like this.


no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0 0

global (outside) 1 interface

access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224

Third, for the sake of simplicity, apply the following:

no crypto dynamic-map ccie 1 set reverse-route

tunnel-group ccie ipsec-attributes

no isakmp ikev1-user-authentication (outside) none


And last, use the latest version of the Cisco VPN client, or at least version 5.x.


Regards
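The checklist in this reply (default route, NAT exemption covering the VPN pool, a defined address pool, the basic NAT/global lines) is easy to turn into a static check that can be run over a pasted PIX/ASA 7.x config before reaching for debug commands. The script below is an added example; it is not code from the original thread and not a Cisco tool. It parses a flattened config the way it appears in forum posts, reports the omissions discussed above, and additionally flags DES and MD5 in the transform set and ISAKMP policy as obsolete algorithms. The sample configs inside it are constructed from the config posted in the question; the "ip local pool" line, the route gateway 192.1.24.1 and the ACL network/mask used in the test are assumptions.

```python
"""Static linter for a PIX/ASA 7.x IKEv1 remote-access VPN config (added example;
the sample configs are constructed, the pool line and gateway are assumptions)."""
import ipaddress
import re

PARENTS = ("crypto isakmp policy ", "tunnel-group ", "group-policy ")
TOP_LEVEL = ("crypto ", "nat ", "global ", "static ", "access-list ", "route ",
             "ip ", "no ", "interface ")
WEAK_ALGS = {"des", "md5"}  # accepted by PIX 7.2 but obsolete; always flag

def parse_config(text):
    """Return (parent, line) pairs; parent is None for top-level commands.
    Pasted configs lose indentation, so a sub-command is attributed to the last parent."""
    entries, parent = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(PARENTS) or line.startswith(TOP_LEVEL):
            parent = line if line.startswith(PARENTS) else None
            entries.append((None, line))
        else:
            entries.append((parent, line))
    return entries

def _take_addr(tokens):
    t = tokens.pop(0)  # PIX ACL address spec: 'any' or 'NETWORK MASK'
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    entries = parse_config(text)
    top = [line for parent, line in entries if parent is None]
    findings = []
    def find(pattern):
        return [m for m in (re.match(pattern, cmd) for cmd in top) if m]
    # 1. Without a default route the PIX cannot even answer the client.
    if not find(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+"):
        findings.append("missing default route")
    # 2. Transform sets and phase-1 policies should not rely on DES/MD5.
    for m in find(r"crypto ipsec transform-set (\S+) (.+)"):
        weak = sorted({w for a in m.group(2).split() for w in WEAK_ALGS if w in a.split("-")})
        if weak:
            findings.append(f"transform-set {m.group(1)} uses weak {'/'.join(weak)}")
    for parent, line in entries:
        if parent and parent.startswith("crypto isakmp policy "):
            keyword, _, value = line.partition(" ")
            if keyword in ("encryption", "hash") and value in WEAK_ALGS:
                findings.append(f"{parent}: weak {keyword} {value}")
    # 3. Every pool assigned to a tunnel-group must be defined.
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in find(r"ip local pool (\S+) (\S+)-(\S+)")}
    assigned = []
    for parent, line in entries:
        if parent and parent.endswith(" general-attributes") and line.startswith("address-pool "):
            pool = line.split()[1]
            if pool in pools:
                assigned.append(pool)
            else:
                findings.append(f"{parent}: address-pool {pool} is not defined")
    # 4. NAT exemption: 'nat (if) 0 access-list X' must exist and X must cover the whole pool.
    nat0 = find(r"nat \((\S+)\) 0 access-list (\S+)")
    if not nat0:
        findings.append("missing 'nat (<if>) 0 access-list <acl>' NAT exemption")
    for m in nat0:
        acl, dests = m.group(2), []
        for e in find(rf"access-list {re.escape(acl)} (?:extended )?permit ip (.+)"):
            tokens = e.group(1).split()
            _take_addr(tokens)                # source: the inside network
            dests.append(_take_addr(tokens))  # destination: the VPN pool
        for pool in assigned:
            lo, hi = pools[pool]
            if not any(lo in d and hi in d for d in dests):
                findings.append(f"pool {pool} ({lo}-{hi}) not covered by nat0 ACL {acl}")
    return findings

# Constructed sample: the config posted in the thread plus an assumed pool line.
POSTED = """
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto map cciemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
encryption des
hash sha
ip local pool ccie 192.168.1.1-192.168.1.30 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
tunnel-group ccie general-attributes
address-pool ccie
"""
# Same config after the route, NAT exemption and PAT lines suggested above (gateway assumed).
FIXED = POSTED + """
route outside 0.0.0.0 0.0.0.0 192.1.24.1
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0 0
global (outside) 1 interface
"""

if __name__ == "__main__":
    print(lint(POSTED), lint(FIXED), sep="\n")
```

Running it prints four findings for the posted config (no default route, no nat0 statement, DES/MD5 in the transform set, DES in the ISAKMP policy) and only the two algorithm warnings for the corrected one. Changing the ACL destination to 1.1.1.0 255.255.255.224 while the pool stays in 192.168.1.0 reproduces the pool/ACL mismatch pointed out later in the thread, and the linter reports it as a pool not covered by the nat0 ACL.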

ray_stone Sat, 04/05/2008 - 16:31

Hi Husycisco, may I know the meaning of this command, no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0, in the above configuration?


husycisco Sun, 04/06/2008 - 19:15

Haitham,

I assumed you were using 1.1.1.0 as the VPN pool in my previous suggestion but I see that you use 192.168.1.0. Then you should make the following modification


no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0


haithamnofal Sun, 04/06/2008 - 22:31

husycisco,


I changed it but still giving the same error!


I am not sure whether the NAT has anything to do with the tunnel failing to get established; it should have more to do with the communications after establishment! Should we look somewhere else?


R/ Haitham

Correct Answer
husycisco Mon, 04/07/2008 - 09:47

Haitham,

I have seen times when NAT statements cause that "no match" trouble. But after a deeper look, it is about your transform-set hash and ISAKMP policy hash mismatch. Issue the following:


crypto isakmp policy 1

hash md5


Do not forget to apply your NAT statements. After the ACL change, the following is also missing:


nat (inside) 0 access-list inside_nat0_outbound


Please attach the latest config.


Regards

haithamnofal Mon, 04/07/2008 - 11:42

Thanks husycisco, and now it finally worked!


So it was due to the hash mismatch between Phase I and Phase II!!


Thanks for your support and patience.


R/ Haitham

husycisco Mon, 04/07/2008 - 11:53

Haitham,

You are welcome. Nice to hear that issue is resolved.


Regards
