cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1875
Views
0
Helpful
16
Replies

VPN Help

Adrian Jones
Level 1
Level 1

Hi All,

Can anyone check out my config and advise where my VPN Config is going wrong. There are two configs required. A Site to Site and a PC to Site.

I am testing the PC to site using VPN Client. If I have no username and password configured in the client I get the challenge for username and password but using my local log-in or the specified username and password does not work.

Essentially, as well as the site to site VPN I need two seperate logins under different username/passwords - listed here as Norsonic and Campbell Associates.

Config attached.

Thanks

Adrian

2 Accepted Solutions

Accepted Solutions

didyap
Level 6
Level 6

Here is the URL for the site-to-site VPN configuration guide follow the guide it may help you in troubleshooting

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html

View solution in original post

*Mar 23 23:09:17.231: ISAKMP:(2005):No IP address pool defined for ISAKMP!

I think this is your problem. :-)

Try this:

ip pool VPN 192.168.1.100 192.168.1.200

crypto isakmp client configuration group Norsonic

pool VPN

See if that helps :-)

John

HTH, John *** Please rate all useful posts ***

View solution in original post

16 Replies 16

didyap
Level 6
Level 6

Here is the URL for the site-to-site VPN configuration guide follow the guide it may help you in troubleshooting

http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html

John Blakley
VIP Alumni
VIP Alumni

According to your config, you should be putting a group name and password in. (I may not be understanding the issue.) :-)

The group name would be:

user: Campbell_Associates

pass: qq-campbell

Your normal username prompt should be your local account on the router.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Okay I do have 2 groups in (I think) as:

crypto isakmp client configuration group Norsonic

key qq-norsonic

max-users 3

!

crypto isakmp client configuration group Campbell_Associates

key qq-campbell

If I try to connect with the campbell Associates I get the following in the log:

*Mar 23 19:30:00.286: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 85.159.168.249 was not encrypted and it should've been.

*Mar 23 19:30:38.754: ISAKMP:(0): Support for IKE Fragmentation not enabled

If I try fron Norsonic (same system just different credentials).

*Mar 23 18:49:24.167: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 85.159.168.249

*Mar 23 19:25:45.950: ISAKMP:(0): Support for IKE Fragmentation not enabled

So with two similar configs two different results. I used the SDM to configure for both L2L and Client 2 Lan VPN so unsure where this has gone wrong.

Well, you could try to enable fragmentation support:

crypto isakmp fragmentation

We really need to try to figure this out one connection at a time though (L2L vs Software-based). In your software, do you have your group information configured? Do you have logging on in the software client? I would enable it to high for ike and see what happens. After doing that, can you post the results here?

Click Log/Log Settings and pull the IKE drop down to HIGH. Then click Log/Enable. Make your connection attempt. You can also click Log/Log Window and it will show you the connection errors/successes as they happen.

HTH,

John

HTH, John *** Please rate all useful posts ***

I am now remote from the unit and have ssh login. Is there a command line for this logging that wouldn't shut me out - No real traffic going thru at moment and I can issue a reload in 30 mins command beforehand if need be. These units are remote sites that are unmanned.

To give an idea of what is needed in the config is attached on a drawing:

2 Remote VPN Clients to connect to 6 remote sites and a VPN Terminator.

Six Remote Clients to connect to VPN Terminator.

Client to terminator works. Site to site works in test rig but after I have a successful client to remote site I can test the site to site.

"Client to terminator works. Site to site works in test rig but after I have a successful client to remote site I can test the site to site."

So is the original problem fixed? The one where you were not able to log in with the software client?

HTH, John *** Please rate all useful posts ***

Sorry probably confused you there.

No.

The VPN client to Cisco 857 does not work and is the one I am having issues with (Cisco 857 config posted earlier).

The VPN Cient to VPN Terminator (An ASA 5505) does work.

The client needs option to connect to two paths as shown in JPG.

Ah, okay. The logging is done in the software and not on the router. You CAN log in the router with:

debug crypto isakmp

debug crypto ipsec

term mon

That will show you the logs as you're trying to connect.

John

HTH, John *** Please rate all useful posts ***

Attached are the logs as I have captured, initial lines are missing as the number of buffered capture lines have been exceeded.

regards

Adrian

In your config on the router try putting:

crypto isakmp policy 1

hash md5

See if that helps. The connection is failing because it can't find the correct encryption policy that matches to what it's connecting to.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

Okay that seems to get further. The Norsonic account remains the same, tries logging in and times out. The Campbell account initiates a Username and Password request. When I had this on the ASA I had to assign the group policy for attributes of VPN-Group-Policy and Group-Lock value. Setting group lock value removes the password initiation. Where do I set the group and password as they are set in. The only thing I can see that may be pointing this request to somewhere is the lines:

client authentication list sdm_vpn_xauth_ml_1

isakmp authorization list sdm_vpn_group_ml_1

in the Crypto Ipsec Profile.

Latest log attached.

I guess I'm lost. How are you trying to connect to this device: software or another router/asa?

In your software client, you'll change the group name and password for the group. (It's the Norsonic / qq-norsonic user and pass from "crypto isakmp client configuration group Norsonic key qq-norsonic".)

That sets the group that you want to be in. Then you should be asked for the username and pass, which your aaa authentication login sdm_vpn_xauth_ml_1 local is asking for. (It's set under your isakmp profile.) I would remove all authorization commands to see if you can even log in.

If you're doing this with hardware, I need to see what the logs are doing from the other end. You haven't given me logs from the software client yet, which is why I think we're working with a L2L tunnel. If that's the case, can you post the configuration for the other end that's connecting?

John

HTH, John *** Please rate all useful posts ***

Hi John,

I think I may be confusing things.

This is a Client VPN Software attempting to connect to a hardware Cisco 857 ADSL Router.

Latest status: When I attempt a connection from the client software, configured with the Campbell_Associates group and Key, I get a pop-up asking for username and password. I can see from the Crypto Isakmp Profile that it refers to the aaa authentication login sdm_vpn_xauth_ml_2 local which I understand is the username and password I have entered in the main config. I enter this and the attached output of the logs is the result.

I have the client log and the router log attached.

Regards

Adrian

*Mar 23 23:09:17.231: ISAKMP:(2005):No IP address pool defined for ISAKMP!

I think this is your problem. :-)

Try this:

ip pool VPN 192.168.1.100 192.168.1.200

crypto isakmp client configuration group Norsonic

pool VPN

See if that helps :-)

John

HTH, John *** Please rate all useful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco