Having trouble making a VPN connection w/UC520

Unanswered Question
Feb 25th, 2009

I am attempting to setup my uc520 to accept a VPN connection so I can use CCA remotely.

Attached is my screen shot of the configuration I made with CCA.

I am attempting to connect with VPN client 5.0.03.0560

The connection fails, terminating locally with "Reason 414: Failed to establish a TCP connection"

The connection entry on the client has user and password set as the user I added in CCA, group authentication, transport set to IPSec over TCP port 1000, transparent tunnelling enabled.

Any help as to what I am missing is appreciated.

Thanks

Marcos Hernandez Wed, 02/25/2009 - 18:56

Try this:

1) Paste the text below into Notepad.

2) Replace the highlighted parameters with your Site Description, FE0/0 IP address or name (If using DDNS) and the Group password.

3) Save to a file using a .pcf (dot pcf) extension.

4) Import from your Cisco VPN Client.

5) Try to connect from the WAN side.

Let me know,

Marcos

[main]
UserPassword=
enc_UserPassword=
Description=My Site
Host=A.B.C.D
AuthType=1
GroupName=EZVPN_GROUP_1
GroupPwd=XXXXXX
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=
SaveUserPassword=0
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0
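
As an added example (not part of the post above and not Cisco tooling), this Python sketch reads a profile like the one posted and reports which transport it selects and whether it still carries a cleartext group key or unreplaced placeholders. The key meanings used (EnableNat=1 for transparent tunnelling, TunnelingMode 0 for UDP and 1 for TCP) follow the VPN Client profile format; the function names, finding labels and the handling of absent keys are assumptions of this sketch.

```python
import configparser

# Profile from the post above, shortened to the keys this check reads.
# A.B.C.D and XXXXXX are the post's own placeholders.
POSTED_PCF = """\
[main]
UserPassword=
Description=My Site
Host=A.B.C.D
AuthType=1
GroupName=EZVPN_GROUP_1
GroupPwd=XXXXXX
enc_GroupPwd=
SaveUserPassword=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
"""

def load_pcf(text):
    # interpolation=None: passwords may contain '%'. Keep key case as written.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["main"])

def effective_transport(p):
    """EnableNat gates transparent tunnelling; TunnelingMode picks UDP (0)
    or TCP (1). TcpTunnelingPort is only used when TunnelingMode is 1.
    Absent keys are treated as off here (an assumption of this sketch)."""
    if p.get("EnableNat") != "1":
        return ("ipsec", None)
    if p.get("TunnelingMode") == "1":
        return ("tcp", int(p.get("TcpTunnelingPort") or 10000))
    return ("udp", None)

def lint_pcf(p):
    findings = []
    if p.get("GroupPwd"):
        findings.append("cleartext-group-key")   # shared key readable in the file
    if p.get("UserPassword") or p.get("SaveUserPassword") == "1":
        findings.append("stored-user-password")
    if p.get("Host") in (None, "", "A.B.C.D") or p.get("GroupPwd") == "XXXXXX":
        findings.append("placeholder-not-replaced")
    return findings

if __name__ == "__main__":
    profile = load_pcf(POSTED_PCF)
    print(effective_transport(profile), lint_pcf(profile))
```

With TunnelingMode=0 the TcpTunnelingPort value is ignored, so the port that matters on the router side is only the TCP one when the profile is switched to TunnelingMode=1.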

mcastrigno Wed, 02/25/2009 - 21:59

Marcos,

It did not work but I don't know what the group password is. See log below from client.

Where in CCA do I set the group password?

I see the group you mention in CCA but nowhere to set the password.

Thanks

1      23:01:01.953  02/25/09  Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

2      23:01:01.953  02/25/09  Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3      23:01:01.953  02/25/09  Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)

4      23:01:01.953  02/25/09  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

mcastrigno Thu, 02/26/2009 - 06:52

Marcos,

I am no longer on site and cannot access the router via CCA but I can telnet to it.

How do I set this password via the CLI?

Thanks

Marcos Hernandez Thu, 02/26/2009 - 06:55

Replace where indicated:

!
crypto isakmp client configuration group EZVPN_GROUP_1
key REPLACE
pool EZVPN_POOL_1
max-users 10
!

Marcos

mcastrigno Thu, 02/26/2009 - 13:55

Almost there.

I was presented with a dialog box for username and password by the client but failed to make a connection.

Here is what the log had after that point:

Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

11     14:54:03.843  02/26/09  Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer

12     14:54:03.843  02/26/09  Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)

Thanks for your help.

Marcos Hernandez Thu, 02/26/2009 - 13:57

At this point you enter one of the usernames and password that you configured under the VPN screen in CCA.

Let me know,

Marcos

mcastrigno Thu, 02/26/2009 - 14:01

Marcos,

Sorry that was not clear in my message, but I did put in the username and password that I configured with CCA.

Matthew

mcastrigno Thu, 02/26/2009 - 14:34

Thanks Steve, looks like page 12 may be relevant.

How do I do this from the CLI since I don't have CCA access yet until I get this to work?

What do you think Marcos?

Thanks.

Steven DiStefano Thu, 02/26/2009 - 14:53

Well, page 12 is for the PC Client on the Remote Teleworker. So maybe not so relevant.

The thing is, you need to create the VPN Server on the Main UC500 before you connect the PC with Cisco VPN Client. For that, look at page 11, about halfway down. Make sure you set a DHCP Pool on the Host for remote connecting clients.

Using CCA on the main site (prerequisite), go to Configure > Security > VPN Server and provision:

user ID: xxxxx

password: xxxxxx

Secret Key: xxxxxxx

local IP Address pool: 192.168.10.101 …110

The VPN Client must match this information like this...

vpnClient.bmp

mcastrigno Thu, 02/26/2009 - 15:15

Steve,

Your screen shot is not readable - can you post it as a file?

Also there is a missing image in your post - this is a cut and paste - can you repost whatever this is?

I cannot access CCA for the "main" (and only site). I am 90 miles away. That is why I am trying to set this up.

How can I do what you suggest with the CLI?

Thanks.

mcastrigno Thu, 02/26/2009 - 16:45

This problem was fixed by doing an OOB configuration change for the access lists.

The access lists were previously deleted by CCA after it encountered an apparently non-compatible configuration.

So this problem was basically a hangover from the problem of CCA deleting access lists.

Moderator Fri, 02/27/2009 - 07:08

Here's a neat trick: If you click on the screenshot, it will expand out larger and will be easier to read. Most images in discussions and documents should do this.

Glad to hear the problem was solved.

Cisco Moderation Team
