1221 Views, 0 Helpful, 7 Replies

Remote access VPN

wasiimcisco
Level 1

I have a Cisco 3845 with version 12.3(11r)T2. I am trying to configure it for remote access VPN with Xauth.

Following is my configuration:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa accounting network default start-stop group tacacs+


ip local pool aviation-pool 172.23.13.1 172.23.13.100


crypto isakmp policy 10
authentication pre-share
group 2
hash md5

crypto isakmp client configuration address-pool local aviation-pool
crypto isakmp client configuration group NON-RETAIL-VPN
key xxxx
pool aviation-pool

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1
set transform-set myset

crypto map aviation-map client authentication list default
crypto map aviation-map client configuration address respond

crypto map aviation-map 1 ipsec-isakmp dynamic dynmap

interface Serial2/3

crypto map aviation-map


I have created the VPN group NON-RETAIL-VPN in AAA. The router is configured for the AAA server. I am logging in to the router with a username configured in AAA.

But when I try to connect a remote user, they get the error "connection terminated locally by client, reason 412".

Please help me out; it is very urgent.

7 Replies

Alexandro Carrasquedo
Cisco Employee

On the router run debug cry isa & debug cry ips; on the VPN client enable logs, set them all to level 3 and post that output.

Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

23     22:00:09.890  12/09/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 172.18.4.2.

24     22:00:09.890  12/09/09  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

25     22:00:09.906  12/09/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 172.18.4.2

26     22:00:10.156  12/09/09  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

27     22:00:10.156  12/09/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

28     22:00:12.453  12/09/09  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 172.18.4.2

29     22:00:12.453  12/09/09  Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

30     22:00:12.453  12/09/09  Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

31     22:00:12.453  12/09/09  Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

32     22:00:15.156  12/09/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

33     22:00:15.156  12/09/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2

34     22:00:20.156  12/09/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

35     22:00:20.156  12/09/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2

36     22:00:25.156  12/09/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

37     22:00:25.156  12/09/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2

38     22:00:30.156  12/09/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING

39     22:00:30.656  12/09/09  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING

40     22:00:30.703  12/09/09  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

41     22:00:30.703  12/09/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

42     22:00:30.703  12/09/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

43     22:00:30.703  12/09/09  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

44     22:00:30.703  12/09/09  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

From those client logs it looks like traffic from the server to the client is not getting there.


32     22:00:15.156  12/09/09  Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

33     22:00:15.156  12/09/09  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to  172.18.4.2

34     22:00:20.156  12/09/09  Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

35     22:00:20.156  12/09/09  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2

36     22:00:25.156  12/09/09  Sev=Info/4 IKE/0x63000021 Retransmitting last packet!

37     22:00:25.156  12/09/09  Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK AG (Retransmission) to 172.18.4.2

38     22:00:30.156  12/09/09  Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion  (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING


Not sure if they are getting to the server. Can you get the logs from the VPN server when trying to initiate the connection from that same client?
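Added example (mine, not from the thread or from Cisco): a small Python triage for the Cisco VPN Client log layout quoted above. SAMPLE_LOG is a constructed, trimmed copy of that capture; the functions and field names are my own assumptions. It reports the peer, how many ISAKMP packets the client actually received, any warnings, the retransmission count and the final deletion reason, which separates "no reply at all" from "a reply the client could not parse".

```python
import re
# Constructed excerpt in the Cisco VPN Client 5.x log layout quoted in the thread
# (a trimmed copy of that capture, not the full log).
SAMPLE_LOG = """\
23     22:00:09.890  12/09/09  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 172.18.4.2.
25     22:00:09.906  12/09/09  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth)) to 172.18.4.2
28     22:00:12.453  12/09/09  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 172.18.4.2
29     22:00:12.453  12/09/09  Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
32     22:00:15.156  12/09/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34     22:00:20.156  12/09/09  Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
38     22:00:30.156  12/09/09  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=ABC69FBBC7C5154C R_Cookie=E89398A0E94218C7) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
# Entry header: sequence, time, date, Sev=<Severity>/<level>, <module>/<hex code>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<mod>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
def parse_entries(text):
    """Return (header fields, message) pairs; blank separator lines are ignored."""
    lines = text.splitlines()
    entries = []
    for i, line in enumerate(lines):
        m = HEADER.match(line.strip())
        if m and i + 1 < len(lines):
            entries.append((m.groupdict(), lines[i + 1].strip()))
    return entries

def triage(text):
    """Summarise a failed Phase 1: peer, replies seen, warnings, retransmits, final reason."""
    summary = {"peer": None, "received": 0, "warnings": [], "retransmits": 0, "reason": None}
    for hdr, msg in parse_entries(text):
        if msg.startswith("Attempting to establish a connection with"):
            summary["peer"] = msg.rstrip(".").split()[-1]
        elif msg.startswith("Received ISAKMP packet"):
            summary["received"] += 1          # the peer did answer at least once
        elif hdr["sev"] == "Warning":
            summary["warnings"].append(msg)   # e.g. a reply the client could not parse
        elif msg.startswith("Retransmitting"):
            summary["retransmits"] += 1
        elif "reason = " in msg:
            summary["reason"] = msg.split("reason = ")[-1]
    return summary
```

A non-zero received count alongside a warning means the router answered but the client rejected the reply, which points at the server-side configuration rather than at the path.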

I can ping, telnet and SSH to the VPN router. Traffic is hitting the VPN router because I can see the following debug when I am trying to connect to the router.

ENOCDC_R03#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
172.18.4.2      172.18.3.200    MM_NO_STATE          0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

I am suspecting something is wrong with the AAA configuration.

Alexandro Carrasquedo
Cisco Employee

You're right. Traffic is hitting the router and we're missing one line in the AAA setup.

We may need the following lines:

aaa authorization network ezvpnnetwork local

crypto map aviation-map isakmp authorization list ezvpnnetwork

Give this a try; if that doesn't work, please enable debug cry isa & debug cry ips and post that output.

Traffic is hitting the router but might not be hitting the client back. I think the issue was that authorization line we were missing. Let me know.
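Added example (mine, not the thread's or Cisco's): a Python checker that walks a running-config for the cross-references a crypto-map remote-access setup depends on, including the isakmp authorization list line the reply above identifies as missing. SAMPLE_CONFIG is constructed from the thread's first posting with a placeholder key; the function and its regexes are my assumptions, not an IOS feature.

```python
import re
# Constructed running-config excerpt modelled on the first posting in the thread:
# the crypto map names an authentication list but no 'isakmp authorization list'.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login Aviation-auth local
ip local pool aviation-pool 172.23.13.1 172.23.13.100
crypto isakmp client configuration group Aviation-VPN
 key PLACEHOLDER-PSK
 pool aviation-pool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set myset
crypto map aviation-map client authentication list Aviation-auth
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
"""
def _names(cfg, pattern):
    return set(re.findall(pattern, cfg, flags=re.M))

def check_ezvpn_config(cfg):
    """Return findings for dangling or missing references in a crypto-map Xauth setup."""
    findings = []
    auth_lists = _names(cfg, r"^aaa authentication login (\S+)")
    authz_lists = _names(cfg, r"^aaa authorization network (\S+)")
    pools = _names(cfg, r"^ip local pool (\S+)")
    tsets = _names(cfg, r"^crypto ipsec transform-set (\S+)")
    dynmaps = _names(cfg, r"^crypto dynamic-map (\S+)")
    for cm in _names(cfg, r"^crypto map (\S+)"):
        prefix = rf"^crypto map {re.escape(cm)} "
        for lst in re.findall(prefix + r"client authentication list (\S+)", cfg, re.M):
            if lst not in auth_lists:
                findings.append(f"{cm}: authentication list {lst} has no 'aaa authentication login' entry")
        authz = re.findall(prefix + r"isakmp authorization list (\S+)", cfg, re.M)
        if not authz:  # the line the thread found missing: group key/pool cannot be looked up
            findings.append(f"{cm}: no 'isakmp authorization list' for group attribute lookup")
        for lst in authz:
            if lst not in authz_lists:
                findings.append(f"{cm}: authorization list {lst} has no 'aaa authorization network' entry")
        for dm in re.findall(prefix + r"\d+ ipsec-isakmp dynamic (\S+)", cfg, re.M):
            if dm not in dynmaps:
                findings.append(f"{cm}: dynamic map {dm} is not defined")
    for ts in re.findall(r"^ set transform-set (\S+)", cfg, re.M):
        if ts not in tsets:
            findings.append(f"transform-set {ts} is referenced but not defined")
    for pool in re.findall(r"^ pool (\S+)", cfg, re.M):
        if pool not in pools:
            findings.append(f"client pool {pool} has no 'ip local pool'")
    return findings
```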

ENOCDC_R03#sh run | in cry
ENOCDC_R03#sh run | in crypto
crypto isakmp policy 10
crypto isakmp client configuration group Aviation-VPN
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
crypto map aviation-map client authentication list Aviation-auth
crypto map aviation-map isakmp authorization list Aviation-authorization
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
crypto map aviation-map

ENOCDC_R03#sh run | in aaa
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login console none
aaa authentication login Aviation-auth local
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default group tacacs+
aaa authorization network Aviation-authorization local
aaa accounting network default start-stop group tacacs+
aaa session-id common

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Aviation-VPN
 key egntosc
 pool aviation-pool
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
!
!
crypto map aviation-map client authentication list Aviation-auth
crypto map aviation-map isakmp authorization list Aviation-authorization
crypto map aviation-map client configuration address respond
crypto map aviation-map 1 ipsec-isakmp dynamic dynmap
!

interface Serial0/2/0
 crypto map aviation-map

Thanks for being with me. It is working, but with a different configuration. I made an ISAKMP profile and then it started working.