Remote Access VPN Problem on 1812

android555
Level 1

Hi,

I'm having trouble trying to establish a Remote Access VPN connection to a Cisco 1812 router set up as a VPN server using EzVPN.

The router is acting as a gateway to the internet, using a dialer to create a PPPoE connection over an ADSL line. The internal network (192.168.100.0/24) is NATed to a public static address 202.xxx.xxx.xxx. The internet connection is working fine.

When I try to connect using the VPN client from my laptop, it fails with "Reason 412: The remote peer is no longer responding"

The config and output from debug crypto isakmp is given below. Please could you help.

Thanks,

Simon

router#sh run
Building configuration...

Current configuration : 2972 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 480
!
crypto isakmp client configuration group rtr-remote
key spcjapan
dns 192.168.100.10
domain xxxxxx.com
pool dynpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
connect auto
group 2 key xxxxxx
mode client
peer 202.xxx.xxx.xxx
xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!

!
multilink bundle-name authenticated
!
!
username xxxxxx password 0 xxxxxx
archive
log config
  hidekeys
!
!
interface FastEthernet0
description Interlink-WAN
no ip address
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
crypto map static-map
crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
description SPCJapan-LAN
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn ezvpnclient inside
!
interface Vlan1
no ip address
!
interface Dialer1
description logical WAN interface
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxxxxxx password 0 xxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.10 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.10 25 interface Dialer1 25
ip nat inside source static tcp 192.168.100.10 443 interface Dialer1 443
!
access-list 10 permit 192.168.100.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!

end

*Dec 10 03:14:40.319: ISAKMP (0:0): received packet from xxx.48.232.95 dport 500 sport 1270 Global (N) NEW SA
*Dec 10 03:14:40.319: ISAKMP: Created a peer struct for xxx.xxx.xxx.95, peer port 1270
*Dec 10 03:14:40.319: ISAKMP: New peer created peer = 0x836DF878 peer_handle = 0x80000F6F
*Dec 10 03:14:40.319: ISAKMP: Locking peer struct 0x836DF878, refcount 1 for crypto_isakmp_process_block
*Dec 10 03:14:40.319: ISAKMP: local port 500, remote port 1270
*Dec 10 03:14:40.319: insert sa successfully sa = 83F78DF4
*Dec 10 03:14:40.319: ISAKMP:(0): processing SA payload. message ID = 0
*Dec 10 03:14:40.319: ISAKMP:(0): processing ID payload. message ID = 0
*Dec 10 03:14:40.319: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : rtr-remote
        protocol     : 17
        port         : 500
        length       : 18
*Dec 10 03:14:40.319: ISAKMP:(0):: peer matches *none* of the profiles
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is XAUTH
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is DPD
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is NAT-T v2
*Dec 10 03:14:40.319: ISAKMP:(0): processing vendor id payload
*Dec 10 03:14:40.319: ISAKMP:(0): vendor ID is Unity
*Dec 10 03:14:40.319: ISAKMP : Scanning profiles for xauth ...
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash SHA
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash MD5
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):atts are not acceptable. Next payload is 3
-
-
-
*Dec 10 03:14:40.327: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
*Dec 10 03:14:40.327: ISAKMP:      encryption DES-CBC
*Dec 10 03:14:40.327: ISAKMP:      hash MD5
*Dec 10 03:14:40.327: ISAKMP:      default group 2
*Dec 10 03:14:40.327: ISAKMP:      auth pre-share
*Dec 10 03:14:40.327: ISAKMP:      life type in seconds
*Dec 10 03:14:40.327: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.327: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.327: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Dec 10 03:14:40.327: ISAKMP:(0):no offers accepted!
*Dec 10 03:14:40.327: ISAKMP:(0): phase 1 SA policy not acceptable! (local xxx.xxx.xxx.xxx remote xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Dec 10 03:14:40.327: ISAKMP:(0): sending packet to xxx.xxx.xxx.95 my_port 500 peer_port 1270 (R) AG_NO_STATE
*Dec 10 03:14:40.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Dec 10 03:14:40.327: ISAKMP:(0):peer does not do paranoid keepalives.
*Dec 10 03:14:40.327: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP:(0): processing KE payload. message ID = 0
*Dec 10 03:14:40.327: ISAKMP:(0): group size changed! Should be 0, is 128
*Dec 10 03:14:40.327: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: reset_retransmission
*Dec 10 03:14:40.327: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Dec 10 03:14:40.327: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 10 03:14:40.327: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY
*Dec 10 03:14:40.327: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xxx.xxx.xxx.95
*Dec 10 03:14:40.327: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer xxx.xxx.xxx.95)
*Dec 10 03:14:40.327: ISAKMP: Unlocking peer struct 0x836DF878 for isadb_mark_sa_deleted(), count 0
*Dec 10 03:14:40.331: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.xxx.95: 836DF878
*Dec 10 03:14:40.331: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Dec 10 03:14:40.331: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
*Dec 10 03:14:45.667: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE
*Dec 10 03:14:50.987: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE
*Dec 10 03:14:55.991: ISAKMP (0:0): received packet from xxx.xxx.xxx.95 dport 500 sport 1270 Global (R) MM_NO_STATE

3 Replies

I think that you're missing this line:

crypto map dynmap client authentication list rtr-remote

You are defining authorization but not authentication on the dynamic crypto map, and authorization can never happen without authentication first.

Anyway, the problem seems to be phase 1 according to the debugs... what is the output of "show crypto isakmp sa" on the Easy VPN server?

Also, if you're just trying to connect VPN client software from a laptop to the router, you can use a standard VPN Remote Access configuration on the router. See this link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Only, change the Xauth to be local instead of using a RADIUS server.

Regards,

Federico.
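Federico's reading of the debug output in the question (the client proposes XAUTH with a pre-shared key, and the crypto map has no client authentication list) can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread or from Cisco: it groups the "Checking ISAKMP transform" blocks of the debug crypto isakmp output quoted above (a constructed copy of those lines is embedded as sample input), compares every offer against the attributes of crypto isakmp policy 1 from the posted config, and reports which offer came closest and the reason the responder logged for rejecting each one. The IOS_POLICY dictionary, the regular expressions and the finding text in diagnose() are my assumptions about the debug format; the XAUTH finding restates Federico's point about the missing "client authentication list" line.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the "Checking ISAKMP transform" lines quoted in the question
# (transforms 3 to 13 were elided in the post and are elided here as well).
SAMPLE_DEBUG = """\
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash SHA
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
*Dec 10 03:14:40.319: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Dec 10 03:14:40.319: ISAKMP:      encryption AES-CBC
*Dec 10 03:14:40.319: ISAKMP:      hash MD5
*Dec 10 03:14:40.319: ISAKMP:      default group 2
*Dec 10 03:14:40.319: ISAKMP:      auth XAUTHInitPreShared
*Dec 10 03:14:40.319: ISAKMP:      life type in seconds
*Dec 10 03:14:40.319: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.319: ISAKMP:      keylength of 256
*Dec 10 03:14:40.319: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.327: ISAKMP:(0):Checking ISAKMP transform 14 against priority 65535 policy
*Dec 10 03:14:40.327: ISAKMP:      encryption DES-CBC
*Dec 10 03:14:40.327: ISAKMP:      hash MD5
*Dec 10 03:14:40.327: ISAKMP:      default group 2
*Dec 10 03:14:40.327: ISAKMP:      auth pre-share
*Dec 10 03:14:40.327: ISAKMP:      life type in seconds
*Dec 10 03:14:40.327: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Dec 10 03:14:40.327: ISAKMP:(0):Hash algorithm offered does not match policy!
*Dec 10 03:14:40.327: ISAKMP:(0):no offers accepted!
"""

# Assumed rendering of "crypto isakmp policy 1" from the posted config
# (encr aes 256, authentication pre-share, group 2; IOS defaults the hash to SHA).
IOS_POLICY = {"encryption": "AES-CBC", "hash": "SHA", "default group": "2",
              "auth": "pre-share", "keylength": "256"}

TS_RE = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+:\s+")
CHECK_RE = re.compile(r"^ISAKMP:\(\d+\):Checking ISAKMP transform (\d+) against priority (\d+) policy$")
ATTR_RE = re.compile(r"^ISAKMP:\s{2,}(encryption|hash|default group|auth|life type|life duration|keylength)"
                     r"(?: in| \(VPI\) of| of)?\s+(.+?)\s*$")
REJECT_RE = re.compile(r"^ISAKMP:\(\d+\):(.+does not match policy!)$")


@dataclass
class Transform:
    number: int
    policy: int                      # responder policy priority it was checked against
    attrs: dict = field(default_factory=dict)
    rejection: Optional[str] = None  # the responder's own reason line, if any


def parse_transforms(debug_text: str) -> list:
    """Group 'debug crypto isakmp' lines into the transforms the initiator offered."""
    transforms, current = [], None
    for raw in debug_text.splitlines():
        line = TS_RE.sub("", raw.strip())   # drop the '*Dec 10 03:14:40.319: ' prefix
        if m := CHECK_RE.match(line):
            current = Transform(int(m.group(1)), int(m.group(2)))
            transforms.append(current)
        elif current is None:
            continue                        # lines before the first transform
        elif m := ATTR_RE.match(line):
            key, value = m.group(1), m.group(2)
            if key == "life duration":      # VPI bytes to seconds: 0x00 0x20 0xC4 0x9B = 2147483
                value = int.from_bytes(bytes(int(b, 16) for b in value.split()), "big")
            current.attrs[key] = value
        elif m := REJECT_RE.match(line):
            current.rejection = m.group(1)
    return transforms


def mismatched_attrs(t: Transform, policy: dict) -> list:
    """Policy attributes this offer does not satisfy, in policy order."""
    return [k for k, v in policy.items() if t.attrs.get(k) != v]


def diagnose(transforms: list, policy: dict) -> list:
    """One finding for the closest offer, then the responder's stated reason per offer."""
    if not transforms:
        return ["no 'Checking ISAKMP transform' lines: run 'debug crypto isakmp' on the responder"]
    best = min(transforms, key=lambda t: len(mismatched_attrs(t, policy)))
    gaps = mismatched_attrs(best, policy)
    if gaps == ["auth"] and best.attrs.get("auth") == "XAUTHInitPreShared":
        findings = [f"transform {best.number} matches the policy except that it proposes XAUTH; "
                    "the crypto map needs 'client authentication list <aaa-list>' for XAUTH offers to be accepted"]
    else:
        findings = [f"closest offer is transform {best.number}; policy attributes it misses: {', '.join(gaps)}"]
    findings += [f"transform {t.number}: {t.rejection or 'no reason logged'}" for t in transforms]
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_transforms(SAMPLE_DEBUG), IOS_POLICY):
        print(finding)
```

Run as a script it prints the findings for the sample; for a live router, feed the pasted debug output to parse_transforms() and set IOS_POLICY to the configured policy (the hash is SHA when the policy does not set one, as in the posted config). The ranking by number of mismatched attributes is what separates a "wrong cipher" failure from the case in this thread, where the first offer agrees with the policy on everything except the XAUTH authentication method.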

Hi Federico,

Thank you for your help. I'd actually noticed that missing line and added it to the router but got the same error.

I agree it seems to be a Phase I problem from the debug "Xauth authentication by pre-shared key offered but does not match policy!"

The output of show crypto isakmp sa is as follows:

IPv4 Crypto ISAKMP SA
dst              src              state        conn-id slot status
202.xxx.xxx.xxx  202.xxx.xxx.xxx  MM_NO_STATE        0    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

There is a command in the config "xauth userid mode interactive" which I want to set as "xauth userid mode local" but my router doesn't seem to have that command. Do you think this is the problem?

Best regards,

Simon

I finally got time to read the manual and figure out what was wrong. It's working fine now.

Basically, the config I was using was for a VPN client, not a VPN server, which is what I needed.

Thanks and regards,

Simon
