Problem setting up a client-to-site VPN

Unanswered Question

After configuring a Cisco 1841 for VPN, when I try to connect I get this error in the client VPN logs:

316    21:37:50.175  02/17/10  Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified

317    21:37:50.175  02/17/10  Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

318    21:37:50.175  02/17/10  Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

319    21:37:50.175  02/17/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 74.212.154.221

320    21:37:50.175  02/17/10  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 74.212.154.221

321    21:37:50.175  02/17/10  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

322    21:37:50.175  02/17/10  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=6301C8952895ECBA R_Cookie=76BD01EFD0640879) reason = DEL_REASON_IKE_NEG_FAILED

323    21:37:51.016  02/17/10  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=6301C8952895ECBA R_Cookie=76BD01EFD0640879) reason = DEL_REASON_IKE_NEG_FAILED

Before you state the obvious: yes, I tried re-entering the password multiple times with no luck.

Here is the router config:

Building configuration...

Current configuration : 17427 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname com-mpls-gw
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-15.T6.bin
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$lRex$mOk8WI8l6HItCzcAmHAM01
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.26.140 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-2
server 192.168.26.140 auth-port 1645 acct-port 1646
!
aaa group server radius sdm-vpn-server-group-3
server 192.168.26.140 auth-port 1645 acct-port 1646
!
aaa authentication login local_auth local
aaa authentication login RadiusACL group radius local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-2 local
aaa authentication login sdm_vpn_xauth_ml_1 group sdm-vpn-server-group-3 local
aaa authorization exec default local
aaa authorization exec RadiusACL group radius local
aaa authorization network RadiusACL if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network ciscocp_vpn_group_ml_2 group sdm-vpn-server-group-2 local
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-3 local
!
!
aaa session-id common
!
crypto pki trustpoint com-mpls-gw_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair com-mpls-gw_Certificate_RSAKey 2048
!
!
crypto pki certificate chain com-mpls-gw_Certificate
certificate self-signed 01
   quit
dot11 syslog
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
ip domain name woi.com
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW pptp
ip inspect name SDM_LOW l2tp
ip inspect name SDM_LOW gtpv0
ip inspect name SDM_LOW gtpv1
ip inspect name SDM_LOW ddns-v3
ip inspect name SDM_LOW dnsix
ip inspect name SDM_LOW ldap-admin
ip inspect name SDM_LOW ldap
ip inspect name SDM_LOW ldaps
ip inspect name SDM_LOW netbios-ns
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW daytime
ip inspect name SDM_LOW ntp
ip inspect name SDM_LOW time
ip inspect name SDM_LOW timed
ip inspect name SDM_LOW bgp
ip inspect name SDM_LOW hsrp
ip inspect name SDM_LOW router
ip inspect name SDM_LOW fragment maximum 256 timeout 1
ip inspect name SDM_LOW snmp
ip inspect name SDM_LOW snmptrap
ip inspect name SDM_LOW syslog
ip inspect name SDM_LOW syslog-conn
ip inspect name SDM_LOW tacacs
ip inspect name SDM_LOW kerberos
ip inspect name SDM_LOW radius
ip inspect name SDM_LOW tacacs-ds
ip inspect name SDM_LOW ident
ip inspect name SDM_LOW ace-svr
ip inspect name SDM_LOW bootpc
ip inspect name SDM_LOW bootps
ip inspect name SDM_LOW dhcp-failover
ip inspect name SDM_LOW discard
ip inspect name SDM_LOW echo
ip inspect name SDM_LOW finger
ip inspect name SDM_LOW gopher
ip inspect name SDM_LOW igmpv3lite
ip inspect name SDM_LOW ipx
ip inspect name SDM_LOW pwdgen
ip inspect name SDM_LOW rsvp-encap
ip inspect name SDM_LOW rsvp_tunnel
ip inspect name SDM_LOW socks
ip inspect name SDM_LOW vqp
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
login block-for 5 attempts 3 within 5
!
multilink bundle-name endpoint
password encryption aes
!
!
username Gopher privilege 15 password 7 134102021B5C167D1C
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
!
crypto isakmp policy 11
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 12
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 15
encr aes 256
hash md5
authentication pre-share
!
crypto isakmp policy 16
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 17
encr aes 256
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
authentication pre-share
!
crypto isakmp policy 21
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 22
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 25
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 26
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 27
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 30
authentication pre-share
!
crypto isakmp policy 31
authentication pre-share
group 2
!
crypto isakmp policy 32
authentication pre-share
group 5
!
crypto isakmp policy 35
hash md5
authentication pre-share
!
crypto isakmp policy 36
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 37
hash md5
authentication pre-share
group 5
crypto isakmp key 6 UR^FeBUC]QATadeGRcd`UH`YVN^NiRAAB address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group WOI-VPN
key 6 CDCH[VQTdCLUe]MNYS^e^ABEJWVKDhAAB
dns 192.168.26.137 192.168.26.251
wins 192.168.26.137 192.168.26.251
domain woi.com
pool SDM_POOL_1
acl 103
save-password
include-local-lan
split-dns woi.com
split-dns woism.com
split-dns wois.com
split-dns woilv.com
max-users 30
max-logins 1
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group CiscoVPNAccess
   match identity group WOI-VPN
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 4
!
!
crypto ipsec transform-set ESP-AES-SHA ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA ah-sha-hmac esp-des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map DYNMAP 65535
set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-AES-SHA ESP-AES-MD5
match address 103
reverse-route
!
!
!
crypto map WOI-VPN client authentication list ciscocp_vpn_xauth_ml_1
crypto map WOI-VPN isakmp authorization list sdm-vpn-server-group-1
crypto map WOI-VPN client configuration address respond
crypto map WOI-VPN 65535 ipsec-isakmp dynamic DYNMAP
!
crypto ctcp port 10000
archive
log config
  logging enable
  hidekeys
!
!
ip ssh source-interface Loopback0
ip scp server enable
!
class-map match-any EF_CLASS
description EF Classified traffice
match  dscp ef
match access-group 113
match access-group 114
!
!
policy-map QOS
class EF_CLASS
  set dscp ef
  priority percent 30
class class-default
  set dscp default
  fair-queue
  random-detect
!
!
!
!
interface Loopback0
ip address 172.31.1.1 255.255.255.0
!
interface Loopback1
ip address 192.168.140.1 255.255.255.0
!
interface Multilink1
description MPLS WAN: ser0/0/0+ser0/1/0 bonded
bandwidth 3088
ip address 198.18.16.202 255.255.255.252
ip broadcast-address 198.18.16.203
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ppp multilink
service-policy output QOS
!
interface FastEthernet0/0
description $FW_OUTSIDE$$ETH-WAN$
bandwidth 4552
bandwidth receive 512
ip address 74.212.154.221 255.255.255.248
ip broadcast-address 74.212.154.223
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip flow ingress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
no ip split-horizon
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description $FW_INSIDE$$ETH-LAN$
bandwidth 100000
ip address 192.168.26.1 255.255.255.0
ip access-group 101 in
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/0/0
description 52/HCFS/102439/TWCS
no ip address
no ip proxy-arp
encapsulation ppp
no fair-queue
ppp multilink
!
interface Serial0/1/0
description 52/HCFS/102440/TWCS
no ip address
no ip proxy-arp
encapsulation ppp
no fair-queue
ppp multilink
!
interface Virtual-Template4 type tunnel
description Client To Site Commerce
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
router rip
redistribute connected
redistribute bgp 65422
network 192.168.26.0
network 192.168.27.0
network 192.168.237.0
!
router bgp 65422
bgp log-neighbor-changes
neighbor twtc-ebgp peer-group
neighbor 198.18.16.201 remote-as 4323
neighbor 198.18.16.201 peer-group twtc-ebgp
!
address-family ipv4
  redistribute connected
  redistribute static
  neighbor 198.18.16.201 activate
  no auto-summary
  no synchronization
exit-address-family
!
ip local pool SDM_POOL_1 192.168.140.10 192.168.140.254
ip local pool SDM_POOL_2 192.168.141.10 192.168.141.50
ip default-gateway 74.212.154.217
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 74.212.154.217 name default-gateway
ip route 10.0.0.0 255.255.255.252 192.168.26.128
ip route 192.168.27.0 255.255.255.0 192.168.26.128 permanent
ip route 192.168.237.0 255.255.255.0 192.168.26.254 permanent
!
ip bgp-community new-format
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-trustpoint com-mpls-gw_Certificate
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
!
!
ip prefix-list EBGP_ADVERTISE seq 10 permit 198.18.16.200/30
!
ip prefix-list IBGP_ADVERTISE seq 26 permit 192.168.26.0/24
ip prefix-list IBGP_ADVERTISE seq 27 permit 192.168.27.0/24
ip prefix-list IBGP_ADVERTISE seq 28 permit 192.168.28.0/24
ip prefix-list IBGP_ADVERTISE seq 29 permit 192.168.29.0/24
ip prefix-list IBGP_ADVERTISE seq 237 permit 192.168.237.0/24
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 198.18.16.200 0.0.0.3
access-list 1 permit 192.168.26.0 0.0.0.255
access-list 101 remark CCP_ACL Category=17
access-list 101 permit udp any host 192.168.26.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.26.1 eq isakmp
access-list 101 permit esp any host 192.168.26.1
access-list 101 permit ahp any host 192.168.26.1
access-list 101 permit udp any host 74.212.154.221 eq non500-isakmp
access-list 101 permit udp any host 74.212.154.221 eq isakmp
access-list 101 permit esp any host 74.212.154.221
access-list 101 permit ahp any host 74.212.154.221
access-list 101 deny   ip 74.212.154.216 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=17
access-list 102 permit udp any host 74.212.154.221 eq non500-isakmp
access-list 102 permit udp any host 74.212.154.221 eq isakmp
access-list 102 permit esp any host 74.212.154.221
access-list 102 permit ahp any host 74.212.154.221
access-list 102 permit udp any host 192.168.26.1 eq non500-isakmp
access-list 102 permit udp any host 192.168.26.1 eq isakmp
access-list 102 permit esp any host 192.168.26.1
access-list 102 permit ahp any host 192.168.26.1
access-list 102 deny   ip 192.168.26.0 0.0.0.255 any
access-list 102 permit icmp any host 74.212.154.221 echo-reply
access-list 102 permit icmp any host 74.212.154.221 time-exceeded
access-list 102 permit icmp any host 74.212.154.221 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.26.0 0.0.0.255 any
access-list 103 permit ip 192.168.237.0 0.0.0.255 any
access-list 103 permit ip 192.168.28.0 0.0.0.255 any
access-list 103 permit ip 192.168.29.0 0.0.0.255 any
access-list 113 permit tcp any any eq 22
access-list 113 permit tcp any any eq telnet
access-list 113 permit tcp any any eq smtp
access-list 113 permit tcp any any eq pop3
access-list 113 permit tcp any any eq 143
access-list 113 permit tcp any any eq 3389
access-list 113 permit udp any any eq 2427
access-list 113 permit udp any any eq 2727
access-list 113 permit udp any any range 5440 5446
access-list 114 permit udp host 192.168.28.20 gt 1024 any gt 1024
access-list 114 permit udp host 192.168.237.1 gt 1024 any gt 1024
access-list 114 permit tcp any host 192.168.237.1 eq www
access-list 114 permit tcp host 192.168.237.1 eq www any
access-list 114 permit tcp any gt 1024 host 192.168.26.138 eq 8300
access-list 114 permit tcp any gt 1024 host 192.168.26.139 eq 8300
access-list 114 permit tcp host 192.168.26.138 eq 8300 any gt 1024
access-list 114 permit tcp host 192.168.26.139 eq 8300 any gt 1024
access-list 114 permit tcp any gt 1024 host 192.168.28.19 eq 8300
access-list 114 permit tcp host 192.168.28.19 eq 8300 any gt 1024
!
!
!
route-map EBGP_OUT permit 10
match ip address prefix-list EBGP_ADVERTISE IBGP_ADVERTISE
set weight 100
!
route-map IBGP_OUT permit 10
match ip address prefix-list IBGP_ADVERTISE
!
route-map IBGP_IN permit 10
match ip address prefix-list IBGP_ADVERTISE
!
!
!
radius-server host 192.168.26.140 auth-port 1645 acct-port 1646 key 7 00400616140B195138
control-plane host
!
!
control-plane
!
!
banner motd
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device are
monitored. Any violations of access policy will result
in disciplinary action.
^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 0 0
login authentication local_auth
transport input ssh
line vty 5 807
exec-timeout 0 0
!
scheduler allocate 20000 1000
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn install csd flash:/webvpn/sdesktop.pkg
end

Any help would be a great help.

Ivan Martinon Thu, 02/18/2010 - 09:48

As the client log says, the problem is with either the group name or the password. Make sure this value "CDCH[VQTdCLUe]MNYS^e^ABEJWVKDhAAB" is NOT the one you are using, since this is the encrypted representation of the actual key. Since you have password encryption, I would suggest you re-enter the key under the group and make sure that is the one you are putting in the VPN client.

Peter Koltl Thu, 05/06/2010 - 01:53

The commands

aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-3 local

isakmp authorization list sdm_vpn_group_ml_1

result in the VPN group name (probably WOI-VPN) being authenticated against the RADIUS server. You can check that in the RADIUS logs and with 'debug radius'. (It's interesting that in this case you must set up a user WOI-VPN with a password of 'cisco' in ACS. The VPN group password is actually matched to cisco-avpair = "ipsec:tunnel-password=abc123".)

Anyway, I guess this is not what you wish. If you'd like to use the group defined on the router, change the isakmp authorization to local:

aaa authorization network sdm_vpn_group_ml_1 local
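A small config check that covers both replies above, added here as an illustration (it is not code from either reply or from Cisco): it parses an IOS running-config excerpt, reports for every ISAKMP profile where its authorization list sends the group-name/password lookup first (an AAA server group such as the RADIUS groups above, or local), and lists the client configuration groups whose `key` is stored as type 6, i.e. the encrypted form that must not be typed into the VPN client. It handles any number of profiles and groups, not just the one in the post; the sample config is a constructed excerpt modelled on the posted one.

```python
import re
from typing import Dict, List
# Constructed excerpt modelled on the posted config (not the full config).
SAMPLE_CONFIG = """\
aaa authorization network sdm_vpn_group_ml_1 group sdm-vpn-server-group-3 local
!
crypto isakmp client configuration group WOI-VPN
 key 6 CDCH[VQTdCLUe]MNYS^e^ABEJWVKDhAAB
crypto isakmp profile sdm-ike-profile-1
   match identity group WOI-VPN
   isakmp authorization list sdm_vpn_group_ml_1
"""

AUTHZ_RE = re.compile(r"^aaa authorization network (\S+)\s+(.*)$")
PROFILE_RE = re.compile(r"^crypto isakmp profile (\S+)$")
AUTHZ_LIST_RE = re.compile(r"^\s+isakmp authorization list (\S+)$")
GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)$")
KEY_RE = re.compile(r"^\s+key (\d)\s+\S+$")  # group(1) is the key type digit


def parse_authz_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authorization network' list name to its method order."""
    lists = {}
    for line in config.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            lists[m.group(1)] = m.group(2).split()  # e.g. ['group', 'X', 'local']
    return lists


def parse_block_children(config: str, header: re.Pattern, child: re.Pattern) -> Dict[str, str]:
    """Map each block header's capture to the first matching child capture."""
    found, current = {}, None
    for line in config.splitlines():
        h = header.match(line)
        if h:
            current = h.group(1)
            continue
        if not line.startswith(" "):
            current = None  # any non-indented line ends the block
            continue
        c = child.match(line)
        if current and c and current not in found:
            found[current] = c.group(1)
    return found


def group_authz_source(config: str) -> Dict[str, str]:
    """Per ISAKMP profile: first method of its list ('group:<server-group>' or 'local')."""
    lists = parse_authz_lists(config)
    profiles = parse_block_children(config, PROFILE_RE, AUTHZ_LIST_RE)
    result = {}
    for profile, list_name in profiles.items():
        methods = lists.get(list_name) or ["undefined-list"]
        result[profile] = "group:" + methods[1] if methods[0] == "group" else methods[0]
    return result


def encrypted_key_groups(config: str) -> List[str]:
    """Groups whose 'key' is stored as type 6 (encrypted), i.e. not the plaintext PSK."""
    keys = parse_block_children(config, GROUP_RE, KEY_RE)
    return [g for g, key_type in keys.items() if key_type == "6"]
```

Run it against the output of `show running-config`; a profile reported as `group:<name>` means the group password is being asked of that AAA server group rather than the router-local group definition.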
