Error when VPN Client Tries To Connect To IOS Router VPN server

Feb 22nd, 2010

I have three routers configured as HQ and two branches using DMVPN. I'm routing between the sites using EIGRP; all working fine.

I have configured Easy VPN also for VPN clients. When the client connects using the VPN client on an XP laptop I receive the error

"Secure VPN Connection Terminated by Peer Reason 433"

I have run a number of debugs and I'm able to authenticate via AAA using a locally defined username and password. However, after logging in I receive the message on the client laptop: "Secure VPN Connection Terminated by Peer Reason 433"

When I connect from the client I receive the following debug; it looks like phase one passes.

I receive the following HQ router debug output with crypto ISAKMP debugging on:

*Feb 22 22:40:27.719: ISAKMP:(0):atts are acceptable. Next payload is 3
*Feb 22 22:40:27.719: ISAKMP:(0): processing KE payload. message ID = 0
*Feb 22 22:40:27.767: ISAKMP:(0): processing NONCE payload. message ID = 0
*Feb 22 22:40:27.771: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 22 22:40:27.771: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Feb 22 22:40:27.771: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Feb 22 22:40:27.771: ISAKMP:(1021): constructed NAT-T vendor-02 ID
*Feb 22 22:40:27.771: ISAKMP:(1021):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Feb 22 22:40:27.775: ISAKMP (0:1021): ID payload
        next-payload : 10
        type         : 1
        address      : 50.50.50.3
        protocol     : 17
        port         : 0
        length       : 12
*Feb 22 22:40:27.775: ISAKMP:(1021):Total payload length: 12
*Feb 22 22:40:27.775: ISAKMP:(1021): sending packet to 10.10.20.103 my_port 500 peer_port 49827 (R) AG_INIT_EXCH
*Feb 22 22:40:27.775: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Feb 22 22:40:27.775: ISAKMP:(1021):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Feb 22 22:40:27.775: ISAKMP:(1021):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Feb 22 22:40:27.791: ISAKMP (0:1021): received packet from 10.10.20.103 dport 500 sport 49827 Global (R) AG_INIT_EXCH
*Feb 22 22:40:27.791: ISAKMP:(1021): processing HASH payload. message ID = 0
*Feb 22 22:40:27.791: ISAKMP:(1021): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 46F1D818
*Feb 22 22:40:27.791: ISAKMP:received payload type 20
*Feb 22 22:40:27.791: ISAKMP:received payload type 20
*Feb 22 22:40:27.795: ISAKMP:(1021):SA authentication status:
        authenticated
*Feb 22 22:40:27.795: ISAKMP:(1021):SA has been authenticated with 10.10.20.103
*Feb 22 22:40:27.795: ISAKMP:(1021):SA authentication status:
        authenticated
*Feb 22 22:40:27.795: ISAKMP:(1021): Process initial contact,
bring down existing phase 1 and 2 SA's with local 50.50.50.3 remote 10.10.20.103 remote port 49827
*Feb 22 22:40:27.795: ISAKMP:(1021):returning IP addr to the address pool
*Feb 22 22:40:27.795: ISAKMP: Trying to insert a peer 50.50.50.3/10.10.20.103/49827/,  and inserted successfully 46F1DF6C.
*Feb 22 22:40:27.795: ISAKMP: set new node 1434433346 to CONF_XAUTH
*Feb 22 22:40:27.795: ISAKMP:(1021):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 1208117752, message ID = 1434433346
*Feb 22 22:40:27.795: ISAKMP:(1021): sending packet to 10.10.20.103 my_port 500 peer_port 49827 (R) QM_IDLE
*Feb 22 22:40:27.795: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Feb 22 22:40:27.795: ISAKMP:(1021):purging node 1434433346
*Feb 22 22:40:27.799: ISAKMP: Sending phase 1 responder lifetime 86400

*Feb 22 22:40:27.799: ISAKMP:(1021):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Feb 22 22:40:27.799: ISAKMP:(1021):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

*Feb 22 22:40:27.799: ISAKMP:(1021):Need XAUTH
*Feb 22 22:40:27.799: ISAKMP: set new node -40414287 to CONF_XAUTH
*Feb 22 22:40:27.799: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Feb 22 22:40:27.799: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Feb 22 22:40:27.799: ISAKMP:(1021): initiating peer config to 10.10.20.103. ID = -40414287
*Feb 22 22:40:27.799: ISAKMP:(1021): sending packet to 10.10.20.103 my_port 500 peer_port 49827 (R) CONF_XAUTH
*Feb 22 22:40:27.799: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Feb 22 22:40:27.803: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 22 22:40:27.803: ISAKMP:(1021):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

At this point I have not input my username or password on the VPN client.

Below I enter my username (andrewb) and password.

lab-HQ-rtr#
*Feb 22 22:41:56.983: ISAKMP (0:1021): received packet from 10.10.20.103 dport 500 sport 49827 Global (R) CONF_XAUTH
*Feb 22 22:41:56.983: ISAKMP:(1021):processing transaction payload from 10.10.20.103. message ID = -40414287
*Feb 22 22:41:56.983: ISAKMP: Config payload REPLY
*Feb 22 22:41:56.983: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Feb 22 22:41:56.983: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Feb 22 22:41:56.983: ISAKMP:(1021):deleting node -40414287 error FALSE reason "Done with xauth request/reply exchange"
*Feb 22 22:41:56.983: ISAKMP:(1021):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Feb 22 22:41:56.983: ISAKMP:(1021):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*Feb 22 22:41:56.987: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server)  Authentication PASSED  User=andrewb  Group=tele-mobile  Client_public_addr=10.10.20.103  Server_public_addr=50.50.50.3
*Feb 22 22:41:56.987: ISAKMP: set new node 1065737635 to CONF_XAUTH
lab-HQ-rtr#
*Feb 22 22:41:56.987: ISAKMP:(1021): initiating peer config to 10.10.20.103. ID = 1065737635
*Feb 22 22:41:56.987: ISAKMP:(1021): sending packet to 10.10.20.103 my_port 500 peer_port 49827 (R) CONF_XAUTH
*Feb 22 22:41:56.987: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Feb 22 22:41:56.987: ISAKMP:(1021):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*Feb 22 22:41:56.987: ISAKMP:(1021):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

*Feb 22 22:41:56.995: ISAKMP (0:1021): received packet from 10.10.20.103 dport 500 sport 49827 Global (R) CONF_XAUTH
*Feb 22 22:41:56.995: ISAKMP:(1021):processing transaction payload from 10.10.20.103. message ID = 1065737635
*Feb 22 22:41:56.995: ISAKMP: Config payload ACK
*Feb 22 22:41:56.995: ISAKMP:(1021):       (blank) XAUTH ACK Processed
*Feb 22 22:41:56.995: ISAKMP:(1021):deleting node 1065737635 error FALSE reason "Transaction mode done"
*Feb 22 22:41:56.995: ISAKMP:(1021):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*Feb 22 22:41:56.995: ISAKMP:(1021):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

*Feb 22 22:41:56.995: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb 22 22:41:56.995: ISAKMP:(1021):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb 22 22:41:56.999: ISAKMP:(1021):peer does not do paranoid keepalives.

*Feb 22 22:41:56.999: ISAKMP:(1021):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 10.10.20.103)
*Feb 22 22:41:56.999: ISAKMP: set new node 1307928607 to QM_IDLE
*Feb 22 22:41:56.999: ISAKMP:(1021): sending packet to 10.10.20.103 my_port 500 peer_port 49827 (R) QM_IDLE
*Feb 22 22:41:56.999: ISAKMP:(1021):Sending an IKE IPv4 Packet.
*Feb 22 22:41:56.999: ISAKMP:(1021):purging node 1307928607
*Feb 22 22:41:57.003: ISAKMP:(1021):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 22 22:41:57.003: ISAKMP:(1021):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Feb 22 22:41:57.003: ISAKMP:(1021):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 10.10.20.103)
*Feb 22 22:41:57.003: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Feb 22 22:41:57.003: ISAKMP: Unlocking peer struct 0x46F1DF6C for isadb_mark_sa_deleted(), count 0
*Feb 22 22:41:57.003: ISAKMP: Deleting peer node by peer_reap for 10.10.20.103: 46F1DF6C
*Feb 22 22:41:57.003: ISAKMP:(1021):deleting node -40414287 error FALSE reason "IKE deleted"
*Feb 22 22:41:57.003: ISAKMP:(1021):deleting node 1065737635 error FALSE reason "IKE deleted"
*Feb 22 22:41:57.003: ISAKMP:(1021):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 22 22:41:57.007: ISAKMP:(1021):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Feb 22 22:41:57.007: ISAKMP (0:1021): received packet from 10.10.20.103 dport 500 sport 49827 Global (R) MM_NO_STATE
lab-HQ-rtr#
lab-HQ-rtr#

And that's as far as I get. This is a 2811 router that I have DMVPN configured on already. I'm trying to add VPN also for client access.

I have included my config as an attachment. I noticed that I could not add any tunnel config under the virtual template. However, when I added the interface I was able to add it as a tunnel.

lab-HQ-rtr(config)#interface Virtual-Template2 type tunnel

!
interface Virtual-Template2
description Dynamic Virtual Tunnel For EZVPN Teleworkers
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly

Can't add tunnel commands here; not sure if that's a problem?

Any insight into this would be appreciated.

Andy
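As an added illustration (not part of Andy's post, and not a Cisco tool), the following Python script reads "debug crypto isakmp" output like the capture above and reports how far the negotiation got: which IKE state transitions occurred, whether XAUTH passed, and whether the SA was torn down before Quick Mode ever started. The sample input is a constructed, abridged copy of the debug lines in the post; the state names and log formats are the ones that appear there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: abridged copy of the ISAKMP debug lines in the post above.
SAMPLE_DEBUG = """\
*Feb 22 22:40:27.771: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT
*Feb 22 22:40:27.775: ISAKMP:(1021):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
*Feb 22 22:40:27.795: ISAKMP:(1021):SA has been authenticated with 10.10.20.103
*Feb 22 22:40:27.799: ISAKMP:(1021):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE
*Feb 22 22:40:27.803: ISAKMP:(1021):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
*Feb 22 22:41:56.983: ISAKMP:(1021):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Feb 22 22:41:56.987: %CRYPTO-6-VPN_TUNNEL_STATUS: (Server)  Authentication PASSED  User=andrewb  Group=tele-mobile  Client_public_addr=10.10.20.103  Server_public_addr=50.50.50.3
*Feb 22 22:41:56.987: ISAKMP:(1021):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
*Feb 22 22:41:56.995: ISAKMP:(1021):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE
*Feb 22 22:41:56.999: ISAKMP:(1021):deleting SA reason "P1 delete notify (in)" state (R) QM_IDLE       (peer 10.10.20.103)
*Feb 22 22:41:57.003: ISAKMP:(1021):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# "Old State = X  New State = Y" lines carry the IKE state machine progress.
TRANSITION_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): ISAKMP:\((?P<sa>\d+)\):"
    r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)"
)
# The syslog line the server emits when XAUTH (the username/password step) finishes.
AUTH_RE = re.compile(
    r"%CRYPTO-6-VPN_TUNNEL_STATUS: \(Server\)\s+Authentication (?P<result>\w+)"
    r"\s+User=(?P<user>\S+)\s+Group=(?P<group>\S+)"
)
# The teardown line; the quoted reason says who initiated the delete.
DELETE_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \(R\) (?P<state>\S+)\s+\(peer (?P<peer>[\d.]+)\)'
)


@dataclass
class Transition:
    ts: str
    sa: str
    old: str
    new: str


def parse_transitions(text: str) -> List[Transition]:
    """Return every IKE state transition, in the order it was logged."""
    out = []
    for line in text.splitlines():
        m = TRANSITION_RE.match(line)
        if m:
            out.append(Transition(m["ts"], m["sa"], m["old"], m["new"]))
    return out


def parse_auth_events(text: str) -> List[Dict[str, str]]:
    """Return XAUTH results (PASSED/FAILED) with the user and group that were checked."""
    return [
        {"result": m["result"], "user": m["user"], "group": m["group"]}
        for m in AUTH_RE.finditer(text)
    ]


def parse_sa_deletions(text: str) -> List[Dict[str, str]]:
    """Return each SA deletion with its reason, the state it was in and the peer."""
    return [
        {"reason": m["reason"], "state": m["state"], "peer": m["peer"]}
        for m in DELETE_RE.finditer(text)
    ]


def diagnose(text: str) -> dict:
    """Summarise how far IKE got and point at the layer where it stopped."""
    states = [t.new for t in parse_transitions(text)]
    auths = parse_auth_events(text)
    deletions = parse_sa_deletions(text)
    result = {
        "phase1_complete": "IKE_P1_COMPLETE" in states,
        "xauth_passed": any(a["result"] == "PASSED" for a in auths),
        # Quick Mode (phase 2) states on IOS are named IKE_QM_*.
        "reached_phase2": any(s.startswith("IKE_QM_") for s in states),
        "last_state": states[-1] if states else None,
        "delete_reason": deletions[0]["reason"] if deletions else None,
    }
    if result["reached_phase2"]:
        result["verdict"] = "Quick Mode was reached; look at phase 2 (transform set, proxy IDs, IPsec profile)."
    elif not result["phase1_complete"]:
        result["verdict"] = "Phase 1 never completed; check the ISAKMP policy and the group pre-shared key."
    elif not result["xauth_passed"]:
        result["verdict"] = "Phase 1 completed but XAUTH did not pass; check AAA."
    elif result["delete_reason"]:
        result["verdict"] = (
            "Phase 1 and XAUTH succeeded but the SA was torn down before Quick Mode "
            f"({result['delete_reason']}); look past AAA at mode-config and the IPsec side "
            "(address pool, virtual-template, IPsec profile)."
        )
    else:
        result["verdict"] = "Phase 1 and XAUTH succeeded; no deletion or Quick Mode seen in this capture."
    return result


if __name__ == "__main__":
    for t in parse_transitions(SAMPLE_DEBUG):
        print(f"{t.ts}  SA {t.sa}: {t.old} -> {t.new}")
    for key, value in diagnose(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the capture in the post, the script shows phase 1 completing twice (once before and once after XAUTH), the "Authentication PASSED" line, and then the "P1 delete notify (in)" teardown with no IKE_QM_ state in between, which is what narrows the fault to the server's IPsec side rather than to AAA.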

networkwise Tue, 02/23/2010 - 14:10

This problem is now resolved. It turned out to be a virtual template problem. I was unable to create an "interface Virtual-Template2 type tunnel".

I could create an interface Virtual-Template2 without the tunnel part.

When I tried to add the lines under the template config:

tunnel mode ipsec ipv4
tunnel protection ipsec profile tele-mobile
(Could not add these.)

I could not add them; tunnel was not an option. That's why the VPN client was receiving the login error. I was missing the

tunnel mode ipsec ipv4

tunnel protection ipsec profile tele-mobile

I had created an "interface Virtual-Template2" earlier with no type tunnel at the end of the line.

Even though I deleted the interface to try and add the interface "Virtual-Template2 type tunnel", the router still seemed to hold the old interface Virtual-Template2 config, even though it didn't show up in the running config. It looked like it had gone.

I had to reboot the router, then add the interface Virtual-Template2 type tunnel. The router took the command, and then I could add the

tunnel mode ipsec ipv4

tunnel protection ipsec profile tele-mobile

This fixed the problem. I could then dial in using the VPN client and was assigned an IP address with no error message.

Andy
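For reference, here is what the working server side looks like once the template is created with "type tunnel". This is an added example, not Andy's attached config: the virtual-template number, Loopback0, the group name tele-mobile and the IPsec profile name tele-mobile come from the thread; the ISAKMP profile name ezvpn-prof, the transform set TS-AES-SHA, the AAA list names, the pool name and the key placeholder are assumed.

```cisco
! Assumed names (not from the thread): ezvpn-prof, TS-AES-SHA, ezvpn-auth,
! ezvpn-authz, ezvpn-pool and the key placeholder. Replace them with your own.
aaa new-model
aaa authentication login ezvpn-auth local
aaa authorization network ezvpn-authz local
!
ip local pool ezvpn-pool 192.0.2.10 192.0.2.50
!
crypto isakmp client configuration group tele-mobile
 key <GROUP-PRESHARED-KEY-PLACEHOLDER>
 pool ezvpn-pool
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile tele-mobile
 set transform-set TS-AES-SHA
!
! The ISAKMP profile ties the client group to the virtual template; each
! connecting client gets its own Virtual-Access interface cloned from it.
crypto isakmp profile ezvpn-prof
 match identity group tele-mobile
 client authentication list ezvpn-auth
 isakmp authorization list ezvpn-authz
 client configuration address respond
 virtual-template 2
!
! "type tunnel" is the keyword that makes the two tunnel commands available.
! "interface Virtual-Template2" without it creates a non-tunnel template on
! which "tunnel mode" and "tunnel protection" are not accepted, which is the
! state described above. The leftover non-tunnel template has to be gone
! (in this thread that took a reload) before the tunnel-type one can be made.
interface Virtual-Template2 type tunnel
 description Dynamic Virtual Tunnel For EZVPN Teleworkers
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile tele-mobile
!
! Checks after the change and after a client connects:
!   show running-config interface Virtual-Template2
!   show crypto session
!   show crypto isakmp sa
```

In "show running-config interface Virtual-Template2" the first line should read "interface Virtual-Template2 type tunnel" and both tunnel commands should be present; if the "type tunnel" keyword is missing from that line, the template is the non-tunnel kind and the two commands will still be rejected.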
