
IOS VPN Server and Cisco VPN client connection problem

talmadari
Level 1

Hi,

I have tried to configure an 1811 router to work as a VPN server with local user authentication, with the following config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ExtR
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool LAN
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.1
!
username ron privilege 15 secret 5 $1$veUs$nq0cBO7oxWbWMfPbPqznJ1
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 90
         
!
crypto isakmp client configuration group vpnclientgroup
key cisco123
dns 192.168.0.1
wins 192.168.0.1
domain cisco.local
pool mypool
acl 108
max-users 10
netmask 255.255.255.0
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 86400
set transform-set myset
reverse-route
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
interface Loopback0
no ip address
!
interface FastEthernet0
description External interface
ip address xxx.xxx.xxx.xxx
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description "LAN Connection"
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool mypool 11.1.1.100 11.1.1.200
ip route 0.0.0.0 0.0.0.0 <ext interface>
!
ip dns server
!
no ip http server
ip http secure-server
ip nat inside source list 10 interface FastEthernet1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 108 remark ****** Split Tunnel Encrypted Traffic ******
access-list 108 permit ip 192.168.0.0 0.0.0.255 11.1.1.0 0.0.0.255

When I try to connect with Cisco VPN Client 5.x, I get the following output:

*Jul 16 22:21:23.289: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 1052 Global (N) NEW SA
*Jul 16 22:21:23.289: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 1052
*Jul 16 22:21:23.289: ISAKMP: New peer created peer = 0x8302A258 peer_handle = 0x8000000A
*Jul 16 22:21:23.289: ISAKMP: Locking peer struct 0x8302A258, refcount 1 for crypto_isakmp_process_block
*Jul 16 22:21:23.289: ISAKMP:(0):Setting client config settings 8472E87C
*Jul 16 22:21:23.289: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jul 16 22:21:23.289: ISAKMP/xauth: initializing AAA request
*Jul 16 22:21:23.289: ISAKMP: local port 500, remote port 1052
*Jul 16 22:21:23.289: insert sa successfully sa = 8466B738
*Jul 16 22:21:23.289: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 16 22:21:23.289: ISAKMP:(0): processing ID payload. message ID = 0
*Jul 16 22:21:23.289: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnclientgroup
        protocol     : 17
        port         : 500
        length       : 22
*Jul 16 22:21:23.289: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is XAUTH
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is DPD
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is Unity
*Jul 16 22:21:23.289: ISAKMP:(0): Authentication by xauth preshared
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash SHA
*Jul 16 22:21:23.289: ISAKMP:      default group 2
*Jul 16 22:21:23.289: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.289: ISAKMP:      life type in seconds
*Jul 16 22:21:23.289: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.289: ISAKMP:      keylength of 256
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash MD5
*Jul 16 22:21:23.289: ISAKMP:      default group 2
*Jul 16 22:21:23.289: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.289: ISAKMP:      life type in seconds
*Jul 16 22:21:23.289: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.289: ISAKMP:      keylength of 256
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 256
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 256
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Jul 16 22:21:23.297: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.297: ISAKMP:      hash MD5
*Jul 16 22:21:23.297: ISAKMP:      default group 2
*Jul 16 22:21:23.297: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.297: ISAKMP:      life type in seconds
*Jul 16 22:21:23.297: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.297: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 16 22:21:23.325: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 16 22:21:23.325: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 16 22:21:23.325: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 16 22:21:23.325: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jul 16 22:21:23.329: ISAKMP:(2009): constructed NAT-T vendor-02 ID
*Jul 16 22:21:23.329: ISAKMP:(2009):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jul 16 22:21:23.329: ISAKMP (0:2009): ID payload
        next-payload : 10
        type         : 1
        address      : xxx.xxx.xxx.xxx
        protocol     : 17
        port         : 0
        length       : 12
*Jul 16 22:21:23.329: ISAKMP:(2009):Total payload length: 12
*Jul 16 22:21:23.329: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 1052 (R) AG_INIT_EXCH
*Jul 16 22:21:23.329: ISAKMP:(2009):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jul 16 22:21:23.329: ISAKMP:(2009):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Jul 16 22:21:23.349: ISAKMP (0:2009): received packet from xxx.xxx.xxx.xxx dport 4500 sport 1053 Global (R) AG_INIT_EXCH
*Jul 16 22:21:23.349: ISAKMP:(2009): processing HASH payload. message ID = 0
*Jul 16 22:21:23.349: ISAKMP:(2009): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 8466B738
*Jul 16 22:21:23.349: ISAKMP:received payload type 20
*Jul 16 22:21:23.349: ISAKMP:received payload type 20
*Jul 16 22:21:23.349: ISAKMP (0:2009): NAT found, the node outside NAT
*Jul 16 22:21:23.349: ISAKMP:(2009):SA authentication status:
        authenticated
*Jul 16 22:21:23.349: ISAKMP:(2009):SA has been authenticated with xxx.xxx.xxx.xxx
*Jul 16 22:21:23.349: ISAKMP:(2009):Detected port,floating to port = 1053
*Jul 16 22:21:23.349: ISAKMP: Trying to find existing peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/1053/
*Jul 16 22:21:23.349: ISAKMP:(2009):SA authentication status:
        authenticated
*Jul 16 22:21:23.349: ISAKMP:(2009): Process initial contact,
bring down existing phase 1 and 2 SA's with local xxx.xxx.xxx.xxx remote xxx.xxx.xxx.xxx remote port 1053
*Jul 16 22:21:23.349: ISAKMP:(2009):returning IP addr to the address pool
*Jul 16 22:21:23.349: ISAKMP: Trying to insert a peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/1053/,  and inserted successfully 8302A258.
*Jul 16 22:21:23.349: ISAKMP: set new node 1031696747 to CONF_XAUTH  
*Jul 16 22:21:23.349: ISAKMP:(2009):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 2212198408, message ID = 1031696747
*Jul 16 22:21:23.349: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) QM_IDLE     
*Jul 16 22:21:23.349: ISAKMP:(2009):purging node 1031696747
*Jul 16 22:21:23.353: ISAKMP: Sending phase 1 responder lifetime 86400

*Jul 16 22:21:23.353: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

*Jul 16 22:21:23.353: ISAKMP:(2009):Need XAUTH
*Jul 16 22:21:23.353: ISAKMP: set new node 1346095415 to CONF_XAUTH  
*Jul 16 22:21:23.353: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Jul 16 22:21:23.353: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Jul 16 22:21:23.353: ISAKMP:(2009): initiating peer config to xxx.xxx.xxx.xxx. ID = 1346095415
ExtR#
*Jul 16 22:21:23.353: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) CONF_XAUTH  
*Jul 16 22:21:23.353: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
*Jul 16 22:22:38.289: ISAKMP: quick mode timer expired.
*Jul 16 22:22:38.289: ISAKMP:(2009):src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx, SA is authenticated
*Jul 16 22:22:38.289: ISAKMP:(2009): src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx
*Jul 16 22:22:38.289: ISAKMP:(2009):oakley_begin_qm: should be doing XAUTH, not QM! -Traceback= 0x819D2054 0x819C50A0 0x819C5F34 0x800C8384 0x800CBAD8
ExtR#
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 CONF_XAUTH    1346095415 ...
*Jul 16 22:22:53.353: ISAKMP (0:2009): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jul 16 22:22:53.353: ISAKMP (0:2009): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 1346095415 CONF_XAUTH  
*Jul 16 22:22:53.353: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) CONF_XAUTH 

The client can't connect and nothing happens.

Where did I go wrong?
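An added example, not from the post or from Cisco, that parses debug crypto isakmp output in the format quoted above: it lists which of the client's proposals the router's policy accepted (here only the 3DES/MD5 one) and flags the point where the exchange stalls at IKE_XAUTH_REQ_SENT with CONF_XAUTH retransmits. The sample lines are a constructed excerpt modelled on the log above.

```python
import re
# Constructed excerpt in the format of the "debug crypto isakmp" output quoted above.
SAMPLE_DEBUG = """\
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash SHA
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Jul 16 22:21:23.297: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.297: ISAKMP:      hash MD5
*Jul 16 22:21:23.297: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
*Jul 16 22:22:38.289: ISAKMP: quick mode timer expired.
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 CONF_XAUTH    1346095415 ...
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|auth)\s+(\S+)")
REJECT_RE = re.compile(r"(\w+) algorithm offered does not match policy")
STATE_RE = re.compile(r"New State = (\S+)")

def parse_transforms(debug_text):
    """One dict per proposal the client offered, with the router's verdict and the reason."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        if m := CHECK_RE.search(line):
            cur = {"transform": int(m[1]), "policy": int(m[2]), "accepted": None, "reason": None}
            transforms.append(cur)
        elif cur is None:
            continue
        elif m := ATTR_RE.search(line):
            cur[m[1]] = m[2]                      # encryption / hash / auth
        elif m := REJECT_RE.search(line):
            cur["reason"] = m[1].lower()          # attribute that failed the policy check
        elif "atts are not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return transforms

def diagnose(debug_text):
    """Which proposal was accepted, the last IKE state reached, and whether XAUTH stalled."""
    accepted = [t for t in parse_transforms(debug_text) if t["accepted"]]
    states = STATE_RE.findall(debug_text)
    retransmits = debug_text.count("retransmitting phase 2")
    last = states[-1] if states else None
    # Phase 1 finished but the XAUTH request is being retransmitted: no reply from the client.
    stalled = last == "IKE_XAUTH_REQ_SENT" and retransmits > 0
    return {"accepted": accepted, "last_state": last, "retransmits": retransmits, "stalled_xauth": stalled}
```

Feed it the full debug capture instead of SAMPLE_DEBUG and accepted will hold exactly the proposals that passed the priority 10 policy, which makes it easy to see that only the 3DES/MD5 proposal survives.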

3 Replies

Jitendriya Athavale
Cisco Employee

Firstly, do you get username/password authentication?

Secondly, I do not see a local username/password defined on the router; can you please check that.

I see in the debugs that it is waiting for xauth to be entered by the user; now the question is whether you are prompted for one when you connect.

I would suggest you disable xauth and try it once.

I do have a username and password locally configured, but I don't get username and password authentication.

How can I disable xauth?

Oh yes, I see you have it; don't know how I missed it the first time. My bad.

Anyway, to proceed further I think we will need to put captures on the outside of the firewall and run Wireshark on the PC between the two public IPs, just to make sure that the ISP has not blocked any ports.

Also, please attach logs on the client at level 3.

Secondly,

to disable xauth, remove the client authentication command:

no crypto map mymap client authentication list userauth