
IOS VPN Server and Cisco VPN client connection problem

talmadari
Level 1

Hi,

I have tried to configure an 1811 router to work as a VPN server with local user authentication, with the following config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ExtR
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
!
ip dhcp pool LAN
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.1
!
username ron privilege 15 secret 5 $1$veUs$nq0cBO7oxWbWMfPbPqznJ1
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group vpnclientgroup
key cisco123
dns 192.168.0.1
wins 192.168.0.1
domain cisco.local
pool mypool
acl 108
max-users 10
netmask 255.255.255.0
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 86400
set transform-set myset
reverse-route
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
interface Loopback0
no ip address
!
interface FastEthernet0
description External interface
ip address xxx.xxx.xxx.xxx
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description "LAN Connection"
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool mypool 11.1.1.100 11.1.1.200
ip route 0.0.0.0 0.0.0.0 <ext interface>
!
ip dns server
!
no ip http server
ip http secure-server
ip nat inside source list 10 interface FastEthernet1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 108 remark ****** Split Tunnel Encrypted Traffic ******
access-list 108 permit ip 192.168.0.0 0.0.0.255 11.1.1.0 0.0.0.255

And when I'm trying to connect with Cisco VPN Client 5.x, I'm getting the following output:

*Jul 16 22:21:23.289: ISAKMP (0:0): received packet from xxx.xxx.xxx.xxx dport 500 sport 1052 Global (N) NEW SA
*Jul 16 22:21:23.289: ISAKMP: Created a peer struct for xxx.xxx.xxx.xxx, peer port 1052
*Jul 16 22:21:23.289: ISAKMP: New peer created peer = 0x8302A258 peer_handle = 0x8000000A
*Jul 16 22:21:23.289: ISAKMP: Locking peer struct 0x8302A258, refcount 1 for crypto_isakmp_process_block
*Jul 16 22:21:23.289: ISAKMP:(0):Setting client config settings 8472E87C
*Jul 16 22:21:23.289: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jul 16 22:21:23.289: ISAKMP/xauth: initializing AAA request
*Jul 16 22:21:23.289: ISAKMP: local port 500, remote port 1052
*Jul 16 22:21:23.289: insert sa successfully sa = 8466B738
*Jul 16 22:21:23.289: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 16 22:21:23.289: ISAKMP:(0): processing ID payload. message ID = 0
*Jul 16 22:21:23.289: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : vpnclientgroup
        protocol     : 17
        port         : 500
        length       : 22
*Jul 16 22:21:23.289: ISAKMP:(0):: peer matches *none* of the profiles
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is XAUTH
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is DPD
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 16 22:21:23.289: ISAKMP:(0): processing vendor id payload
*Jul 16 22:21:23.289: ISAKMP:(0): vendor ID is Unity
*Jul 16 22:21:23.289: ISAKMP:(0): Authentication by xauth preshared
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash SHA
*Jul 16 22:21:23.289: ISAKMP:      default group 2
*Jul 16 22:21:23.289: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.289: ISAKMP:      life type in seconds
*Jul 16 22:21:23.289: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.289: ISAKMP:      keylength of 256
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash MD5
*Jul 16 22:21:23.289: ISAKMP:      default group 2
*Jul 16 22:21:23.289: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.289: ISAKMP:      life type in seconds
*Jul 16 22:21:23.289: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.289: ISAKMP:      keylength of 256
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 256
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 256
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 8 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash MD5
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth pre-share
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:      keylength of 128
*Jul 16 22:21:23.293: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.293: ISAKMP:(0):Checking ISAKMP transform 9 against priority 10 policy
*Jul 16 22:21:23.293: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.293: ISAKMP:      hash SHA
*Jul 16 22:21:23.293: ISAKMP:      default group 2
*Jul 16 22:21:23.293: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.293: ISAKMP:      life type in seconds
*Jul 16 22:21:23.293: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.293: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jul 16 22:21:23.293: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Jul 16 22:21:23.297: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.297: ISAKMP:      hash MD5
*Jul 16 22:21:23.297: ISAKMP:      default group 2
*Jul 16 22:21:23.297: ISAKMP:      auth XAUTHInitPreShared
*Jul 16 22:21:23.297: ISAKMP:      life type in seconds
*Jul 16 22:21:23.297: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jul 16 22:21:23.297: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0): processing KE payload. message ID = 0
*Jul 16 22:21:23.325: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jul 16 22:21:23.325: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 16 22:21:23.325: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 16 22:21:23.325: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jul 16 22:21:23.329: ISAKMP:(2009): constructed NAT-T vendor-02 ID
*Jul 16 22:21:23.329: ISAKMP:(2009):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jul 16 22:21:23.329: ISAKMP (0:2009): ID payload
        next-payload : 10
        type         : 1
        address      : xxx.xxx.xxx.xxx
        protocol     : 17
        port         : 0
        length       : 12
*Jul 16 22:21:23.329: ISAKMP:(2009):Total payload length: 12
*Jul 16 22:21:23.329: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 1052 (R) AG_INIT_EXCH
*Jul 16 22:21:23.329: ISAKMP:(2009):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jul 16 22:21:23.329: ISAKMP:(2009):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Jul 16 22:21:23.349: ISAKMP (0:2009): received packet from xxx.xxx.xxx.xxx dport 4500 sport 1053 Global (R) AG_INIT_EXCH
*Jul 16 22:21:23.349: ISAKMP:(2009): processing HASH payload. message ID = 0
*Jul 16 22:21:23.349: ISAKMP:(2009): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 8466B738
*Jul 16 22:21:23.349: ISAKMP:received payload type 20
*Jul 16 22:21:23.349: ISAKMP:received payload type 20
*Jul 16 22:21:23.349: ISAKMP (0:2009): NAT found, the node outside NAT
*Jul 16 22:21:23.349: ISAKMP:(2009):SA authentication status:
        authenticated
*Jul 16 22:21:23.349: ISAKMP:(2009):SA has been authenticated with xxx.xxx.xxx.xxx
*Jul 16 22:21:23.349: ISAKMP:(2009):Detected port,floating to port = 1053
*Jul 16 22:21:23.349: ISAKMP: Trying to find existing peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/1053/
*Jul 16 22:21:23.349: ISAKMP:(2009):SA authentication status:
        authenticated
*Jul 16 22:21:23.349: ISAKMP:(2009): Process initial contact,
bring down existing phase 1 and 2 SA's with local xxx.xxx.xxx.xxx remote xxx.xxx.xxx.xxx remote port 1053
*Jul 16 22:21:23.349: ISAKMP:(2009):returning IP addr to the address pool
*Jul 16 22:21:23.349: ISAKMP: Trying to insert a peer xxx.xxx.xxx.xxx/xxx.xxx.xxx.xxx/1053/,  and inserted successfully 8302A258.
*Jul 16 22:21:23.349: ISAKMP: set new node 1031696747 to CONF_XAUTH  
*Jul 16 22:21:23.349: ISAKMP:(2009):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 2212198408, message ID = 1031696747
*Jul 16 22:21:23.349: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) QM_IDLE     
*Jul 16 22:21:23.349: ISAKMP:(2009):purging node 1031696747
*Jul 16 22:21:23.353: ISAKMP: Sending phase 1 responder lifetime 86400

*Jul 16 22:21:23.353: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_R_AM2  New State = IKE_P1_COMPLETE

*Jul 16 22:21:23.353: ISAKMP:(2009):Need XAUTH
*Jul 16 22:21:23.353: ISAKMP: set new node 1346095415 to CONF_XAUTH  
*Jul 16 22:21:23.353: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Jul 16 22:21:23.353: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Jul 16 22:21:23.353: ISAKMP:(2009): initiating peer config to xxx.xxx.xxx.xxx. ID = 1346095415
ExtR#
*Jul 16 22:21:23.353: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) CONF_XAUTH  
*Jul 16 22:21:23.353: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
*Jul 16 22:22:38.289: ISAKMP: quick mode timer expired.
*Jul 16 22:22:38.289: ISAKMP:(2009):src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx, SA is authenticated
*Jul 16 22:22:38.289: ISAKMP:(2009): src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx
*Jul 16 22:22:38.289: ISAKMP:(2009):oakley_begin_qm: should be doing XAUTH, not QM! -Traceback= 0x819D2054 0x819C50A0 0x819C5F34 0x800C8384 0x800CBAD8
ExtR#
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 CONF_XAUTH    1346095415 ...
*Jul 16 22:22:53.353: ISAKMP (0:2009): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jul 16 22:22:53.353: ISAKMP (0:2009): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 1346095415 CONF_XAUTH  
*Jul 16 22:22:53.353: ISAKMP:(2009): sending packet to xxx.xxx.xxx.xxx my_port 4500 peer_port 1053 (R) CONF_XAUTH 

The client can't connect and nothing happened.

Where did I go wrong?
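The debug output above, read mechanically as an added example (not part of the original thread and not Cisco code): a small parser for IOS `debug crypto isakmp` lines that reports which client transforms the router rejected and why (the AES proposals against the 3DES/MD5 policy), and flags the session stalling in IKE_XAUTH_REQ_SENT with CONF_XAUTH retransmits, which is the symptom in this thread. The sample lines are a constructed excerpt modelled on the debug above; the verdict strings are this example's own names.

```python
# Added example (not Cisco code): summarise IOS "debug crypto isakmp" output,
# listing which client transforms the router rejected and why, and whether the
# session then stalled waiting for the client's XAUTH reply.
import re

# Constructed excerpt modelled on the debug above (not a verbatim copy).
SAMPLE = """\
*Jul 16 22:21:23.289: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Jul 16 22:21:23.289: ISAKMP:      encryption AES-CBC
*Jul 16 22:21:23.289: ISAKMP:      hash SHA
*Jul 16 22:21:23.289: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jul 16 22:21:23.289: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jul 16 22:21:23.297: ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
*Jul 16 22:21:23.297: ISAKMP:      encryption 3DES-CBC
*Jul 16 22:21:23.297: ISAKMP:      hash MD5
*Jul 16 22:21:23.297: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jul 16 22:21:23.353: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT
*Jul 16 22:22:53.353: ISAKMP:(2009): retransmitting phase 2 CONF_XAUTH    1346095415 ...
"""
TRANSFORM = re.compile(r"Checking ISAKMP transform (\d+)")
ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|keylength)(?: of)?\s+(\S+)")
REJECT = re.compile(r"(Encryption|Hash) algorithm offered does not match")
STATE = re.compile(r"New State = (\w+)")

def parse_isakmp_debug(text):
    """Return (transforms, last_state, xauth_retransmits)."""
    transforms, cur, state, retrans = [], None, None, 0
    for line in text.splitlines():
        if m := TRANSFORM.search(line):            # start of a new client proposal
            cur = {"num": int(m.group(1)), "attrs": {}, "accepted": False, "reason": None}
            transforms.append(cur)
        elif (m := ATTR.search(line)) and cur:     # attribute offered in this proposal
            cur["attrs"][m.group(1)] = m.group(2)
        elif (m := REJECT.search(line)) and cur:   # attribute that failed the policy
            cur["reason"] = m.group(1).lower()
        elif "atts are acceptable" in line and cur:
            cur["accepted"] = True
        elif m := STATE.search(line):              # last IKE state reached
            state = m.group(1)
        elif "retransmitting phase 2" in line and "CONF_XAUTH" in line:
            retrans += 1                           # router re-asking for XAUTH creds
    return transforms, state, retrans

def diagnose(text):
    """Verdict: no acceptable phase-1 proposal, stalled XAUTH, or nothing found."""
    transforms, state, retrans = parse_isakmp_debug(text)
    if not any(t["accepted"] for t in transforms):
        return "phase1-no-matching-policy"
    if state == "IKE_XAUTH_REQ_SENT" and retrans:
        return "xauth-request-unanswered"
    return "no-fault-detected"
```

Run it over a captured `debug crypto isakmp` session: a stall in IKE_XAUTH_REQ_SENT points at the client side (no credential prompt, or UDP 4500 blocked on the path), not at the phase-1 policy.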

3 Replies

Jitendriya Athavale
Cisco Employee

Firstly, do you get username/password authentication?

Secondly, I do not see a local username/password defined on the router; can you please check that?

I see in the debugs that it is waiting for xauth to be entered by the user; now the question is whether you are prompted for one when you connect.

I would suggest you disable xauth and try it once.

I do have a username and password locally configured, but I don't get username and password authentication.

How can I disable xauth?

Oh yes, I see you have it; dunno how I missed it the first time. My bad.

Anyway, to proceed further I think we will need to put captures on the outside of the firewall and run Wireshark on the PC between the 2 public IPs, just to make sure that the ISP has not blocked any ports.

Also, please attach logs on the client at level 3.

Secondly, to disable xauth, remove the client authentication command:

no crypto map mymap client authentication list userauth
