09-27-2010 05:09 AM
Hi,
I am trying to configure VPDN on a 2811 router, but I am not able to connect to the VPN. First, when I start the VPDN dialer from my PC, I get this message:
*Sep 27 12:00:33.314: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at XX.XXX.XX.218
The configuration follows. Please let me know where I am making the mistake.
Building configuration...
Current configuration : 2043 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_R1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password <removed>
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip flow-cache timeout active 1
ip name-server xx.xx.xx.180
ip name-server 1.2.1.211
no ip ips deny-action ips-interface
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
username test1234 password 0 test1234
username ciscovpn password 0 ciscovpn
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key CisC01234 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map cc 10
set nat demux
set transform-set ccsp
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
!
!
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address xxx.xxx.xxx.94 xx.xx.xx.252
duplex full
speed 100
crypto map cisco
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 1xx.1x1.xx3.1x3 255.255.255.192
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool l2tp-pool
ppp authentication chap
!
ip local pool pptp 1.100.0.1 1.100.0.10
ip classless
ip route 0.0.0.0 0.0.0.0 1xx.1xx.xx.93
!
ip flow-export source FastEthernet0/1
ip flow-export version 5
ip flow-export destination 1xx.1xx.xxx.250 9996
!
ip http server
no ip http secure-server
!
snmp-server ifindex persist
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password <removed>
login
!
scheduler allocate 20000 1000
!
end
Please let me know why I am not able to connect to the VPN.
09-27-2010 01:09 PM
Quick mode is phase 2 IPsec.
Most likely cause:
1. Phase 2 parameter mismatch (PFS, encryption settings).
2. Or maybe landing on the wrong profile on the other side.
3. Others; would need IPsec and ISAKMP debugs from both sides to confirm.
M.
09-27-2010 01:23 PM
This might help:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html#wp1067258
You do not necessarily need a loopback in your virtual template. It is recommended, but it will work only if the loopback is handling the public IPs.
09-28-2010 01:30 AM
Hi,
I tried to change the Phase 1 & 2 settings, but I am still not able to connect to the VPN. I am getting these errors, and in them I find Group 14. I am trying to connect from my laptop (XP SP2) loaded
*Sep 28 08:07:28.509: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (N) NEW SA
*Sep 28 08:07:28.509: ISAKMP: Created a peer struct for 11.19.75.34, peer port 500
*Sep 28 08:07:28.509: ISAKMP: New peer created peer = 0x461E5C28 peer_handle = 0x80000022
*Sep 28 08:07:28.509: ISAKMP: Locking peer struct 0x461E5C28, refcount 1 for crypto_isakmp_process_block
*Sep 28 08:07:28.513: ISAKMP: local port 500, remote port 500
*Sep 28 08:07:28.513: insert sa successfully sa = 46ED285C
*Sep 28 08:07:28.513: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 28 08:07:28.513: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Sep 28 08:07:28.513: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 28 08:07:28.517: ISAKMP:(0):Looking for a matching key for 11.19.75.34 in default
*Sep 28 08:07:28.517: ISAKMP:(0): : success
*Sep 28 08:07:28.517: ISAKMP:(0):found peer pre-shared key matching 11.19.75.34
*Sep 28 08:07:28.517: ISAKMP:(0): local preshared key found
*Sep 28 08:07:28.517: ISAKMP : Scanning profiles for xauth ...
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP: hash SHA
*Sep 28 08:07:28.517: ISAKMP: unknown DH group 14
*Sep 28 08:07:28.517: ISAKMP: auth pre-share
*Sep 28 08:07:28.517: ISAKMP: life type in seconds
*Sep 28 08:07:28.517: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.517: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP: hash SHA
*Sep 28 08:07:28.517: ISAKMP: default group 2
*Sep 28 08:07:28.517: ISAKMP: auth pre-share
*Sep 28 08:07:28.517: ISAKMP: life type in seconds
*Sep 28 08:07:28.517: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.517: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP: hash MD5
*Sep 28 08:07:28.517: ISAKMP: default group 2
*Sep 28 08:07:28.517: ISAKMP: auth pre-share
*Sep 28 08:07:28.517: ISAKMP: life type in seconds
*Sep 28 08:07:28.517: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash SHA
*Sep 28 08:07:28.521: ISAKMP: default group 1
*Sep 28 08:07:28.521: ISAKMP: auth pre-share
*Sep 28 08:07:28.521: ISAKMP: life type in seconds
*Sep 28 08:07:28.521: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash MD5
*Sep 28 08:07:28.521: ISAKMP: default group 1
*Sep 28 08:07:28.521: ISAKMP: auth pre-share
*Sep 28 08:07:28.521: ISAKMP: life type in seconds
*Sep 28 08:07:28.521: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Sep 28 08:07:28.521: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash SHA
*Sep 28 08:07:28.521: ISAKMP: unknown DH group 14
*Sep 28 08:07:28.521: ISAKMP: auth pre-share
*Sep 28 08:07:28.521: ISAKMP: life type in seconds
*Sep 28 08:07:28.521: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
*Sep 28 08:07:28.521: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash SHA
*Sep 28 08:07:28.525: ISAKMP: default group 2
*Sep 28 08:07:28.525: ISAKMP: auth pre-share
*Sep 28 08:07:28.525: ISAKMP: life type in seconds
*Sep 28 08:07:28.525: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
*Sep 28 08:07:28.525: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.525: ISAKMP: hash MD5
*Sep 28 08:07:28.525: ISAKMP: default group 2
*Sep 28 08:07:28.525: ISAKMP: auth pre-share
*Sep 28 08:07:28.525: ISAKMP: life type in seconds
*Sep 28 08:07:28.525: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
*Sep 28 08:07:28.525: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.525: ISAKMP: hash SHA
*Sep 28 08:07:28.525: ISAKMP: default group 1
*Sep 28 08:07:28.525: ISAKMP: auth pre-share
*Sep 28 08:07:28.525: ISAKMP: life type in seconds
*Sep 28 08:07:28.525: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Authentication method offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
*Sep 28 08:07:28.529: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.529: ISAKMP: hash MD5
*Sep 28 08:07:28.529: ISAKMP: default group 1
*Sep 28 08:07:28.529: ISAKMP: auth pre-share
*Sep 28 08:07:28.529: ISAKMP: life type in seconds
*Sep 28 08:07:28.529: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.529: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 28 08:07:28.529: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 28 08:07:28.529: ISAKMP:(0):no offers accepted!
*Sep 28 08:07:28.529: ISAKMP:(0): phase 1 SA policy not acceptable! (local 115.111.23.94 remote 11.19.75.34)
*Sep 28 08:07:28.529: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Sep 28 08:07:28.529: ISAKMP:(0): sending packet to 11.19.75.34 my_port 500 peer_port 500 (R) MM_NO_STATE
*Sep 28 08:07:28.529: ISAKMP:(0):peer does not do paranoid keepalives.
*Sep 28 08:07:28.529: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.529: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 28 08:07:28.533: ISAKMP (0:0): FSM action returned error: 2
*Sep 28 08:07:28.533: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 28 08:07:28.533: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Sep 28 08:07:28.537: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.537: ISAKMP: Unlocking peer struct 0x461E5C28 for isadb_mark_sa_deleted(), count 0
*Sep 28 08:07:28.537: ISAKMP: Deleting peer node by peer_reap for 11.19.75.34: 461E5C28
*Sep 28 08:07:28.537: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 28 08:07:28.537: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
*Sep 28 08:07:28.537: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 28 08:07:28.541: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.541: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 28 08:07:28.541: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Sep 28 08:07:29.909: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:31.997: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:35.829: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:43.893: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:59.829: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:08:19.805: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:08:28.541: ISAKMP:(0):purging SA., sa=46ED285C, delme=46ED285C
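An added example (not from the thread and not Cisco code) that turns the debug above into something checkable: a Python script that parses the "Checking ISAKMP transform N against priority P policy" blocks, records which attribute the router named when it rejected each transform, and replays that comparison against candidate "crypto isakmp policy" settings. The sample debug inside the script is a trimmed copy of the policy 10 pass above (transforms 1, 2, 4 and 5). What it assumes: the IOS 12.4 policy defaults (des, sha, rsa-sig, group 1); a comparison order of encryption, hash, DH group, authentication, taken from the order in which the debug names mismatches; and an "observed" policy 10 that is inferred from the verdicts, not a configuration shown on the page.

```python
"""Replay an IOS IKEv1 phase 1 policy match from 'debug crypto isakmp' output.
Added example for this thread, not Cisco code; the sample debug is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Policy 10 pass from the debug above, trimmed to transforms 1, 2, 4, 5 and the lines the parser reads.
SAMPLE_DEBUG = """\
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP: hash SHA
*Sep 28 08:07:28.517: ISAKMP: unknown DH group 14
*Sep 28 08:07:28.517: ISAKMP: auth pre-share
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP: encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP: hash SHA
*Sep 28 08:07:28.517: ISAKMP: default group 2
*Sep 28 08:07:28.517: ISAKMP: auth pre-share
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash SHA
*Sep 28 08:07:28.521: ISAKMP: default group 1
*Sep 28 08:07:28.521: ISAKMP: auth pre-share
*Sep 28 08:07:28.521: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP: encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP: hash MD5
*Sep 28 08:07:28.521: ISAKMP: default group 1
*Sep 28 08:07:28.521: ISAKMP: auth pre-share
*Sep 28 08:07:28.521: ISAKMP:(0):Hash algorithm offered does not match policy!
"""

# Names as the debug prints them -> names used under 'crypto isakmp policy'.
NAMES = {"DES-CBC": "des", "3DES-CBC": "3des", "AES-CBC": "aes",
         "SHA": "sha", "MD5": "md5", "RSA sig": "rsa-sig"}
FIELD = {"encryption": "encr", "hash": "hash_alg", "auth": "auth"}

@dataclass(frozen=True)
class Transform:
    number: int; policy: int; encr: str; hash_alg: str; group: int; auth: str
    rejected_on: Optional[str]   # attribute IOS named, or None for 'atts are acceptable'

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <n>' block; unset lines take the IOS 12.4 defaults."""
    priority: int
    encr: str = "des"; hash_alg: str = "sha"
    group: int = 1; auth: str = "rsa-sig"

RE_CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(r"ISAKMP: (encryption|hash|(?:default|unknown DH) group|auth) (.+?)\s*$")
RE_VERDICT = re.compile(r"ISAKMP:\(\d+\):(?:(.+?) offered does not match policy!|atts are acceptable)")

def parse_transforms(debug: str) -> list[Transform]:
    """A 'Checking ISAKMP transform' line opens a record, attribute lines fill it,
    and the mismatch or 'atts are acceptable' line closes it."""
    out: list[Transform] = []
    cur: dict = {}
    for line in debug.splitlines():
        if m := RE_CHECK.search(line):
            cur = {"number": int(m.group(1)), "policy": int(m.group(2))}
        elif not cur:
            continue
        elif m := RE_ATTR.search(line):
            key, val = m.groups()
            if key.endswith("group"):
                cur["group"] = int(val)
            else:
                cur[FIELD[key]] = NAMES.get(val, val.lower())
        elif m := RE_VERDICT.search(line):
            out.append(Transform(rejected_on=m.group(1), **cur))
            cur = {}
    return out

def first_mismatch(policy: IsakmpPolicy, t: Transform) -> Optional[str]:
    """Order taken from the debug: encryption, hash, DH group, auth; only the first
    difference is named. Lifetime is not compared (a shorter peer lifetime is accepted)."""
    for name, ok in (("Encryption algorithm", policy.encr == t.encr),
                     ("Hash algorithm", policy.hash_alg == t.hash_alg),
                     ("Diffie-Hellman group", policy.group == t.group),
                     ("Authentication method", policy.auth == t.auth)):
        if not ok:
            return name
    return None

def negotiate(policies: list[IsakmpPolicy], offers: list[Transform]) -> Optional[tuple[int, int]]:
    """Responder order seen in the debug: every offer against the lowest-numbered policy,
    then the next policy. Returns (policy priority, transform number) or None."""
    for pol in sorted(policies, key=lambda p: p.priority):
        for t in offers:
            if first_mismatch(pol, t) is None:
                return pol.priority, t.number
    return None

# Policy 10 exactly as posted at the top of the thread (hash defaults to sha).
POSTED_10 = IsakmpPolicy(10, encr="3des", group=2, auth="pre-share")
# A policy 10 consistent with every verdict in the sample (inferred, not shown on the page):
# the DES transforms pass the encryption check, so encryption must have dropped to DES.
OBSERVED_10 = IsakmpPolicy(10, encr="des", group=2, auth="pre-share")
DEFAULT_65535 = IsakmpPolicy(65535)   # the built-in default policy, all IOS defaults
```

Read against the thread: with policy 10 as originally posted (encr 3des, group 2, pre-share, hash defaulting to sha), transform 2 from the Windows client is acceptable, which is consistent with the first post getting as far as Quick mode. In the later debug the same 3DES proposals are rejected on encryption while the DES ones get past it, so whatever the phase 1 change was, policy 10 no longer carries 3DES (an unset encr line defaults to DES). Transform 1 is a lost cause on this router either way, since it prints "unknown DH group 14". The fix belongs on the policy side (make it match a 3DES/SHA/group 2/pre-share proposal again); do not add a DES or MD5 policy to make the client's weaker proposals acceptable.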
09-27-2010 01:10 PM
This link might help
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml
I'm seeing that you are using
interface Virtual-Template1
ip unnumbered Loopback0
And the IP Address of your loopback is
ip address 10.1.1.1 255.255.255.0
If your client is trying to connect from the outside, I think you should try something like
interface Virtual-Template1
ip unnumbered FastEthernet0/0
Check that.
09-28-2010 04:29 AM
Diego,
this is not required.
Example configuration:
It's pretty common to use Loopback.
Marcin
09-28-2010 05:56 AM
HI Marcin
Thank you for your support. Now the issue is resolved and I am able to connect to the VPN. Once again, thank you for the link you sent me. If I need any clarification, can I post my questions?
Javahar
09-28-2010 09:04 AM
Javahar,
Glad to be of help :-)
Feel free to post additional questions.
And please - for all the people that will stumble onto this by googling, can you specify what you changed to have this working?
Marcin
09-29-2010 12:10 AM
HI Marcin
The VPN is established, but I am not able to access any workstation in my local network. The VPN client IP is 192.168.20.XX (no subnet or gateway); my local LAN IP is 192.168.2.X. Could you please help me in this regard?
regards
Javahar
09-29-2010 12:27 AM
Javahar,
This looks like a topic for a different thread.
I would first consider looking at routing in this scenario. (Does the router know how to get packets back to the client? Does the station you're trying to communicate with have a properly set gateway to reach the client?)
Have you given RRI a thought (if it is routing)?
Marcin