Solved: 2811 VPDN Configuration

rsjavahar · ‎09-27-2010

HI

I am trying to configure the VPDN on 2811 Router but i am not able to connect to the VPN. frist when i start the VPDN dialer from my PC i am getting this message ,

*Sep 27 12:00:33.314: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at XX.XXX.XX.218

the configuration follows .. Please let me know where i am doing the mistake

Building configuration...

Current configuration : 2043 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname VPN_R1

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password <removed>

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

ip cef

no ip dhcp use vrf connected

!

ip flow-cache timeout active 1

ip name-server xx.xx.xx.180

ip name-server 1.2.1.211

no ip ips deny-action ips-interface

vpdn enable

!

vpdn-group 1

! Default L2TP VPDN group

accept-dialin

protocol l2tp

virtual-template 1

no l2tp tunnel authentication

!

username test1234 password 0 test1234

username ciscovpn password 0 ciscovpn

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp key CisC01234 address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set ccsp esp-3des esp-sha-hmac

mode transport

!

crypto dynamic-map cc 10

set nat demux

set transform-set ccsp

!

crypto map cisco 10 ipsec-isakmp dynamic cc

!

interface Loopback0

ip address 10.1.1.1 255.255.255.0

!

interface FastEthernet0/0

description $FW_OUTSIDE$

ip address xxx.xxx.xxx.94 xx.xx.xx.252

duplex full

speed 100

crypto map cisco

!

interface FastEthernet0/1

description $FW_INSIDE$

ip address 1xx.1x1.xx3.1x3 255.255.255.192

ip route-cache flow

duplex auto

speed auto

!

interface Virtual-Template1

ip unnumbered Loopback0

peer default ip address pool l2tp-pool

ppp authentication chap

!

ip local pool pptp 1.100.0.1 1.100.0.10

ip classless

ip route 0.0.0.0 0.0.0.0 1xx.1xx.xx.93

!

ip flow-export source FastEthernet0/1

ip flow-export version 5

ip flow-export destination 1xx.1xx.xxx.250 9996

!

ip http server

no ip http secure-server

!

snmp-server ifindex persist

!

control-plane

!

line con 0

line aux 0

line vty 0 4

password <removed>

login

!

scheduler allocate 20000 1000

!

end

Please let me know why i am not able to connect to the VPN

Marcin Latosiewicz · ‎09-28-2010

Diego,

this is not required.

Example configuration:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_l2tp_nat_pat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047641

It's pretty common to use Loopback.

Marcin

View solution in original post

Marcin Latosiewicz · ‎09-27-2010

Quick mode is phase 2 IPsec.

Most likely cause:

1. Phase 2 parameters mismatch(PFS, encryption settings)

2. Or maybe landing on wrong profile on other side.

3. Others - would need ipsec and isakmp debugs to confirm. Both sides.

M.

Diego Armando Cambronero Arias · ‎09-27-2010

this migh help

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html#wp1067258

You do not necessary need a loopback in your vitual template. It is recommended but it will work only if loopback is handleing the public IPs

rsjavahar · ‎09-28-2010

HI

I tried to change the Phase 1 & 2 Setting , But still i am not able to connect to the VPN . I am getting this errors .. and in this I find Group 14 , I am trying to connect from my Laptop (XP sP2) Loaded

*Sep 28 08:07:28.509: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (N) NEW SA
*Sep 28 08:07:28.509: ISAKMP: Created a peer struct for 11.19.75.34, peer port 500
*Sep 28 08:07:28.509: ISAKMP: New peer created peer = 0x461E5C28 peer_handle = 0x80000022
*Sep 28 08:07:28.509: ISAKMP: Locking peer struct 0x461E5C28, refcount 1 for crypto_isakmp_process_block
*Sep 28 08:07:28.513: ISAKMP: local port 500, remote port 500
*Sep 28 08:07:28.513: insert sa successfully sa = 46ED285C
*Sep 28 08:07:28.513: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 28 08:07:28.513: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1

*Sep 28 08:07:28.513: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 28 08:07:28.513: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.513: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 28 08:07:28.517: ISAKMP:(0):Looking for a matching key for 11.19.75.34 in default
*Sep 28 08:07:28.517: ISAKMP:(0): : success
*Sep 28 08:07:28.517: ISAKMP:(0):found peer pre-shared key matching 11.19.75.34
*Sep 28 08:07:28.517: ISAKMP:(0): local preshared key found
*Sep 28 08:07:28.517: ISAKMP : Scanning profiles for xauth ...
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP:      hash SHA
*Sep 28 08:07:28.517: ISAKMP:      unknown DH group 14
*Sep 28 08:07:28.517: ISAKMP:      auth pre-share
*Sep 28 08:07:28.517: ISAKMP:      life type in seconds
*Sep 28 08:07:28.517: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.517: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP:      hash SHA
*Sep 28 08:07:28.517: ISAKMP:      default group 2
*Sep 28 08:07:28.517: ISAKMP:      auth pre-share
*Sep 28 08:07:28.517: ISAKMP:      life type in seconds
*Sep 28 08:07:28.517: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.517: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.517: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.517: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
*Sep 28 08:07:28.517: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.517: ISAKMP:      hash MD5
*Sep 28 08:07:28.517: ISAKMP:      default group 2
*Sep 28 08:07:28.517: ISAKMP:      auth pre-share
*Sep 28 08:07:28.517: ISAKMP:      life type in seconds
*Sep 28 08:07:28.517: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP:      encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP:      hash SHA
*Sep 28 08:07:28.521: ISAKMP:      default group 1
*Sep 28 08:07:28.521: ISAKMP:      auth pre-share
*Sep 28 08:07:28.521: ISAKMP:      life type in seconds
*Sep 28 08:07:28.521: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
*Sep 28 08:07:28.521: ISAKMP:      encryption DES-CBC
*Sep 28 08:07:28.521: ISAKMP:      hash MD5
*Sep 28 08:07:28.521: ISAKMP:      default group 1
*Sep 28 08:07:28.521: ISAKMP:      auth pre-share
*Sep 28 08:07:28.521: ISAKMP:      life type in seconds
*Sep 28 08:07:28.521: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
*Sep 28 08:07:28.521: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.521: ISAKMP:      hash SHA
*Sep 28 08:07:28.521: ISAKMP:      unknown DH group 14
*Sep 28 08:07:28.521: ISAKMP:      auth pre-share
*Sep 28 08:07:28.521: ISAKMP:      life type in seconds
*Sep 28 08:07:28.521: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.521: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.521: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.521: ISAKMP:(0):Checking ISAKMP transform 2 against priority 65535 policy
*Sep 28 08:07:28.521: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.521: ISAKMP:      hash SHA
*Sep 28 08:07:28.525: ISAKMP:      default group 2
*Sep 28 08:07:28.525: ISAKMP:      auth pre-share
*Sep 28 08:07:28.525: ISAKMP:      life type in seconds
*Sep 28 08:07:28.525: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 3 against priority 65535 policy
*Sep 28 08:07:28.525: ISAKMP:      encryption 3DES-CBC
*Sep 28 08:07:28.525: ISAKMP:      hash MD5
*Sep 28 08:07:28.525: ISAKMP:      default group 2
*Sep 28 08:07:28.525: ISAKMP:      auth pre-share
*Sep 28 08:07:28.525: ISAKMP:      life type in seconds
*Sep 28 08:07:28.525: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 4 against priority 65535 policy
*Sep 28 08:07:28.525: ISAKMP:      encryption DES-CBC
*Sep 28 08:07:28.525: ISAKMP:      hash SHA
*Sep 28 08:07:28.525: ISAKMP:      default group 1
*Sep 28 08:07:28.525: ISAKMP:      auth pre-share
*Sep 28 08:07:28.525: ISAKMP:      life type in seconds
*Sep 28 08:07:28.525: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.525: ISAKMP:(0):Authentication method offered does not match policy!
*Sep 28 08:07:28.525: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Sep 28 08:07:28.525: ISAKMP:(0):Checking ISAKMP transform 5 against priority 65535 policy
*Sep 28 08:07:28.529: ISAKMP:      encryption DES-CBC
*Sep 28 08:07:28.529: ISAKMP:      hash MD5
*Sep 28 08:07:28.529: ISAKMP:      default group 1
*Sep 28 08:07:28.529: ISAKMP:      auth pre-share
*Sep 28 08:07:28.529: ISAKMP:      life type in seconds
*Sep 28 08:07:28.529: ISAKMP:      life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 28 08:07:28.529: ISAKMP:(0):Hash algorithm offered does not match policy!
*Sep 28 08:07:28.529: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Sep 28 08:07:28.529: ISAKMP:(0):no offers accepted!
*Sep 28 08:07:28.529: ISAKMP:(0): phase 1 SA policy not acceptable! (local 115.111.23.94 remote 11.19.75.34)
*Sep 28 08:07:28.529: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*Sep 28 08:07:28.529: ISAKMP:(0): sending packet to 11.19.75.34 my_port 500 peer_port 500 (R) MM_NO_STATE
*Sep 28 08:07:28.529: ISAKMP:(0):peer does not do paranoid keepalives.

*Sep 28 08:07:28.529: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.529: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 228 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID is NAT-T v2
*Sep 28 08:07:28.533: ISAKMP:(0): processing vendor id payload
*Sep 28 08:07:28.533: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Sep 28 08:07:28.533: ISAKMP (0:0): FSM action returned error: 2
*Sep 28 08:07:28.533: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 28 08:07:28.533: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1

*Sep 28 08:07:28.537: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.537: ISAKMP: Unlocking peer struct 0x461E5C28 for isadb_mark_sa_deleted(), count 0
*Sep 28 08:07:28.537: ISAKMP: Deleting peer node by peer_reap for 11.19.75.34: 461E5C28
*Sep 28 08:07:28.537: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Sep 28 08:07:28.537: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA

*Sep 28 08:07:28.537: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 28 08:07:28.541: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 11.19.75.34)
*Sep 28 08:07:28.541: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
*Sep 28 08:07:28.541: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA

*Sep 28 08:07:29.909: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:31.997: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:35.829: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:43.893: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:07:59.829: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:08:19.805: ISAKMP (0:0): received packet from 11.19.75.34 dport 500 sport 500 Global (R) MM_NO_STATE
*Sep 28 08:08:28.541: ISAKMP:(0):purging SA., sa=46ED285C, delme=46ED285C

Diego Armando Cambronero Arias · ‎09-27-2010

This link might help

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml

Im seeing that you are using

interface Virtual-Template1

ip unnumbered Loopback0

And the IP Address of your loopback is

ip address 10.1.1.1 255.255.255.0

If your client is trying to connect from the outside I think you should try something like

interface Virtual-Template1

ip unnumbered FastEthernet0/0

Check that.

Marcin Latosiewicz · ‎09-28-2010

Diego,

this is not required.

Example configuration:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_l2tp_nat_pat_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047641

It's pretty common to use Loopback.

Marcin

rsjavahar · ‎09-28-2010

HI Marcin

Thank You for your support . Now the issues is resolved , now i am able to connect to the VPN , Once Again thank your the link you sent to me. if any clarification can i post my questions..?

Javahar

Marcin Latosiewicz · ‎09-28-2010

Javahar,

Glad to be of help :-)

Feel free to post additional questions.

And please - for all the people that will stumble onto this by googling, can you specify what you changed to have this working?

Marcin

rsjavahar · ‎09-29-2010

HI Marcin

VPN is established but i am not able to access any workstaion in my local Network , VPN client ip is 192.168.20.XX (no subnet or gateway), my local lan ip is 192.168.2.X , could you please help me in this regards ,

regards

Javahar

Marcin Latosiewicz · ‎09-29-2010

Javahar,

This looks like a topic for a different thread.

I would first consider looking at routing in this scenario. (Does the router know how to get packets back to client, does the station you're trying to communicate to have porperly set getway to connect to the client?)

Have you given RRI a thought (if is routing).

Marcin