09-28-2010 11:33 PM
Hi all,
There is a problem with my remote access VPN on my Cisco 1841.
My VPN client has the following errors while trying to establish a VPN to my 1841. I was prompted for a username and password but failed to connect after that.
1) No private IP address was assigned by the peer
2) Failed to process ModeCfg Reply (NavigatorTM:175)
Below is my config. Please advise, and thanks in advance.
Current configuration : 5229 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username test privilege 15 password 7 066767677676
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remotevpn local
aaa authorization exec default local
aaa authorization network remotevpn local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key test address 12.x.x.x
!
crypto isakmp client configuration group vpn
key cisco
dns 192.x.x.x
domain test
pool vpnpool
acl split_tunnel
crypto isakmp profile vpn_client
match identity group vpn
client authentication list remotevpn
isakmp authorization list remotevpn
client configuration address respond
!
!
crypto ipsec transform-set set esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set set
set isakmp-profile vpn_client
reverse-route
!
!
crypto map test 10 ipsec-isakmp
set peer 12.x.x.x
set transform-set set
match address 120
crypto map test 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test
ppp chap password test
ppp pap sent-username test password test
crypto map test
!
ip local pool vpnpool 192.x.x.1 192.x.x.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.x.x.x 443 6.x.x.x 443 extendable
ip nat inside source static tcp 10.x.x.x 80 6.x.x.x 80 extendable
!
ip access-list extended inbound
evaluate mis
ip access-list extended outbound
permit ip any any reflect mis
ip access-list extended split_tunnel
permit ip 10.x.x.x 0.0.0.255 192.x.x.x 0.0.0.255
!
access-list 1 permit any
access-list 100 permit tcp any host 6.x.x.x eq 443
access-list 100 permit tcp host 2.x.x.x host 6.x.x.x eq 80
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any any ack
access-list 100 permit tcp any any psh
access-list 100 permit tcp any eq domain any
access-list 100 permit esp any any
access-list 100 permit tcp any host 6.x.x.x eq 22
access-list 110 remark SDM_ACL Category=18
access-list 110 deny ip 10.x.x.0 0.0.0.255 192.x.x.0 0.0.0.255
access-list 110 deny ip 10.x.x.0 0.0.0.255 192.x.x.0 0.0.0.255
access-list 110 permit ip 10.x.x.0 0.0.0.255 any
access-list 120 permit ip 10.x.x.0 0.0.0.255 1.x.x.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server enable traps tty
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
banner login ^C
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
end
09-29-2010 05:37 AM
Please turn on logs on the VPN Client, and also enable debug on the router:
debug cry isa
debug cry ipsec
Try to connect with the vpn client, and collect all the logs to further investigate the issue.
09-29-2010 07:21 PM
Hi Jennifer,
Thanks. It turned out that it was an ISP routing issue. Once they changed the routing path, the problem was solved.
Can you advise how I can configure split DNS on my 1841? My split tunneling works, but I need split DNS. Thanks in advance.
09-29-2010 08:38 PM
You can configure the split-dns command in the VPN client group configuration:
However, I believe it might only be supported from version 12.4 onwards.