remote vpn using cisco1841

donnie
Level 1

Hi all,

There is a problem with my remote access VPN on my Cisco 1841.

My VPN client shows the following errors while trying to establish a VPN to my 1841. I was prompted for a username and password but failed to connect after that.

1) No private IP address was assigned by the peer

2) Failed to process ModeCfg Reply (NavigatorTM:175)

Below is my config. Please advise, and thanks in advance.

Current configuration : 5229 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username test privilege 15 password 7 066767677676
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remotevpn local
aaa authorization exec default local
aaa authorization network remotevpn local
aaa session-id common
ip subnet-zero
ip cef
!
!
!
!
ip ips po max-events 100
no ip domain lookup
ip domain name yourdomain.com
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key test address 12.x.x.x
!
crypto isakmp client configuration group vpn
key cisco
dns 192.x.x.x
domain test
pool vpnpool
acl split_tunnel
crypto isakmp profile vpn_client
   match identity group vpn
   client authentication list remotevpn
   isakmp authorization list remotevpn
   client configuration address respond
!
!
crypto ipsec transform-set set esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set set
set isakmp-profile vpn_client
reverse-route
!
!
crypto map test 10 ipsec-isakmp
set peer 12.x.x.x
set transform-set set
match address 120
crypto map test 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test
ppp chap password test
ppp pap sent-username test password test
crypto map test
!
ip local pool vpnpool 192.x.x.1 192.x.x.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.x.x.x 443 6.x.x.x 443 extendable
ip nat inside source static tcp 10.x.x.x 80 6.x.x.x 80 extendable

!
ip access-list extended inbound
evaluate mis
ip access-list extended outbound
permit ip any any reflect mis
ip access-list extended split_tunnel
permit ip 10.x.x.x 0.0.0.255 192.x.x.x 0.0.0.255
!
access-list 1 permit any
access-list 100 permit tcp any host 6.x.x.x eq 443
access-list 100 permit tcp host 2.x.x.x host 6.x.x.x eq 80
access-list 100 permit udp any any
access-list 100 permit icmp any any
access-list 100 permit tcp any any established
access-list 100 permit tcp any any ack
access-list 100 permit tcp any any psh
access-list 100 permit tcp any eq domain any
access-list 100 permit esp any any
access-list 100 permit tcp any host 6.x.x.x eq 22
access-list 110 remark SDM_ACL Category=18
access-list 110 deny   ip 10.x.x.0 0.0.0.255 192.x.x.0 0.0.0.255
access-list 110 deny   ip 10.x.x.0 0.0.0.255 192.x.x.0 0.0.0.255
access-list 110 permit ip 10.x.x.0 0.0.0.255 any
access-list 120 permit ip 10.x.x.0 0.0.0.255 1.x.x.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server enable traps tty
route-map nonat permit 10
match ip address 110
!
!
!
control-plane
!
banner login ^C
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
end
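
An added example, not part of the original post and not a Cisco tool: a Python check that every name the Easy VPN server lines in the configuration above refer to (address pool, split-tunnel ACL, AAA lists, transform set, ISAKMP profile, dynamic map) is actually defined, which is a router-side thing to rule out when the client reports that no private IP address was assigned. The names `SAMPLE_CONFIG`, `CHECKS` and `unresolved_references` are hypothetical, and the sample is abridged from the posted config.

```python
import re

# Constructed sample: Easy VPN server lines abridged from the config posted above.
SAMPLE_CONFIG = """\
aaa authentication login remotevpn local
aaa authorization network remotevpn local
crypto isakmp client configuration group vpn
 key cisco
 pool vpnpool
 acl split_tunnel
crypto isakmp profile vpn_client
 match identity group vpn
 client authentication list remotevpn
 isakmp authorization list remotevpn
 client configuration address respond
crypto ipsec transform-set set esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set set
 set isakmp-profile vpn_client
crypto map test 65535 ipsec-isakmp dynamic dynmap
ip local pool vpnpool 192.x.x.1 192.x.x.10
ip access-list extended split_tunnel
"""

# Hypothetical check table: (label, regex capturing a referenced name, regex template for its definition)
CHECKS = [
    ("address pool", r"^\s*pool (\S+)", r"^ip local pool {} "),
    ("split-tunnel ACL", r"^\s*acl (\S+)", r"^ip access-list extended {}\s*$"),
    ("group in profile", r"^\s*match identity group (\S+)", r"^crypto isakmp client configuration group {}\s*$"),
    ("xauth list", r"^\s*client authentication list (\S+)", r"^aaa authentication login {} "),
    ("authorization list", r"^\s*isakmp authorization list (\S+)", r"^aaa authorization network {} "),
    ("transform-set", r"^\s*set transform-set (\S+)", r"^crypto ipsec transform-set {} "),
    ("isakmp profile", r"^\s*set isakmp-profile (\S+)", r"^crypto isakmp profile {}\s*$"),
    ("dynamic map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", r"^crypto dynamic-map {} "),
]

def unresolved_references(config):
    """Return sorted (label, name) pairs that are referenced but never defined."""
    missing = set()
    for label, ref_pat, def_tpl in CHECKS:
        for name in re.findall(ref_pat, config, re.MULTILINE):
            if not re.search(def_tpl.format(re.escape(name)), config, re.MULTILINE):
                missing.add((label, name))
    return sorted(missing)

if __name__ == "__main__":
    print("posted config:", unresolved_references(SAMPLE_CONFIG) or "all references resolve")
    broken = SAMPLE_CONFIG.replace("ip local pool vpnpool", "ip local pool vpn_pool")
    print("renamed pool :", unresolved_references(broken))
```

On the posted lines every reference resolves, so the check reports nothing; a mistyped pool name is flagged as an unresolved address pool.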

3 Replies

Jennifer Halim
Cisco Employee

Please turn on logs on the VPN Client, and also enable debug on the router:

debug cry isa

debug cry ipsec

Try to connect with the VPN client, and collect all the logs to further investigate the issue.

Hi Jennifer,

Thanks. It turned out that it was an ISP routing issue. Once they changed the routing path, the problem was solved.

Can you advise how I can configure split DNS on my 1841? My split tunneling works but I need split DNS. Thanks in advance.

You can configure the split-dns command in the VPN client group configuration:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr.html#wp1518907

However, I believe it might only be supported from version 12.4 onwards.
