ASK THE EXPERT- TROUBLESHOOTING IPSEC VPNS ON IOS

May 23rd, 2003

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Troubleshooting IPSec VPNs on IOS with Cisco expert Afaq Khan. Afaq is part of the Technical Assistance Center (TAC) based in San Jose, where he has been working on the VPN TAC team as a customer support engineer for almost two years now. Feel free to post any questions relating to Troubleshooting IPSec VPNs on IOS. Remember to use the rating system to let Afaq know if you've received an adequate response.

Afaq might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 6. Visit this forum often to view responses to your questions and the questions of other community members.


sanjay.sangwan Sun, 05/25/2003 - 00:28

HI,


We have a typical remote access VPN scenario where the central site has a VPN Concentrator 3005 with a router connected to the ISP over a 64K leased line.

There are 10 different branch offices with a LAN of 8 users at each site. If I am using an ISDN router with IPSec software at each branch, will it be sufficient to establish the VPN tunnel to the central site for all the users?


Or do I need to use an ISDN router with no IPSec IOS in combination with a VPN hardware client box at each site? Please clarify.


Sanjay

Network Engineer

Muscat, Oman

shahryar.k Sun, 05/25/2003 - 00:55

Hi Sanjay,


You do not need any client hardware. Your IPSec-enabled routers at all the spoke sites would act as VPN gateways and you can have a site-to-site VPN tunnel. For the users sitting on the LAN it would be transparent, because all the interesting traffic will be protected by the IPSec tunnel. So it will be non-intrusive to the clients. You can even use your own private address space to talk to the central site.


Hope it solves your problem.


Regards


sanjay.sangwan Sun, 05/25/2003 - 04:38

Hi,


But I heard that in site-to-site VPNs we need to have a static public address on both sides and we need to define the peer IP address at both ends. In this case my branch router is dynamically getting its IP address from the ISP. Will this router act as a VPN client on behalf of all the LAN users?

In what kind of scenarios are we using the hardware client box? Please clarify.


sanjay


shahryar.k Sun, 05/25/2003 - 07:18

Hi Sanjay,


Yeah, now I got the complete picture. If you are using the Cisco 800 series routers then Cisco has now made it real "easy". There is a new feature called the Easy VPN Solution: if you have a Cisco 800 series or Cisco 1700 series router you can have a central VPN concentrator, which will act as the Easy VPN server, and your router running the IPSec feature set will act as a client (so far only on 800, 1700 and 900 uBR routers). All the policy will be pushed down to the router and the dynamic IP address does not really matter.


If you do not have the said routers (or if you already have those hardware clients, i.e. the Cisco 3002) you can use the hardware client as the Easy VPN client and NAT the private IP address on the hardware client to the outside interface address on your edge router.


Now this will make life really simple. Just define one policy for all the remote sites and the Concentrator ( easy vpn server) will push it down to all the clients.


P.S. This server feature is currently available on all 3000 series concentrators.

afakhan Mon, 05/26/2003 - 14:28

Hi Sanjay,


You won't need any client (software or hardware) when you have branch office routers with a VPN tunnel directly to your VPN3k, i.e. site-to-site VPNs.


In case they don't have static IPs, you can configure your routers as IOS Easy VPN clients and connect to the VPN3K as the VPN server.


Hopefully, this would give you some insight:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800a8565.html


Please feel free to get back if you have more Qs.


Thanks,

Afaq, CSE


matthewtan Sun, 05/25/2003 - 23:02

Hi, I have a problem regarding Cisco VPN Client 4.0 and a 2621 router running IOS 12.2(17). I am using Cisco ACS 2.3.6.2 Unix for AAA using RADIUS.

Below is the debug log captured on the router after I failed to connect using the client.


*Mar 1 03:12:14: ISAKMP (0:0): received packet from 203.125.xxx.xx (N) NEW SA
*Mar 1 03:12:14: ISAKMP: local port 500, remote port 500
*Mar 1 03:12:14: ISAKMP (0:1): Setting client config settings 8215E230
*Mar 1 03:12:14: ISAKMP (0:1): (Re)Setting client xauth list vpnauthen and state
*Mar 1 03:12:14: ISAKMP: Created a peer node for 203.125.xxx.xx
*Mar 1 03:12:14: ISAKMP: Locking struct 8215E230 from crypto_ikmp_config_initialize_sa
*Mar 1 03:12:14: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 03:12:14: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 11:12:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 203.125.xxx.xx
*Mar 1 03:12:14: ISAKMP (0:1): incrementing error counter on sa: reset_retransmission
*Mar 1 03:12:15: ISAKMP (0:1): retransmitting phase 1 AG_NO_STATE...
*Mar 1 03:12:15: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 03:12:15: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. AG_NO_STATE


I was wondering whether the VPN client version I'm using is compatible with the IOS version. What could have caused the problem?


afakhan Mon, 05/26/2003 - 14:40

Hi ,

Thanks for posting the Q.


To be able to connect with the client 4.0 (or any VPN 3000 client version), you would need to upgrade your router to 12.2(8)T (or later) code, or you can use 12.3 mainline code.


This IOS version doesn't support Easy VPN server.

http://www.cisco.com/warp/public/471/ios-unity.html


Thx

Afaq


matthewtan Mon, 05/26/2003 - 18:19

Hi Afaq,


Really appreciate your fast response. As my router does not have enough RAM to support 12.2(8)T or 12.3, I decided to try the Cisco Secure VPN Client 1.1.

I tried installing the client on a Win2k notebook and after reboot it prompts that ifcfg.exe failed. When I right-click on the SafeNet icon, I see a prompt "no driver installed". I understand that the 1.1 client supports NT 4.0; I was wondering whether it can be installed on a Win2000 machine.


Rgds,

Matthew

kennethchew Sun, 05/25/2003 - 23:04

Hi,


I'm currently trying to connect an 837 router as an Easy VPN client to a Cisco VPN concentrator. However, whenever the tunnel tries to come up, I get the error message "Processing of Aggressive mode failed with peer at x.x.x.x".

I've tried the same config on an 827 and it works fine. What could be the reason?


I'm using Version 12.2(13)ZG for my 837.


Regards

afakhan Mon, 05/26/2003 - 14:44

Hi ,


12.2(13)ZG has the Easy VPN Phase II implementation, so it should work fine on the c837 as well.


Please post the config and the complete crypto debugs (debug cry isa / debug cry ips) to further analyze the situation.


Thanks,

Afaq, CCIE


kennethchew Mon, 05/26/2003 - 16:33

Dear Afaq,


The debug output,




*Mar 1 00:15:20.571: ISAKMP (3): Total payload length: 15
*Mar 1 00:15:20.571: ISAKMP (0:3): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar 1 00:15:20.571: ISAKMP (0:3): Old State = IKE_READY New State = IKE_I_AM1
*Mar 1 00:15:20.571: ISAKMP (0:3): beginning Aggressive Mode exchange
*Mar 1 00:15:20.571: ISAKMP (0:3): sending packet to xxx.xxx.xxx.xxx my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 00:15:20.767: ISAKMP (0:3): received packet from xxx.xxx.xxx.xxx dport 500 sport 500 Global (I) AG_INIT_EXCH
*Mar 1 00:15:20.767: ISAKMP (0:3): processing SA payload. message ID = 0
*Mar 1 00:15:20.767: ISAKMP (0:3): processing ID payload. message ID = 0
*Mar 1 00:15:20.767: ISAKMP (0:3): processing vendor id payload
*Mar 1 00:15:20.767: ISAKMP (0:3): vendor ID is Unity
*Mar 1 00:15:20.767: ISAKMP (0:3): processing vendor id payload
*Mar 1 00:15:20.767: ISAKMP (0:3): vendor ID seems Unity/DPD but major 215 mismatch
*Mar 1 00:15:20.771: ISAKMP (0:3): vendor ID is XAUTH
*Mar 1 00:15:20.771: ISAKMP (0:3): processing vendor id payload
*Mar 1 00:15:20.771: ISAKMP (0:3): vendor ID is DPD
*Mar 1 00:15:20.771: ISAKMP: no pre-shared key based on address zzz.zzz.zzz.zzz !
*Mar 1 00:15:20.771: ISAKMP: Looking for a matching key for xxx.xxx.xxx.xxx in default : success
*Mar 1 00:15:20.771: ISAKMP (0:3): found peer pre-shared key matching xxx.xxx.xxx.xxx
*Mar 1 00:15:20.771: ISAKMP : Scanning profiles for xauth ...
*Mar 1 00:15:20.771: ISAKMP (0:3) Authentication by xauth preshared
*Mar 1 00:15:20.771: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65527 policy
*Mar 1 00:15:20.771: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.775: ISAKMP: hash MD5
*Mar 1 00:15:20.775: ISAKMP: default group 2
*Mar 1 00:15:20.775: ISAKMP: auth pre-share
*Mar 1 00:15:20.775: ISAKMP: life type in seconds
*Mar 1 00:15:20.775: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.775: ISAKMP (0:3): Hash algorithm offered does not match policy!
*Mar 1 00:15:20.775: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.775: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65528 policy
*Mar 1 00:15:20.775: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.775: ISAKMP: hash MD5
*Mar 1 00:15:20.775: ISAKMP: default group 2
*Mar 1 00:15:20.775: ISAKMP: auth pre-share
*Mar 1 00:15:20.775: ISAKMP: life type in seconds
*Mar 1 00:15:20.779: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.779: ISAKMP (0:3): Authentication method offered does not match policy!
*Mar 1 00:15:20.779: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.779: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65529 policy
*Mar 1 00:15:20.779: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.779: ISAKMP: hash MD5
*Mar 1 00:15:20.779: ISAKMP: default group 2
*Mar 1 00:15:20.779: ISAKMP: auth pre-share
*Mar 1 00:15:20.779: ISAKMP: life type in seconds
*Mar 1 00:15:20.779: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.783: ISAKMP (0:3): Hash algorithm offered does not match policy!
*Mar 1 00:15:20.783: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.783: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65530 policy
*Mar 1 00:15:20.783: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.783: ISAKMP: hash MD5
*Mar 1 00:15:20.783: ISAKMP: default group 2
*Mar 1 00:15:20.783: ISAKMP: auth pre-share
*Mar 1 00:15:20.783: ISAKMP: life type in seconds
*Mar 1 00:15:20.783: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.783: ISAKMP (0:3): Preshared authentication offered but does not match policy!
*Mar 1 00:15:20.783: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.783: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65531 policy
*Mar 1 00:15:20.787: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.787: ISAKMP: hash MD5
*Mar 1 00:15:20.787: ISAKMP: default group 2
*Mar 1 00:15:20.787: ISAKMP: auth pre-share
*Mar 1 00:15:20.787: ISAKMP: life type in seconds
*Mar 1 00:15:20.787: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.787: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.787: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.787: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65532 policy
*Mar 1 00:15:20.787: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.787: ISAKMP: hash MD5
*Mar 1 00:15:20.787: ISAKMP: default group 2
*Mar 1 00:15:20.791: ISAKMP: auth pre-share
*Mar 1 00:15:20.791: ISAKMP: life type in seconds
*Mar 1 00:15:20.791: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.791: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.791: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.791: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65533 policy
*Mar 1 00:15:20.791: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.791: ISAKMP: hash MD5
*Mar 1 00:15:20.791: ISAKMP: default group 2
*Mar 1 00:15:20.791: ISAKMP: auth pre-share
*Mar 1 00:15:20.791: ISAKMP: life type in seconds
*Mar 1 00:15:20.791: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.795: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.795: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.795: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65534 policy
*Mar 1 00:15:20.795: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.795: ISAKMP: hash MD5
*Mar 1 00:15:20.795: ISAKMP: default group 2
*Mar 1 00:15:20.795: ISAKMP: auth pre-share
*Mar 1 00:15:20.795: ISAKMP: life type in seconds
*Mar 1 00:15:20.795: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.795: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.795: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.799: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65535 policy
*Mar 1 00:15:20.799: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.799: ISAKMP: hash MD5
*Mar 1 00:15:20.799: ISAKMP: default group 2
*Mar 1 00:15:20.799: ISAKMP: auth pre-share
*Mar 1 00:15:20.799: ISAKMP: life type in seconds
*Mar 1 00:15:20.799: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.799: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.799: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.799: ISAKMP (0:3): no offers accepted!
*Mar 1 00:15:20.799: ISAKMP (0:3): phase 1 SA policy not acceptable! (local xxx.xxx.xxx.xxx remote xxx.xxx.xxx.xxx)
*Mar 1 00:15:20.807: ISAKMP (0:3): incrementing error counter on sa: construct_fail_ag_init
*Mar 1 00:15:20.807: ISAKMP (0:3): Unknown Input: state = IKE_I_AM1, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 00:15:20.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at xxx.xxx.xxx.xxx



The config,



hostname c837
!
logging buffered warnings
no logging monitor
!
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool SohoDHCP
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
!
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
 ip mtu adjust
!
crypto ipsec client ezvpn GROUP
 connect auto
 group GROUPID key 6 GROUPPWD
 mode client
 peer xxx.xxx.xxx.xxx
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn group inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/100
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp pap sent-username ISP_USERNAME password 7 ISP_Password
 crypto ipsec client ezvpn GROUP
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
ip http server
no ip http secure-server
!


suguilian Tue, 05/27/2003 - 00:17

It seems that the ISAKMP policies on the client and the server (encryption algorithm) don't match. You may try to use the same policy on the two boxes.
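The mismatch suggested above can be read off the 837's own debug mechanically. The script below is an added example (it is not from the thread and not Cisco code): it walks `debug crypto isakmp` output of the shape posted above, records for every local policy priority which attribute of the peer's single transform was rejected, and decodes the offered lifetime from the VPI bytes. The sample lines are a constructed, trimmed excerpt of that post (three of the nine policy checks, documentation addresses instead of the poster's); the message formats are the ones visible in the post, nothing else is assumed.

```python
import re

# Constructed sample in the shape of the "debug crypto isakmp" output quoted
# above, trimmed to three of the nine policy checks; addresses are RFC 5737
# documentation ranges, not the poster's.
SAMPLE_DEBUG = """\
*Mar 1 00:15:20.771: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65527 policy
*Mar 1 00:15:20.771: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.775: ISAKMP: hash MD5
*Mar 1 00:15:20.775: ISAKMP: default group 2
*Mar 1 00:15:20.775: ISAKMP: auth pre-share
*Mar 1 00:15:20.775: ISAKMP: life type in seconds
*Mar 1 00:15:20.775: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.775: ISAKMP (0:3): Hash algorithm offered does not match policy!
*Mar 1 00:15:20.775: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.775: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65528 policy
*Mar 1 00:15:20.775: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.775: ISAKMP: hash MD5
*Mar 1 00:15:20.775: ISAKMP: default group 2
*Mar 1 00:15:20.775: ISAKMP: auth pre-share
*Mar 1 00:15:20.775: ISAKMP: life type in seconds
*Mar 1 00:15:20.779: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.779: ISAKMP (0:3): Authentication method offered does not match policy!
*Mar 1 00:15:20.779: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.799: ISAKMP (0:3): Checking ISAKMP transform 4 against priority 65535 policy
*Mar 1 00:15:20.799: ISAKMP: encryption 3DES-CBC
*Mar 1 00:15:20.799: ISAKMP: hash MD5
*Mar 1 00:15:20.799: ISAKMP: default group 2
*Mar 1 00:15:20.799: ISAKMP: auth pre-share
*Mar 1 00:15:20.799: ISAKMP: life type in seconds
*Mar 1 00:15:20.799: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:15:20.799: ISAKMP (0:3): Encryption algorithm offered does not match policy!
*Mar 1 00:15:20.799: ISAKMP (0:3): atts are not acceptable. Next payload is 0
*Mar 1 00:15:20.799: ISAKMP (0:3): no offers accepted!
*Mar 1 00:15:20.799: ISAKMP (0:3): phase 1 SA policy not acceptable! (local 10.0.0.1 remote 192.0.2.1)
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth|life type|life duration) (.+)$")
REJECT_RE = re.compile(r"ISAKMP \(\d+:\d+\): (.+?) offered (?:but )?does not match policy!")
FAIL_RE = re.compile(r"no offers accepted!")


def lifetime_seconds(vpi_text):
    """Decode 'life duration (VPI) of 0x0 0x20 0xC4 0x9B' (big-endian bytes)."""
    value = 0
    for tok in re.findall(r"0x[0-9A-Fa-f]+", vpi_text):
        value = (value << 8) | int(tok, 16)
    return value


def summarize_phase1(debug_text):
    """Return the peer's offered attributes, the rejection reason per local
    policy priority (in the order IOS checked them) and the final verdict."""
    offer, rejections, priority = {}, [], None
    for line in debug_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            priority, offer = int(m.group(2)), {}
            continue
        m = ATTR_RE.search(line)
        if m and priority is not None:
            offer[m.group(1)] = m.group(2).strip()
            continue
        m = REJECT_RE.search(line)
        if m and priority is not None:
            rejections.append((priority, m.group(1)))
    return {
        "offer": offer,
        "lifetime_seconds": lifetime_seconds(offer.get("life duration", "")),
        "rejections": rejections,
        "no_offers_accepted": bool(FAIL_RE.search(debug_text)),
    }


def diagnose(summary):
    """One-line verdict: what the peer offered and why every local policy refused it."""
    if not summary["no_offers_accepted"]:
        return "phase 1 proposal accepted"
    o = summary["offer"]
    peer = "%s/%s/group %s/%s" % (o.get("encryption"), o.get("hash"),
                                  o.get("default group"), o.get("auth"))
    reasons = sorted({r for _, r in summary["rejections"]})
    return ("peer offered %s (lifetime %ds); no local policy matched, %d rejections: %s"
            % (peer, summary["lifetime_seconds"], len(summary["rejections"]), ", ".join(reasons)))


if __name__ == "__main__":
    print(diagnose(summarize_phase1(SAMPLE_DEBUG)))
```

Two things the output makes visible. The 837 is the initiator here (`(I) AG_INIT_EXCH`), so the transform being checked is the concentrator's reply and the policies 65527 to 65535 it is checked against lie outside the user-configurable `crypto isakmp policy` range of 1 to 10000, which fits the reply further down that an Easy VPN client uses built-in IKE policies: the fix is on the server's proposal or the client's IOS image, not in a local policy statement. And the decoded lifetime, 2147483 seconds, is what the four VPI bytes actually say, which is handy when a lifetime mismatch rather than an algorithm mismatch is the rejection reason.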

kennethchew Tue, 05/27/2003 - 00:25

Hi,


Thanks for the reply.

I'm running the 837 as an Easy VPN client. Isn't it supposed to download the settings from my VPN server? Anyway, I've tried the same config on an 827 and it works. What could be the problem? What am I missing here?

afakhan Thu, 06/05/2003 - 10:36

Hi,


The Easy VPN client uses built-in IKE policies; your understanding is right.


Try using a different IOS version, 12.2(13)ZH.


thx

Afaq

afakhan Thu, 06/05/2003 - 23:52

Dear Kenneth,


If it doesn't resolve the issue, please feel free to open up a TAC case with the relevant information.


Regards,

Afaq

kpong Tue, 05/27/2003 - 01:33

Dear Afaq,


I have a Cisco 7206 running IOS 12.2(15)T2, configured as an L2TP/IPsec VPN server for WinXP/98/2k. CEF and flow switching are enabled on all interfaces, and an MTU size of 1300 is defined in the L2TP virtual-template to avoid fragmentation. I can successfully make the VPN connection from my WinXP and Win98 using the native MS VPN client. However, I found high CPU utilization in the L2X data daemon process when transferring a large amount of data from my Win98, but it doesn't happen when using WinXP.


Could you please advise what I can do to fix the high CPU utilization problem?


Thanks,

Victor




afakhan Tue, 05/27/2003 - 13:41

Hi,


Thanks for the Q.


I'd suggest you sniff the packets (leaving Win98) and compare them with what you see on XP/W2K machines. If they are different, what if you lower the MTU size on the Win98 NIC, does that help?


let me know.


Regards,

Afaq


kpong Sun, 06/01/2003 - 01:31

Hi Afaq,


The MTU size may not be the cause of the high CPU utilization problem on my router, because I found the switching methods are disabled on the virtual-access interface when the L2TP/IPsec client on my Win98 connects to my router with IP header compression enabled in the TCP/IP settings. So the traffic in the L2TP tunnel is passed to process switching, resulting in high CPU usage.


Then I disabled the IP header compression and tried again. The switching methods are enabled on the virtual-access interface. The traffic in the L2TP/IPsec tunnel is passed to fast switching.


The command "ip tcp header-compression" had been added to the virtual-template for L2TP/IPsec in my router when I was performing the test.


Could you advise why the switching methods are disabled?


Here is the output of sh ip int vir-access for my Win98 connection with IP header compression enabled:


Virtual-Access4 is up, line protocol is up
  Interface is unnumbered. Using address of FastEthernet4/1
  Broadcast address is 255.255.255.255
  Peer address is
  MTU is 1400 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is disabled
  IP fast switching on the same interface is disabled
  IP Flow switching is enabled
  IP CEF switching is disabled
  IP Null turbo vector
  IP Null turbo vector
  IP multicast fast switching is disabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Flow, Flow Cache
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is enabled and compressing
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled


Thanks

afakhan Fri, 06/06/2003 - 00:22

Hi,


TCP header compression on the virtual-access interface is not a supported feature in IOS as of now.


This issue is documented in CSCdz05851.

The switching path (CEF/fast switching) would only work with compression disabled.



thx

Afaq

davisdev Wed, 05/28/2003 - 09:10

Hi.


We are trying to implement VPN in our offices, but we are having some problems with the configuration of the central site and remote users. On the central site we are using a Cisco PIX Firewall 515-UR and for remote access we have Cisco client 3.x. The problem is that when we try to connect to the central site it seems that the PIX doesn't receive any information to allow the tunnel with the client. I ran the debug crypto ipsec command, but it doesn't show anything. I checked all the configuration on the central site and the remote and it seems OK, but it doesn't work. I would appreciate any suggestion.


thx


David

afakhan Wed, 05/28/2003 - 10:11

Hi David,


Thanks for posting the Q.


Please check the following:

1 - you have configured your PIX and/or client as per cisco documentation, point to:

http://www.cisco.com/warp/public/110/pix3000.html

2 - try doing some packet debugging on the router in front of the PIX (if you have any), to see if you are receiving udp500/udp4500 traffic into the PIX from the VPN clients' IPs; if not then:

3 - make sure your ISP is not blocking udp500 or udp4500 traffic.


hope this helps.

Thanks,

Afaq


ptr609 Wed, 05/28/2003 - 10:05

Hi - We want to implement a PIX 501 to 3005 site-to-site connection. The 3005 works great for client connections. The remote sites with the 501s have DSL modems running 256k to the Internet. The 501s are behind DSL modems which have public addresses that change and give DHCP addresses to the client computers. In setting up the 501s, it (the 501) needs to do its own DHCP, right? This is because of routing on the inside of the 3005. If I were to set up DHCP at the PIX 501 it cannot get an Internet connection, because the DSL modem will not NAT my addresses, just the addresses it has set up. Is there a way to set up DHCP at the 501 and still get access to the peer (3005) network and the Internet without the ability of changing the DSL modem?

afakhan Wed, 05/28/2003 - 10:20

Hi,


The best bet for you is to go for an Easy VPN client setup for the PIX FW using NAT-T; this way you can use the existing DSL modems (even if they are doing NAT) for the PIX IP. Just make sure that:


1 - you have PIX OS V6.3.1 or later (NAT-T)

2 - VPN3005 OS V3.6.3 or later (NAT-T)

3 - configure your pix fw as easy vpn client, see this:

http://www.cisco.com/warp/public/110/pix-ios-easyvpn.html


you can create a new group on vpn3005 to accept connection from this pix(as you do for vpn3002s).


hope it helps.

thanks,

Afaq


rlcarr Thu, 05/29/2003 - 05:00

Lifetime values.


The default lifetime values for Phase I and Phase II seem high. What do the experts recommend people use for IKE and IPsec lifetimes? Are the default lifetimes long enough for somebody to be able to hack?

For the IKE I would be using the pre-shared key.


Thanks,

~ron

afakhan Thu, 05/29/2003 - 09:43

Hi Ron,


The IKE Phase II default lifetime (3600s) is used most of the time; you can lower the IKE lifetime (default 86,400s) to a lower value.


Remember that data is encrypted using the IPsec SAs (not the IKE SA), so if you want to make your tunnel more hijack-proof, try enabling "PFS" so that every time the Phase II lifetime expires you recalculate the DH values and session keys, making it more difficult to crack a session.


hope it helps.

thx

Afaq

rick.mader Thu, 05/29/2003 - 14:24

Afaq,

I have remote vpn clients that can connect with my PIX 515. Works Great!


I have the need to create a site to site VPN between my Pix and a Linksys.


When I created the tunnel between the sites, the remote site could access the files, drawings and database on my net that they needed.

BUT my remote VPN clients could not get in.

I shut down the site-to-site, reloaded the PIX and restored the previous config.

BTW, the following config is not the config I tested when the remote VPN clients could not connect.

I would like to be able to have both site-to-site VPN and remote VPN clients on the same interface of the PIX running simultaneously.


MY Questions are...

What does this statement from the Output Interpreter mean?


WARNING: (VPN) There are 'crypto map {map_name} {seq_num} match address' access-lists defined that are not covered by 'nat 0' access-list '101':
TRY THIS: Ensure that NAT is disabled for IPsec traffic, as defined by crypto map access-lists.


How do I correct it?

and

Does the following crypto map appear to be correct for what I would like to accomplish?

Following is the pertinent parts of the config that I sent through the Output Interpreter:


PIX Version 6.1(1)
|
|
Content edited
|
|
access-list 101 permit ip any 192.X.X.0 255.255.255.0
access-list 101 permit ip 10.X.X.0 255.255.255.0 38.X.X.0
|
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set des-set esp-des esp-md5-hmac
crypto dynamic-map ciscoclient 4 set transform-set des-set
crypto map staticmap 20 ipsec-isakmp dynamic ciscoclient
crypto map staticmap 15 ipsec-isakmp
crypto map staticmap 15 match address 101
crypto map staticmap 15 set peer 12.X.X.X (same address as below)
crypto map staticmap 15 set transform-set des-set
crypto map staticmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp key ******* address 12.X.X.X netmask 255.255.255.255
isakmp policy 100 authentication pre-share
isakmp policy 100 encryption des
isakmp policy 100 hash md5
isakmp policy 100 group 2
isakmp policy 100 lifetime 5000


I am running this config through the Output Interpreter to glean as many errors as I can before putting it on the production Firewall.


One other item... I changed the second line in ACL 101 to 102, then changed the ACL that the crypto map refers to to 102, and got pretty much the same warning.

Thanks,

Rick

afakhan Fri, 05/30/2003 - 11:11

Hi,


Please make sure that you create a separate ACL for "nat 0" from your L2L crypto access-list #101, and then bypass NAT for both the site-to-site and the remote access VPNs using the newly created ACL.


http://www.cisco.com/warp/public/110/pix3000.html


site to site plus remote access should work fine.



thanks,

Afaq


rick.mader Fri, 05/30/2003 - 14:25

Afaq,

Is this what you described ...?

//acl for nat 0 statement
//bypass nat for remote access
access-list 101 permit ip any 192.X.X.0 255.255.255.0
//bypass nat for site to site
access-list 101 permit ip 10.X.X.0 255.255.255.0 38.X.X.0 255.255.255.0
//acl for crypto map
access-list 102 permit ip 10.X.X.0 255.255.255.0 38.X.X.0 255.255.255.0

apply to config-
nat (inside) 0 access-list 101

crypto map staticmap 15 ipsec-isakmp
crypto map staticmap 15 match address 102
crypto map staticmap 15 set peer 12.X.X.X
crypto map staticmap 15 set transform-set des-set

Thanks Rick

afakhan Mon, 06/02/2003 - 14:32

Hi ,


you got it.

if there is any problem afterwards, let me know.


thx

Afaq
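The rule confirmed in the exchange above (every entry of a crypto map's match-address ACL must be exempted from NAT by the "nat 0" ACL) is exactly what the Output Interpreter warning tests, and it is easy to check offline before touching the production firewall. The checker below is an added example, not the Output Interpreter's code and not from the thread. It parses only the PIX 6.x forms that appear in the posts (`access-list NAME permit ip SRC DST`, `nat (IF) 0 access-list NAME`, `crypto map NAME SEQ match address NAME`) and reports crypto ACL entries that no nat 0 entry covers. The two sample configs are constructed in the shape of Rick's corrected config, with RFC 5737 documentation addresses in place of the masked ones, plus a deliberately broken variant whose nat 0 ACL lacks the site-to-site line.

```python
import ipaddress
import re

# Constructed sample in the shape of the corrected config above (documentation
# addresses).  ACL 101 exempts both the remote-access pool and the L2L subnet
# from NAT; ACL 102 defines the L2L interesting traffic.
GOOD_CONFIG = """\
access-list 101 permit ip any 192.0.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list 102 permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list 101
crypto dynamic-map ciscoclient 4 set transform-set des-set
crypto map staticmap 20 ipsec-isakmp dynamic ciscoclient
crypto map staticmap 15 ipsec-isakmp
crypto map staticmap 15 match address 102
crypto map staticmap 15 set peer 203.0.113.1
"""

# Same, but the nat 0 ACL forgot the L2L subnet: the PIX would NAT the
# site-to-site traffic before the crypto map sees it.
BAD_CONFIG = GOOD_CONFIG.replace(
    "access-list 101 permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0\n", "")

ACL_RE = re.compile(r"^access-list (\S+) permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def _take_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_pix(config_text):
    """Return ({acl_name: [(src, dst), ...]}, [nat0 acl names], {(map, seq): acl})."""
    acls, nat0, crypto_acls = {}, [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.group(2))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acls[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nat0, crypto_acls


def covered(entry, exempt_entries):
    """True if some nat 0 entry is at least as wide as `entry` on both sides."""
    src, dst = entry
    return any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt_entries)


def uncovered_crypto_entries(config_text):
    """Crypto-map ACL entries no 'nat 0' ACL exempts, as
    (map, seq, acl_name, src, dst).  An empty list means no warning."""
    acls, nat0, crypto_acls = parse_pix(config_text)
    exempt = [e for name in nat0 for e in acls.get(name, [])]
    problems = []
    for (cmap, seq), acl_name in sorted(crypto_acls.items()):
        for entry in acls.get(acl_name, []):
            if not covered(entry, exempt):
                problems.append((cmap, seq, acl_name, str(entry[0]), str(entry[1])))
    return problems


if __name__ == "__main__":
    print("good:", uncovered_crypto_entries(GOOD_CONFIG))
    print("bad: ", uncovered_crypto_entries(BAD_CONFIG))
```

The dynamic map used by the remote-access clients has no match-address ACL, so the checker has nothing to test for it; what keeps those clients working is the first line of the nat 0 ACL (any source to the client pool), which is why the separate nat 0 ACL has to carry both lines even though the crypto ACL carries only the site-to-site one.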

gjstem Thu, 05/29/2003 - 20:38

I heard through one of our local Cisco SEs that when using IPsec over GRE on Cisco IOS, the code is optimized to run tunnel mode rather than transport mode, even though you are adding unnecessary extra overhead onto each IP packet. Could you elaborate on that?


thanks,


Gregory Stemberger

afakhan Fri, 05/30/2003 - 12:26

Hi Greg,


Thanks for the Q.


IPsec inside the GRE will always use tunnel mode, since the traffic is initiated from the host.


So transport mode would not work in this case; GRE inside IPsec supports both modes.


thx

Afaq


gjstem Fri, 05/30/2003 - 12:39

Thanks for the reply AFaq,

Let me try to rephrase my question to make it more clear.

I'm referring to a standard configuration scenario in which you are running IPsec over GRE, or GRE inside of IPsec (crypto maps applied to GRE tunnels). I've seen configs in which private traffic is being wrapped with a new header via the GRE tunnel, which are routable addresses, and then on top of that using IPsec tunnel mode that wraps the packet again with the IPsec endpoints, even though you could have just used transport mode on top of the IPsec so that just the payload was encrypted. I've heard that using IPsec tunnel mode over GRE is more optimized in the Cisco IOS code and therefore recommended even though you are adding extra overhead. Is that a true statement?



thanks,

Greg

afakhan Mon, 06/02/2003 - 09:04

Hi,


Transport mode should be used for such a configuration; based on my experience with Cisco IOS, I'd not suggest tunnel mode for a GRE/IPsec configuration.


Thanks for posting the question.


Thanks

Afaq, CSE

gjstem Mon, 06/02/2003 - 21:40

Afaq,


Thanks again for the response.


I've actually got a second question with regards to Cisco VPNs using IOS. Could you tell me if there are any issues with running IPsec/GRE tunnels over multiple T1s to the Internet with load balancing configured? I'm wondering if there is anything I need to be concerned with when receiving or sending IPsec/GRE packets on different T1s utilizing either per-packet or per-destination load sharing.


thanks,


Gregory Stemberger

afakhan Tue, 06/03/2003 - 13:48

Hi ,


Thanks for the question Greg.


There were some caveats with CEF per-packet load balancing:

CSCdx34698

CSCdx74089


Other than that, there could be some packet reordering issues, esp. with per-packet load balancing, but it should work.


Thanks

Afaq
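The reordering the reply above mentions matters for IPsec because the receiver runs an anti-replay check: each ESP SA carries a sequence number, and a packet that arrives further behind the highest sequence number already accepted than the replay window allows is dropped as if it were a replay. The simulation below is an added example, not from the thread; it implements the RFC 4303-style sliding window (the 64-packet default IOS uses is assumed here, not stated on the page) and feeds it packets sent round-robin over two paths with unequal one-way delay, the per-packet case, against the same flow pinned to one path, the per-destination case. Packet counts, delays and window sizes are constructed inputs.

```python
ACCEPTED, REPLAY, STALE = "accepted", "replay", "stale"


class ReplayWindow:
    """RFC 4303-style anti-replay check: a bitmap over the last `size` ESP
    sequence numbers, ending at the highest one accepted so far."""

    def __init__(self, size=64):      # 64 = IOS default window (assumption, see lead-in)
        self.size = size
        self.top = 0                  # highest sequence number accepted
        self.bits = 0                 # bit k set == sequence (top - k) already seen

    def receive(self, seq):
        if seq <= 0:
            raise ValueError("ESP sequence numbers start at 1")
        if seq > self.top:            # advances the window; always accepted
            shift = seq - self.top
            self.bits = ((self.bits << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return ACCEPTED
        offset = self.top - seq
        if offset >= self.size:
            return STALE              # arrived too late: behind the window
        if (self.bits >> offset) & 1:
            return REPLAY             # duplicate inside the window
        self.bits |= 1 << offset
        return ACCEPTED               # late but still inside the window


def simulate(n_packets, path_delays, window_size, per_packet=True):
    """Send ESP sequence numbers 1..n over parallel paths with different
    one-way delays.  Per-packet load sharing alternates paths; per-destination
    pins the whole flow to path 0.  Returns how many packets the receiver
    discards as stale, i.e. reordered further back than the window."""
    arrivals = []
    for seq in range(1, n_packets + 1):
        path = (seq - 1) % len(path_delays) if per_packet else 0
        arrivals.append((seq + path_delays[path], seq))
    arrivals.sort()                   # the receiver sees packets in arrival order
    window = ReplayWindow(window_size)
    return sum(1 for _, seq in arrivals if window.receive(seq) == STALE)


if __name__ == "__main__":
    for skew in (10, 30, 100):       # delay difference between the two T1 paths, in packet times
        print("skew %3d: per-packet stale drops=%3d  per-destination stale drops=%d"
              % (skew, simulate(400, [0, skew], 64), simulate(400, [0, skew], 64, False)))
```

The result is the practical rule behind the reply: per-packet sharing is harmless while the delay difference between the paths stays well inside the window, and silently discards a large share of the flow once it exceeds it, while per-destination sharing never reorders a single SA's packets. On the receiving router such drops surface as replay errors on the SA rather than as anything the sender can see, which is worth remembering when a load-shared tunnel shows loss that ping across the bare T1s does not.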

bdedek Fri, 05/30/2003 - 07:14

Hi,


I have deployed 5 site-to-site VPNs, central site is a 3640 with encryption card behind a corporate firewall performing NAT (unfortunately not Cisco). Three sites terminate IPSEC tunnel into Linksys VPN routers with GRE tunnels extending to old 2503s with ISDN backup. Other 2 locations use 1760s with vpn bundle behind the same PIX (2 VPNs inside one private network with PIX). They also use GRE tunnels and do ISDN backup.


I have two questions.


1. I have done some research on DMVPN, and it looks great but I have heard that it doesn't work when routers are behind NAT devices. Is this true and if so, do you know when it may be resolved?


2. We bring our VPNs into our main Internet connection at the hub. Is there some sort of QoS I can add to my configurations to prevent our normal Internet traffic (web, ftp, other) from degrading our VPNs. I know our firewall is not Cisco actually SUN, but the good thing is that our main gateway router that forwards to the firewall is also the VPN gateway. So, if I am correct in my assumption, I would put a QoS policy on the main router to prioritize VPN traffic over other traffic when going to the firewall. Any help is appreciated. BTW, how do most companies share their internet connection with mission critical VPNs?


Thanks,

Billy


bdedek Fri, 06/06/2003 - 10:17

Thanks Afaq.


I am trying to setup a test lab using the DMVPN with NAT. I have a host vpn router behind a firewall device with static external NAT IP allowing IPSEC through (IKE + ESP). The other device is directly connected to the internet.


I have installed 12.3.1 on both test systems, so I should have the fixed code. My setups begin and the debugs look good during the ISAKMP negotiations but fail with:


000414: Jun 6 12:47:08: ISAKMP (0:41): phase 2 SA policy not acceptable! (local *true internal ip of hub* remote *external ip of remote*)


I suspect it's failing because the host is trying to negotiate using its true IP rather than the NAT IP. All other ISAKMP negotiations reference the NAT IP instead of the internal IP. I have seen reference in other posts to a CRYPTO ISAKMP IDENTITY command. Could this fix my problem? Also, do I have to open the firewall to allow something for the NHRP to get this to work? Are there any references or config examples for using DMVPN with NAT?


Thanks

Billy

gou Fri, 05/30/2003 - 16:31
User Badges:

Hi, I'm trying to run a Win2k L2TP client going to a Win2k L2TP server.


Everything works fine when the client has a public IP address connecting to the public IP of the L2TP server. However, if the client is on a private IP NATed by a Cisco 3620, the client will not connect.


Is there any special configuration that will allow the Cisco 3620 router to pass through the L2TP IPSEC traffic so that the client can connect to the L2TP server? I know it is possible to make your PIX firewall pass through PPTP, but what about passing through L2TP on an IOS router?


Thanks, please CC [email protected].

afakhan Mon, 06/02/2003 - 09:27
User Badges:
  • Bronze, 100 points or more

Hi,


Thanks for the Q.


IPsec is not compatible with NAT (unless it's static: 1-to-1 or many-to-many). In your scenario, it seems that the client (workstation) IP is getting PATed on the Cisco router.


There can be two solutions:

1 - Use NAT-T for windows (doesn't apply to every platform) hotfix:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0802.asp


2 - Use 12.2(13)T or later version, they have a feature called:

IPSec Through Network Address Translation Support

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatesp.htm


Hope it helps.

thx

Afaq
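The reason PAT breaks plain ESP, and what NAT-T changes, can be seen by building both packet forms. The following is an added example, not code from the thread, from Cisco or from Microsoft: it constructs a raw ESP packet (IP protocol 50) and a UDP-encapsulated ESP packet (RFC 3948, UDP port 4500) and runs both through a toy port address translator. All addresses, SPIs and ciphertext bytes are constructed sample values, and the translator only handles UDP, which is enough to show the contrast.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500          # UDP port for IKE/ESP NAT traversal (RFC 3947/3948)


def _checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]


def esp_body(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def raw_esp_packet(src, dst, spi, seq, ciphertext) -> bytes:
    body = esp_body(spi, seq, ciphertext)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body


def natt_esp_packet(src, dst, sport, dport, spi, seq, ciphertext) -> bytes:
    """ESP inside UDP. RFC 3948 sends the UDP checksum as zero, so a NAT
    rewriting ports has nothing to recompute at layer 4."""
    body = esp_body(spi, seq, ciphertext)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def parse(pkt: bytes) -> dict:
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto}
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    if proto == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
        l4 = l4[8:]
        if NAT_T_PORT in (info["sport"], info["dport"]):
            info["spi"], info["seq"] = struct.unpack("!II", l4[:8])
    elif proto == IPPROTO_ESP:
        # Only an SPI and sequence number: no port field a PAT could rewrite.
        info["spi"], info["seq"] = struct.unpack("!II", l4[:8])
    return info


class Pat:
    """Toy PAT for one outside address. Flows are keyed by (inside address,
    inside port), so a packet without transport ports cannot be translated."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}            # (inside_ip, inside_port) -> outside port

    def translate_outbound(self, pkt: bytes):
        info = parse(pkt)
        if "sport" not in info:
            return None            # raw ESP: PAT has no per-host port to allocate
        key = (info["src"], info["sport"])
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        l4 = pkt[(pkt[0] & 0x0F) * 4:]
        new_l4 = struct.pack("!H", self.table[key]) + l4[2:]
        return ipv4_header(self.outside_ip, info["dst"], info["proto"], len(new_l4)) + new_l4

    def translate_inbound(self, pkt: bytes):
        info = parse(pkt)
        if "dport" not in info:
            return None
        for (inside_ip, inside_port), outside_port in self.table.items():
            if outside_port == info["dport"]:
                l4 = pkt[(pkt[0] & 0x0F) * 4:]
                new_l4 = l4[:2] + struct.pack("!H", inside_port) + l4[4:]
                return ipv4_header(info["src"], inside_ip, info["proto"], len(new_l4)) + new_l4
        return None                # no mapping: dropped, as a real PAT would do
```

Two inside hosts talking to the same L2TP/IPsec server get distinct outside ports (40000, 40001) in the NAT-T case and the server can tell the SAs apart by the UDP port pair it replies to. In the raw ESP case the translator returns None; that is the situation Afaq describes, and the "IPSec through NAT" feature he links to addresses it on the router side.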

habgooda Sat, 05/31/2003 - 16:00
User Badges:

I am configuring a series of IPSEC VPNs between a PIX 515E (running 6.31) and a number of 1760 (122-13.T3) routers. Even though they clearly have the pre-shared key defined, I am continuing to receive:

00:54:30: ISAKMP: local port 500, remote port 500
00:54:30: ISAKMP (0:1): No Cert or pre-shared address key.

The PIX is terminating successfully a number of PIX and VPN client VPNs across this and other interfaces. Full connectivity is available between the hosts (across one intermediary 3640 router).

Excerpts are as follows:

IOS Router

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key FA478dsgfsrC&DSF hostname FIREWALL.DOMAIN.COM
crypto isakmp key FA478dsgfsrC&DSF hostname FIREWALL
crypto isakmp key FA478dsgfsrC&DSF hostname 192.168.100.2
!
!
crypto ipsec transform-set wan-strong esp-3des esp-sha-hmac
!
crypto map test 50 ipsec-isakmp
set peer 192.168.100.2
set transform-set wan-strong
match address TEST-VPN
!
!
interface Serial0/0
ip address 10.76.248.106 255.255.255.252
encapsulation ppp
ip ospf message-digest-key 1 md5 7 08321F1D273656011B07
no fair-queue
crypto map test
!
ip access-list extended TEST-VPN
deny ip 10.78.24.0 0.0.7.255 10.76.248.0 0.0.0.255
deny ip 10.78.24.0 0.0.7.255 192.168.100.0 0.0.0.255
permit ip 10.78.24.0 0.0.7.255 any
permit ip any 10.78.24.0 0.0.7.255
!

PIX:

access-list TEST-VPN permit ip any 10.78.24.0 255.255.248.0
access-list TEST-VPN permit ip 10.78.24.0 255.255.248.0 any
sysopt connection permit-ipsec
crypto ipsec transform-set wan-strong esp-3des esp-sha-hmac
crypto map dmz-wan-vpn 50 ipsec-isakmp
crypto map dmz-wan-vpn 50 match address TEST-VPN
crypto map dmz-wan-vpn 50 set peer ROUTER1
crypto map dmz-wan-vpn 50 set transform-set wan-strong
crypto map dmz-wan-vpn interface dmz-wan
isakmp enable dmz-wan
isakmp key ******** address ROUTER1 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 1
isakmp policy 3 lifetime 86400

habgooda Sun, 06/01/2003 - 18:05
User Badges:

Resolved: obvious mistake, using the keyword hostname rather than address.
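The resolution above comes down to how a pre-shared key is selected: the PIX is configured with `isakmp identity address`, so the router has to find a key stored under the peer's IP address, and keys entered with the `hostname` keyword are only consulted for an FQDN identity. The following is an added example, not IOS code and not from the thread: a simplified model that parses `crypto isakmp key` lines into a keyring and looks a key up by the identity type the peer sent. The key strings here are placeholders, the matching rules (exact FQDN match, longest-mask match for addresses, `255.255.255.255` as the default mask) are this model's assumptions, and real IOS has further cases this does not cover.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Accepts:  crypto isakmp key <key> address <ip> [<mask>] [no-xauth]
#           crypto isakmp key <key> hostname <fqdn> [no-xauth]
KEY_LINE = re.compile(
    r"^\s*crypto isakmp key (?P<key>\S+) (?P<type>address|hostname) (?P<value>\S+)"
    r"(?: (?P<mask>\d+\.\d+\.\d+\.\d+))?(?: (?P<noxauth>no-xauth))?\s*$"
)


def parse_keyring(config: str) -> list:
    """Turn the crypto isakmp key lines of a config into keyring entries."""
    entries = []
    for line in config.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        entry = {"key": m["key"], "type": m["type"], "value": m["value"],
                 "no_xauth": m["noxauth"] is not None}
        if entry["type"] == "address":
            mask = m["mask"] or "255.255.255.255"      # assumed default: host match
            entry["network"] = IPv4Network((m["value"], mask), strict=False)
        entries.append(entry)
    return entries


def lookup_psk(keyring: list, peer_id_type: str, peer_id_value: str) -> Optional[dict]:
    """Find the key for a peer identity of type 'address' or 'hostname'.

    Address keys match by subnet, most specific mask winning, so a wildcard
    0.0.0.0 0.0.0.0 entry only applies when nothing narrower matches.
    Hostname keys match a sent FQDN case-insensitively and are never
    consulted for an address identity, which is what the thread hit.
    """
    best = None
    for entry in keyring:
        if entry["type"] != peer_id_type:
            continue
        if peer_id_type == "address":
            if IPv4Address(peer_id_value) in entry["network"]:
                if best is None or entry["network"].prefixlen > best["network"].prefixlen:
                    best = entry
        elif entry["value"].lower() == peer_id_value.lower():
            return entry
    return best


# Constructed configs mirroring the thread: keys stored under hostname while
# the peer identifies itself by address, then the corrected form.
BROKEN_CONFIG = """
crypto isakmp key EXAMPLEKEY hostname FIREWALL.DOMAIN.COM
crypto isakmp key EXAMPLEKEY hostname FIREWALL
crypto isakmp key EXAMPLEKEY hostname 192.168.100.2
"""

FIXED_CONFIG = """
crypto isakmp key EXAMPLEKEY address 192.168.100.2
crypto isakmp key WILDCARDKEY address 0.0.0.0 0.0.0.0 no-xauth
"""

if __name__ == "__main__":
    broken = parse_keyring(BROKEN_CONFIG)
    print("broken, peer by address :", lookup_psk(broken, "address", "192.168.100.2"))
    fixed = parse_keyring(FIXED_CONFIG)
    print("fixed, peer by address  :", lookup_psk(fixed, "address", "192.168.100.2")["key"])
    print("fixed, unknown peer     :", lookup_psk(fixed, "address", "192.0.2.7")["key"])
```

The third broken line is the instructive one: `hostname 192.168.100.2` stores the address as a name, so it is still skipped when the peer presents an address identity, and the router reports no pre-shared address key even though the key material itself was correct.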

kristine.meganc... Mon, 06/02/2003 - 15:03
User Badges:

Hi,


I have the following problem. At HQ there is an 837 router configured for serving software Easy VPN clients with authentication. I want to connect a branch office with a site-to-site VPN without authentication. The branch office has a dynamic address, so when I add the CLI: crypto isakmp key XXXX address 0.0.0.0 0.0.0.0 no-xauth (with another key than my clients are running), I cannot connect anymore with the software Easy VPN clients.

Is there a configuration in which I can have a site-to-site VPN (no Easy VPN, because I would have to authenticate otherwise) and the software Easy VPN clients with authentication?


Thx,

Kristine

Hi Afaq,

We have a PIX firewall and one Internet router (3600). Can you pls tell me on which device I should enable the VPN (upgrading the IOS)? Can you pls list the advantages and disadvantages of each method? We are looking for a site-to-site VPN. Which method will be best for this?


Regards,

Sachin

afakhan Wed, 06/04/2003 - 14:21
User Badges:
  • Bronze, 100 points or more

Hi Sachin,


Thanks for the Q.


Cisco IOS is a better candidate for IPSec VPNs when you need features like routing/QoS/IPSec HA etc.

You just need to download the IOS that has the crypto feature set.

PIX would work fine as well, but it lacks the above features that are available in IOS for IPSec VPNs.


Feel free to touch base with me, if you have further questions.

Thanks

Afaq

