RAVPN is not working!!

Hi,

I have a PIX with OS version 7.2 and I am trying to set up a RAVPN; however, it keeps failing and I get the following error on the PIX when enabling the crypto debug commands:

Apr 05 01:47:15 [IKEv1]: Group = ccie, IP = 192.1.24.114, Error: Unable to remove PeerTblEntry

Apr 05 01:47:20 [IKEv1]: Group = ccie, IP = 192.1.24.114, Removing peer from peer table failed, no match!

And the following error is from my VPN client, version 4.8.01:

The remote peer is no longer responding

01:53:32.493 04/05/08 Sev=Warning/2 IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

Here is my PIX VPN config:

crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto dynamic-map ccie 1 set transform-set ccie
crypto dynamic-map ccie 1 set reverse-route
crypto map cciemap 1 ipsec-isakmp dynamic ccie
crypto map cciemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group ccie type ipsec-ra
tunnel-group ccie general-attributes
 address-pool ccie
tunnel-group ccie ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication (outside) none

Any idea of why the VPN is failing?

R/ Haitham

1 ACCEPTED SOLUTION

Re: RAVPN is not working!!

Haitham,

I have seen cases where NAT statements cause that "no match" trouble, but after a deeper look, it is about the mismatch between your transform-set hash and your isakmp policy hash. Issue the following:

crypto isakmp policy 1
 hash md5

Do not forget to apply your NAT statements. After the ACL change, the following is also missing:

nat (inside) 0 access-list inside_nat0_outbound

Please attach the latest config.

Regards

14 REPLIES

Re: RAVPN is not working!!

Hi Haitham,

First of all, your VPN IP pool does not meet RFC 1918. Please create a new pool according to section "3. Private Address Space" in the following link:

http://www.faqs.org/rfcs/rfc1918.html

If you are too lazy to read, just choose a pool in 192.168.x.x, not 192.x.x.x.

Second, and most probably, check your exempt NAT statement for the VPN pool, or post the related config for me to check.

Also try restarting the PIX after your config is done.

Regards

Re: RAVPN is not working!!

Hi Husycisco, well, I understand your answers above, but is a NAT exemption rule required? As I understand it, can we use NAT/PAT to allow VPN network traffic for the Inside/DMZ zone, whatever you want to allow? Thanks

Re: RAVPN is not working!!

Hi Richard,

Exempt NAT is not a must, but it is the widely used NAT type for a simple RA VPN. In scenarios where required, like in a spoke-to-spoke topology, NAT/PAT can be implemented instead of exempt NAT.

Regards

Re: RAVPN is not working!!

Hi husycisco,

I agree on the private addressing and on the NAT points; however, would creating a non-private IP pool and not configuring NAT really prevent the RAVPN from coming up?

R/Haitham

Re: RAVPN is not working!!

Haitham,

Your IP addressing does not actually end up with the error you are encountering right now, but missing/wrong NAT statements may cause it. Please attach your sanitized config.

Re: RAVPN is not working!!

Husycisco,

I added the NAT config as you suggested and also changed the NAT as you advised, but this also didn't bring it into a working state! Please note that this configuration is in a lab, so don't beat me up for using some public addresses :)

Attached please find the full PIX config file.

Appreciate your feedback on how to make the RAVPN work!

R/ Haitham

Re: RAVPN is not working!!

Haitham,

There are some simple configuration steps missing in your config.

First of all, you do not have a default route. X is your default gateway for the PIX:

route outside 0.0.0.0 0.0.0.0 192.1.24.x

Second, basic NAT and global statements. If you want to proceed without them, which is in fact not best practice, you should disable nat-control. The following would be the best practice for NAT statements. Btw, there are two configs in the txt you attached; in one the VPN pool is 1.1.1.0 and in the other 192.168.1.0. I am assuming 1.1.1.0 is active in the following config suggestion. Also keep in mind that 192.168.1.0 is the default IP config of most off-the-shelf internet modems/routers, so that would conflict with the VPN user's local network. Stick with RFC 1918, but do not use widely used ranges like this.

no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0 0
global (outside) 1 interface
access-list inside_nat0_outbound permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224

Third, for the sake of simplicity, apply the following:

no crypto dynamic-map ccie 1 set reverse-route
tunnel-group ccie ipsec-attributes
 no isakmp ikev1-user-authentication (outside) none

And last, use the latest version of the Cisco VPN client, or at least version 5.x.

Regards
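The checks in the post above (default route, nat 0 exemption whose ACL actually covers the address pool, pool referenced by the tunnel-group) and the hash change in the accepted solution, as an added example that is not part of this thread: a small Python linter that runs over a pasted PIX/ASA 7.x config and reports what is missing. The helper, the finding codes and both sample configs are constructed for this page (the pool range, the exemption ACL and the gateway address are assumptions built from the addresses quoted in the thread); it is not Cisco tooling and does not replace `show run` on the box. It also flags DES, which the posted config uses in both phases; that is an editorial caveat, not something the thread asks for.

```python
"""Lint a PIX/ASA 7.x remote-access VPN config for the gaps raised in this thread (hypothetical
helper, not Cisco tooling; both sample configs are constructed from the thread's lines plus assumed ones)."""
import ipaddress
import re

# Constructed: the poster's crypto and tunnel-group lines as posted, plus an assumed
# 192.168.1.0 pool and an exemption ACL still aimed at the old 1.1.1.0 pool.
POSTED_CONFIG = """\
ip local pool ccie 192.168.1.10-192.168.1.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ccie esp-des esp-md5-hmac
crypto dynamic-map ccie 1 set transform-set ccie
crypto map cciemap 1 ipsec-isakmp dynamic ccie
crypto map cciemap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group ccie type ipsec-ra
tunnel-group ccie general-attributes
 address-pool ccie
tunnel-group ccie ipsec-attributes
 pre-shared-key *
"""

# Constructed: the same config after the thread's fixes (ACL aimed at the real pool,
# isakmp hash changed to md5, a default route). The gateway address is assumed.
FIXED_CONFIG = (
    POSTED_CONFIG.replace("1.1.1.0 255.255.255.224", "192.168.1.0 255.255.255.0")
    .replace(" hash sha", " hash md5")
    + "route outside 0.0.0.0 0.0.0.0 192.1.24.1\n"
)


def _isakmp_policy(lines):
    """Settings of the first 'crypto isakmp policy' block (indented or pasted flat)."""
    settings, in_policy = {}, False
    for line in lines:
        if line.startswith("crypto isakmp policy "):
            in_policy = True
        elif in_policy:
            m = re.match(r"\s*(authentication|encryption|hash|group|lifetime) (\S+)", line)
            if not m:
                break
            settings[m.group(1)] = m.group(2)
    return settings


def lint_ravpn(config):
    """(code, detail) findings for a pasted config; an empty list means all checks passed."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    # Without a default route the PIX cannot answer the client's IKE packets.
    if not any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append(("NO_DEFAULT_ROUTE", "no 'route <if> 0.0.0.0 0.0.0.0 <gateway>'"))
    # Pool defined, referenced by a tunnel-group, and exempted from NAT by an ACL whose
    # destination covers the whole pool range (the thread's 1.1.1.0 vs 192.168.1.0 slip).
    pool = next((re.match(r"ip local pool (\S+) (\S+)-(\S+)", l) for l in lines if l.startswith("ip local pool ")), None)
    if pool is None:
        findings.append(("NO_POOL", "no 'ip local pool' for remote-access clients"))
    else:
        name, first, last = pool.group(1), ipaddress.ip_address(pool.group(2)), ipaddress.ip_address(pool.group(3))
        if not any(re.match(r"\s*address-pool " + re.escape(name) + r"$", l) for l in lines):
            findings.append(("POOL_NOT_REFERENCED", f"no tunnel-group uses address-pool {name}"))
        nat0 = next((re.match(r"nat \(\S+\) 0 access-list (\S+)", l) for l in lines if re.match(r"nat \(\S+\) 0 access-list ", l)), None)
        if nat0 is None:
            findings.append(("NO_NAT0", "no 'nat (<if>) 0 access-list <acl>' exemption for pool traffic"))
        else:
            covered = False
            for l in lines:
                m = re.match(r"access-list (\S+) (?:extended )?permit ip \S+ \S+ (\S+) (\S+)$", l)
                if m and m.group(1) == nat0.group(1):
                    net = ipaddress.ip_network((m.group(2), m.group(3)), strict=False)
                    covered = covered or (first in net and last in net)
            if not covered:
                findings.append(("NAT0_ACL_MISSES_POOL", f"{nat0.group(1)} has no entry covering {first}-{last}"))
    # Phase 1 hash vs. Phase 2 HMAC: the difference the accepted answer removed.
    policy = _isakmp_policy(lines)
    transforms = next((l.split()[4:] for l in lines if l.startswith("crypto ipsec transform-set ")), [])
    ts_hmac = next((t[4:-5] for t in transforms if t.startswith("esp-") and t.endswith("-hmac")), None)
    if policy.get("hash") and ts_hmac and policy["hash"] != ts_hmac:
        findings.append(("HASH_MISMATCH", f"isakmp hash {policy['hash']} vs transform-set esp-{ts_hmac}-hmac"))
    # Editorial caveat, not something the thread asks for: DES (56-bit key) and 3DES are obsolete.
    weak = [x for x in [policy.get("encryption"), *transforms] if x in ("des", "3des", "esp-des", "esp-3des")]
    if weak:
        findings.append(("WEAK_CRYPTO", f"DES/3DES in use ({', '.join(weak)}); use AES"))
    return findings


def finding_codes(config):
    return [code for code, _ in lint_ravpn(config)]


if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("after the thread's fixes", FIXED_CONFIG)):
        print(f"== {label} ==")
        for code, detail in lint_ravpn(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

Run as a script, the posted config yields four findings (no default route, exemption ACL that misses the pool, isakmp hash differing from the transform-set HMAC, DES) and the fixed config yields only the DES warning. ISAKMP and the transform set negotiate their hashes independently, so the HASH_MISMATCH check is named after what the accepted answer changed rather than presented as a protocol rule; the other checks are the plain configuration omissions the thread walked through.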

Re: RAVPN is not working!!

Hi Husycisco, may I know the meaning of this command, no static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0, in the above configuration?

Re: RAVPN is not working!!

husycisco,

Thanks for your response, but still the same problem!!

Please check the attached updated config!!

R/ Haitham

Re: RAVPN is not working!!

Haitham,

I assumed you were using 1.1.1.0 as the VPN pool in my previous suggestion, but I see that you use 192.168.1.0. Then you should make the following modification:

no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Re: RAVPN is not working!!

husycisco,

I changed it but still giving the same error!

I am not sure whether the NAT has anything to do with the tunnel failing to get established; it should have more to do with the communications after the establishment! Should we look somewhere else?

R/ Haitham

Re: RAVPN is not working!!

Thanks husycisco, and now it finally worked!

So it was due to the hash mismatch between Phase I and Phase II!!

Thanks for your support and patience.

R/ Haitham

Re: RAVPN is not working!!

Haitham,

You are welcome. Nice to hear that issue is resolved.

Regards
