New Member

Cisco VPN 1720 Problem

Hi,

Greetings! I have a Cisco 1720 router with the 3DES/FW 12.2(T) feature set and a hardware encryption engine.

I'm trying to set up:

i) an IPSEC tunnel between this router and another Cisco router using pre-shared key authentication, with primary and backup tunnels

ii) Cisco VPN client (3.6.3) with the Cisco 1720 using pre-shared key authentication and xauth local

I've managed to set up the site-to-site tunnel, but the VPN client still fails to connect.

The error messages are:

Dec 11 06:20:08.629: ISAKMP (0:0): received packet from 203.116.120.116 (N) NEW SA
.Dec 11 06:20:08.629: ISAKMP: local port 500, remote port 500
.Dec 11 06:20:08.629: ISAKMP: Created a peer node for 203.116.120.116
.Dec 11 06:20:08.629: ISAKMP (0:119): Setting client config settings 81942FE4
.Dec 11 06:20:08.629: ISAKMP (0:119): (Re)Setting client xauth list localuser and state
.Dec 11 06:20:08.629: ISAKMP: Locking CONFIG struct 0x81942FE4 from crypto_ikmp_config_initialize_sa, count 1
.Dec 11 06:20:08.633: ISAKMP (0:119): processing SA payload. message ID = 0
.Dec 11 06:20:08.633: ISAKMP (0:119): processing ID payload. message ID = 0
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID seems Unity/DPD but bad major
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is XAUTH
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is DPD
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is Unity
.Dec 11 06:20:08.637: ISAKMP (0:119): Checking ISAKMP transform 1 against priority 3 policy
.Dec 11 06:20:08.637: ISAKMP: encryption 3DES-CBC
.Dec 11 06:20:08.637: ISAKMP: hash SHA
.Dec 11 06:20:08.637: ISAKMP: default group 2
.Dec 11 06:20:08.637: ISAKMP: auth XAUTHInitPreShared
.Dec 11 06:20:08.637: ISAKMP: life type in seconds
.Dec 11 06:20:08.637: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
.Dec 11 06:20:08.637: ISAKMP (0:119): Xauth authentication by pre-shared key offered but does not match policy!

The last line of the log indicates that xauth authentication by pre-shared key was offered but does not match policy. However, I have defined a specific crypto policy using pre-shared key authentication.

I have tried for a few days to resolve the problem but to no avail. Your help will be greatly appreciated. Attached is the config file. Here is the config file (for security reasons, IP addresses have been replaced and some sensitive data is marked as xxxx):

version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime show-timezone
service password-encryption
!
hostname router
!
logging buffered 16384 debugging
logging rate-limit console 10 except emergencies
logging console critical
aaa new-model
!
!
aaa authentication login default local
aaa authentication login nopass none
aaa authentication login localuser local
aaa authentication login linepass line
aaa authentication login xauth_list group radius
aaa authentication login userauthen local
aaa session-id common
enable secret 5 xxxx
enable password 7 xxxx
!
username xxxx password 7 xxxx
username xxxx privilege 15 password 7 xxxx
username xxxx password 7 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip rcmd remote-username xxxx
ip rcmd source-interface Loopback0
!
!
ip tftp source-interface Loopback0
ip domain-name xxxx
!
ip audit notify log
ip audit po max-events 100
ip accounting-threshold 16384
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234 address 200.100.100.100 no-xauth
crypto isakmp key 1234 address 190.100.100.100 no-xauth
!
crypto isakmp client configuration group cisco
 key 1234
 pool ourpool
!
crypto ipsec security-association lifetime kilobytes 100000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpnsites esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnsites
!
!
crypto map vpnsitesmap client authentication list localuser
crypto map vpnsitesmap client configuration address respond
crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap
crypto map vpnsitesmap 10 ipsec-isakmp
 description Primary VPN Tunnel
 set peer 200.100.100.100
 set transform-set vpnsites
 set pfs group2
 match address hamgre1
crypto map vpnsitesmap 20 ipsec-isakmp
 description Backup VPN Tunnel
 set peer 190.100.100.100
 set transform-set vpnsites
 set pfs group2
 match address hamgre2
!
!
interface Loopback0
 ip address 172.30.23.5 255.255.255.255
!
interface Tunnel0
 description Primary Tunnel to Main
 bandwidth 512
 ip address 172.19.170.46 255.255.255.252
 ip mtu 1420
 delay 2000
 tunnel source 180.100.100.100
 tunnel destination 200.100.100.100
 crypto map vpnsitesmap
!
interface Tunnel1
 description Backup Tunnel
 bandwidth 512
 ip address 172.19.171.46 255.255.255.252
 ip mtu 1420
 delay 3000
 tunnel source 180.100.100.100
 tunnel destination 190.100.100.100
 crypto map vpnsitesmap
!
interface Ethernet0
 description Singapore Internet Connection
 ip address 180.100.100.100 255.255.255.224
 ip access-group extinacl in
 ip access-group extoutacl out
 ip accounting output-packets
 ip accounting access-violations
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map vpnsitesmap
!
interface FastEthernet0
 description Singapore Internal Network
 ip address 10.190.0.12 255.255.240.0
 ip accounting output-packets
 ip accounting access-violations
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
router eigrp 1220
 network 10.190.0.0 0.0.255.255
 network 172.19.170.44 0.0.0.3
 network 172.19.171.44 0.0.0.3
 network 172.30.0.0
 no auto-summary
 eigrp log-neighbor-changes
!
ip local pool ourpool 10.190.5.1 10.190.5.2
ip classless
ip route 0.0.0.0 0.0.0.0 180.100.100.99
ip route 190.100.100.100 255.255.255.255 180.100.100.99
ip route 200.100.100.100 255.255.255.255 180.100.100.99
no ip http server
ip pim bidir-enable
!
!
ip access-list extended extinacl
 permit udp any host 180.100.100.100 eq isakmp
 permit esp any host 180.100.100.100
 permit icmp any 180.100.100.0 0.0.0.31 administratively-prohibited
 permit icmp any 180.100.100.0 0.0.0.31 echo-reply
 permit icmp any 180.100.100.0 0.0.0.31 packet-too-big
 permit icmp any 180.100.100.0 0.0.0.31 unreachable
 deny ip 10.190.0.0 0.0.255.255 any
 permit icmp any host 180.100.100.100 echo
 permit tcp any host 180.100.100.100 eq 22
 permit tcp any host 180.100.100.100 gt 1023
 permit udp any host 180.100.100.100 gt 1023
 permit udp 158.43.0.0 0.0.255.255 eq ntp host 180.100.100.100
 permit gre host 200.100.100.100 host 180.100.100.100
 permit gre host 190.100.100.100 host 180.100.100.100
 permit udp 195.66.241.0 0.0.0.255 eq ntp host 180.100.100.100
 deny udp host 180.100.100.15 any
 deny udp host 180.100.100.17 any
 deny ip any any log
ip access-list extended extoutacl
 permit ip host 180.100.100.100 any
 permit ip 10.190.0.0 0.0.255.255 any
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip host 180.100.100.255 any
 deny ip any any log
ip access-list extended hamgre1
 permit gre host 180.100.100.100 host 200.100.100.100
ip access-list extended hamgre2
 permit gre host 180.100.100.100 host 190.100.100.100
!
!
snmp-server community public RO
snmp-server community VPN747 RO 10
snmp-server community mngt RW 3
snmp-server trap-source Loopback0
snmp-server location Singapore Firewall
snmp-server contact xxxx
snmp-server host 161.89.20.3 mngt
snmp-server host 161.89.20.30 mngt
snmp-server host 161.89.20.4 mngt
radius-server host 10.190.10.30 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxx
banner login ^CCC No Unauthorised Access Allowed ^C
!
line con 0
 exec-timeout 0 0
 login authentication nopass
 transport preferred none
line aux 0
line vty 0 4
 exec-timeout 20 0
 password 7 xxxx
 login authentication localuser
 transport preferred none
 transport input telnet ssh
!
ntp clock-period 17180052
ntp server 158.43.128.33
ntp server 158.43.128.66
ntp server 158.43.192.66
ntp server 209.28.72.2
ntp server 207.209.174.162
ntp server 207.209.174.160
ntp server 195.66.241.3
end

Thanks!

Cisco Employee

Re: Cisco VPN 1720 Problem

Hi,

Your config looks good except for the ISAKMP authorization list.

ISAKMP needs an authorization list, "aaa authorization network local", which is missing in your config. I have enclosed a couple of URLs to follow regarding the above-mentioned ISAKMP authorization.

http://www.cisco.com/warp/public/471/ios-unity.html#debug

http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a0080094685.shtml

Make the following changes and try connecting, and if you still have any issues, post the debugs from the router along with the client debugs.

Regards,

Arul
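As an added illustration (not part of the reply, and not a Cisco tool): a small Python check that reads an IOS config excerpt and reports, for each crypto map that enables XAuth, whether a `crypto map ... isakmp authorization list` is present and backed by an `aaa authorization network` line, and whether the static site-to-site peers keep `no-xauth` on their pre-shared keys. The excerpt is constructed from the posted config; the list name `groupauthor` is an assumed placeholder.

```python
import re

# Constructed excerpt modelled on the posted config (not the poster's full
# config); FIXED_CFG adds the authorization list the reply asks for.
BROKEN_CFG = """
crypto isakmp key 1234 address 200.100.100.100 no-xauth
crypto isakmp key 1234 address 190.100.100.100 no-xauth
crypto map vpnsitesmap client authentication list localuser
crypto map vpnsitesmap client configuration address respond
crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap
crypto map vpnsitesmap 10 ipsec-isakmp
 set peer 200.100.100.100
crypto map vpnsitesmap 20 ipsec-isakmp
 set peer 190.100.100.100
"""
FIXED_CFG = BROKEN_CFG.replace(
    "crypto map vpnsitesmap client configuration address respond",
    "crypto map vpnsitesmap client configuration address respond\n"
    "crypto map vpnsitesmap isakmp authorization list groupauthor\n"  # assumed name
    "aaa authorization network groupauthor local")

def _index(lines, pat):
    """{first group: second group or None} for every line matching pat."""
    return {m[1]: m[2] if m.lastindex == 2 else None
            for l in lines if (m := re.match(pat, l))}

def audit_ezvpn(cfg):
    """Findings for each crypto map that turns on XAuth (Easy VPN server role)."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    xauth = _index(lines, r"crypto map (\S+) client authentication list (\S+)$")
    authz = _index(lines, r"crypto map (\S+) isakmp authorization list (\S+)$")
    netauth = _index(lines, r"aaa authorization network (\S+)")
    no_xauth = _index(lines, r"crypto isakmp key \S+ address (\S+) no-xauth$")
    peers, cur = {}, None                      # static map entry -> its peers
    for l in lines:
        if l.startswith("crypto map"):         # dynamic entries carry no 'set peer'
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", l)
            cur = m[1] if m else None
        elif cur and l.startswith("set peer "):
            peers.setdefault(cur, []).append(l.split()[2])
    out = []
    for cmap in xauth:
        if cmap not in authz:
            out.append(f"{cmap}: no 'crypto map {cmap} isakmp authorization list'")
        elif authz[cmap] not in netauth:
            out.append(f"{cmap}: list '{authz[cmap]}' has no 'aaa authorization network'")
        for p in peers.get(cmap, []):          # site-to-site peers must skip XAuth
            if p not in no_xauth:
                out.append(f"{cmap}: key for peer {p} lacks 'no-xauth'")
    return out
```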
