299 Views, 0 Helpful, 3 Replies
Easy VPN server with 1701

admin_2 (Level 3)

Hi,

I'm trying to make an easy VPN server with a router 1701. I'm also using VPN client 4.0.2 (D).

It doesn't work, and all I obtain is this message in the client:

1 14:15:48.456 03/12/04 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from 80.59.2.213, src port 10000, dst port 4773, flags 14h

Can anybody help me?

If you want, I can post my configuration.

3 Replies

wsherlock (Level 1)

By all means post your config. I will have a look and see if there is any problem. From the debug it looks as though you are using NAT-T port 10000. Can you confirm this?

Not applicable

Finally I managed to solve the problem, but there are still some problems during IKE negotiation.

Can anyone post an example with simultaneous point to point VPN plus VPN server for VPN software clients?

Thanks in advance.

Here you go. Although it is a bit lazy.

service password-encryption
!
hostname router
!
username admin privilege 15 password admin
username usera password usera
aaa new-model
!
! local login list for Xauth of the software clients, network list for group authorization
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
ip domain name
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
! phase 1 policy shared by the site-to-site peer and the software clients
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! pre-shared key for the site-to-site peer; no-xauth keeps it from being prompted for a user login
crypto isakmp key cisco123 address xxx.xxx.xxx.xxx no-xauth
!
! Easy VPN group for the software clients (group key, DNS/WINS, domain and address pool pushed to them)
crypto isakmp client configuration group vpngroup
 key vpnkey
 dns xxx.xxx.xxx.xxx
 wins xxx.xxx.xxx.xxx
 domain acme.com
 pool vpnpool
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
! dynamic map for the software clients (peer address unknown in advance)
crypto dynamic-map dynmap 10
 set transform-set SDM_TRANSFORMSET_1
!
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
! static entry (low sequence number) for the site-to-site tunnel
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to remotesiteIP
 set peer xxx.xxx.xxx.xxx
 set transform-set SDM_TRANSFORMSET_1
 match address 102
! dynamic entry last (highest sequence number) so the static peer is matched first
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 100 in
 ip nat inside
 speed auto
 no keepalive
 no shut
!
interface Ethernet1/0
 description $FW_OUTSIDE$
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip nat outside
 ip inspect DEFAULT100 out
 crypto map SDM_CMAP_1
 no shut
!
ip local pool vpnpool 10.45.1.1 10.45.1.10
ip nat inside source route-map SDM_RMAP_1 interface e1/0 overload
ip nat inside source static xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
ip classless
ip route 0.0.0.0 0.0.0.0 e1/0
ip http server
ip http authentication local
ip http secure-server
!
ip access-list extended PAT
ip access-list extended PAT_ACL
ip access-list extended addr-pool
ip access-list extended group-lock
ip access-list extended service
ip access-list extended timeout
ip access-list extended wins-servers
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=0
access-list 101 remark IPSec Rule
access-list 101 permit ip any 10.44.50.0 0.0.0.255
! inbound on the outside interface: allow IKE, NAT-T (udp/4500), ESP and AH to the router itself
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx
access-list 101 permit ahp any host xxx.xxx.xxx.xxx
access-list 101 deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
! interesting traffic for the site-to-site tunnel
access-list 102 permit ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
 match ip address PAT_ACL
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 transport input telnet
!
no scheduler allocate
!
end
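As an added check, not part of the thread or of Cisco's own tooling, here is a small Python audit of the two things that most often break a combined static + dynamic crypto map like the one above: the dynamic entry must carry the highest sequence number so the static peer is matched first, and the inbound ACL on the interface carrying the crypto map must permit IKE (isakmp), NAT-T (non500-isakmp) and ESP. It generalizes beyond this one config (any number of maps and interfaces); the sample config is a constructed excerpt of the posted one, with the placeholder addresses kept.

```python
import re

# Constructed excerpt of the config posted above (placeholder addresses kept);
# only the parts the audit looks at.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
match address 102
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic dynmap
!
interface Ethernet1/0
ip access-group 101 in
crypto map SDM_CMAP_1
no shut
!
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) any host \S+(?: eq (\S+))?$")
REQUIRED = {"isakmp", "non500-isakmp", "esp"}  # IKE udp/500, NAT-T udp/4500, ESP


def audit(config):
    """Return a list of findings (empty = OK) for crypto map ordering and for the
    inbound ACL on every interface that has a crypto map applied."""
    findings, maps, acl_permits, iface_acl, iface_map = [], {}, {}, {}, {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]          # enter interface sub-mode
        elif line == "!":
            iface = None                      # section separator ends the block
        if (m := MAP_RE.match(line)):
            maps.setdefault(m[1], {"static": [], "dynamic": []})
            maps[m[1]]["dynamic" if m[3] else "static"].append(int(m[2]))
        elif iface and line.startswith("crypto map "):
            iface_map[iface] = line.split()[2]
        elif iface and line.startswith("ip access-group ") and line.endswith(" in"):
            iface_acl[iface] = line.split()[2]
        elif (m := ACL_RE.match(line)):
            acl_permits.setdefault(m[1], set()).add(m[3] or m[2])  # port name or protocol
    for name, seqs in maps.items():
        if seqs["dynamic"] and seqs["static"] and min(seqs["dynamic"]) < max(seqs["static"]):
            findings.append(f"{name}: dynamic entry must have the highest sequence number")
    for iface, name in iface_map.items():
        acl = iface_acl.get(iface)
        missing = REQUIRED - acl_permits.get(acl, set())
        if acl and missing:
            findings.append(f"{iface}: ACL {acl} missing permit for {sorted(missing)}")
    return findings
```

Feed it the output of `show running-config` and a non-empty list tells you which map or ACL to look at first.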
