03-12-2004 05:17 AM - edited 02-21-2020 01:04 PM
Hi,
I'm trying to make an easy VPN server with a router 1701. I'm also using VPN client 4.0.2 (D).
It doesn't work, and all I obtain is this message in the client:
1 14:15:48.456 03/12/04 Sev=Warning/2 IPSEC/0x6370001E
Unexpected TCP control packet received from 80.59.2.213, src port 10000, dst port 4773, flags 14h
Can anybody help me?
If you want, I can post my configuration.
03-15-2004 06:02 AM
By all means post your config. I will have a look and see if there is any problem. From the debug it looks as though you are using NAT-T port 10000. Can you confirm this?
03-16-2004 12:45 AM
Finally I managed to solve the problem, but there are still some problems during IKE negotiation.
Can anyone post an example with simultaneous point-to-point VPN plus VPN server for VPN software clients?
Thanks in advance.
03-18-2004 02:27 AM
Here you go. Although it is a bit lazy.
service password-encryption
!
hostname router
!
!
username admin privilege 15 password admin
username usera password usera
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address xxx.xxx.xxx.xxx no-xauth
!
crypto isakmp client configuration group vpngroup
key vpnkey
dns xxx.xxx.xxx.xxx
wins xxx.xxx.xxx.xxx
domain acme.com
pool vpnpool
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set SDM_TRANSFORMSET_1
!
!
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to remotesiteIP
set peer xxx.xxx.xxx.xxx
set transform-set SDM_TRANSFORMSET_1
match address 102
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group 100 in
ip nat inside
speed auto
no keepalive
no shut
!
interface Ethernet1/0
description $FW_OUTSIDE$
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect DEFAULT100 out
crypto map SDM_CMAP_1
no shut
!
!
ip local pool vpnpool 10.45.1.1 10.45.1.10
ip nat inside source route-map SDM_RMAP_1 interface e1/0 overload
ip nat inside source static xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
ip classless
ip route 0.0.0.0 0.0.0.0 e1/0
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended PAT
ip access-list extended PAT_ACL
ip access-list extended addr-pool
ip access-list extended group-lock
ip access-list extended service
ip access-list extended timeout
ip access-list extended wins-servers
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=0
access-list 101 remark IPSec Rule
access-list 101 permit ip any 10.44.50.0 0.0.0.255
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host xxx.xxx.xxx.xxx eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.xxx
access-list 101 permit ahp any host xxx.xxx.xxx.xxx
access-list 101 deny ip xxx.xxx.xxx.xxx 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip xxx.xxx.xxx.xxx 0.0.0.255 xxx.xxx.xxx.xxx 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map SDM_RMAP_1 permit 1
match ip address PAT_ACL
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password cisco
transport input telnet
!
no scheduler allocate
!
end
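As an added example that is not part of the thread (and not a Cisco tool), here is a small Python lint for the three structural points the config above depends on: every LAN-to-LAN pre-shared key on an Xauth-enabled crypto map carries no-xauth, the dynamic map entry has the highest sequence number, and the outside ACL permits isakmp, non500-isakmp and ESP. The function name lint_easyvpn_config and the trimmed sample config with documentation-range addresses are assumptions made for this example.

```python
import re

# Constructed excerpt of the posted config (documentation-range addresses).
SAMPLE_CONFIG = """\
crypto isakmp key cisco123 address 203.0.113.10 no-xauth
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 match address 102
crypto map SDM_CMAP_1 99 ipsec-isakmp dynamic dynmap
access-list 101 permit udp any host 198.51.100.1 eq non500-isakmp
access-list 101 permit udp any host 198.51.100.1 eq isakmp
access-list 101 permit esp any host 198.51.100.1
"""

def lint_easyvpn_config(config: str, outside_acl: str = "101") -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Pre-shared keys: peer address -> whether the key carries 'no-xauth'.
    keys = {m.group(1): "no-xauth" in ln for ln in lines
            if (m := re.match(r"crypto isakmp key \S+ address (\S+)", ln))}
    # Crypto maps on which Xauth is enabled for remote-access clients.
    xauth_maps = {m.group(1) for ln in lines
                  if (m := re.match(r"crypto map (\S+) client authentication list", ln))}
    static_seqs, dynamic_seqs, current = {}, {}, None
    for ln in lines:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?", ln)
        if m:
            name, seq, dyn = m.group(1), int(m.group(2)), m.group(3)
            (dynamic_seqs if dyn else static_seqs).setdefault(name, []).append(seq)
            current = name
            continue
        m = re.match(r"set peer (\S+)", ln)
        # Check 1: a LAN-to-LAN peer on an Xauth-enabled map needs a 'no-xauth'
        # key, otherwise the router prompts that peer for a username and IKE stalls.
        if m and current in xauth_maps and not keys.get(m.group(1), False):
            findings.append(f"peer {m.group(1)} on map {current}: isakmp key lacks no-xauth")
    # Check 2: the dynamic entry must carry the highest sequence number so the
    # static site-to-site entries are evaluated before the catch-all client entry.
    for name, seqs in dynamic_seqs.items():
        if static_seqs.get(name) and min(seqs) <= max(static_seqs[name]):
            findings.append(f"map {name}: dynamic entry seq {min(seqs)} is not above static entries")
    # Check 3: the outside ACL must let IKE (UDP/500), NAT-T (UDP/4500) and ESP in.
    acl = [ln for ln in lines if ln.startswith(f"access-list {outside_acl} permit")]
    for needle in ("eq isakmp", "eq non500-isakmp", "permit esp"):
        if not any(needle in ln for ln in acl):
            findings.append(f"access-list {outside_acl}: no permit for '{needle}'")
    return findings
```

Run it against the output of show running-config; each finding names the map, peer or ACL that needs attention.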