IOS vpn with client 3.5.2

-- begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Since this was posted on a public forum, it is recommended that passwords be changed including encrypted passwords. Please refrain from posting confidential information on the site to reduce security risks involved. -- end ciscomoderator note --

I am trying to set up a VPN using a 1720 with the IOS Firewall PLUS DES and a VPN Client 3.5.2 on W2K Pro. I believe that the configuration is correct but I am not able to connect successfully. I have included the router config, version information, and VPN Client log file. What am I doing wrong here?

Router Configuration

Current configuration : 4245 bytes
!
version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ksv1720
!
no logging console
enable secret 5 --moderator edit--
enable password --moderator edit--
!
username --moderator edit-- --moderator edit--
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip domain-name ksvc.com
!
ip inspect name filter tcp alert off audit-trail off timeout 60
ip inspect name filter udp alert off audit-trail off timeout 60
ip audit notify log
ip audit po max-events 100
ip audit name idsrules info action alarm
ip audit name idsrules attack action alarm
!
crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group 3000client
 key ********
 dns 192.168.10.2
 wins 192.168.10.2
 domain ksvc.com
 pool ourpool
 acl 104
!
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
!
crypto dynamic-map vpndynmap 10
 set transform-set trans2
!
!
crypto map vpnclient local-address Serial0
crypto map vpnclient client configuration address initiate
crypto map vpnclient client configuration address respond
crypto map vpnclient 10 ipsec-isakmp dynamic vpndynmap
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip policy route-map nostatic
 speed auto
 no cdp enable
!
interface Serial0
 ip address --moderator edit-- 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect filter out
 ip audit idsrules in
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 17-24
 no cdp enable
 crypto map vpnclient
!
ip local pool ourpool 192.168.20.1 192.168.20.254
ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source static 192.168.10.2 --moderator edit--
ip nat inside source static 192.168.10.3 --moderator edit--
ip nat inside source static 192.168.10.150 --moderator edit--
ip classless
ip route 0.0.0.0 0.0.0.0 --moderator edit--
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 23 permit --moderator edit--
access-list 23 permit --moderator edit--
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit tcp host --moderator edit-- host --moderator edit-- eq telnet
access-list 101 permit tcp host --moderator edit-- host --moderator edit-- eq 22
access-list 101 permit tcp host --moderator edit-- host --moderator edit-- eq telnet
access-list 101 permit tcp host --moderator edit-- host --moderator edit-- eq 22
access-list 101 permit tcp any host --moderator edit-- eq smtp
access-list 101 permit tcp any host --moderator edit-- eq www
access-list 101 permit tcp any host --moderator edit-- eq pop3
access-list 101 permit tcp any host --moderator edit-- eq www
access-list 101 permit ip any host --moderator edit--
access-list 101 permit udp 192.168.20.0 0.0.0.255 any
access-list 101 permit tcp 192.168.20.0 0.0.0.255 any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny tcp any any
access-list 101 deny udp any any
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 104 permit ip any 192.168.20.0 0.0.0.255
access-list 104 permit ip 192.168.20.0 0.0.0.255 any
no cdp run
!
route-map nostatic permit 10
 match ip address 103
 set ip next-hop 10.1.1.2
!
route-map nonat permit 10
 match ip address 102
!
!
line con 0
line aux 0
line vty 0 4
 password ********
 login local
 transport input pad udptn telnet rlogin ssh
line vty 5 15
 login
!
end

Router Version

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K8O3SY7-M), Version 12.2(8)T4, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 05-May-02 20:32 by ccai
Image text-base: 0x80008108, data-base: 0x80D2CDEC

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

ksv1720 uptime is 19 hours, 39 minutes
System returned to ROM by reload
System image file is "flash:c1700-k8o3sy7-mz.122-8.T4.bin"

cisco 1720 (MPC860T) processor (revision 0x601) with 27853K/4915K bytes of memory.
Processor board ID JAD04440GPP (3011912143), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
1 Virtual Private Network (VPN) Module(s)
WIC T1-DSU
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

VPN Client Log

13 11:57:11.836 06/14/02 Sev=Info/6 DIALER/0x63300002
Initiating connection.

14 11:57:11.836 06/14/02 Sev=Info/4 CM/0x63100002
Begin connection process

15 11:57:11.906 06/14/02 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

16 11:57:11.906 06/14/02 Sev=Info/4 CM/0x63100026
Attempt connection with server "--moderator edit--"

17 11:57:11.906 06/14/02 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with --moderator edit--.

18 11:57:12.037 06/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to --moderator edit--

19 11:57:12.037 06/14/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

20 11:57:17.064 06/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to --moderator edit--

21 11:57:17.965 06/14/02 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = --moderator edit--

22 11:57:17.965 06/14/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from --moderator edit--

23 11:57:17.965 06/14/02 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

24 11:57:17.965 06/14/02 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation

25 11:57:17.965 06/14/02 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "--moderator edit--" because of "DEL_REASON_IKE_NEG_FAILED"

26 11:57:17.965 06/14/02 Sev=Info/5 CM/0x63100029
Initializing CVPNDrv

27 11:57:18.055 06/14/02 Sev=Warning/3 DIALER/0xE3300015
GI VPN start callback failed "CM_IKE_ESTABLISH_FAIL" (3h).

28 11:57:18.065 06/14/02 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

I would greatly appreciate any help you can give.
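The client log above follows a fixed two-line layout (a header with sequence number, timestamp, severity, component and hex code, then the message on the next line), and the failure it records is the peer answering the aggressive-mode proposal with NO_PROPOSAL_CHOSEN. As an added triage aid that is not part of the original post or any Cisco tool, the following parser pairs each header with its message and summarises the IKE exchange; the sample log is a constructed excerpt of the entries above, with 203.0.113.1 standing in for the redacted peer address.

```python
import re
from collections import namedtuple

# Constructed sample in the Cisco VPN Client 3.x log layout shown in the post above;
# 203.0.113.1 is a documentation-range placeholder for the redacted peer address.
SAMPLE_LOG = """\
18 11:57:12.037 06/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID) to 203.0.113.1

20 11:57:17.064 06/14/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 203.0.113.1

22 11:57:17.965 06/14/02 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.1

25 11:57:17.965 06/14/02 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "203.0.113.1" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Header: <seq> <time> <date> Sev=<level>/<n> <component>/<hex code>; message is on the next line.
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
Entry = namedtuple("Entry", "seq time severity component code message")

def parse_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [line.rstrip() for line in text.splitlines()]
    entries = []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m:
            msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
            entries.append(Entry(int(m[1]), m[2], m[4], m[6], m[7], msg))
    return entries

def triage(entries):
    """Summarise the IKE exchange: mode, retransmissions, notifies seen, CM failure reason."""
    report = {"mode": None, "retransmissions": 0, "notifies": [], "phase1_failure": None}
    for e in entries:
        if "OAK AG" in e.message:            # OAK AG = Oakley aggressive mode, as the client sends
            report["mode"] = "aggressive"
        if "Retransmission" in e.message:    # no answer to the first proposal before the retry timer
            report["retransmissions"] += 1
        n = re.search(r"NOTIFY:(\w+)", e.message)
        if n:                                # e.g. NO_PROPOSAL_CHOSEN: peer rejected every proposal
            report["notifies"].append(n[1])
        r = re.search(r'Phase 1 SA .* because of "(\w+)"', e.message)
        if r:
            report["phase1_failure"] = r[1]
    return report
```

Running `triage(parse_log(SAMPLE_LOG))` reports an aggressive-mode exchange with one retransmission, the NO_PROPOSAL_CHOSEN notify, and DEL_REASON_IKE_NEG_FAILED as the Phase 1 failure reason, which is the point at which to compare the router's ISAKMP policies against what the client proposes.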

1 REPLY

Re: IOS vpn with client 3.5.2

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac, and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen.

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.
