not function Xauth on Loopback Interface (client 3.5x)

Robert_Berger
Level 1

Hello,

I have a Router 1750 with IOS 12.2.8.T4 and Client 3.5.2B, plus router-to-router tunnels with no-xauth.

Serial0.1 is a Frame Relay link to the Internet, 62.x.x.x/30.

Loopback0 is the tunnel endpoint, 212.x.x.x, from my official Internet addresses.

When I hang my crypto map on the serial interface everything works.

But when I hang it on Loopback I get no xauth initiate:

ISAKMP: local port 500, remote port 500
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> missing statements
>>ISAKMP (0:3): (Re)Setting client xauth list my_useraut and state
>>ISAKMP: Locking CONFIG struct 0x830C3750 from crypto_ikmp_config_initialize_sa, count 2
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ISAKMP (0:3): processing SA payload. message ID = 0
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

so I never get "atts are acceptable".

My debug cry isa looks like this:

-------------------------------------------
00:38:54: ISAKMP (0:0): received packet from 62.46.141.155 (N) NEW SA
00:38:54: ISAKMP: local port 500, remote port 500
00:38:54: ISAKMP (0:3): processing SA payload. message ID = 0
00:38:54: ISAKMP (0:3): processing ID payload. message ID = 0
00:38:54: ISAKMP (0:3): processing vendor id payload
00:38:54: ISAKMP (0:3): vendor ID seems Unity/DPD but bad major

and so on

Thanks for your help

Robert

4 Replies

paqiu
Level 1

The crypto map is always applied on your outside interface, which in your case is Serial 0.1.

If you want to use Loopback 0 as your SA identity, use the following command:

"crypto map local-address Loopback0"

Then launch your client against the Loopback 0 (Internet IP) address and it will work fine.

Best Regards,

Paul Qiu

Thanks,

but I still have that statement in. The other tunnels with no-xauth are working well.

Robert

Additional information:

I also have a customer (same router) with a private address on Serial (from the provider).

So that's why I need to know how it works with loopback before I go to the customer.

See part of my config:

--------------------------------------
aaa new-model
aaa authentication login my-useraut local
aaa authorization network my-groupaut local
......
crypto isakmp policy 2
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encryption des
 hash md5
 authentication pre-share
 group 1
 lifetime 86400
!
crypto isakmp key ************ address x.x.x.x no-xauth
crypto isakmp key ************ address y.y.y.y no-xauth
crypto isakmp key ************ address z.z.z.z no-xauth
!
crypto isakmp client configuration group bsgvpnclient
 key *****
 domain bagheera.at
 dns 192.168.1.1
 pool vpn-dial-pool
 acl 120
!
crypto ipsec transform-set cm-transformset ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto dynamic-map vpn-dynamic 10
 set transform-set vpn-transform
!
crypto map cm-cryptomap local-address Loopback0
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto map cm-cryptomap client configuration address respond
!
crypto map cm-cryptomap 5 ipsec-isakmp
 match address 105
 set peer x.x.x.x
 set transform-set cm-transformset
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map cm-cryptomap 6 ipsec-isakmp
 match address 106
 set peer y.y.y.y
 set transform-set cm-transformset
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map cm-cryptomap 7 ipsec-isakmp
 match address 107
 set peer z.z.z.z
 set transform-set cm-transformset
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map cm-cryptomap 10 ipsec-isakmp dynamic vpn-dynamic
!
.....

I recreated it in my lab; it works with Loopback 0 for sure. Please check the following config and compare it with yours to see what the difference is.

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Light
!
boot system flash:c3660-ik9s-mz.122-8.T.bin
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
!
username cisco password 0 cisco123
clock timezone AUS 10
ip subnet-zero
!
!
no ip domain-lookup
ip domain-name cisco.com
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngrp
 key cisco123
 domain cisco.com
 pool vpnpool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map 3000map local-address Loopback0
crypto map 3000map client authentication list userauthen
crypto map 3000map isakmp authorization list groupauthor
crypto map 3000map client configuration address respond
crypto map 3000map 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 10.66.79.18 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.66.79.104 255.255.255.224
 duplex auto
 speed auto
 crypto map 3000map
!
interface FastEthernet0/1
 ip address 192.168.103.1 255.255.255.0
 duplex auto
 speed auto
!
ip local pool vpnpool 192.168.104.1 192.168.104.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.79.97
ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip 192.168.103.0 0.0.0.255 192.168.104.0 0.0.0.255
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Light#
Light#show crypto isa sa
dst src state conn-id slot
10.66.79.18 64.104.217.238 QM_IDLE 1 0
Light#debug ip icmp
ICMP packet debugging is on
Light#
4d12h: ICMP: echo reply sent, src 192.168.103.1, dst 192.168.104.3
4d12h: ICMP: echo reply sent, src 192.168.103.1, dst 192.168.104.3
4d12h: ICMP: echo reply sent, src 192.168.103.1, dst 192.168.104.3
4d12h: ICMP: echo reply sent, src 192.168.103.1, dst 192.168.104.3

Robert_Berger
Level 1

It works now! Thanks.

I had the "crypto map cm-cryptomap" on interface Loopback0.

(Static tunnels with no-xauth were working, but no dynamic ones.)

So as soon as I hung my crypto map on Serial0.1 (and the dependent access list) it was working. So now it is also easier with route entries.

THANKS a lot

Robert
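The root cause in this thread is a placement error rather than a crypto setting: the crypto map was applied to Loopback0 (which forwards no traffic) instead of the outside interface, while `local-address Loopback0` is the right way to make the loopback the SA identity. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses an IOS running-config into interface blocks and flags exactly this class of mistake, so a defender can lint configs before they reach a customer router. The two sample configs are constructed for the example (documentation address ranges), and the `crypto map` parsing handles only the standard `crypto map NAME` and `crypto map NAME local-address IFACE` forms.

```python
import re

# Constructed sample: the broken layout from the thread (map on Loopback0).
BROKEN_CONFIG = """\
aaa new-model
crypto map cm-cryptomap local-address Loopback0
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap 10 ipsec-isakmp dynamic vpn-dynamic
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
 crypto map cm-cryptomap
!
interface Serial0.1 point-to-point
 ip address 198.51.100.2 255.255.255.252
!
end
"""

# Constructed sample: the working layout (map on the outside interface,
# loopback used only as the SA local-address).
FIXED_CONFIG = BROKEN_CONFIG.replace(
    " ip address 203.0.113.1 255.255.255.255\n crypto map cm-cryptomap\n",
    " ip address 203.0.113.1 255.255.255.255\n",
).replace(
    " ip address 198.51.100.2 255.255.255.252\n",
    " ip address 198.51.100.2 255.255.255.252\n crypto map cm-cryptomap\n",
)


def parse_interfaces(config):
    """Return {interface_name: [sub-command, ...]} for every interface block.

    IOS indents sub-commands with one space; a non-indented line ends the block.
    Trailing words such as 'point-to-point' are dropped from the name.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def crypto_map_local_addresses(config):
    """Return {map_name: interface} from 'crypto map NAME local-address IFACE'."""
    pattern = r"^crypto map (\S+) local-address (\S+)\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pattern, config, re.M)}


def crypto_map_bindings(interfaces):
    """Return {map_name: [interfaces the map is applied on]}."""
    applied = {}
    for iface, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"^crypto map (\S+)$", cmd)
            if m:
                applied.setdefault(m.group(1), []).append(iface)
    return applied


def check_crypto_map_placement(config):
    """Return a list of findings; an empty list means no placement issue found."""
    findings = []
    interfaces = parse_interfaces(config)
    applied = crypto_map_bindings(interfaces)
    local_addr = crypto_map_local_addresses(config)

    for name, ifaces in applied.items():
        for iface in ifaces:
            if iface.lower().startswith("loopback"):
                findings.append(
                    f"crypto map {name} is applied on {iface}: a loopback forwards "
                    f"no traffic, so IKE/xauth never triggers; apply the map on the "
                    f"outside interface and keep 'crypto map {name} local-address {iface}'"
                )
    for name, iface in local_addr.items():
        if name not in applied:
            findings.append(f"crypto map {name} sets local-address {iface} "
                            f"but is not applied on any interface")
        if iface not in interfaces:
            findings.append(f"crypto map {name} local-address refers to "
                            f"{iface}, which is not configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_crypto_map_placement(cfg) or "OK")
```

Running it against the broken sample reports the loopback binding; the fixed sample (map moved to Serial0.1, `local-address Loopback0` retained) passes clean, which mirrors the resolution Robert describes.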
