Cisco Support Community
New Member

VPN client 3.6.3

Hi, I have an 837 router and I want VPN clients to be able to connect through it, but right now it doesn't work.

The IKE phase works, but not the IPSec phase.

I see this in the Log viewer

1 18:43:47.171 11/27/03 Sev=Warning/3 IKE/0xE3000084
The length, 5338592, of the Mode Config option, , is invalid

I did debug crypto ipsec

*Mar 4 10:16:42.835: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.241.68,
    local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 4 10:16:42.835: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 22.81.27.2, remote= 62.83.241.68,
    local_proxy= 22.81.27.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.200.219/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= comp-lzs ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

And finally this is the configuration of the router

Router_Adsl#sh run
hostname Router_Adsl
!
username xxx password xxxx
aaa new-model
!
!
aaa authentication login vpnusers local
aaa authorization network rubi local
aaa session-id common
ip subnet-zero
ip domain name rubi.net
!
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp client configuration address-pool local mipool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group rubi
 key rubi2
 dns 192.168.200.2
 domain rubi.net
 pool mipool
 acl 150
!
!
crypto ipsec transform-set mitrans esp-3des esp-sha-hmac
!
crypto dynamic-map mapadinamico 20
 description Clientes remotos de la VPN
 set transform-set mitrans
 reverse-route
!
!
crypto map mimapa client authentication list vpnusers
crypto map mimapa isakmp authorization list rubi
crypto map mimapa client configuration address respond
crypto map mimapa 20 ipsec-isakmp dynamic mapadinamico
!
!
!
!
interface Loopback0
 ip address x.x.x.x 255.255.255.255
!
interface Ethernet0
 ip address 192.168.200.251 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 ip address x.x.x.91 255.255.255.252
 ip access-group 135 in
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 pvc 1/32
  protocol ip 10.10.8.89 broadcast
  vbr-nrt 384 128 32
  encapsulation aal5mux ip
 !
 crypto map mimapa
!
ip local pool mipool 192.168.200.218 192.168.200.219
ip nat inside source list 1 interface Loopback0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 135 deny tcp any eq 135 any eq 135
access-list 135 permit ip any any
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
!
end

Can anybody tell me where the problem is?

Many thanks in advance

2 REPLIES
Silver

Re: VPN client 3.6.3

I remember a case where we were running into this message due to the address pool overlapping with the IP assigned to one of the interfaces. That might be the problem in your case too. The config is pushed to the remote client after ISAKMP and before IPSec SA negotiation. After a successful IKE negotiation, an overlapping address might result in the packets being routed incorrectly and IPSec negotiations not taking place.
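The overlap condition described in the reply above can be checked mechanically against a configuration. The Python below is an added example, not part of the original thread and not a Cisco tool; the names parse_config and find_overlaps are made up for illustration, and it reads only `interface`, `ip address` and `ip local pool` lines.

```python
import ipaddress
import re

# Address-bearing lines excerpted from the configuration posted in the question
# (redacted x.x.x.x values kept exactly as posted).
POSTED_CONFIG = """\
interface Loopback0
 ip address x.x.x.x 255.255.255.255
interface Ethernet0
 ip address 192.168.200.251 255.255.255.0
interface ATM0
 no ip address
interface ATM0.1 point-to-point
 ip address x.x.x.91 255.255.255.252
ip local pool mipool 192.168.200.218 192.168.200.219
"""

def parse_config(text):
    """Return (interfaces, pools, skipped) parsed from IOS-style config text."""
    interfaces, pools, skipped, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            try:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
                interfaces[current] = iface.network
            except ValueError:
                skipped.append(current)  # redacted or malformed address
        elif m := re.match(r"ip local pool (\S+) (\S+)(?: (\S+))?", line):
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3) or m.group(2))
            pools[m.group(1)] = (first, last)
    return interfaces, pools, skipped

def find_overlaps(interfaces, pools):
    """List (pool, interface, subnet) where a pool range intersects a connected subnet."""
    hits = []
    for pool, (first, last) in pools.items():
        for ifname, net in interfaces.items():
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, ifname, str(net)))
    return hits

if __name__ == "__main__":
    interfaces, pools, skipped = parse_config(POSTED_CONFIG)
    for pool, ifname, net in find_overlaps(interfaces, pools):
        print(f"pool {pool} overlaps {ifname} ({net})")
    print("not checked (redacted):", ", ".join(skipped))
```

On the posted configuration this reports that mipool falls inside the Ethernet0 subnet 192.168.200.0/24; the Loopback0 and ATM0.1 addresses are redacted in the post, so they are listed as skipped rather than checked.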

New Member

Re: VPN client 3.6.3

Try changing to VPN client 4.x (or 3.5.4 if you need the 3.x series). The 3.6 series was VERY buggy, including not passing through DNS servers, which made the tunnel look broken.
