Cisco Support Community
secure VPN connection terminated by local host/remote vpn peer is no longer responding

Hi,

I am trying to configure a 2911 router for Cisco VPN Client access from remote hosts. My network is set up as LAN - switch - router.

I have followed everything that is said on the Cisco website, but I am still not able to connect after creating the .pcf file. It gives me an error saying: "Secure VPN connection terminated by local host / remote VPN peer is no longer responding."

Not sure if I am missing some configs or configured something wrong.

Below is my config:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization console
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_10 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
ip source-route
ip cef
!
!
!
!
!
ip domain name xyz.LOCAL
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
parameter-map type inspect global
 log dropped-packets enable
!
crypto pki token default removal timeout 0
!
!
-
-
-
!
!
archive
 log config
  logging enable
  hidekeys

username test password 7 105A0C0A11

!
redundancy
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any MGMT
 match protocol ssh
 match protocol snmp
class-map type inspect match-any ICMP
 match protocol icmp
class-map type inspect match-all IPSEC-VPN
 match access-group name IPSEC-VPN
class-map type inspect match-any TCP-UDP
 match protocol tcp
 match protocol udp
class-map type inspect match-all STATIC-NAT
 match access-group name STATIC-NAT
!
!
policy-map type inspect INSIDE->SELF
 class type inspect ICMP
  pass
 class type inspect MGMT
  pass
 class class-default
  drop
policy-map type inspect INSIDE->OUTSIDE
 class type inspect TCP-UDP
  inspect
 class type inspect ICMP
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE->SELF
 class type inspect ICMP
  pass
 class type inspect IPSEC-VPN
  pass
 class class-default
  drop
policy-map type inspect OUTSIDE->INSIDE
 class type inspect STATIC-NAT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE->OUTSIDE-ZP source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE->OUTSIDE
zone-pair security INSIDE->SELF-ZP source INSIDE destination self
 service-policy type inspect INSIDE->SELF
zone-pair security OUTSIDE->SELF-ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF
zone-pair security OUTSIDE->INSIDE-ZP source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE->INSIDE
!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
!


!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.


crypto isakmp policy 55
 encr aes 256
 authentication pre-share
 group 2
!

crypto isakmp client configuration group internal
 key key_internal
 dns 10.10.37.33 10.10.37.30
 pool REMOTE_ACCESS_POOL
 save-password
 max-users 10
 netmask 255.255.255.0

crypto isakmp profile Current-ike-profile-1
   match identity group internal
   client authentication list sdm_vpn_xauth_ml_10
   isakmp authorization list sdm_vpn_group_ml_10
   client configuration address respond
   virtual-template 13
!
!

crypto ipsec transform-set EASY esp-aes 256 esp-sha-hmac
!

crypto ipsec profile Current
 set transform-set EASY
 set reverse-route tag 10
 set isakmp-profile Current-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.10.64.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface Virtual-Template13 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Current
!
ip local pool REMOTE_ACCESS_POOL 10.10.44.2 10.10.44.254
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 10.10.0.0 255.255.0.0 10.10.64.2

!

ip access-list extended IPSEC-VPN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
ip access-list extended NAT
 permit ip 10.10.44.0 0.0.0.255 any
 
ip access-list extended STATIC-NAT
 permit ip any 10.10.37.0 0.0.0.255

!
!
!
!
!
!
snmp-server community ROUTER RO
snmp-server enable traps config
snmp-server host 10.10.37.37 version 2c RO
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 logging synchronous
 transport input ssh
 transport output ssh
line vty 5 15
 logging synchronous
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
end
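Two things have to hold on a router like this before the client can even complete IKE: the zone-based firewall must pass IKE (UDP/500), NAT-T (UDP/4500) and ESP from the OUTSIDE zone to the router's self zone, and the ISAKMP profile must point at AAA lists and a virtual-template that actually exist. The script below is an added example, not part of the post or Cisco's tooling: it parses a constructed excerpt modelled on the posted configuration (only the parts the checks read, not the full running-config) and reports which of these prerequisites are missing. The helper names, the excerpt and the finding strings are all assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the configuration in the post; this is not
# the poster's full running-config, only the parts the checks below look at.
SAMPLE_CONFIG = """\
aaa authentication login sdm_vpn_xauth_ml_10 local
aaa authorization network sdm_vpn_group_ml_10 local
class-map type inspect match-all IPSEC-VPN
 match access-group name IPSEC-VPN
policy-map type inspect OUTSIDE->SELF
 class type inspect ICMP
  pass
 class type inspect IPSEC-VPN
  pass
 class class-default
  drop
zone-pair security OUTSIDE->SELF-ZP source OUTSIDE destination self
 service-policy type inspect OUTSIDE->SELF
crypto isakmp profile Current-ike-profile-1
   match identity group internal
   client authentication list sdm_vpn_xauth_ml_10
   isakmp authorization list sdm_vpn_group_ml_10
   virtual-template 13
interface Virtual-Template13 type tunnel
 tunnel protection ipsec profile Current
ip access-list extended IPSEC-VPN
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
"""

# The three flows an IPsec remote-access head-end must accept towards itself:
# IKE on UDP/500, NAT-T on UDP/4500 and ESP (IP protocol 50).  The patterns
# accept both the IOS keyword and the numeric port form.
REQUIRED_ACES = {
    "IKE (UDP/500)": re.compile(r"^permit udp .* eq (isakmp|500)$"),
    "NAT-T (UDP/4500)": re.compile(r"^permit udp .* eq (non500-isakmp|4500)$"),
    "ESP (IP protocol 50)": re.compile(r"^permit esp "),
}


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into top-level commands and their indented children."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comments carry no configuration
        if raw[0] != " ":
            current = raw.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def _defined(blocks: Dict[str, List[str]], base: str) -> bool:
    """True if some top-level command is exactly `base` or `base` plus arguments."""
    return any(h == base or h.startswith(base + " ") for h in blocks)


def classes_passed_to_self(blocks: Dict[str, List[str]], source_zone: str = "OUTSIDE") -> List[str]:
    """Class-maps given the 'pass' action in the policy on the source_zone -> self zone-pair."""
    passed: List[str] = []
    for header, children in blocks.items():
        if not re.match(rf"zone-pair security \S+ source {source_zone} destination self$", header):
            continue
        for child in children:
            pm = re.match(r"service-policy type inspect (\S+)", child)
            if not pm:
                continue
            current_class = None
            for line in blocks.get(f"policy-map type inspect {pm.group(1)}", []):
                if line.startswith("class "):
                    cm = re.match(r"class type inspect (\S+)", line)
                    current_class = cm.group(1) if cm else None  # class-default resets
                elif line == "pass" and current_class:
                    passed.append(current_class)
    return passed


def check_ipsec_to_self(blocks: Dict[str, List[str]]) -> List[str]:
    """Report which required IPsec flows no 'pass' class admits towards the router."""
    aces: List[str] = []
    for cls in classes_passed_to_self(blocks):
        for match_type in ("match-all", "match-any"):
            for line in blocks.get(f"class-map type inspect {match_type} {cls}", []):
                m = re.match(r"match access-group name (\S+)", line)
                if m:
                    aces.extend(blocks.get(f"ip access-list extended {m.group(1)}", []))
    return [f"{label} is not passed OUTSIDE->self by any 'pass' class"
            for label, pattern in REQUIRED_ACES.items()
            if not any(pattern.match(ace) for ace in aces)]


def check_isakmp_profile_refs(blocks: Dict[str, List[str]]) -> List[str]:
    """Check that each ISAKMP profile's AAA lists and virtual-template are defined."""
    findings: List[str] = []
    refs = (
        (r"client authentication list (\S+)", "aaa authentication login {}", "xauth login list"),
        (r"isakmp authorization list (\S+)", "aaa authorization network {}", "group authorization list"),
        (r"virtual-template (\d+)", "interface Virtual-Template{}", "virtual-template"),
    )
    for header, children in blocks.items():
        if not header.startswith("crypto isakmp profile "):
            continue
        for line in children:
            for pattern, base, what in refs:
                m = re.match(pattern, line)
                if m and not _defined(blocks, base.format(m.group(1))):
                    findings.append(f"{header}: {what} '{m.group(1)}' is referenced but not defined")
    return findings


def audit(config: str) -> List[str]:
    """Run both checks; an empty list means the prerequisites are present."""
    blocks = parse_blocks(config)
    return check_ipsec_to_self(blocks) + check_isakmp_profile_refs(blocks)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the excerpt above the audit returns no findings, so these prerequisites are not the cause of the failure; deleting the `non500-isakmp` entry or pointing the profile at an undefined virtual-template produces a finding. The checks are deliberately limited to what the posted configuration lets you verify statically; they say nothing about the client's group name and pre-shared key, NAT between the client and the router, or routing for the pool, which still have to be confirmed on the device itself.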