11-29-2006 02:50 AM
I am having a problem with our Cisco 1841 router. I configured it for VPN remote client access and it works, but once connected I can't remotely access the server inside the network. I can mount the root drive but can't browse the folders in the drive. I can mount an individual folder inside the drive but can't open files someone has created in that drive. Is this a router config problem or a file server problem? The router has IOS 12.4 and the file server is running Windows 2000 Server.
Also, I would like to remotely access the file server from outside without using VPN. Should I use a standard access list or an extended one? Any sample config will be appreciated.
11-29-2006 07:49 AM
Hello -
Sniffer traces between the server and the router would let us know what might be happening. Before you get into that, can you turn on "deb cry isa" & "deb cry ipsec", try your VPN client to mount the folder and open the file.
See if there are any debugs (make sure you do "term mon" if doing a telnet) and send those.
Also try inserting the command "crypto ipsec df-bit clear" globally. See if that helps.
12-01-2006 03:55 PM
I erased the configuration of the router and started all over again, this time with RADIUS enabled for authentication of remote VPN users. Now I can't even connect using VPN. Below are the debug messages I got. Do you have any clue what part of the configuration I should go to to fix the VPN access? I am using VPN client version 4. Thanks.
===debug messages======
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 3 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP: encryption AES-CBC
*Dec 1 23:39:12.715: ISAKMP: hash SHA
*Dec 1 23:39:12.715: ISAKMP: default group 2
*Dec 1 23:39:12.715: ISAKMP: auth pre-share
*Dec 1 23:39:12.715: ISAKMP: life type in seconds
*Dec 1 23:39:12.715: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 1 23:39:12.715: ISAKMP: keylength of 256
..............
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP: encryption AES-CBC
*Dec 1 23:39:12.715: ISAKMP: hash SHA
*Dec 1 23:39:12.715: ISAKMP: default group 2
*Dec 1 23:39:12.715: ISAKMP: auth XAUTHInitPreShared
*Dec 1 23:39:12.715: ISAKMP: life type in seconds
*Dec 1 23:39:12.715: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Dec 1 23:39:12.715: ISAKMP: keylength of 128
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
......................
*Dec 1 23:39:12.771: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Dec 1 23:39:12.839: ISAKMP:(0:1:SW:1):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1): constructed NAT-T vendor-02 ID
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Dec 1 23:39:12.919: ISAKMP (0:134217729): ID payload
next-payload : 10
type : 1
address : 209.xxx.xx.xx
protocol : 17
port : 0
length : 12
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Total payload length: 12
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1): sending packet to 63.xx.xx.xx my_port 500 peer_port 3 (R) AG_INIT_EXCH
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Dec 1 23:39:12.919: ISAKMP:(0:1:SW:1):Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
........................
*Dec 1 23:39:49.191: ISAKMP (0:134217730): received packet from 64.xx.xx.xx dport 500 sport 3 Global (R) AG_INIT_EXCH
*Dec 1 23:39:49.191: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 64.xx.xx.xx was not encrypted and it should've been.
12-02-2006 12:22 AM
Here's the running config:
version 12.4
..............deleted.........
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_2 group radius
!
aaa session-id common
memory-size iomem 25
ip cef
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
[delete]
ip inspect name FastEthernet_0 tftp
!
!
ip domain name abcd.com
ip name-server 20x.xxx.xxx.xxx
ip name-server 20x.xxx.xxx.xxx
!
!
crypto pki trustpoint TP-self-signed-458006412
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-458006412
revocation-check none
rsakeypair TP-self-signed-458006412
!
!
crypto pki certificate chain TP-self-signed-458006412
certificate self-signed 01
[deleted]
quit
username abcdef privilege 15 secret 5 $abcdefgjhAm.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key abcdef
dns 192.168.1.1 192.168.1.2
wins 192.168.1.1 192.168.1.2
domain domain.local
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ETH-LAN$
ip address 192.168.1.200 255.255.255.0
ip access-group 100 in
ip inspect FastEthernet_0 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 20x.xxx.xx.xx 255.255.255.0
ip access-group 101 in
ip nat outside
ip virtual-reassembly
service-module t1 remote-alarm-enable
no cdp enable
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 172.16.1.1 172.16.1.30
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Serial0/0/0 overload
!
access-list 10 remark SDM_ACL Category=16
access-list 10 permit 192.0.0.0 0.255.255.255
access-list 100 remark SDM_ACL Category=17
access-list 100 permit udp host 192.168.1.1 eq 1645 host 192.168.1.200
access-list 100 permit udp host 192.168.1.1 eq 1646 host 192.168.1.200
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 172.16.1.0 0.0.0.31 any
access-list 101 permit udp any host 20x.xxx.xx.xx eq non500-isakmp
access-list 101 permit udp any host 20x.xxx.xx.xx eq isakmp
access-list 101 permit esp any host 20x.xxx.xx.xx
access-list 101 permit ahp any host 20x.xxx.xx.xx
access-list 101 permit tcp any any eq telnet
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 172.16.1.0 0.0.0.31
access-list 102 permit ip 192.0.0.0 0.255.255.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 timeout 10 key abcdefg
!
control-plane
!
banner login ^CC
....deleted.....
^C
!
line con 0
exec-timeout 0 0
login authentication abcdefg
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
r1841#
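To read the debug output in the earlier post against the crypto isakmp policy in this config, here is an added Python helper (not from the thread) that parses the "Checking ISAKMP transform" blocks and the policy stanza and reports which client proposals the router would accept. The AES transform is copied from the debug above; the 3DES transform is constructed to stand in for the elided "......" part, and treating XAUTHInitPreShared as equivalent to pre-share when XAUTH is configured is an assumption.

```python
import re
# Constructed sample: transform 5 from the thread's debug plus a 3DES transform
# (assumed, not on the page) standing in for the elided "......" section.
DEBUG = """\
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 5 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP: encryption AES-CBC
*Dec 1 23:39:12.715: ISAKMP: hash SHA
*Dec 1 23:39:12.715: ISAKMP: default group 2
*Dec 1 23:39:12.715: ISAKMP: auth XAUTHInitPreShared
*Dec 1 23:39:12.715: ISAKMP: keylength of 128
*Dec 1 23:39:12.715: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 9 against priority 1 policy
*Dec 1 23:39:12.715: ISAKMP: encryption 3DES-CBC
*Dec 1 23:39:12.715: ISAKMP: hash SHA
*Dec 1 23:39:12.715: ISAKMP: default group 2
*Dec 1 23:39:12.715: ISAKMP: auth XAUTHInitPreShared
"""
# The router's policy as posted in the running config (hash omitted, so IOS default sha).
POLICY = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n"
def parse_policy(text):
    # IOS defaults for lines left out of "crypto isakmp policy".
    pol = {"encr": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
    for line in text.splitlines():
        m = re.match(r"\s*(encr|hash|group|authentication)\s+(\S+)(?:\s+(\d+))?", line)
        if m:
            key = {"authentication": "auth"}.get(m.group(1), m.group(1))
            pol[key] = m.group(2) + (m.group(3) or ("128" if m.group(2) == "aes" else ""))
    return pol
def parse_transforms(text):
    # Group "ISAKMP: <attr> <value>" lines under their "Checking ISAKMP transform N" header.
    transforms, cur = {}, None
    for line in text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+)", line)
        if m:
            cur = transforms.setdefault(int(m.group(1)), {})
            continue
        m = re.search(r"ISAKMP:\s+(encryption|hash|default group|auth|keylength of)\s+(\S+)", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return transforms
def normalize(t):
    # Map debug wording onto policy keywords, e.g. "AES-CBC" + keylength 128 -> "aes128".
    encr = t.get("encryption", "").replace("-CBC", "").lower()
    if encr == "aes": encr += t.get("keylength of", "128")
    # Assumption: with XAUTH configured, a pre-share policy also accepts XAUTHInitPreShared.
    auth = "pre-share" if t.get("auth") in ("pre-share", "XAUTHInitPreShared") else t.get("auth", "")
    return {"encr": encr, "hash": t.get("hash", "").lower(), "group": t.get("default group"), "auth": auth}
def matching_transforms(debug, policy_text):
    pol = parse_policy(policy_text)
    return sorted(n for n, t in parse_transforms(debug).items() if normalize(t) == pol)
```

Running `matching_transforms(DEBUG, POLICY)` shows that only the 3DES proposal fits the posted `encr 3des` policy, which is why every AES transform in the debug is logged as "Encryption algorithm offered does not match policy!".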
12-06-2006 11:24 PM
Hi,
Do you want to authenticate the users on RADIUS or the VPN Group?
CONFIG:
aaa authorization network sdm_vpn_group_ml_2 group radius
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
Based upon the above configuration, you have configured the router to go to RADIUS for the Group Name, Preshared key, etc. If you only want to authenticate the users via RADIUS and use the VPN Group parameters configured on the router, you need to reconfigure the router.
REVISED CONFIG:
aaa authorization network sdm_vpn_group_ml_2 local
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
And to authenticate the users via RADIUS, configure the router with the below configuration:
aaa authentication login VPNXAUTH group radius
crypto map SDM_CMAP_1 client authentication list VPNXAUTH
Let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **