remote access VPN

marc.reed
Level 1

I have a site-to-site VPN currently in place. I am using a 2600 on my side. I now need to get remote access for home users implemented. I am getting the error: 412: Secure VPN terminated locally by client. Remote peer no longer responding.

Below is my config.

Current configuration : 3940 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname scpa
!
logging queue-limit 100
no logging console
enable secret xxx
enable password xxxx
!
username ***** password xxxx
memory-size iomem 15
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
ip inspect name scpa udp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 43200
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ********* address 128.x.x.x
!
crypto isakmp client configuration group sriclient
 key sriremote
 dns *******
 domain ********
 pool ippool
!
!
crypto ipsec transform-set menlo esp-3des esp-sha-hmac
crypto ipsec transform-set sriremote esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set sriremote
!
!
crypto map scpa client authentication list userauthen
crypto map scpa isakmp authorization list group
crypto map scpa client configuration address respond
crypto map scpa 1 ipsec-isakmp
 set peer 128.x.x.x
 set transform-set menlo
 set pfs group1
 match address 110
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 description SCPA inside private address
 ip address 192.168.0.1 255.255.255.0
 ip access-group 102 out
 ip nat inside
 ip inspect scpa in
 speed auto
 half-duplex
!
interface FastEthernet0/1
 description SCPA external address
 ip address x.x.x.52 255.255.255.224
 ip access-group 101 in
 ip nat outside
 no ip mroute-cache
 speed auto
 half-duplex
 crypto map scpa
!
ip local pool ippool 10.0.0.1 10.0.0.20
ip nat pool ipsec x.x.x.57 199.234.154.57 netmask 255.255.255.224
ip nat inside source route-map internet interface FastEthernet0/1 overload
ip nat inside source route-map ipsec pool ipsec overload
ip nat inside source static tcp 192.168.0.5 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.0.5 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 199.234.154.33
!
!
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny pim any any
access-list 101 deny ip host 10.0.0.0 any
access-list 101 deny ip host 192.168.0.0 any
access-list 101 permit tcp any host 199.234.154.52 eq www
access-list 101 permit tcp any host 199.234.154.52 eq smtp
access-list 101 permit tcp any host 199.234.154.52 eq 443
access-list 101 permit tcp any host 199.234.154.52 established
access-list 101 permit udp host 128.18.241.1 host 199.234.154.57 eq isakmp
access-list 101 permit ip 128.18.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq telnet
access-list 102 deny ip host 199.234.154.53 128.18.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 105 permit ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255
access-list 110 permit ip host 199.234.154.57 128.18.0.0 0.0.255.255
!
route-map internet permit 10
 match ip address 100
!
route-map ipsec permit 10
 match ip address 105
!
snmp-server community scpa_public RO
snmp-server enable traps tty
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxx
!
!
end

Can anybody tell what is wrong? I am using the VPN client 4.0.

3 Replies

gfullage
Cisco Employee

First things first, I strongly suggest you change your key under the VPN group (key sriremote), since you have pasted your group name and password, and the IP address of your router in here. All someone has to do is guess the local username you have configured on this router (the password is easy to find) and they'll be into your network.

I think the problem here is your access-list 101 is not allowing these packets in. Try taking it off the interface temporarily and try a client connection. If it works then we know that's the problem.

To allow VPN clients in you'll have to add something like the following:

access-list 101 permit udp any host 199.234.154.52 eq isakmp

access-list 101 permit esp any host 199.234.154.52

and just in case the client and router negotiate UDP encapsulation (NAT-T):

access-list 101 permit udp any host 199.234.154.52 eq 4500

and also allow the unencrypted form of the traffic in:

access-list 101 permit ip 10.0.0.0 0.0.0.31 192.168.0.0 0.0.0.255

You have to specify "any" as the source address because you don't know the IP address of the VPN client.

Thanks,
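To see concretely why the inbound ACL stops the client and why the four lines in the reply fix it, here is an added example that is not code from this thread or from Cisco: a small Python evaluator for the subset of IOS extended-ACL syntax that access-list 101 actually uses (first match wins, implicit deny at the end). The ACL text is copied from the question; the only things assumed are the redacted outside address (taken from the other lines of the same config as 199.234.154.52), the home user's address 203.0.113.9, and the four constructed test packets a VPN client produces: ISAKMP on UDP/500, ESP, NAT-T on UDP/4500, and the decrypted packet from the 10.0.0.x pool to the inside LAN.

```python
"""Mini evaluator for numbered IOS extended ACLs (added illustration, not code
from the thread).  Models only the keywords used by access-list 101 above."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL 101 as posted in the question (outside address filled in from the config).
ACL_101_AS_POSTED = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny pim any any
access-list 101 deny ip host 10.0.0.0 any
access-list 101 deny ip host 192.168.0.0 any
access-list 101 permit tcp any host 199.234.154.52 eq www
access-list 101 permit tcp any host 199.234.154.52 eq smtp
access-list 101 permit tcp any host 199.234.154.52 eq 443
access-list 101 permit tcp any host 199.234.154.52 established
access-list 101 permit udp host 128.18.241.1 host 199.234.154.57 eq isakmp
access-list 101 permit ip 128.18.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq telnet
"""
# The four lines the reply recommends; IOS appends them at the end of the ACL.
VPN_CLIENT_ENTRIES = """
access-list 101 permit udp any host 199.234.154.52 eq isakmp
access-list 101 permit esp any host 199.234.154.52
access-list 101 permit udp any host 199.234.154.52 eq 4500
access-list 101 permit ip 10.0.0.0 0.0.0.31 192.168.0.0 0.0.0.255
"""
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "telnet": 23}
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "pim": 103}


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False              # TCP ACK/RST set; what "established" keys on
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: Optional[int]           # None means "ip", i.e. any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.ack)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def _addr(t, i):
    """Parse 'any' | 'host A' | 'A wildcard'; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> list:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        proto = None if t[3] == "ip" else (int(t[3]) if t[3].isdigit() else PROTO_NUMBERS[t[3]])
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        ace = Ace(t[2], proto, src, dst)
        while i < len(t):                      # trailing qualifiers
            if t[i] == "eq":
                ace.dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]); i += 2
            elif t[i] == "established":
                ace.established = True; i += 1
            elif t[i] == "echo-reply":
                ace.icmp_type = 0; i += 1
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line}")
        aces.append(ace)
    return aces


def evaluate(aces, p: Packet) -> str:
    """IOS semantics: first matching entry decides; no match means deny."""
    for ace in aces:
        if ace.matches(p):
            return ace.action
    return "deny"


OUTSIDE, CLIENT = "199.234.154.52", "203.0.113.9"   # CLIENT is a constructed home-user address
VPN_CLIENT_PACKETS = {
    "isakmp udp/500":   Packet(17, CLIENT, OUTSIDE, dport=500),
    "esp":              Packet(50, CLIENT, OUTSIDE),
    "nat-t udp/4500":   Packet(17, CLIENT, OUTSIDE, dport=4500),
    "decrypted inside": Packet(6, "10.0.0.5", "192.168.0.5", dport=80),  # pool address -> LAN web server
}


def vpn_client_results(acl_text: str) -> dict:
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, p) for name, p in VPN_CLIENT_PACKETS.items()}


if __name__ == "__main__":
    print("as posted:", vpn_client_results(ACL_101_AS_POSTED))
    print("with reply's lines:", vpn_client_results(ACL_101_AS_POSTED + VPN_CLIENT_ENTRIES))
```

Run as posted, all four client packets fall through to the implicit deny: the only ISAKMP entry is pinned to the site-to-site peer 128.18.241.1 and to the .57 address, which is exactly why the reply says the source has to be `any`. With the four lines appended every client packet is permitted while the existing peer's ISAKMP is still matched by its original entry. Because the new lines are appended, order does not matter here, but in general a broader `deny` earlier in the list would shadow them, so check the position of any entry you add to an ACL with explicit denies.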

I have since got it working. Yes the VPN group, names etc, I just added in there to post here. I just used a simple word for this example. But good point! Thank you.

I also had to add the line

ip access-list extended protocol

ip access-list extended tunnele-password

Another question, if anybody can help:

Yes, the "VPN client" did initially work, but it killed my tunnel for my site-to-site VPN. The other side of my VPN is a Checkpoint NG. I have since placed my old original config back in, without the client VPN configurations.
