01-07-2004 12:03 PM - edited 02-20-2020 11:11 PM
I have a site to site VPN currently in place. I am using a 2600 on my side. I now need to get remote access for home users implemented. I am getting the error: 412: Secure VPN terminated locally by client. Remote peer no longer responding.
Below is my config.
Current configuration : 3940 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname scpa
!
logging queue-limit 100
no logging console
enable secret xxx
enable password xxxx
!
username ***** password xxxx
memory-size iomem 15
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
!
ip inspect name scpa udp
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ********* address 128..x.x.x
!
crypto isakmp client configuration group sriclient
key sriremote
dns *******
domain ********
pool ippool
!
!
crypto ipsec transform-set menlo esp-3des esp-sha-hmac
crypto ipsec transform-set sriremote esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set sriremote
!
!
crypto map scpa client authentication list userauthen
crypto map scpa isakmp authorization list group
crypto map scpa client configuration address respond
crypto map scpa 1 ipsec-isakmp
set peer 128.x.x.x
set transform-set menlo
set pfs group1
match address 110
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
description SCPA inside private address
ip address 192.168.0.1 255.255.255.0
ip access-group 102 out
ip nat inside
ip inspect scpa in
speed auto
half-duplex
!
interface FastEthernet0/1
description SCPA external address
ip address x.x.x.52 255.255.255.224
ip access-group 101 in
ip nat outside
no ip mroute-cache
speed auto
half-duplex
crypto map scpa
!
ip local pool ippool 10.0.0.1 10.0.0.20
ip nat pool ipsec x.x.x.57 199.234.154.57 netmask 255.255.255.224
ip nat inside source route-map internet interface FastEthernet0/1 overload
ip nat inside source route-map ipsec pool ipsec overload
ip nat inside source static tcp 192.168.0.5 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.0.5 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 199.234.154.33
!
!
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny pim any any
access-list 101 deny ip host 10.0.0.0 any
access-list 101 deny ip host 192.168.0.0 any
access-list 101 permit tcp any host 199.234.154.52 eq www
access-list 101 permit tcp any host 199.234.154.52 eq smtp
access-list 101 permit tcp any host 199.234.154.52 eq 443
access-list 101 permit tcp any host 199.234.154.52 established
access-list 101 permit udp host 128.18.241.1 host 199.234.154.57 eq isakmp
access-list 101 permit ip 128.18.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq telnet
access-list 102 deny ip host 199.234.154.53 128.18.0.0 0.0.255.255
access-list 102 permit ip any any
access-list 105 permit ip 192.168.0.0 0.0.0.255 128.18.0.0 0.0.255.255
access-list 110 permit ip host 199.234.154.57 128.18.0.0 0.0.255.255
!
route-map internet permit 10
match ip address 100
!
route-map ipsec permit 10
match ip address 105
!
snmp-server community scpa_public RO
snmp-server enable traps tty
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxx
!
!
end
Can anybody tell what is wrong? I am using the VPN client 4.0
01-07-2004 06:49 PM
First things first, I strongly suggest you change your key under the VPN group (key sriremote), since you have pasted your group name and password, and the IP address of your router in here. All someone has to do is guess the local username you have configured on this router (the password is easy to find) and they'll be into your network.
I think the problem here is your access-list 101 is not allowing these packets in. Try taking it off the interface temporarily and try a client connection. If it works then we know that's the problem.
To allow VPN clients in you'll have to add something like the following:
access-list 101 permit udp any host 199.234.154.52 eq isakmp
access-list 101 permit esp any host 199.234.154.52
and just in case the client and router negotiate UDP encapsulation (NAT-T):
access-list 101 permit udp any host 199.234.154.52 eq 4500
and also allow the unencrypted form of the traffic in:
access-list 101 permit ip 10.0.0.0 0.0.0.31 192.168.0.0 0.0.0.255
You have to specify "any" as the source address because you don't know the IP address of the VPN client.
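To make the point in this reply checkable offline, here is an added example (not code from the thread or from Cisco): a small first-match evaluator for numbered IOS extended ACLs that replays access-list 101 from the posted config against the flows a remote-access IPsec client needs (IKE on udp/500, ESP, NAT-T on udp/4500, and the decrypted pool-address traffic, which on this IOS release is checked by the inbound interface ACL a second time). The client source address 203.0.113.10 and the inside probe to 192.168.0.5 tcp/445 are constructed placeholders; the ACL lines are copied from the post and the reply above.

```python
import ipaddress
from collections import namedtuple

# IOS port keywords that appear in the post's ACL (other names would raise KeyError)
PORT_NAMES = {"www": 80, "smtp": 25, "isakmp": 500, "telnet": 23}

# access-list 101 copied from the poster's config
ORIGINAL_ACL_101 = """
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny pim any any
access-list 101 deny ip host 10.0.0.0 any
access-list 101 deny ip host 192.168.0.0 any
access-list 101 permit tcp any host 199.234.154.52 eq www
access-list 101 permit tcp any host 199.234.154.52 eq smtp
access-list 101 permit tcp any host 199.234.154.52 eq 443
access-list 101 permit tcp any host 199.234.154.52 established
access-list 101 permit udp host 128.18.241.1 host 199.234.154.57 eq isakmp
access-list 101 permit ip 128.18.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any any eq telnet
"""

# the four lines proposed in the reply above
SUGGESTED_ADDITIONS = """
access-list 101 permit udp any host 199.234.154.52 eq isakmp
access-list 101 permit esp any host 199.234.154.52
access-list 101 permit udp any host 199.234.154.52 eq 4500
access-list 101 permit ip 10.0.0.0 0.0.0.31 192.168.0.0 0.0.0.255
"""

# a probe packet; established means the TCP ACK/RST bit is set
Packet = namedtuple("Packet", "proto src dst sport dport established", defaults=(None, None, False))
# src/dst are (address, wildcard) pairs of 32-bit ints; sport/dport None = unspecified
AclEntry = namedtuple("AclEntry", "action proto src sport dst dport established")


def _parse_addr(t, i):
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.ip_address(t[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))), i + 2


def _parse_port(t, i):
    """Optional 'eq <port>' qualifier; gt/lt/range are not needed for this ACL."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_acl(config_text, number):
    """Collect the entries of one numbered extended ACL, in configuration order."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != str(number):
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        # ICMP type keywords such as echo-reply are ignored by this toy evaluator
        entries.append(AclEntry(t[2], t[3], src, sport, dst, dport, "established" in t[i:]))
    return entries


def _addr_match(rule, ip):
    net, wild = rule
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care"
    return (int(ipaddress.ip_address(ip)) ^ net) & (~wild & 0xFFFFFFFF) == 0


def _matches(e, p):
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_match(e.src, p.src) and _addr_match(e.dst, p.dst)
            and e.sport in (None, p.sport) and e.dport in (None, p.dport)
            and (p.established or not e.established))


def evaluate(entries, pkt):
    """First matching entry decides; every IOS ACL ends with an implicit deny (None)."""
    for e in entries:
        if _matches(e, pkt):
            return e.action, e
    return "deny", None


def ipsec_client_reachability(config_text, outside_ip, client_src="203.0.113.10"):
    """Verdict of ACL 101 for each flow a remote-access IPsec client needs."""
    acl = parse_acl(config_text, 101)
    probes = {
        "isakmp (udp/500)": Packet("udp", client_src, outside_ip, 500, 500),
        "esp": Packet("esp", client_src, outside_ip),
        "nat-t (udp/4500)": Packet("udp", client_src, outside_ip, 4500, 4500),
        "decrypted client->lan (tcp/445)": Packet("tcp", "10.0.0.5", "192.168.0.5", 40000, 445),
    }
    return {name: evaluate(acl, p)[0] for name, p in probes.items()}
```

Calling `ipsec_client_reachability(ORIGINAL_ACL_101, "199.234.154.52")` returns "deny" for all four flows, because the only ISAKMP permit in the original list is pinned to the site-to-site peer 128.18.241.1 and the .57 address; with `ORIGINAL_ACL_101 + SUGGESTED_ADDITIONS` all four become "permit", while the existing peer's IKE traffic is unaffected either way. Dropping the udp/4500 line leaves NAT-T clients stuck, which is the "just in case" the reply mentions.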
01-08-2004 05:16 AM
Thanks,
I have since got it working. Yes, the VPN group, names etc. I just added in there to post here. I just used a simple word for this example. But good point! Thank you.
I also had to add the lines
ip access-list extended protocol
ip access-list extended tunnele-password
01-08-2004 10:39 AM
Another question if anybody can help?
Yes, the "VPN client" did initially work, but it killed my tunnel for my site to site VPN. The other side of my VPN is a Checkpoint NG. I have since placed my old original config back in, without the client VPN configurations.