11-26-2011 03:45 PM
Hi,
I configured a Cisco 1841 router as easy VPN server. This is the configuration of the router:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Xgf9$MKt1eImjyrmDwcYnbz0xZ/
enable password 6y5t4r3e2w1q
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
crypto pki trustpoint TP-self-signed-947142914
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-947142914
revocation-check none
rsakeypair TP-self-signed-947142914
!
!
crypto pki certificate chain TP-self-signed-947142914
certificate self-signed 01
quit
username root privilege 15 password 0 6y5t4r3e2w1q
username admin secret 5 $1$78MV$Yc7sfwt5PoEm.eKmjPlKw1
username test privilege 15 password 0 test_123
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 8 periodic
!
crypto isakmp client configuration group cisco
key 6y5t4r3e2w1q
dns 8.8.8.8
domain cisco.com
pool SDM_POOL_client
max-users 1000
netmask 255.255.255.0
!
crypto isakmp client configuration group server_1
key 6y5t4r3e2w1q
dns 8.8.8.8
domain cisco.com
pool SDM_POOL_server_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 local-address FastEthernet0/0
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Loopback0
ip address 172.16.0.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.130 255.255.255.0
speed auto
full-duplex
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
full-duplex
no mop enabled
!
ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190
ip local pool SDM_POOL_server_1 10.10.10.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 6y5t4r3e2w1q
transport input telnet ssh
!
scheduler allocate 20000 1000
end
One CentOS server with a VPNC client and several Windows clients are connected to the VPN server. Everything works, but the problem is that the CentOS server with the VPNC client drops the VPN connection after around 30 minutes.
I configured the VPNC client with this option
DPD idle timeout (our side) 0
in the configuration file. But the result is the same. I tried to lower the MTU size, but the problem is still there.
Any idea where the problem is?
Regards
Peter
11-27-2011 11:34 AM
show crypto ipsec sa and show vpn-sessiondb detail type remote filter
Please confirm if the disconnecting CentOS server and the other clients are connecting to the same group, and which ones if different.
Are they using the same client version?
11-27-2011 12:08 PM
Cisco#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 192.168.1.130
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
current_peer 78.130.133.76 port 4500
PERMIT, flags={}
#pkts encaps: 103481, #pkts encrypt: 103481, #pkts digest: 103481
#pkts decaps: 56223, #pkts decrypt: 56223, #pkts verify: 56223
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.130, remote crypto endpt.: 78.130.133.76
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xA5246B6B(2770627435)
inbound esp sas:
spi: 0x912746A(152204394)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3014, flow_id: FPGA:14, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4396027/441)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA5246B6B(2770627435)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3013, flow_id: FPGA:13, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4271258/438)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)
current_peer 192.168.1.1 port 44027
PERMIT, flags={}
#pkts encaps: 110066, #pkts encrypt: 110066, #pkts digest: 110066
#pkts decaps: 143170, #pkts decrypt: 143170, #pkts verify: 143170
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 20
local crypto endpt.: 192.168.1.130, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x5A9A6FDB(1520070619)
inbound esp sas:
spi: 0x87F287C(142551164)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3004, flow_id: FPGA:4, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4439753/417)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5A9A6FDB(1520070619)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3003, flow_id: FPGA:3, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4496815/416)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.52/255.255.255.255/0/0)
current_peer 192.168.1.1 port 1031
PERMIT, flags={}
#pkts encaps: 6117, #pkts encrypt: 6117, #pkts digest: 6117
#pkts decaps: 6551, #pkts decrypt: 6551, #pkts verify: 6551
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.1.130, remote crypto endpt.: 192.168.1.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC133DD0F(3241401615)
inbound esp sas:
spi: 0x5AA668F0(1520855280)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3010, flow_id: FPGA:10, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4587967/1551)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC133DD0F(3241401615)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3006, flow_id: FPGA:6, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4587318/1550)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Cisco#
This command doesn't work:
show vpn-sessiondb detail
The CentOS server is in the group 'server_1'. The clients are in the group 'cisco'.
The clients use the default Ubuntu vpnc client from the GNOME network panel.
I added these lines to the router configuration:
crypto isakmp keepalive 3600 periodic
crypto ipsec security-association idle-time 86400
Is there another idle configuration command that I can add to the router?
Regards
P.S. When I added the idle commands I ran an infinite ping to all machines. After ~30 minutes the ping died. It's a problem in the router's configuration.
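Reading `show crypto ipsec sa` output by hand is tedious when several peers are listed. As an added example that is not part of this thread, the Python script below (hypothetical helpers `parse_ipsec_sa` and `flag_peers`) parses a constructed sample in the same layout as the output posted above, with a documentation address standing in for the remote client, and reports per-peer SAs that are close to rekey or that show receive errors.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa` (not the thread's real output);
# 203.0.113.76 is a documentation address standing in for the remote client.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 192.168.1.130

   protected vrf: (none)
   remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   current_peer 203.0.113.76 port 4500
    #send errors 0, #recv errors 0
     inbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4396027/441)
     outbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4271258/438)

   protected vrf: (none)
   remote ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)
   current_peer 192.168.1.1 port 44027
    #send errors 0, #recv errors 20
     inbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4439753/1417)
     outbound esp sas:
        sa timing: remaining key lifetime (k/sec): (4496815/1416)
"""

def parse_ipsec_sa(text):
    """Split the output at each 'protected vrf:' block and pull out the fields worth watching."""
    peers = []
    for block in re.split(r"^\s*protected vrf:", text, flags=re.M)[1:]:
        peers.append({
            "remote_ident": re.search(r"remote ident.*?:\s*\(([^/]+)/", block).group(1),
            "peer": re.search(r"current_peer\s+(\S+)", block).group(1),
            "recv_errors": int(re.search(r"#recv errors\s+(\d+)", block).group(1)),
            # seconds left on each inbound/outbound SA before a rekey has to succeed
            "lifetimes_sec": [int(s) for s in re.findall(
                r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)", block)],
        })
    return peers

def flag_peers(peers, min_sec=600):
    """Report peers whose SAs are close to expiry or whose counters show receive errors."""
    findings = []
    for p in peers:
        if p["lifetimes_sec"] and min(p["lifetimes_sec"]) < min_sec:
            findings.append(f"{p['remote_ident']} via {p['peer']}: rekey due in {min(p['lifetimes_sec'])}s")
        if p["recv_errors"]:
            findings.append(f"{p['remote_ident']} via {p['peer']}: {p['recv_errors']} recv errors")
    return findings
```

Running it at intervals (e.g. every few minutes) and comparing the SPI or lifetime values across runs shows whether a peer's SA is being rekeyed or torn down around the time the tunnel drops.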