EzVPN on IOS 12.4T and no traffic from client

Hi guys,

I would appreciate it if you could give me a hint regarding an issue I have. I configured Easy VPN on c2800nm-advipservicesk9-mz.124-15.T15.bin using Xauth and RRI (split tunneling), and I can connect using the Cisco VPN client (Windows version 5.0.07.0290) or the latest Linux vpnc client. The problem is that I can't reach anything behind the VPN concentrator, including its loopback.

This is the EzVPN-related config section:

========== Start of Config =========

version 12.4

aaa new-model
!
aaa authentication login dmp_vpn_xauth local
aaa authorization network dmp_vpn_group local

!

username example password 7 *****

!

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EASY-VPN-POOL
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group dmp-group
 key ***
 pool EASY-VPN-POOL
 acl EZVPN_TUNNEL
!                 
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!         
crypto dynamic-map dynmap 1
 set transform-set ESP-AES-SHA
 reverse-route
!         
!         
crypto map dynmap client authentication list dmp_vpn_xauth
crypto map dynmap isakmp authorization list dmp_vpn_group
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap

interface Loopback1
 ip address 192.168.1.1 255.255.255.255
!

interface GigabitEthernet0/0.30
 description Interconnect
 encapsulation dot1Q 30
 ip address 192.168.0.133 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 standby version 2
 standby 0 ip 192.168.0.134
 standby 0 priority 110
 standby 0 preempt

!

interface GigabitEthernet0/0.40
 description ISP-UPLINK
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 crypto map dynmap

!

ip local pool EASY-VPN-POOL 192.168.1.10 192.168.1.30
ip route 0.0.0.0 0.0.0.0 203.0.113.2
ip route 192.168.0.0 255.255.255.0 192.168.0.129

!

no ip http server
ip http authentication local
no ip http secure-server

!

ip nat inside source list nat interface GigabitEthernet0/0.40 overload
ip nat inside source static tcp 192.168.0.102 5061 interface GigabitEthernet0/0.40 5061
ip nat inside source static udp 192.168.0.102 5061 interface GigabitEthernet0/0.40 5061
ip nat inside source static udp 192.168.0.115 5060 interface GigabitEthernet0/0.40 5060
ip nat inside source static tcp 192.168.0.115 5060 interface GigabitEthernet0/0.40 5060
!        
ip access-list extended EZVPN_TUNNEL
 permit ip 192.168.0.0 0.0.0.255 any

!

ip access-list extended nat
 permit ip 192.168.0.0 0.0.0.255 any

========== End of Config =========

After establishing the VPN connection from the client I can see an ISAKMP SA like this:

bdr1#sh crypto isakmp sa detail
C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

1020  194.44.254.94   195.160.233.253          ACTIVE aes  sha       2  23:30:19 CX  
       Engine-id:Conn-id =  SW:20

Let's enable debugging (debug crypto isakmp error) and reconnect again:

bdr1#sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP Error debugging is on

bdr1#

*Mar 11 13:19:46.324: ISAKMP:(0):Proposed key length does not match policy
*Mar 11 13:19:46.324: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Proposed key length does not match policy
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Mar 11 13:19:46.328: ISAKMP:(0):Hash algorithm offered does not match policy!
*Mar 11 13:19:46.328: ISAKMP:(0):atts are not acceptable. Next payload is 3 Unknown Attr: 0x7005
*Mar 11 13:19:46.384: ISAKMP (0/1022): Unknown Attr: CONFIG_MODE_UNKNOWN (0x7005)
*Mar 11 13:19:46.384: ISAKMP (0/1022): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
*Mar 11 13:19:46.404: ISAKMP:(1022): IPSec policy invalidated proposal with error 256

From the client side (Windows Cisco VPN client or Linux vpnc, it does not matter):

$ ip r
default via 10.129.193.1 dev p2p1  proto static
192.168.1.0/24 dev tun0  proto kernel  scope link  src 192.168.1.13
203.0.113.1 via 10.129.193.1 dev p2p1  proto static

$ ip addr ls dev tun0
13: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1412 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet 192.168.1.13/24 brd 192.168.1.255 scope global tun0
       valid_lft forever preferred_lft forever

$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
^C
--- 192.168.1.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

And the Cisco IPsec SA:

sh crypto ipsec sa

interface: GigabitEthernet0/0.40
    Crypto map tag: dynmap, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.13/255.255.255.255/0/0)
   current_peer 99.99.99.99 port 57222
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.44.254.94, remote crypto endpt.: 195.160.233.253
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.40
     current outbound spi: 0x29F33178(703803768)

     inbound esp sas:
      spi: 0x9F7AC3D3(2675622867)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2031, flow_id: NETGX:31, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4450002/3127)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x29F33178(703803768)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2032, flow_id: NETGX:32, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4450002/3127)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

From the output above I conclude that no IPsec packets are being encrypted or decrypted, and that there are also some ISAKMP errors during tunnel establishment.

Could you please help me with this.

Thanks.
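Editor's note, added to the thread and not part of the original post. Two things in the posted output are worth separating. The `atts are not acceptable` and `IPSec policy invalidated proposal` lines are emitted once for every proposal the client offers that does not match a configured ISAKMP policy or transform set; since both the ISAKMP SA (`ACTIVE`) and the ESP SAs came up, those lines are noise from the rejected proposals, not the fault. The fault is in the counters: `#pkts decaps: 0` means the router has not received a single ESP packet from the client, so nothing the router does on the return path (RRI, NAT) can be the first cause. The helper below is a small Python triage script I would use to read `show crypto ipsec sa` for many clients at once: it parses each proxy-identity block, normalises the identities to CIDR, collects the ESP SPIs per direction, and turns the encaps/decaps counters into the direction to look in. The sample output is constructed: the first SA is the one from the post with the endpoints changed to the config's 203.0.113.1 and 99.99.99.99, and the second SA is invented to show the "decrypting but not encrypting" case. The field names and verdict strings are my own.

```python
"""Triage helper for IOS `show crypto ipsec sa` output (added example, not from the post)."""
import ipaddress
import re
from dataclasses import dataclass, field

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"^\s*current_peer (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")  # anchored: skips 'current outbound spi:'


def ident_to_cidr(ident: str) -> str:
    """'192.168.1.13/255.255.255.255/0/0' -> '192.168.1.13/32' (protocol/port dropped)."""
    addr, mask, _proto, _port = ident.split("/")
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)

    def verdict(self) -> str:
        """Turn the two packet counters into the direction to troubleshoot."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle: nothing arrives from the peer; check client routes and proxy selectors"
        if self.decaps > 0 and self.encaps == 0:
            return "one-way: decrypting only; check return routing (RRI) and NAT exemption"
        if self.encaps > 0 and self.decaps == 0:
            return "one-way: encrypting only; check the peer and upstream filtering"
        return "healthy: traffic in both directions"


def parse_ipsec_sa(text: str) -> list:
    """One IpsecSa per 'local ident' block; ESP SPIs grouped by direction."""
    sas, current, section = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":          # a new SA block starts here
            current = IpsecSa(local_ident=ident_to_cidr(m.group(2)))
            sas.append(current)
            section = None
        elif current is None:
            continue                              # header lines before the first SA
        elif m:
            current.remote_ident = ident_to_cidr(m.group(2))
        elif PEER_RE.match(line):
            current.peer = PEER_RE.match(line).group(1)
        elif ENCAPS_RE.search(line):
            current.encaps = int(ENCAPS_RE.search(line).group(1))
        elif DECAPS_RE.search(line):
            current.decaps = int(DECAPS_RE.search(line).group(1))
        elif stripped.endswith("sas:"):           # AH/PCP headers reset section to None
            section = {"inbound esp sas:": "in", "outbound esp sas:": "out"}.get(stripped)
        elif section and SPI_RE.match(line):
            (current.inbound_spis if section == "in" else current.outbound_spis).append(
                SPI_RE.match(line).group(1))
    return sas


def triage(text: str) -> list:
    return [(sa.remote_ident, sa.peer, sa.verdict()) for sa in parse_ipsec_sa(text)]


# Constructed sample: SA 1 is the one from the post (endpoints changed to the config's
# 203.0.113.1 / 99.99.99.99); SA 2 is invented to show a one-way tunnel.
SAMPLE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.13/255.255.255.255/0/0)
   current_peer 99.99.99.99 port 57222
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x29F33178(703803768)
     inbound esp sas:
      spi: 0x9F7AC3D3(2675622867)
     inbound ah sas:
     outbound esp sas:
      spi: 0x29F33178(703803768)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.14/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
"""

if __name__ == "__main__":
    for remote, peer, verdict in triage(SAMPLE_OUTPUT):
        print(f"{remote:<18} {peer:<14} {verdict}")
```

Run it as a script, or feed it the pasted output of `show crypto ipsec sa` via `triage(open(path).read())`. The second verdict is the one to keep in mind once traffic does start arriving: in the posted config the NAT list `nat` permits 192.168.0.0/24 to any, and on IOS inside-to-outside NAT runs before the crypto map is evaluated, so LAN replies towards pool addresses would be translated to 203.0.113.1 on their way out. The usual exemption is a `deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255` placed before the permit in that ACL.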
