Help with Easy VPN Server

ryan_david
Level 1

Hi,

I have been trying to configure a Cisco 1941/K9 as an Easy VPN Server through CiscoCP.

The tunnel comes up but I cannot pass any traffic to the secure LAN (GigEth 0/1). When the tunnel comes up, I can ping the Loopback interface and the GigEth 0/1 interface IPs.

Here is my config:

Router#show run
Building configuration...

Current configuration : 4492 bytes
!
! Last configuration change at 05:56:26 UTC Thu Jul 12 2012 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network VPN_Cisco local
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
ip domain name domain.net
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-765105936
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-765105936
 revocation-check none
 rsakeypair TP-self-signed-765105936
!
!
crypto pki certificate chain TP-self-signed-765105936
 certificate self-signed 01
  quit
license udi pid CISCO1941/K9 sn xxxxxxxxxxxx
hw-module ism 0
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxx
username ryan privilege 0 password 0 xxxxxxxxxxxxxxx
!
redundancy
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group1
 key xxxxxxxxxxx
 dns 10.127.8.20
 pool SDM_POOL_1
 acl 100
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_Group1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list VPN_Cisco
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
interface Loopback0
 ip address 10.127.15.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.127.31.26 255.255.255.252
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.127.52.3 10.127.52.254
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 10.127.31.25
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 150 remark VPN Clients
access-list 150 remark CCP_ACL Category=2
access-list 150 permit ip 10.127.52.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet
!
scheduler allocate 20000 1000
end

I hope somebody can help me solve this.

Thank you in advance,

Ryan

21 Replies

Jennifer Halim
Cisco Employee

You would need to configure a route for the pool, as it falls into your class A 10.0.0.0/8 route towards the inside:

ip route 10.127.52.0 255.255.255.0 GigabitEthernet0/0

Hi Jennifer,

I tried this out but I still get the same results. Once the tunnel is up, I can ping the Loopback0 interface and the GigEth 0/1 interface but still no ping even to the next hop which is 10.127.31.25.

Thank you in advance.

Ryan

Yadhu Tony
Level 1

Hello Ryan,

I met the same problem recently. Hope this link will help you out https://supportforums.cisco.com/message/3682321#3682321

Best Regards,

Tony


Hi Tony,

I have not enabled ZBFW yet but I will consider checking your config when I enable it. For now I want to do this step first then I will go with ZBFW.

Thanks.

Cheers,

Ryan

Hi Ryan,

As Jennifer mentioned, add the specific route on the router, and also try adding the route on the .25 device.

So the second route, on the .25 device: ip route 10.127.52.0 255.255.255.0 10.127.31.26

Try this and let us know the results.

Thx

MS
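Added example, not part of either reply: a longest-prefix-match walk-through with the routes posted in this thread, showing why the pool is swallowed by the 10.0.0.0/8 route on the 1941 until the /24 exists, and why the .25 device also needs one. The routing table of the .25 device (`INSIDE_BEFORE`) is an assumption; the 1941 routes are the ones in the posted config.

```python
"""Longest-prefix-match walk-through of the VPN pool return path.

Added example, not from the thread. The 1941's routes are the ones posted
above; the table for the .25 inside device is an ASSUMPTION (a default route
plus its connected transit net), constructed to illustrate MS's point.
"""
from ipaddress import ip_address, ip_network

POOL = "10.127.52.0/24"   # ip local pool SDM_POOL_1 10.127.52.3 10.127.52.254

# 1941 before Jennifer's fix: prefix -> exit interface or next hop.
ROUTER_BEFORE = {
    "0.0.0.0/0": "GigabitEthernet0/0",
    "10.0.0.0/8": "10.127.31.25",             # the whole class A points inside
    "10.127.31.24/30": "GigabitEthernet0/1",  # connected (10.127.31.26/30)
    "10.127.15.0/24": "Loopback0",            # connected
}
# After: a /24 for the pool, longer than the /8, so it wins the lookup.
ROUTER_AFTER = {**ROUTER_BEFORE, POOL: "GigabitEthernet0/0"}

# Assumed .25 device: before MS's fix it only knows a default and its
# transit net, so replies to VPN clients follow the default.
INSIDE_BEFORE = {
    "0.0.0.0/0": "assumed-upstream",
    "10.127.31.24/30": "connected",
}
INSIDE_AFTER = {**INSIDE_BEFORE, POOL: "10.127.31.26"}


def lookup(table, dst):
    """Longest-prefix match: return (matching prefix, next hop) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in table.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def covering_route(table, prefix):
    """Return the broader route that swallows PREFIX, or None.

    None means PREFIX has a route of its own (or something more specific
    overlapping it), i.e. it is not shadowed by a larger aggregate.
    """
    target = ip_network(prefix)
    best = None
    for p, hop in table.items():
        net = ip_network(p)
        if net.prefixlen >= target.prefixlen and net.overlaps(target):
            return None
        if target.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return (str(best[0]), best[1]) if best else None


def return_path(router_table, inside_table, client_ip):
    """Where a reply from the inside LAN to CLIENT_IP is forwarded at each hop."""
    return {
        "inside_device": lookup(inside_table, client_ip),
        "router": lookup(router_table, client_ip),
    }


if __name__ == "__main__":
    client = "10.127.52.10"   # an address from the pool
    print("pool shadowed by:", covering_route(ROUTER_BEFORE, POOL))
    print("before:", return_path(ROUTER_BEFORE, INSIDE_BEFORE, client))
    print("after: ", return_path(ROUTER_AFTER, INSIDE_AFTER, client))
```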

Hi MS,

That did it! Thanks to you and Jennifer.

My next problem would be the ZBFW now.

Which should I tag as the correct answer now? But I give you both credit for it.

Cheers,

Ryan

ryan_david
Level 1

Hi,

The config above now works fine, but I need to use LDAP authentication now so that the users would not need to tell me their passwords to configure on the router.

Any help please?

Thank you in advance,

Ryan

Here is how to configure the LDAP server:

ldap attribute-map ad-map

map type sAMAccountName username

ldap server ldapVPN

ipv4

attribute map ad-map

transport port 3268

bind authenticate root-dn "" password

base-dn ""

authentication bind-first

search-filter user-object-type top

Then change the following:

FROM:

aaa authentication login ciscocp_vpn_xauth_ml_1 local

TO:

aaa authentication login ciscocp_vpn_xauth_ml_1 group ldapVPN

Hi Jennifer,

Thank you for your reply.

I will try this out and will let you know the results later.

Best Regards,

Ryan

Hi Jennifer,

Sorry for taking too long.

My colleague tried to configure the router for LDAP, but not all options were configured exactly as you stated.

The config is below. The input username and password window shows up but it does not accept the test account.

hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server ldap ASIA-LDAP
server server1.domain.net
!
aaa authentication login ciscocp_vpn_xauth_ml_1 group server1.domain.net
aaa authentication login ASIA-LDAP-AUTHE group ASIA-LDAP
aaa authorization network NXP_VPN_Cisco local
aaa authorization network ASIA-LDAP-AUTHO group ldap
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
!
!
!
!
!
ip domain name domain.net
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-765105936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-765105936
revocation-check none
rsakeypair TP-self-signed-765105936
!
!
crypto pki certificate chain TP-self-signed-765105936
certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn xxxxxxxxxx
hw-module ism 0
!
!
!
username admin privilege 15 secret 5 $1$rVI4$WIP5x6at0b1Vot5LbdlGN/
username ryan privilege 0 password 0 pass1234
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Group1
key xxxxxxxxxxxxx
dns 10.127.8.20
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_Group1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list NXP_VPN_Cisco
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
ip address 10.127.15.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address xxx.xxx.164.121 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.127.31.26 255.255.255.252
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.127.20.129 10.127.20.254
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 10.0.0.0 255.0.0.0 10.127.31.25
ip route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
!
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
!
!
!
!
ldap attribute-map ASIA-username-map
map type sAMAccountName username
!
ldap server server1.domain.net
ipv4 10.127.8.20
attribute map ASIA-username-map
bind authenticate root-dn CN=NDB\,\ S1234567,OU=Service\ Accounts,OU=Admin,OU=A
ccounts,DC=domain,DC=net password password1
base-dn DC=domain,DC=net
search-filter user-object-type account
authentication bind-first
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end

Any more ideas?

Thank you and Best Regards,

Ryan

Here is the debug info:

Aug 29 14:19:57.477: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Aug 29 14:19:57.477: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 29 14:19:57.477: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 p
olicy
Aug 29 14:19:57.477: ISAKMP:      encryption AES-CBC
Aug 29 14:19:57.477: ISAKMP:      hash SHA
Aug 29 14:19:57.477: ISAKMP:      default group 2
Aug 29 14:19:57.477: ISAKMP:      auth pre-share
Aug 29 14:19:57.477: ISAKMP:      life type in seconds
Aug 29 14:19:57.477: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Aug 29 14:19:57.477: ISAKMP:      keylength of 128
Aug 29 14:19:57.477: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Aug 29 14:19:57.477: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 29 14:19:57.477: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 p
olicy
Aug 29 14:19:57.477: ISAKMP:      encryption AES-CBC
Aug 29 14:19:57.477: ISAKMP:      hash MD5
Aug 29 14:19:57.477: ISAKMP:      default group 2
Aug 29 14:19:57.477: ISAKMP:      auth pre-share
Aug 29 14:19:57.477: ISAKMP:      life type in seconds
Aug 29 14:19:57.477: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Aug 29 14:19:57.477: ISAKMP:      keylength of 128
Aug 29 14:19:57.477: ISAKMP:(0):Encryption algorithm offered does not match poli
cy!
Aug 29 14:19:57.477: ISAKMP:(0):atts are not acceptable. Next payload is 3
Aug 29 14:19:57.477: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 p
olicy
Aug 29 14:19:57.477: ISAKMP:      encryption 3DES-CBC
Aug 29 14:19:57.477: ISAKMP:      hash SHA
Aug 29 14:19:57.477: ISAKMP:      default group 2
Aug 29 14:19:57.477: ISAKMP:      auth XAUTHInitPreShared
Aug 29 14:19:57.477: ISAKMP:      life type in seconds
Aug 29 14:19:57.477: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Aug 29 14:19:57.477: ISAKMP:(0):atts are acceptable. Next payload is 3
Aug 29 14:19:57.477: ISAKMP:(0):Acceptable atts:actual life: 86400
Aug 29 14:19:57.477: ISAKMP:(0):Acceptable atts:life: 0
Aug 29 14:19:57.477: ISAKMP:(0):Fill atts in sa vpi_length:4
Aug 29 14:19:57.477: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Aug 29 14:19:57.477: ISAKMP:(0):Returning Actual lifetime: 86400
Aug 29 14:19:57.477: ISAKMP:(0)::Started lifetime timer: 86400.

Aug 29 14:19:57.477: ISAKMP:(0): processing KE payload. message ID = 0
Aug 29 14:19:57.481: ISAKMP:(0): processing NONCE payload. message ID = 0
Aug 29 14:19:57.481: ISAKMP:(0): vendor ID is NAT-T v2
Aug 29 14:19:57.481: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 29 14:19:57.481: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_
AWAIT

Aug 29 14:19:57.481: ISAKMP:(17030): constructed NAT-T vendor-02 ID
Aug 29 14:19:57.481: ISAKMP:(17030):SA is doing pre-shared key authentication pl
us XAUTH using id type ID_IPV4_ADDR
Aug 29 14:19:57.481: ISAKMP (17030): ID payload
        next-payload : 10
        type         : 1
        address      : xxx.xxx.164.121
        protocol     : 0
        port         : 0
        length       : 12
Aug 29 14:19:57.481: ISAKMP:(17030):Total payload length: 12
Aug 29 14:19:57.481: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 50
0 peer_port 59463 (R) AG_INIT_EXCH
Aug 29 14:19:57.481: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:19:57.481: ISAKMP:(17030):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REP
LY
Aug 29 14:19:57.481: ISAKMP:(17030):Old State = IKE_R_AM_AAA_AWAIT  New State =
IKE_R_AM2

Aug 29 14:19:57.969: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) AG_INIT_EXCH
Aug 29 14:19:57.969: ISAKMP:(17030): processing HASH payload. message ID = 0
Aug 29 14:19:57.969: ISAKMP:(17030): processing NOTIFY INITIAL_CONTACT protocol
1
        spi 0, message ID = 0, sa = 0x31CDB674
Aug 29 14:19:57.969: ISAKMP:received payload type 20
Aug 29 14:19:57.969: ISAKMP (17030): His hash no match - this node outside NAT
Aug 29 14:19:57.969: ISAKMP:received payload type 20
Aug 29 14:19:57.969: ISAKMP (17030): His hash no match - this node outside NAT
Aug 29 14:19:57.969: ISAKMP:(17030):SA authentication status:
        authenticated
Aug 29 14:19:57.969: ISAKMP:(17030):SA has been authenticated with xxx.xxx.89.25
2
Aug 29 14:19:57.969: ISAKMP:(17030):Detected port,floating to port = 59464
Aug 29 14:19:57.969: ISAKMP: Trying to find existing peer xxx.xxx.164.121/xxx.xxx
.89.252/59464/
Aug 29 14:19:57.969: ISAKMP:(17030):SA authentication status:
        authenticated
Aug 29 14:19:57.969: ISAKMP:(17030): Process initial contact,
bring down existing phase 1 and 2 SA's with local xxx.xxx.164.121 remote xxx.xxx.
89.252 remote port 59464
Aug 29 14:19:57.969: ISAKMP:(17030):returning IP addr to the address pool
Aug 29 14:19:57.973: AAA/BIND(0000005E): Bind i/f
Aug 29 14:19:57.973: ISAKMP: Trying to insert a peer xxx.xxx.164.121/xxx.xxx.89.2
52/59464/,  and inserted successfully 31631C20.
Aug 29 14:19:57.973: ISAKMP:(17030):Returning Actual lifetime: 86400
Aug 29 14:19:57.973: ISAKMP: set new node -1278956094 to CONF_XAUTH
Aug 29 14:19:57.973: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 29 14:19:57.973: ISAKMP:(17030):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 823679976, message ID = 3016011202
Aug 29 14:19:57.973: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) QM_IDLE
Aug 29 14:19:57.973: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:19:57.973: ISAKMP:(17030):purging node -1278956094
Aug 29 14:19:57.973: ISAKMP: Sending phase 1 responder lifetime 86400

Aug 29 14:19:57.973: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
Aug 29 14:19:57.973: ISAKMP:(17030):Old State = IKE_R_AM2  New State = IKE_P1_CO
MPLETE

Aug 29 14:19:57.973: ISAKMP:(17030):Need XAUTH
Aug 29 14:19:57.973: ISAKMP: set new node 1150323749 to CONF_XAUTH
Aug 29 14:19:57.973: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Aug 29 14:19:57.973: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:19:57.977: ISAKMP:(17030): initiating peer config to xxx.xxx.89.252. I
D = 1150323749
Aug 29 14:19:57.977: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:19:57.977: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:19:57.977: ISAKMP:(17030):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLE
TE
Aug 29 14:19:57.977: ISAKMP:(17030):Old State = IKE_P1_COMPLETE  New State = IKE
_XAUTH_REQ_SENT

Aug 29 14:20:12.977: ISAKMP:(17030): retransmitting phase 2 CONF_XAUTH    115032
3749 ...
Aug 29 14:20:12.977: ISAKMP (17030): incrementing error counter on node, attempt
1 of 5: retransmit phase 2
Aug 29 14:20:12.977: ISAKMP (17030): incrementing error counter on sa, attempt 1
of 5: retransmit phase 2
Aug 29 14:20:12.977: ISAKMP:(17030): retransmitting phase 2 1150323749 CONF_XAUT
H
Aug 29 14:20:12.977: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:12.977: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:13.213: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) CONF_XAUTH
Aug 29 14:20:13.213: ISAKMP:(17030):processing transaction payload from xxx.xxx.
89.252. message ID = 1150323749
Aug 29 14:20:13.213: ISAKMP: Config payload REPLY
Aug 29 14:20:13.213: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Aug 29 14:20:13.213: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:20:13.213: AAA/AUTHEN/LOGIN (0000005E): Pick method list 'ciscocp_vpn_
xauth_ml_1'
Aug 29 14:20:13.213: ISAKMP:(17030):deleting node 1150323749 error FALSE reason
"Done with xauth request/reply exchange"
Aug 29 14:20:13.213: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Aug 29 14:20:13.213: ISAKMP:(17030):Old State = IKE_XAUTH_REQ_SENT  New State =
IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Aug 29 14:20:13.213: %AAA-3-BADSERVERTYPEERROR: Cannot process authentication se
rver type *invalid_group_handle*
Aug 29 14:20:13.213: ISAKMP: set new node 486362040 to CONF_XAUTH
Aug 29 14:20:13.213: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Aug 29 14:20:13.213: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:20:13.213: ISAKMP:(17030): initiating peer config to xxx.xxx.89.252. I
D = 486362040
Aug 29 14:20:13.213: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:13.213: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:13.213: ISAKMP:(17030):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOG
IN
Aug 29 14:20:13.213: ISAKMP:(17030):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
New State = IKE_XAUTH_REQ_SENT

Aug 29 14:20:13.221: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) CONF_XAUTH
Aug 29 14:20:13.221: ISAKMP:(17030): phase 2 packet is a duplicate of a previous
packet.
Aug 29 14:20:13.221: ISAKMP:(17030): retransmitting due to retransmit phase 2
Aug 29 14:20:13.221: ISAKMP:(17030): retransmitting phase 2 CONF_XAUTH    115032
3749 ...
Aug 29 14:20:13.721: ISAKMP:(17030): retransmitting phase 2 CONF_XAUTH    115032
3749 ...
Aug 29 14:20:13.721: ISAKMP (17030): incrementing error counter on node, attempt
1 of 5: retransmit phase 2
Aug 29 14:20:13.721: ISAKMP (17030): incrementing error counter on sa, attempt 1
of 5: retransmit phase 2
Aug 29 14:20:13.721: ISAKMP:(17030): retransmitting phase 2 1150323749 CONF_XAUT
H
Aug 29 14:20:13.721: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:13.721: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:20.461: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) CONF_XAUTH
Aug 29 14:20:20.461: ISAKMP:(17030):processing transaction payload from xxx.xxx.
89.252. message ID = 486362040
Aug 29 14:20:20.461: ISAKMP: Config payload REPLY
Aug 29 14:20:20.461: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Aug 29 14:20:20.461: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:20:20.461: AAA/AUTHEN/LOGIN (0000005E): Pick method list 'ciscocp_vpn_
xauth_ml_1'
Aug 29 14:20:20.461: ISAKMP:(17030):deleting node 486362040 error FALSE reason "
Done with xauth request/reply exchange"
Aug 29 14:20:20.461: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Aug 29 14:20:20.461: ISAKMP:(17030):Old State = IKE_XAUTH_REQ_SENT  New State =
IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Aug 29 14:20:20.461: ISAKMP: set new node 422616020 to CONF_XAUTH
Aug 29 14:20:20.461: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
Aug 29 14:20:20.461: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:20:20.461: ISAKMP:(17030): initiating peer config to xxx.xxx.89.252. I
D = 422616020
Aug 29 14:20:20.461: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:20.461: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:20.461: ISAKMP:(17030):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOG
IN
Aug 29 14:20:20.461: ISAKMP:(17030):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
New State = IKE_XAUTH_REQ_SENT

Aug 29 14:20:28.721: ISAKMP:(17030): retransmitting phase 2 CONF_XAUTH    115032
3749 ...
Aug 29 14:20:28.721: ISAKMP (17030): incrementing error counter on node, attempt
2 of 5: retransmit phase 2
Aug 29 14:20:28.721: ISAKMP (17030): incrementing error counter on sa, attempt 1
of 5: retransmit phase 2
Aug 29 14:20:28.721: ISAKMP:(17030): retransmitting phase 2 1150323749 CONF_XAUT
H
Aug 29 14:20:28.721: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:28.721: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:30.181: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) CONF_XAUTH
Aug 29 14:20:30.181: ISAKMP:(17030):processing transaction payload from xxx.xxx.
89.252. message ID = 422616020
Aug 29 14:20:30.181: ISAKMP: Config payload REPLY
Aug 29 14:20:30.181: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Aug 29 14:20:30.181: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Aug 29 14:20:30.181: AAA/AUTHEN/LOGIN (0000005E): Pick method list 'ciscocp_vpn_
xauth_ml_1'
Aug 29 14:20:30.181: ISAKMP:(17030):deleting node 422616020 error FALSE reason "
Done with xauth request/reply exchange"
Aug 29 14:20:30.181: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Aug 29 14:20:30.181: ISAKMP:(17030):Old State = IKE_XAUTH_REQ_SENT  New State =
IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Aug 29 14:20:30.181: ISAKMP: set new node -1636242556 to CONF_XAUTH
Aug 29 14:20:30.181: ISAKMP:(17030): initiating peer config to xxx.xxx.89.252. I
D = 2658724740
Aug 29 14:20:30.181: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) CONF_XAUTH
Aug 29 14:20:30.181: ISAKMP:(17030):Sending an IKE IPv4 Packet.
Aug 29 14:20:30.181: ISAKMP:(17030):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGI
N
Aug 29 14:20:30.181: ISAKMP:(17030):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
New State = IKE_XAUTH_SET_SENT

Aug 29 14:20:30.401: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) CONF_XAUTH
Aug 29 14:20:30.401: ISAKMP:(17030):processing transaction payload from xxx.xxx.
89.252. message ID = -1636242556
Aug 29 14:20:30.401: ISAKMP: Config payload ACK
Aug 29 14:20:30.401: ISAKMP:(17030):peer does not do paranoid keepalives.

Aug 29 14:20:30.401: ISAKMP:(17030):peer does not do paranoid keepalives.

Aug 29 14:20:30.401: ISAKMP:(17030):deleting SA reason "Needed xauth" state (R)
CONF_XAUTH    (peer xxx.xxx.89.252)
Aug 29 14:20:30.401: ISAKMP:(17030):       (blank) XAUTH ACK Processed
Aug 29 14:20:30.401: ISAKMP:(17030):deleting node -1636242556 error FALSE reason
"Transaction mode done"
Aug 29 14:20:30.401: ISAKMP:(17030):Talking to a Unity Client
Aug 29 14:20:30.401: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Aug 29 14:20:30.401: ISAKMP:(17030):Old State = IKE_XAUTH_SET_SENT  New State =
IKE_P1_COMPLETE

Aug 29 14:20:30.401: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 29 14:20:30.401: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAK
MP
Aug 29 14:20:30.401: IPSEC(key_engine_delete_sas): delete all SAs shared with pe
er xxx.xxx.89.252
Aug 29 14:20:30.401: ISAKMP:(17030):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Aug 29 14:20:30.401: ISAKMP:(17030):Old State = IKE_P1_COMPLETE  New State = IKE
_DEST_SA

Aug 29 14:20:30.401: ISAKMP:(17030):deleting SA reason "Needed xauth" state (R)
CONF_XAUTH    (peer xxx.xxx.89.252)
Aug 29 14:20:30.401: ISAKMP: Unlocking peer struct 0x31631C20 for isadb_mark_sa_
deleted(), count 0
Aug 29 14:20:30.405: ISAKMP: Deleting peer node by peer_reap for xxx.xxx.89.252:
31631C20
Aug 29 14:20:30.405: ISAKMP:(17030):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Aug 29 14:20:30.405: ISAKMP:(17030):Old State = IKE_DEST_SA  New State = IKE_DES
T_SA

Aug 29 14:20:30.405: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Aug 29 14:20:30.405: ISAKMP (17030): received packet from xxx.xxx.89.252 dport 4
500 sport 59464 Global (R) MM_NO_STATE
Aug 29 14:20:43.721: ISAKMP:(17030): retransmitting phase 2 MM_NO_STATE 11503237
49 ...
Aug 29 14:20:43.721: ISAKMP (17030): incrementing error counter on node, attempt
3 of 5: retransmit phase 2
Aug 29 14:20:43.721: ISAKMP (17030): incrementing error counter on sa, attempt 1
of 5: retransmit phase 2
Aug 29 14:20:43.721: ISAKMP:(17030): retransmitting phase 2 1150323749 MM_NO_STA
TE
Aug 29 14:20:43.721: ISAKMP:(17030): sending packet to xxx.xxx.89.252 my_port 45
00 peer_port 59464 (R) MM_NO_STATE
Aug 29 14:20:43.721: ISAKMP:(17030):Sending an IKE IPv4 Packet.

Thank you and Best Regards,

Ryan
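Added example, not from any post here: a consistency check for the AAA references in an IOS config, run over the relevant lines posted above. It flags a method list whose `group` keyword names an `ldap server` rather than a defined `aaa group server` (the built-in group names radius, tacacs+ and ldap are accepted), which is the mismatch that sits next to the `%AAA-3-BADSERVERTYPEERROR ... *invalid_group_handle*` line in the debug. The regexes and the `POSTED_CONFIG` excerpt are mine.

```python
"""Consistency check for AAA / Easy VPN references in an IOS running-config.

Added example, not from the thread. Over the posted config lines it checks that:
  * every `group NAME` in an aaa authentication/authorization method list names
    a defined `aaa group server` or a built-in group (radius, tacacs+, ldap);
  * every `server NAME` inside an `aaa group server ldap` is a defined `ldap server`;
  * the isakmp profile's `client authentication list` / `isakmp authorization
    list` refer to method lists that exist.
"""
import re

BUILTIN_GROUPS = {"radius", "tacacs+", "ldap"}

RE_GROUP = re.compile(r"^aaa group server (\S+) (\S+)$")
RE_LDAP_SERVER = re.compile(r"^ldap server (\S+)$")
RE_METHOD_LIST = re.compile(r"^aaa (authentication|authorization) (\S+) (\S+) (.+)$")
RE_PROFILE_REF = re.compile(r"^(client authentication list|isakmp authorization list) (\S+)$")

# Constructed excerpt: only the AAA/LDAP/isakmp lines from the config posted above.
POSTED_CONFIG = """
aaa new-model
aaa group server ldap ASIA-LDAP
 server server1.domain.net
!
aaa authentication login ciscocp_vpn_xauth_ml_1 group server1.domain.net
aaa authentication login ASIA-LDAP-AUTHE group ASIA-LDAP
aaa authorization network NXP_VPN_Cisco local
aaa authorization network ASIA-LDAP-AUTHO group ldap
!
crypto isakmp profile ciscocp-ike-profile-1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list NXP_VPN_Cisco
!
ldap server server1.domain.net
 ipv4 10.127.8.20
"""


def parse(config_text):
    """Collect definitions: (groups, group_members, ldap_servers, method_lists)."""
    groups, members, servers, lists = {}, {}, set(), {}
    current_group = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current_group = None
            continue
        if m := RE_GROUP.match(line):
            groups[m.group(2)] = m.group(1)          # name -> protocol (ldap, radius, ...)
            current_group = m.group(2)
            members[current_group] = []
            continue
        if current_group and line.startswith("server "):
            members[current_group].append(line.split()[1])
            continue
        current_group = None                          # any other top-level line ends the block
        if m := RE_LDAP_SERVER.match(line):
            servers.add(m.group(1))
        elif m := RE_METHOD_LIST.match(line):
            kind, _subtype, name, methods = m.groups()
            lists[(kind, name)] = methods.split()
    return groups, members, servers, lists


def lint(config_text):
    """Return a list of human-readable findings (empty when everything resolves)."""
    groups, members, servers, lists = parse(config_text)
    findings = []
    for (kind, name), methods in lists.items():
        for i, tok in enumerate(methods):
            if tok != "group" or i + 1 >= len(methods):
                continue
            ref = methods[i + 1]
            if ref in BUILTIN_GROUPS or ref in groups:
                continue
            hint = (" (this is an 'ldap server' name, not a server group; reference the"
                    " 'aaa group server ldap' that contains it)" if ref in servers else "")
            findings.append(f"aaa {kind} list {name}: 'group {ref}' is not a defined aaa group server{hint}")
    for grp, srvs in members.items():
        if groups.get(grp) == "ldap":
            for s in srvs:
                if s not in servers:
                    findings.append(f"aaa group server ldap {grp}: member {s} is not a defined ldap server")
    for raw in config_text.splitlines():
        if m := RE_PROFILE_REF.match(raw.strip()):
            kind = "authentication" if m.group(1).startswith("client") else "authorization"
            if (kind, m.group(2)) not in lists:
                findings.append(f"isakmp profile: '{m.group(1)} {m.group(2)}' names no aaa {kind} list")
    return findings


if __name__ == "__main__":
    for f in lint(POSTED_CONFIG):
        print("FINDING:", f)
```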

Hi,

Any ideas about this anyone?

I was able to confirm that LDAP has root-dn bind done.

But I can't seem to get it to work.

Thank you in advance.

Ryan

Can you share the output of "show ldap server all", and also run "debug ldap" and try to authenticate via the VPN client? I assume that it does prompt you to enter username and password, right?

Hi Jennifer,

Thank you for replying.

Here is the debug info and output of show ldap. And yes it prompts me to enter username and password but does not seem to pass it on.

Thank you and Best Regards,

Ryan

Router#show ldap server all
Server Information for server1.domain.net
================================
Server name             :server1.domain.net
Server IP               :10.127.8.20
Server listening Port   :3268
Connection status       :UP
Bind Root-dn            :CN=NDB\, S1234567,OU=Service Accounts,OU=Admin,OU=Accou
nts,DC=asia,DC=pilkington,DC=net
Root Bind status        :Root-dn Bind Done
Server mode             :Non-Secure
Cipher Suite            :0x00
Authentication Seq      :Bind/Compare password first. Search next
Authentication Procedure:Bind with user password
Base-Dn                 :DC=domain,DC=net
Attribute map           :ASIA-username-map
Request timeout             :30
----------------------------------
* LDAP STATISTICS *
Total messages  [Sent:68, Received:68]
Response delay(ms) [Average:473, Maximum:548]
Total search    [Request:0, ResultEntry:0, ResultDone:0]
Total bind      [Request:68, Response:68]
Total extended  [Request:0, Response:0]
Total compare   [Request:0, Response:0]
----------------------------------


Router#
Aug 31 03:04:27.404: AAA/BIND(00000056): Bind i/f
Aug 31 03:04:27.424: AAA/BIND(00000057): Bind i/f
Aug 31 03:04:31.896: AAA/AUTHEN/LOGIN (00000057): Pick method list 'ciscocp_vpn_
xauth_ml_1'
Aug 31 03:04:31.896: LDAP: LDAP: Queuing AAA request 87 for processing
Aug 31 03:04:31.896: LDAP: Received queue event, new AAA request
Aug 31 03:04:31.896: LDAP: LDAP authentication request
Aug 31 03:04:31.900: LDAP: Attempting first  next available LDAP server
Aug 31 03:04:31.900: LDAP: Got next LDAP server :server1.domain.net
Aug 31 03:04:31.900: LDAP: First Task: Send bind req
Aug 31 03:04:31.900: LDAP: Authentication policy: bind-first
Aug 31 03:04:31.900: LDAP: Dynamic map configured
Aug 31 03:04:31.900: LDAP: Dynamic map found for aaa type=username
Aug 31 03:04:31.900: LDAP: Bind: User-DN=sAMAccountName=ryan,DC=domain,DC=netldap_req_encode
Doing socket write
Aug 31 03:04:31.900: LDAP:  LDAP bind request sent successfully (reqid=115)
Aug 31 03:04:31.900: LDAP: Sent the LDAP request to server
Aug 31 03:04:32.364: LDAP: Received socket event
Aug 31 03:04:32.364: LDAP: Checking the conn status
Aug 31 03:04:32.364: LDAP: Socket read event socket=0
Aug 31 03:04:32.364: LDAP: Found socket ctx
Aug 31 03:04:32.364: LDAP: Receive event: read=1, errno=9 (Bad file number)
Aug 31 03:04:32.364: LDAP: Passing the client ctx=31BC7010ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x30C757EC

Doing socket read
LDAP-TCP:Bytes read = 109
ldap_match_request succeeded for msgid 4 h 0
changing lr 0x30DA1630 to COMPLETE as no continuations
removing request 0x30DA1630 from list as lm 0x31BF7518 all 0
ldap_msgfree
ldap_msgfree

Aug 31 03:04:32.364: LDAP: LDAP Messages to be processed: 1
Aug 31 03:04:32.364: LDAP: LDAP Message type: 97
Aug 31 03:04:32.364: LDAP: Got ldap transaction context from reqid 115ldap_parse
_result

Aug 31 03:04:32.364: LDAP: resultCode:    49     (Invalid credentials)
Aug 31 03:04:32.364: LDAP: Received Bind Responseldap_parse_result
ldap_err2string

Aug 31 03:04:32.364: LDAP: Ldap Result Msg: FAILED:Invalid credentials, Result c
ode =49
Aug 31 03:04:32.364: LDAP: LDAP Bind operation result : failed
Aug 31 03:04:32.364: LDAP: Restoring root bind status of the connection
Aug 31 03:04:32.364: LDAP: Performing Root-Dn bind operationldap_req_encode
Doing socket write
Aug 31 03:04:32.364: LDAP: Root Bind on CN=NDB\, S1234567,OU=Service Accounts,OU
=Admin,OU=Accounts,DC=domain,DC=net initiated.ldap_msgfree

Aug 31 03:04:32.364: LDAP: Closing transaction and reporting error to AAA
Aug 31 03:04:32.364: LDAP: Transaction context removed from list [ldap reqid=115
]
Aug 31 03:04:32.364: LDAP: Notifying AAA: REQUEST FAILED
Aug 31 03:04:32.364: LDAP: Received socket event
Aug 31 03:04:32.912: LDAP: Received socket event
Aug 31 03:04:32.912: LDAP: Checking the conn status
Aug 31 03:04:32.912: LDAP: Socket read event socket=0
Aug 31 03:04:32.912: LDAP: Found socket ctx
Aug 31 03:04:32.912: LDAP: Receive event: read=1, errno=9 (Bad file number)
Aug 31 03:04:32.912: LDAP: Passing the client ctx=31BC7010ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_read_activity lc 0x30C757EC

Doing socket read
LDAP-TCP:Bytes read = 22
ldap_match_request succeeded for msgid 5 h 0
changing lr 0x29DA08BC to COMPLETE as no continuations
removing request 0x29DA08BC from list as lm 0x31BF7518 all 0
ldap_msgfree
ldap_msgfree

Aug 31 03:04:32.912: LDAP: LDAP Messages to be processed: 1
Aug 31 03:04:32.912: LDAP: LDAP Message type: 97
Aug 31 03:04:32.912: LDAP: Got ldap transaction context from reqid 116ldap_parse
_result

Aug 31 03:04:32.912: LDAP: resultCode:    0     (Success)
Aug 31 03:04:32.912: LDAP: Received Bind Response
Aug 31 03:04:32.912: LDAP: Received Root Bind Response ldap_parse_result

Aug 31 03:04:32.912: LDAP: Ldap Result Msg: SUCCESS, Result code =0
Aug 31 03:04:32.912: LDAP: Root DN bind Successful on :CN=NDB\, S1234567,OU=Serv
ice Accounts,OU=Admin,OU=Accounts,DC=domain,DC=net
Aug 31 03:04:32.912: LDAP: Transaction context removed from list [ldap reqid=116
]ldap_msgfree
ldap_result
wait4msg (timeout 0 sec, 1 usec)
ldap_select_fd_wait (select)
ldap_err2string

Aug 31 03:04:32.912: LDAP: Finished processing ldap msg, Result:Success
Aug 31 03:04:32.912: LDAP: Received socket event
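Added example, not from the thread: a triage pass over IOS `debug ldap` output, run on lines constructed from the ones posted above (timestamps shortened, library chatter dropped). It pairs each bind request with its resultCode, separates the user bind from the root-dn bind, and checks whether the user DN was composed as `<mapped attribute>=<username>,<base-dn>`, which is the form the debug shows under `bind-first`. The regexes, the triage wording and the `SAMPLE_DEBUG` text are mine.

```python
"""Triage of IOS `debug ldap` output for one XAUTH login attempt.

Added example, not from the thread. SAMPLE_DEBUG is constructed from the lines
Ryan posted; the DNs, result codes and base-dn are the ones on the page.
"""
import re

SAMPLE_DEBUG = """\
03:04:31.900: LDAP: Authentication policy: bind-first
03:04:31.900: LDAP: Dynamic map found for aaa type=username
03:04:31.900: LDAP: Bind: User-DN=sAMAccountName=ryan,DC=domain,DC=net
03:04:31.900: LDAP:  LDAP bind request sent successfully (reqid=115)
03:04:32.364: LDAP: resultCode:    49     (Invalid credentials)
03:04:32.364: LDAP: LDAP Bind operation result : failed
03:04:32.364: LDAP: Root Bind on CN=NDB\\, S1234567,OU=Service Accounts,OU=Admin,OU=Accounts,DC=domain,DC=net initiated.
03:04:32.364: LDAP: Notifying AAA: REQUEST FAILED
03:04:32.912: LDAP: resultCode:    0     (Success)
03:04:32.912: LDAP: Root DN bind Successful on :CN=NDB\\, S1234567,OU=Service Accounts,OU=Admin,OU=Accounts,DC=domain,DC=net
"""

RE_POLICY = re.compile(r"LDAP: Authentication policy: (\S+)$")
RE_USER_BIND = re.compile(r"LDAP: Bind: User-DN=(.+)$")
RE_ROOT_BIND = re.compile(r"LDAP: Root Bind on (.+) initiated\.$")
RE_RESULT = re.compile(r"LDAP: resultCode:\s+(\d+)\s+\((.+)\)$")
RE_AAA = re.compile(r"LDAP: Notifying AAA: (.+)$")


def parse_binds(debug_text):
    """Pair each bind request with the next resultCode line (FIFO order).

    Returns {'policy': str|None, 'aaa': str|None,
             'binds': [{'kind': 'user'|'root', 'dn', 'code', 'text'}, ...]}.
    """
    out = {"policy": None, "aaa": None, "binds": []}
    pending = []   # bind requests still waiting for their resultCode
    for line in debug_text.splitlines():
        if m := RE_POLICY.search(line):
            out["policy"] = m.group(1)
        elif m := RE_USER_BIND.search(line):
            pending.append({"kind": "user", "dn": m.group(1), "code": None, "text": None})
        elif m := RE_ROOT_BIND.search(line):
            pending.append({"kind": "root", "dn": m.group(1), "code": None, "text": None})
        elif (m := RE_RESULT.search(line)) and pending:
            b = pending.pop(0)
            b["code"], b["text"] = int(m.group(1)), m.group(2)
            out["binds"].append(b)
        elif m := RE_AAA.search(line):
            out["aaa"] = m.group(1)
    return out


def triage(debug_text, base_dn, mapped_attr="sAMAccountName"):
    """Reduce the parsed binds to one diagnosis line for the operator."""
    info = parse_binds(debug_text)
    user = [b for b in info["binds"] if b["kind"] == "user"]
    root = [b for b in info["binds"] if b["kind"] == "root"]
    if not user:
        return "no user bind attempted: check the method list and aaa group server references"
    u = user[-1]
    if u["code"] == 0:
        return "user bind succeeded"
    if root and root[-1]["code"] != 0:
        return f"root-dn bind failed ({root[-1]['text']}): service account or server problem"
    dn = u["dn"].lower()
    composed = dn.startswith(f"{mapped_attr}=".lower()) and dn.endswith(f",{base_dn}".lower())
    dn_note = (f"the user DN was composed as {mapped_attr}=<user>,{base_dn} by the attribute map "
               f"under policy {info['policy']}" if composed else "the user DN came from a directory search")
    return (f"user bind failed with resultCode {u['code']} ({u['text']}) while the root-dn bind "
            f"succeeded; {dn_note}; AAA was told: {info['aaa']}")


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG, "DC=domain,DC=net"))
```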
