
New Member

Is my VPN working???

EasyVPN on my Cisco 851 WGA K9, not sure if it is working or not

did this??

My VLAN1 is unassigned; in the past it had the IP address of BVI1

MyRouter#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Dot11Radio0                unassigned      YES TFTP   up                    up

Dot11Radio0.1              unassigned      YES unset  up                    up

FastEthernet0              unassigned      YES unset  up                    up

FastEthernet1              unassigned      YES unset  up                    up

FastEthernet2              unassigned      YES unset  up                    up

FastEthernet3              unassigned      YES unset  up                    down

FastEthernet4              72.88.223.20    YES NVRAM  up                    up

Vlan1                      unassigned      YES NVRAM  up                    up

NVI0                       unassigned      YES unset  up                    up

BVI1                       192.168.69.1    YES NVRAM  up                    up

Virtual-Dot11Radio0        unassigned      YES TFTP   down                  down

Virtual-Dot11Radio0.1      unassigned      YES unset  down                  down

Virtual-Template1          72.88.223.20    YES TFTP   down                  down

Virtual-Access1            unassigned      YES unset  down                  down

MyRouter#

Any ideas

Tom

16 REPLIES
New Member

Is my VPN working???

Hi

Do a show crypto isakmp sa, it should say QM_IDLE

Rich

Cisco Employee

Is my VPN working???

Hello Tom,

The virtual-access interface should be up but as Richard said, you should check "show crypto isa sa" to see if there is any output. If you see QM_IDLE, it means phase1 is up and we need to have a look at "show crypto ips sa" to see if phase2 came up.

The best would be if you could attach your configuration and possibly the following debugs: debug crypto isa and debug crypto ipsec.

Warm Regards,

Rose

New Member

Is my VPN working???

Richard/Rose

Thanks for the response

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MyRouter#show crypto ips sa

MyRouter#debug crypto isa
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on

How do I stop debug?

Here is my config

MyRouter#show config
Using 5935 out of 131072 bytes
!
! Last configuration change at 10:17:09 EST Tue Dec 27 2011 by netman
! NVRAM config last updated at 10:17:10 EST Tue Dec 27 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group TGCSVPN
key ourvpn
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group WGP-1
   match identity group WGP-2
   match identity group ACCTG
   match identity group CSVC
   match identity group TGCSVPN
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175148
ntp server 141.165.5.137
end

MyRouter#

See anything wrong?

Thanks  Tom

New Member

Is my VPN working???

Hi

I don't see the crypto map and also none attached to an interface

Rich

New Member

Re: Is my VPN working???

Rich

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MyRouter#show crypto ips sa

MyRouter#

I did these two commands but the second one does not show anything is that what you mean?

If so what do I need to do ?

Am I missing code? if so what do I need to add

You need more info let me know

Thanks

Tom

New Member

Is my VPN working???

Hi

You need

crypto map MY VPN 1 ipsec-isakmp

set peer 10.1.1.1 9 (The IP Addr of other end of the tunnel)

set transform-set ESP-3DES-SHA (your transform set)

match address 101  ( create access-list for intresting traffic for the VPN)

Remember your settings will need to match your transform-set at the other end

Then apply your crypto map to an interface, i.e.

interface atm0.1

crypto map MY VPN

Try that

Rich

New Member

Is my VPN working???

Richard

This is a little over my head, I am new to VPN on a Cisco

But maybe if I tell you a little more you might know what I need

I have some laptop and desktop users from their homes that need to VPN to my network

I used CCP to install EASYVPN

The crypto commands in my config have some of the info you asked for

Not sure where to go here

Thanks

Tom

New Member

Is my VPN working???

New Member

Is my VPN working???

Richard

I am using a cisco 851 anyconnect not support on this router

I am using EASYVPN

Is this the same info?

Tom

Hall of Fame Super Silver

Re: Is my VPN working???

Tom,

I believe Rich was thinking about a site-to-site VPN. In that case, you would need the bits he mentioned.

You have user-based VPN setup. Unless and until a user actually connects via VPN, you will not see any ISAKMP Security Associations (SAs).

Here is typical output from a VPN device (an ASA in this case):

asa-1/pri/act# sh cry isakmp sa

   Active SA: 10

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 10

1   IKE Peer: x.x.x.x

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: x.x.x.x

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

Notice two types: L2L (LAN to LAN) and user.

In your case, you would only expect to see a user type of SA with State AM_ACTIVE for each user successfully connected via VPN. If no users are connected, the command will not return any output.

So to answer your initial question - you need to first fire up a client VPN session and then check your device.
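Rose's point that QM_IDLE means phase 1 is up, and Marvin's point that an empty table simply means no client has connected yet, can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the IOS table Tom pasted and an ASA-style listing like Marvin's, and reports whether any IKE phase 1 session is established. The sample outputs and peer addresses are constructed for illustration.

```python
"""Classify IKE phase 1 state from 'show crypto isakmp sa' output (IOS and ASA)."""
import re

# Constructed sample: the empty IOS table from the thread (no SAs at all).
IOS_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""

# Constructed sample of the same command with one remote-access client connected.
IOS_ACTIVE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    203.0.113.5     QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed ASA sample modelled on the listing in the thread (documentation addresses).
ASA_SAMPLE = """   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.5
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""

# One IOS data row: dst src state conn-id slot status (header row has no numeric conn-id,
# so it never matches). Older IOS releases omit the slot column; adjust the pattern if so.
IOS_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
ASA_PEER = re.compile(r"^\d+\s+IKE Peer:\s+(\S+)")
ASA_TYPE = re.compile(r"Type\s*:\s*(\S+)")
ASA_STATE = re.compile(r"State\s*:\s*(\S+)")

# States in which the IKE negotiation has completed (main, aggressive or quick mode idle).
ESTABLISHED = {"QM_IDLE", "MM_ACTIVE", "AM_ACTIVE"}


def parse_ios(text):
    """Return one dict per SA row of the IOS table; an empty list means no IKE sessions."""
    sas = []
    for line in text.splitlines():
        m = IOS_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, slot, status = m.groups()
            sas.append({"peer": src, "type": "unknown", "state": state, "status": status})
    return sas


def parse_asa(text):
    """Return one dict per 'IKE Peer' block of the ASA listing, with its Type and State."""
    sas, cur = [], None
    for line in text.splitlines():
        m = ASA_PEER.match(line.strip())
        if m:
            cur = {"peer": m.group(1), "type": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue  # summary lines above the first peer block
        for key, rx in (("type", ASA_TYPE), ("state", ASA_STATE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
    return sas


def phase1_summary(sas):
    """Split SAs into established and still-negotiating; no SAs means nobody connected."""
    est = [s for s in sas if s["state"] in ESTABLISHED]
    pending = [s for s in sas if s["state"] not in ESTABLISHED]
    return {"connected": bool(est), "established": est, "pending": pending}
```

Run `phase1_summary(parse_ios(IOS_EMPTY))` to see the "no client has connected yet" case and `phase1_summary(parse_asa(ASA_SAMPLE))` to see an L2L and a user SA both reported as established.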

New Member

Re: Is my VPN working???

Marvin

Thanks

Now I need to find a test machine can you connect  to a vpn site if you are already logged onto a windows domain server?

Tom

Hall of Fame Super Silver

Is my VPN working???

You're welcome.

Generally speaking one can launch a VPN when logged in on a PC that is a member of a Windows domain. You might want to check if Windows firewall is on, especially if the client is running Windows 7.  It can sometimes cause issues.

However, it is always possible that the domain has imposed policies to prevent just about anything. By default that generally wouldn't be the case though.

Either way, just give it a try and go from there. It can't hurt.

New Member

Re: Is my VPN working???

Marvin

Thanks

I just read Richard's last post above, he pointed me to a link and I think I might have configured this incorrectly

looking into how to correct this

I use Kaspersky Internet Security, Windows firewall is disabled but Kaspersky has a firewall

Would be nice to have someone knowledgeable to test with

I was trying to take my laptop off the domain but am having an issue logging on locally

Reading thru this now

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b34d1f.shtml

on the Authentication method Next : Specify used for authenticating the VPN clients. Here, Pre-shared Keys is the authentication method used. Click PAGE

I selected a pre-existing interface, should have done what is on that page

Now I need to figure out how to back this out

Any way to remove existing EASY VPN config so I can redo the setup looks like the doc shows a few things that I do incorrectly

Tom

Hall of Fame Super Silver

Re: Is my VPN working???

Tom,

Just select Configure-Security-VPN-Easy VPN Server and then Edit Easy VPN Server to change your settings.

Your laptop being on the domain should not generally adversely affect your ability to connect to a VPN unless the domain security policy locks you down tightly. It is always nice though to have a locally administered OS to do testing from. If you don't have a separate machine, you can sometimes get by with an OS instance running in a VirtualBox or VMWare Player installation on your domain PC.

New Member

Re: Is my VPN working???

Marvin

Thanks, only problem is the edit does not go through the same screens as the create screens, so I deleted the existing EasyVPN and created a second one. Only problem with that is the Cisco remembers old info

here is my new config and I see some things that do not match the sample config from the article that Richard pointed me to, I highlighted them



User Access Verification

Username: netman
Password:

MyRouter#sh cry isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MyRouter#show run
Building configuration...

Current configuration : 7446 bytes
!
! Last configuration change at 09:27:39 EST Fri Dec 30 2011
! NVRAM config last updated at 09:27:39 EST Fri Dec 30 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxx/
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01
  quit
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group TGCSVPN
key tgcsvpn01
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group TGCSVPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface Loopback1
no ip address                                      No ipaddress is this right?????????????????
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1                              72.88.223.1 not valid ?????????????????
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175144
ntp server 141.165.5.137
end

MyRouter#

Totally confused and lost here, any ideas, please help

Tom
