Cisco Support Community

Remote Access VPN on Loopback

Hello All.

I have a Cisco 2811 with advipservices. I have a connection between my ISP and my router in a private network (interface FastEthernet0/0.678). My external IP address is on a loopback interface. When a client tries to connect, he passes phase 1, then XAuth, and IKE negotiation fails.

Message Log from VPN Client:

345    16:55:30.161  10/31/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=BB661789962D39E1 R_Cookie=F38F8F267DFABCC9) reason = DEL_REASON_IKE_NEG_FAILED

Message Log from Router:

Oct 31 11:05:13.973: ISAKMP:(1023):deleting node -260979190 error FALSE reason "Informational (in) state 1"
Oct 31 11:05:13.973: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct 31 11:05:13.977: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

Config

aaa authentication login vpn_xauth local
aaa authorization network vpn_grp local

crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key password
dns 192.168.6.10
domain examp.com
pool pl_RmACC
acl 112
configuration version 1
netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address initiate
   client configuration address respond
   client configuration group VPN
!
!
crypto ipsec transform-set ts_transform esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ts_transform
match address 111
reverse-route
!
!
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns isakmp authorization list vpn_grp
crypto map cm_vpns client configuration address respond
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap

!

access-list 111 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 111 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15

access-list 112 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.15
access-list 112 permit ip 192.168.6.0 0.0.0.255 192.168.7.0 0.0.0.15

!

!

ip local pool pl_RmACC 192.168.7.2 192.168.7.14

Where did I screw up?

12 REPLIES

Re: Remote Access VPN on Loopback

Hi,

can you put Interface configurations ?

Re: Remote Access VPN on Loopback

Hi,

Remove the following unnecessary lines and try again. And this time post the whole isakmp debug from the router and also from the client.

crypto isakmp profile cp_RemVPN

   no client configuration address initiate

   no client configuration group VPN

no crypto map cm_vpns isakmp authorization list vpn_grp
no crypto map cm_vpns client configuration address respond

Let me know how it goes.

Regards,

Praveen


Re: Remote Access VPN on Loopback

No, it is still not connected.

Interface config

interface Loopback3
ip address 82.200.163.46 255.255.255.252
ip virtual-reassembly

!

interface FastEthernet0/0.678
encapsulation dot1Q 678
ip address 10.10.1.6 255.255.255.252
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
crypto map cm_vpns

!

ip route 0.0.0.0 0.0.0.0 10.10.1.5

Debug in attach

Re: Remote Access VPN on Loopback

Hi,

Thank you for the debugs.

debugs show:

map_db_find_best did not find matching map

IPSEC(ipsec_process_proposal): proxy identities not supported

Remove the following line and see what happens:

crypto dynamic-map dynmap 10

   no match address 111

Let me know how it goes.

Regards,

Praveen


Re: Remote Access VPN on Loopback

Still the same result, not working.

Re: Remote Access VPN on Loopback

Hi,

Configure the following and get me the debugs from the router again please:

crypto dynamic-map dynmap 10

  set isakmp-profile cp_RemVPN

Let me know.

Regards,

Praveen


Re: Remote Access VPN on Loopback

Still same problem. My debugs are attached.

Re: Remote Access VPN on Loopback

Hi,

From the debugs I see that the Phase-2 transform set is not matching at all. Which PC are you trying to connect from? VPN Client version?

can you try the following transform set and see what happens:

crypto ipsec transform-set ts_transform_2 esp-aes esp-md5-hmac comp-lzs

crypto dynamic-map dynmap 10
  set transform-set ts_transform ts_transform_2

Send the output of:

show run | sec crypto isakmp

show run | sec crypto dynamic

show run | sec crypto map

Also Send me the Router debugs.

Regards,

Praveen


Re: Remote Access VPN on Loopback

Still no luck; after all the processes it disconnects.

Cisco Systems VPN Client Version 5.0.07.0410
Client Type(s): Windows, WinNT
Running on: 6.1.7600 ( Windows 7 Ultimate)

show run | sec crypto isakmp
crypto isakmp policy 10000
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
crypto isakmp client configuration group VPN
key password
dns 192.168.6.10
domain examp.com
pool pl_RmACC
acl 112
configuration version 1
netmask 255.255.255.240
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
show run | sec crypto dynamic
crypto dynamic-map dynmap 10
set transform-set ts_transform_2
set pfs group2
set isakmp-profile cp_RemVPN
reverse-route
show run | sec crypto map
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
crypto map cm_vpns

Re: Remote Access VPN on Loopback

You need to enable the crypto map on the interface with the address you are actually connecting to, which means lo3 and not the ethernet trunk port.


Re: Remote Access VPN on Loopback

Changing the interface does not help. If I apply the crypto map on lo3 the same thing happens.

Correct me if I am wrong: the crypto map must be applied on the physical interface that carries the traffic. In my case it is fa0/0.678, and I issued the command crypto map cm_vpns local-address Loopback3 to tell the router that the actual address should be on the loopback.

Same problem with crypto map applied on int fa0/0.678 and lo3.


Re: Remote Access VPN on Loopback

Hi guys, thanks all! I found the root cause: "crypto dynamic-map dynmap 10" together with "crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap" makes the VPN drop the connection. I remembered a TAC engineer's remark; he told me that if the numbers differ it can cause a problem, and after changing "crypto dynamic-map dynmap 10" to 10000 everything works great. Can anyone explain this "feature"?

And when I add a "match address" statement in the "crypto dynamic-map", the VPN fails too. Why?
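The replies in this thread amount to three checks on a remote-access crypto-map configuration: no `match address` on the dynamic map, the dynamic map bound to the ISAKMP profile with `set isakmp-profile`, and the crypto map applied on the physical interface while `local-address` points at the loopback. As an added example (not code from the thread, from Cisco, or from the VPN client), the Python script below parses an IOS config into top-level commands with their indented sub-commands and applies exactly those checks. The two embedded configs are constructed from the thread's own posts (the first post, and the final `show run` output the poster reported as working); the check names and messages are mine, and the script needs Python 3.8 or newer.

```python
"""Lint an IOS remote-access crypto-map config for the pitfalls this thread turned on.
Added example, not the thread's or Cisco's code: the checks encode the replies' advice."""
import re
from typing import Dict, List, Tuple

# Constructed sample 1: the crypto and interface lines from the first post.
BEFORE = """\
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
crypto ipsec transform-set ts_transform esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set ts_transform
 match address 111
 reverse-route
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0.678
 crypto map cm_vpns
"""

# Constructed sample 2: the state the poster reported as working at the end.
AFTER = """\
crypto isakmp profile cp_RemVPN
   match identity group VPN
   client authentication list vpn_xauth
   isakmp authorization list vpn_grp
   client configuration address respond
crypto ipsec transform-set ts_transform_2 esp-aes esp-md5-hmac comp-lzs
crypto dynamic-map dynmap 10000
 set transform-set ts_transform_2
 set pfs group2
 set isakmp-profile cp_RemVPN
 reverse-route
crypto map cm_vpns local-address Loopback3
crypto map cm_vpns 10000 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0.678
 crypto map cm_vpns
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:  # sub-command of the previous block
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _new_map() -> Dict:
    return {"local": None, "dynamic": set(), "applied": []}


def lint(config: str) -> List[str]:
    """Return findings for the crypto maps in config; [] means nothing flagged."""
    profiles, dyn, maps = set(), {}, {}
    for cmd, kids in parse_blocks(config):
        if m := re.match(r"crypto isakmp profile (\S+)$", cmd):
            profiles.add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)$", cmd):
            dyn.setdefault(m[1], []).append((int(m[2]), kids))
        elif m := re.match(r"crypto map (\S+) local-address (\S+)$", cmd):
            maps.setdefault(m[1], _new_map())["local"] = m[2]
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", cmd):
            maps.setdefault(m[1], _new_map())["dynamic"].add(m[2])
        elif m := re.match(r"interface (\S+)$", cmd):
            for k in kids:
                if cm := re.match(r"crypto map (\S+)$", k):
                    maps.setdefault(cm[1], _new_map())["applied"].append(m[1])
    findings = []
    for name, info in maps.items():
        for dname in info["dynamic"]:
            for seq, kids in dyn.get(dname, []):
                where = f"crypto dynamic-map {dname} {seq}"
                if any(k.startswith("match address") for k in kids):
                    findings.append(f"{where}: has 'match address'; remote-access clients "
                                    "propose their own proxy identities (the thread removed it)")
                if profiles and not any(k.startswith("set isakmp-profile") for k in kids):
                    findings.append(f"{where}: not bound to an isakmp profile although "
                                    f"{sorted(profiles)} exist; add 'set isakmp-profile'")
        local, applied = info["local"], info["applied"]
        if not applied:
            findings.append(f"crypto map {name}: not applied to any interface")
        elif local and applied == [local]:
            findings.append(f"crypto map {name}: applied only on its local-address interface "
                            f"{local}; apply it on the physical interface that carries the traffic")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label, *(lint(cfg) or ["clean"]), sep="\n  ")
```

Run against the first post's config it reports the `match address` line and the missing `set isakmp-profile`; against the final config it reports nothing. It also flags the two placements the poster tried and rejected: a crypto map applied only on Loopback3, and a crypto map applied nowhere. It deliberately says nothing about the dynamic-map sequence number, since the thread offers no explanation for why changing it helped.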
