Cisco Support Community

REMOTE ACCESS VPN PROBLEM

Hello,

I have problems with remote IPsec access on an 877.

Here is my config:

aaa new-model

!

!

aaa authentication login local_authentication local

aaa authorization network default local

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp keepalive 3600 periodic

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group euezvpn

key ********

pool ezvpn

acl split-tunneling

crypto isakmp profile eunet

   match identity group euezvpn

   client authentication list local_authentication

   isakmp authorization list default

   client configuration address respond

   client configuration group euezvpn

!

!

crypto ipsec transform-set set esp-3des esp-md5-hmac

crypto map eu-ezvpn 50 ipsec-isakmp dynamic eu-ezvpn

interface Dialer0

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp chap hostname aliceadsl

ppp chap password 7 14161E020F012B2F3724

ppp pap sent-username aliceadsl password 7 1108150C14170A081726

ppp ipcp dns request

ppp ipcp wins request

crypto map eu-ezvpn

ip local pool ezvpn 192.168.10.1 192.168.10.20

ip nat inside source static udp 10.30.82.1 4500 interface Dialer0 4500

ip nat inside source list 101 interface Dialer0 overload

access-list 101 deny   ip 10.30.82.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip 10.30.82.0 0.0.0.255 any

ip access-list extended split-tunneling

permit ip any any

The auth is successful, but the client can't connect. Here is the debug of crypto isakmp:

(2035):Checking IPSec proposal 10

*Mar 11 13:24:19.224: ISAKMP:(2035):transform 1, IPPCP LZS

*Mar 11 13:24:19.224: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.224: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.224: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.224: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 11

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 12

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-SHA

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 13

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 13

*Mar 11 13:24:19.232: ISAKMP:(2035):transform 1, IPPCP LZS

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 14

*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_DES

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 15

*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_NULL

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.236: ISAKMP:(2035):Checking IPSec proposal 16

*Mar 11 13:24:19.236: ISAKMP: transform 1, ESP_NULL

*Mar 11 13:24:19.236: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.236: ISAKMP:      authenticator is HMAC-SHA

*Mar 11 13:24:19.236: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.236: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.236: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.236: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.236: ISAKMP:(2035): phase 2 SA policy not acceptable! (local 10.30.82.1 remote *********)

*Mar 11 13:24:19.236: ISAKMP: set new node 1311674722 to QM_IDLE

*Mar 11 13:24:19.236: ISAKMP:(2035):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 2208329888, message ID = 1311674722

*Mar 11 13:24:19.236: ISAKMP:(2035): sending packet to ********** my_port 4500 peer_port 55954 (R) QM_IDLE

*Mar 11 13:24:19.236: ISAKMP:(2035):Sending an IKE IPv4 Packet.

*Mar 11 13:24:19.236: ISAKMP:(2035):purging node 1311674722

*Mar 11 13:24:19.236: ISAKMP:(2035):deleting node 1387548713 error TRUE reason "QM rejected"

*Mar 11 13:24:19.240: ISAKMP:(2035):Node 1387548713, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 11 13:24:19.240: ISAKMP:(2035):Old State = IKE_QM_READY  New State = IKE_QM_READY

*Mar 11 13:24:19.296: ISAKMP (0:2035): received packet from ********** dport 4500 sport 55954 Global (R) QM_IDLE

R1#

*Mar 11 13:24:19.296: ISAKMP: set new node -169411968 to QM_IDLE

*Mar 11 13:24:19.296: ISAKMP:(2035): processing HASH payload. message ID = -169411968

*Mar 11 13:24:19.296: ISAKMP:(2035): processing DELETE payload. message ID = -169411968

*Mar 11 13:24:19.300: ISAKMP:(2035):peer does not do paranoid keepalives.

Any ideas?

If I try locally, the VPN works fine.

When I apply the crypto map on the local address I'm able to connect, but I can't ping the remote LAN.

Thank You

1 REPLY
I forgot the internal SVI, sorry.

interface Vlan99

ip address 10.30.82.1 255.255.255.0

no ip redirects

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452
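Added example, not part of the original thread: a small Python parser for the phase 2 part of the debug crypto isakmp output quoted in the first post. It lists each proposal the client offered, decodes the VPI lifetime bytes, and reports which rejected proposals carry the same cipher and hash as the configured transform set (esp-3des esp-md5-hmac) and which offers use ESP_NULL or ESP_DES. The sample lines are a shortened, constructed excerpt in the same format, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample: shortened excerpt in the format of the debug output in the post.
SAMPLE = """\
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 11
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES
*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5
*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 15
*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_NULL
*Mar 11 13:24:19.232: ISAKMP:      authenticator is HMAC-MD5
*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
"""

PATTERNS = {  # field name -> regex with one capture group
    "transform": re.compile(r"transform \d+, (\S.*)$"),
    "auth": re.compile(r"authenticator is (\S+)"),
    "encaps": re.compile(r"encaps is \d+ \((.+?)\)"),
    "error": re.compile(r"invalidated proposal with error (\d+)"),
}
VPI = re.compile(r"SA life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)")
WEAK = {"ESP_NULL", "ESP_DES"}  # no encryption / single DES

def parse_proposals(text):
    """Return one dict per 'Checking IPSec proposal N' block, in log order."""
    out, cur = [], None
    for line in text.splitlines():
        m = re.search(r"Checking IPSec proposal (\d+)", line)
        if m:
            cur = {"proposal": int(m.group(1)), "error": None}
            out.append(cur)
        elif cur is not None:
            v = VPI.search(line)
            if v:  # the VPI lifetime is printed as big-endian bytes
                cur["life_s"] = int.from_bytes(
                    bytes(int(b, 16) for b in v.group(1).split()), "big")
            for key, rx in PATTERNS.items():
                m = rx.search(line)
                if m:
                    cur[key] = m.group(1).strip()
    return out

def review(proposals, want=("ESP_3DES", "HMAC-MD5")):
    """Return (rejected proposals matching the configured cipher/hash, weak offers)."""
    match = [p["proposal"] for p in proposals
             if p["error"] and (p.get("transform"), p.get("auth")) == want]
    weak = [p["proposal"] for p in proposals if p.get("transform") in WEAK]
    return match, weak
```

Run over the full log in the post, it reports proposal 11 as carrying the configured cipher and hash and still being rejected with error 8.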
