
REMOTE ACCESS VPN PROBLEM

matteodiiulio
Level 1

Hello,

I have problems with remote IPsec access on 877.

Here is my config:

aaa new-model

!

!

aaa authentication login local_authentication local

aaa authorization network default local

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp keepalive 3600 periodic

crypto isakmp nat keepalive 20

!

crypto isakmp client configuration group euezvpn

key ********

pool ezvpn

acl split-tunneling

crypto isakmp profile eunet

   match identity group euezvpn

   client authentication list local_authentication

   isakmp authorization list default

   client configuration address respond

   client configuration group euezvpn

!

!

crypto ipsec transform-set set esp-3des esp-md5-hmac

crypto map eu-ezvpn 50 ipsec-isakmp dynamic eu-ezvpn

interface Dialer0

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp chap hostname aliceadsl

ppp chap password 7 14161E020F012B2F3724

ppp pap sent-username aliceadsl password 7 1108150C14170A081726

ppp ipcp dns request

ppp ipcp wins request

crypto map eu-ezvpn

ip local pool ezvpn 192.168.10.1 192.168.10.20

ip nat inside source static udp 10.30.82.1 4500 interface Dialer0 4500

ip nat inside source list 101 interface Dialer0 overload

access-list 101 deny   ip 10.30.82.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 101 permit ip 10.30.82.0 0.0.0.255 any

ip access-list extended split-tunneling

permit ip any any

The auth is successful, but the client can't connect. Here is the debug of crypto isakmp:

(2035):Checking IPSec proposal 10

*Mar 11 13:24:19.224: ISAKMP:(2035):transform 1, IPPCP LZS

*Mar 11 13:24:19.224: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.224: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.224: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.224: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 11

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 12

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-SHA

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 13

*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_DES

*Mar 11 13:24:19.228: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.228: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.228: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.228: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 13

*Mar 11 13:24:19.232: ISAKMP:(2035):transform 1, IPPCP LZS

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 14

*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_DES

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 15

*Mar 11 13:24:19.232: ISAKMP: transform 1, ESP_NULL

*Mar 11 13:24:19.232: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.232: ISAKMP:      authenticator is HMAC-MD5

*Mar 11 13:24:19.232: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.232: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.232: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.236: ISAKMP:(2035):Checking IPSec proposal 16

*Mar 11 13:24:19.236: ISAKMP: transform 1, ESP_NULL

*Mar 11 13:24:19.236: ISAKMP:   attributes in transform:

*Mar 11 13:24:19.236: ISAKMP:      authenticator is HMAC-SHA

*Mar 11 13:24:19.236: ISAKMP:      encaps is 61443 (Tunnel-UDP)

*Mar 11 13:24:19.236: ISAKMP:      SA life type in seconds

*Mar 11 13:24:19.236: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar 11 13:24:19.236: ISAKMP:(2035):atts are acceptable.

*Mar 11 13:24:19.236: ISAKMP:(2035): IPSec policy invalidated proposal with error 8

*Mar 11 13:24:19.236: ISAKMP:(2035): phase 2 SA policy not acceptable! (local 10.30.82.1 remote *********)

*Mar 11 13:24:19.236: ISAKMP: set new node 1311674722 to QM_IDLE

*Mar 11 13:24:19.236: ISAKMP:(2035):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 2208329888, message ID = 1311674722

*Mar 11 13:24:19.236: ISAKMP:(2035): sending packet to ********** my_port 4500 peer_port 55954 (R) QM_IDLE

*Mar 11 13:24:19.236: ISAKMP:(2035):Sending an IKE IPv4 Packet.

*Mar 11 13:24:19.236: ISAKMP:(2035):purging node 1311674722

*Mar 11 13:24:19.236: ISAKMP:(2035):deleting node 1387548713 error TRUE reason "QM rejected"

*Mar 11 13:24:19.240: ISAKMP:(2035):Node 1387548713, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 11 13:24:19.240: ISAKMP:(2035):Old State = IKE_QM_READY  New State = IKE_QM_READY

*Mar 11 13:24:19.296: ISAKMP (0:2035): received packet from ********** dport 4500 sport 55954 Global (R) QM_IDLE

R1#

*Mar 11 13:24:19.296: ISAKMP: set new node -169411968 to QM_IDLE

*Mar 11 13:24:19.296: ISAKMP:(2035): processing HASH payload. message ID = -169411968

*Mar 11 13:24:19.296: ISAKMP:(2035): processing DELETE payload. message ID = -169411968

*Mar 11 13:24:19.300: ISAKMP:(2035):peer does not do paranoid keepalives.

Any ideas??

If I try locally, the VPN works fine.

When I apply the crypto map on the local address I'm able to connect, but I can't ping the remote LAN.

Thank You


matteodiiulio
Level 1

I forgot the internal SVI, sorry.

interface Vlan99

ip address 10.30.82.1 255.255.255.0

no ip redirects

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452
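
Added example, not part of the original posts: a small Python parser for the Quick Mode lines of the ISAKMP debug output in the first post. It groups lines by proposal number (proposal 13 arrives in two parts, ESP_DES then IPPCP LZS) and lists proposals that offer the same ESP_3DES / HMAC-MD5 pair as the posted transform-set yet are still invalidated with error 8. The sample lines are constructed from the log's format, and the mapping from `esp-3des esp-md5-hmac` to the debug names is an assumption of this example.

```python
import re

# Constructed sample in the format of the debug output above (two proposals only).
SAMPLE = """\
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 11
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_3DES
*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5
*Mar 11 13:24:19.228: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.228: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
*Mar 11 13:24:19.228: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.228: ISAKMP: transform 1, ESP_DES
*Mar 11 13:24:19.228: ISAKMP:      authenticator is HMAC-MD5
*Mar 11 13:24:19.232: ISAKMP:(2035):atts are acceptable.
*Mar 11 13:24:19.232: ISAKMP:(2035):Checking IPSec proposal 13
*Mar 11 13:24:19.232: ISAKMP:(2035):transform 1, IPPCP LZS
*Mar 11 13:24:19.232: ISAKMP:(2035): IPSec policy invalidated proposal with error 8
"""

PROPOSAL = re.compile(r"Checking IPSec proposal (\d+)")
TRANSFORM = re.compile(r"transform \d+, (.+?)\s*$")
AUTH = re.compile(r"authenticator is (\S+)")
REJECT = re.compile(r"IPSec policy invalidated proposal with error (\d+)")
CONFIGURED = ("ESP_3DES", "HMAC-MD5")  # assumed debug names for esp-3des esp-md5-hmac

def parse_proposals(text):
    """Group debug lines by proposal; a number may repeat (ESP part, then IPComp part)."""
    proposals, cur = [], None
    for line in text.splitlines():
        if m := PROPOSAL.search(line):
            num = int(m.group(1))
            # Same number with no verdict yet: another protocol of the same proposal.
            if cur is None or cur["number"] != num or cur["error"] is not None:
                cur = {"number": num, "transforms": [], "auth": None, "error": None}
                proposals.append(cur)
        elif cur is None:
            continue  # lines before the first proposal header
        elif m := TRANSFORM.search(line):
            cur["transforms"].append(m.group(1))
        elif m := AUTH.search(line):
            cur["auth"] = m.group(1)
        elif m := REJECT.search(line):
            cur["error"] = int(m.group(1))
    return proposals

def rejected_despite_match(proposals, configured=CONFIGURED):
    """Proposal numbers offering exactly the configured pair but still invalidated."""
    enc, auth = configured
    return [p["number"] for p in proposals
            if p["transforms"] == [enc] and p["auth"] == auth and p["error"] is not None]
```

Run over the full debug output from the post, `rejected_despite_match(parse_proposals(log_text))` shows whether the rejection is a transform mismatch or comes from elsewhere in the IPsec policy.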