I am running an 881-w in the office. We have a couple of outside sales people that need access from time to time.
I installed and tried connecting to our router with Cisco VPN Client.
I think I may have configured something in the EZVPN settings wrong.
Any help would be appreciated, I am pulling what little hair I have left out.
Here is the error I get from VPN client.
Initializing the connection...
Contacting the security gateway at 220.127.116.11...
Contacting the security gateway at 18.104.22.168...
Negotiating security policies...
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.
Here is my config file
Using 5484 out of 262136 bytes
!
! Last configuration change at 19:50:57 UTC Sun Mar 23 2014 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ashly
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization network GROUP local
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2605410574
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2605410574
 revocation-check none
 rsakeypair TP-self-signed-2605410574
!
crypto pki certificate chain TP-self-signed-2605410574
 certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
ip source-route
!
ip dhcp excluded-address 10.10.10.1
!
ip cef
ip domain name yourdomain.com
ip name-server 22.214.171.124
ip name-server 126.96.36.199
no ipv6 cef
!
license udi pid CISCO881W-GN-A-K9 sn FTX134280PZ
!
username admin privilege 15 secret 5 ########################
username ashlyguy privilege 15 password 0 ########
username mike password 0 #######
!
no ip ftp passive
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN
!
crypto isakmp client configuration group EZVPN
 key #######
 dns 188.8.131.52
 wins 192.168.1.42
 pool EZVPN_POOL
 netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN
 client authentication list USER
 isakmp authorization list GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 184.108.40.206 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool EZVPN 192.168.1.240 192.168.1.243
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list inside-nat-pool interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 220.127.116.11
!
ip access-list standard rtraccess
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended inside-nat-pool
 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class rtraccess in
 privilege level 15
 transport input ssh
 transport output telnet ssh
!
end
Hi, there's probably something misconfigured. I would first check whether the problem is this command that you have on the router: crypto ctcp port 10000
That command instructs the router to listen for the IPsec connection on TCP port 10000.
By default the client won't use ESP over TCP, but instead will use UDP.
So, change the client to use TCP port 10000 to connect, or remove the command from the router to allow the client to connect using UDP. If the problem persists, you can share the output from "debug cry isa" and "debug cry ipsec" from the router along with the logs from the client itself.
Hope it helps.
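To make the transport mismatch in the reply above concrete, here is an added example (not code from either poster): a small Python check that reads an IOS running-config, works out which transport the router expects from the VPN client (cTCP on the configured TCP port, or the usual IKE UDP ports 500 and 4500 when cTCP is absent), and compares that against how the client is set up. The config text is a constructed excerpt of the one in the post; the assumption that `crypto ctcp` without an explicit port defaults to 10000 follows IOS behaviour.

```python
import re

# Constructed excerpt of the IOS running-config from the post (cTCP enabled).
CONFIG_WITH_CTCP = """\
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN
 virtual-template 1
"""

# The same excerpt after applying the reply's second option: remove the cTCP line.
CONFIG_WITHOUT_CTCP = CONFIG_WITH_CTCP.replace("crypto ctcp port 10000\n", "")

CTCP_DEFAULT_PORT = 10000      # assumption: IOS default when 'crypto ctcp' has no port
IKE_UDP_PORTS = (500, 4500)    # ISAKMP and NAT-T, what the Cisco VPN Client uses by default


def ctcp_port(config):
    """Return the TCP port the router listens on for cTCP, or None if cTCP is not configured."""
    m = re.search(r"^crypto ctcp(?: port (\d+))?\s*$", config, re.MULTILINE)
    if m is None:
        return None
    return int(m.group(1)) if m.group(1) else CTCP_DEFAULT_PORT


def router_transport(config):
    """Describe the transport the router expects: ('tcp', (port,)) or ('udp', (500, 4500))."""
    port = ctcp_port(config)
    if port is not None:
        return ("tcp", (port,))
    return ("udp", IKE_UDP_PORTS)


def check_client(config, client_proto, client_port=None):
    """Compare the client's transport setting with the router config.

    client_proto is 'udp' (the VPN Client default) or 'tcp' (IPsec over TCP);
    client_port is the TCP port the client is set to when client_proto is 'tcp'.
    Returns a list of findings; an empty list means the two sides agree.
    """
    findings = []
    proto, ports = router_transport(config)
    if client_proto == "udp" and proto == "tcp":
        findings.append(
            f"router expects IPsec over TCP port {ports[0]} (crypto ctcp) but the client "
            "uses UDP: switch the client to TCP on that port, or remove 'crypto ctcp' on the router"
        )
    elif client_proto == "tcp":
        if proto != "tcp":
            findings.append(
                "client is set to IPsec over TCP but the router has no 'crypto ctcp' command: "
                "set the client back to UDP, or configure cTCP on the router"
            )
        elif client_port != ports[0]:
            findings.append(
                f"client cTCP port {client_port} does not match the router's port {ports[0]}"
            )
    return findings


if __name__ == "__main__":
    # The situation in the thread: cTCP on the router, default (UDP) client.
    for f in check_client(CONFIG_WITH_CTCP, "udp"):
        print("MISMATCH:", f)
    # Either fix from the reply clears the finding.
    print("client on TCP/10000:", check_client(CONFIG_WITH_CTCP, "tcp", 10000) or "ok")
    print("cTCP removed, client on UDP:", check_client(CONFIG_WITHOUT_CTCP, "udp") or "ok")
```

Run it against the full `show running-config` output saved to a file to get the same answer the reply reaches by reading the config by hand; if the result is "ok" on both sides and the client still fails, that is the point at which the `debug cry isa` / `debug cry ipsec` output becomes the next thing to look at.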