8809 Views, 0 Helpful, 1 Reply

VPN Client 401 error

rbabich01, Level 1
I am running an 881-w in the office. We have a couple of outside sales people that need access from time to time.
I installed and tried connecting to our router with Cisco VPN Client.
I think I may have configured something in the EZVPN settings wrong.
Any help would be appreciated; I am pulling what little hair I have left out.

Here is the error I get from the VPN client:

Initializing the connection...
Contacting the security gateway at 24.103.151.2...
Authenticating user...
Contacting the security gateway at 24.103.151.2...
Negotiating security policies...
Secure VPN Connection terminated locally by the Client.
Reason 401: An unrecognized error occurred while establishing the VPN connection.

Here is my config file:

Using 5484 out of 262136 bytes
!
! Last configuration change at 19:50:57 UTC Sun Mar 23 2014 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ashly
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization network GROUP local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2605410574
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2605410574
 revocation-check none
 rsakeypair TP-self-signed-2605410574
!
!
crypto pki certificate chain TP-self-signed-2605410574
 certificate self-signed 01 nvram:IOS-Self-Sig#6.cer
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
ip domain name yourdomain.com
ip name-server 24.92.226.11
ip name-server 24.92.226.12
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX134280PZ
!
!
username admin privilege 15 secret 5 ########################
username ashlyguy privilege 15 password 0 ########
username mike password 0 #######
!
!
!
!
no ip ftp passive
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN
!
crypto isakmp client configuration group EZVPN
 key #######
 dns 8.8.8.8
 wins 192.168.1.42
 pool EZVPN_POOL
 netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
   match identity group EZVPN
   client authentication list USER
   isakmp authorization list GROUP
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
!
!
!
!
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$
 ip address 24.103.151.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool EZVPN 192.168.1.240 192.168.1.243
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list inside-nat-pool interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 24.103.151.1
!
ip access-list standard rtraccess
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended inside-nat-pool
 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run

!
!
!
!
!
!
control-plane
!
banner exec ^C
-----------------------------------------------------------------------

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------

-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class rtraccess in
 privilege level 15
 transport input ssh
 transport output telnet ssh
!
end

1 Reply

Hi, probably there's something misconfigured. I will first check if the problem is this command that you have on the router:

crypto ctcp port 10000

That command is instructing the router to listen for the IPsec connection on TCP port 10000. By default the client won't use ESP over TCP, but instead will use UDP. So, change the client to use TCP port 10000 to connect, or remove the command from the router to allow the client to connect using UDP.

If the problem persists, you can share the output from "debug cry isa" and "debug cry ipsec" from the router along with the logs from the client itself.

Hope it helps.
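As an added example, not part of the thread, here is a small Python lint that applies the reply's cTCP point to the posted configuration and goes a step further with two checks a reviewer would run on the same config: that every pool a client group references is actually defined with "ip local pool", and whether the ISAKMP pre-shared key is bound to the wildcard address 0.0.0.0 0.0.0.0. The embedded excerpt is copied from the posted config (passwords were already masked by the poster); the function name lint_ezvpn is the example's own.

```python
import re

# Excerpt of the router configuration posted in the thread (constructed
# subset for this example; the masked key is the poster's own masking).
POSTED_CONFIG = """\
crypto ctcp port 10000
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN
crypto isakmp client configuration group EZVPN
 key #######
 pool EZVPN_POOL
 netmask 255.255.255.0
ip local pool EZVPN 192.168.1.240 192.168.1.243
"""


def lint_ezvpn(config: str) -> list:
    """Return review findings for an IOS EZVPN server config used with the Cisco VPN Client."""
    findings = []
    lines = config.splitlines()

    # 1. cTCP: the router then accepts IPsec over TCP on that port, while the
    #    VPN Client defaults to UDP, so the client must be set to TCP/<port>
    #    or the command removed (the point made in the reply).
    for m in (re.match(r"crypto ctcp port (\d+)", l) for l in lines):
        if m:
            findings.append(f"ctcp: clients must use IPsec over TCP port {m.group(1)} (default is UDP)")

    # 2. Every pool named inside a client configuration group must exist as an
    #    'ip local pool'; an undefined pool leaves clients without an address.
    defined = {m.group(1) for l in lines if (m := re.match(r"ip local pool (\S+)", l))}
    group = None
    for l in lines:
        g = re.match(r"crypto isakmp client configuration group (\S+)", l)
        if g:
            group = g.group(1)
        elif not l.startswith(" "):
            group = None  # left the indented group block
        elif group:
            p = re.match(r"\s+pool (\S+)", l)
            if p and p.group(1) not in defined:
                findings.append(f"group {group}: pool {p.group(1)} is not a defined ip local pool")

    # 3. A key bound to 0.0.0.0 0.0.0.0 is offered to any peer address, so it
    #    is worth a second look even when clients authenticate with XAUTH too.
    for l in lines:
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", l):
            findings.append("isakmp key: wildcard-address pre-shared key accepted from any peer")
    return findings
```

Running lint_ezvpn(POSTED_CONFIG) reports the cTCP transport requirement, the group pool EZVPN_POOL that the posted config never defines (only pool EZVPN exists), and the wildcard-address key.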