VPN server on cisco 2821

J.altami01
Level 1

Does anybody know how to troubleshoot the VPN server on a Cisco 2821? I turned on the debug and received the following message.

00982: *Jan 12 17:43:14.467 PCTime: ISAKMP: encryption AES-CBC
00983: *Jan 12 17:43:14.467 PCTime: ISAKMP: hash MD5
00984: *Jan 12 17:43:14.467 PCTime: ISAKMP: default group 2
00985: *Jan 12 17:43:14.467 PCTime: ISAKMP: auth pre-share
00986: *Jan 12 17:43:14.467 PCTime: ISAKMP: life type in seconds
00987: *Jan 12 17:43:14.467 PCTime: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
00988: *Jan 12 17:43:14.467 PCTime: ISAKMP: keylength of 128
00989: *Jan 12 17:43:14.467 PCTime: ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!

I've tried many ways to configure the equipment (CLI and SDM) without positive results.

10 Replies

spremkumar
Level 9

Hi

At first look it seems to be an encryption algorithm mismatch, which has to be set right to get the tunnel activated.

Along with that, can you post your VPN server config here?

Regards

Hi, thanks a lot. The problem was solved...

I misconfigured a default route >:-(

At this moment I have a good tunnel, but I cannot pass any traffic to the inside local network, just the local router interface, but that's all....

I'm still searching; if you know the reason, I'd really appreciate it...

JCar

What type of traffic will not pass?

Can you ping anything on the local network? If not, it's a routing issue, or you might have the VPN addresses the same as the local network. If you can ping, then it could be a DNS or WINS resolution issue.

If you have NAT enabled on the local interface, make sure that you are excluding the VPN traffic from NAT. I believe NAT is checked before it looks for packets to be put in the VPN tunnel. The return VPN traffic may be NATted and try to go out the public interface rather than into the VPN tunnel.

The issue may be related to the NAT/PAT or the crypto ACL. Please post the entire config with the public IP masked.

Here is the config. At the beginning I tried without NAT, and now I'm using NAT, but the problem remains.

Building configuration...

Current configuration : 5195 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxxx
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network hw-client-groupname local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
no ip bootp server
ip domain name
ip name-server 10.1.20.236
ip name-server 10.9.1.51
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto keyring xxxx
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group hw-client-groupname
 key xxxxx
 dns 10.1.20.236 10.9.1.51
 domain xxx.com
 pool ippool
 acl 108
crypto isakmp profile VPNclient
 match identity group hw-client-groupname
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
!
crypto dynamic-map dynmap 10
 set transform-set strong
 set isakmp-profile VPNclient
 reverse-route
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 10.1.21.9 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map dynmap
!
ip local pool ippool 10.20.21.230 10.20.21.235
ip classless
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.1.21.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
!
logging trap debugging
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
!
control-plane

Hi, it looks like you might have a routing conflict, i.e. possibly network routing summarization, but not knowing the rest of your network schema I can only speculate. I see there is no routing protocol enabled on this router. Does the network know that the 10.20.21.0 subnet (VPN pool) is accessed by the 10.1.21.9 IP address on Gigabit0/0?

Also, looking at the default route 10.0.0.0 255.0.0.0 10.20.21.1, the packets would be sent back to this interface, thus not reaching the VPN tunnel.

I've had better luck using a completely different subnet for the VPN pool addresses, i.e. 192.168.1.0 for example, and making sure that subnet gets routed to the correct interface, 10.1.21.9 on Gig0/0. This way the possible routing protocol conflict gets eliminated.

Hi

In addition to the other post, I would like to suggest modifying the static route defined in your configuration.

You have mentioned the default route pointing towards Gig 0/1; if you know the IP address of the device which will serve as the gateway for your router, you can specify the IP address of the same.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 x.x.x.x

where x.x.x.x is the IP address of the device which is going to serve as the gateway here.

Regards

Since this equipment is a VPN server for mobile users and remote SOHOs, I do not know the remote IP address (dynamic DSL IPs). Now, Int Gi0/1 is the public interface pointing to the Internet.

At this moment I made a couple of changes:

I disabled NAT on both interfaces and used a subnet valid in the whole network, setting the segments or subnets that the end users have to reach, and it is WORKING now!!!!

It's something really strange...

Last question: do you recommend using NAT on both interfaces?

Thanks a lot to everyone in advance....

JCar

Hi, since this server is being used for remote users only, it sounds like NAT is not required.

NAT simply takes a private address and converts it to a valid public one based on the access list you configure and the public pool or interface you use.

If there are no users (other than VPN users) I wouldn't configure NAT.

I would, however, configure an inbound access list on Gig0/1 (Internet interface) to allow IPsec and ISAKMP traffic only (ports 50, 41, and 500).

As it stands now I could potentially telnet into that public IP address (if known) and get a prompt for a password.

Just a suggestion
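The three points the replies raise (VPN client traffic must be excluded from NAT, the client pool should not sit inside a static route that points back to the inside network, and the Internet-facing interface should admit only ISAKMP/IPsec) can be checked mechanically against a running config. The script below is an added example written for this thread, not code from Cisco or from any of the posters. It parses two constructed config excerpts: one modelled on the posted config (with the masked public address replaced by the documentation address 203.0.113.9) and one hardened variant that follows the replies (NAT removed, pool moved to 192.168.1.0/24, and an inbound ACL named VPN-IN, a name chosen here, that permits ESP, AH and UDP/500; UDP/4500 for NAT traversal is my addition and is not mentioned in the thread). The regexes cover only the IOS command forms used in these samples.

```python
"""Audit an IOS remote-access VPN config for the issues raised in this thread.
Constructed example; the parser handles only the command forms used below."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. IOS indents sub-commands
# with one space; the parser relies on that to find interface and ACL blocks.
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.1.21.9 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.9 255.255.255.0
 ip nat outside
 crypto map dynmap
ip local pool ippool 10.20.21.230 10.20.21.235
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.1.21.1
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.20.21.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
route-map nonat permit 10
 match ip address 101
"""

# Constructed hardened variant: no NAT, pool outside 10/8, inbound ACL on Gi0/1
# limited to ESP, AH, ISAKMP (UDP/500) and NAT-T (UDP/4500, my addition).
HARDENED_CONFIG = """\
ip access-list extended VPN-IN
 permit esp any host 203.0.113.9
 permit ahp any host 203.0.113.9
 permit udp any host 203.0.113.9 eq isakmp
 permit udp any host 203.0.113.9 eq 4500
 deny ip any any log
interface GigabitEthernet0/0
 ip address 10.1.21.9 255.255.255.0
interface GigabitEthernet0/1
 ip address 203.0.113.9 255.255.255.0
 ip access-group VPN-IN in
 crypto map dynmap
ip local pool ippool 192.168.1.10 192.168.1.50
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip route 10.0.0.0 255.0.0.0 10.1.21.1
"""

def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' pair (e.g. 10.20.21.0 0.0.0.255) -> IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def acl_entries(cfg, name):
    """Entries of numbered ACL `name` or of named extended ACL `name`, in order."""
    numbered = re.findall(rf"^access-list {re.escape(name)} (.+)$", cfg, re.M)
    if numbered:
        return numbered
    block = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n)*)", cfg, re.M)
    return [line.strip() for line in block.group(1).splitlines()] if block else []

def acl_dst(tok):
    """Destination of 'action proto src [wc] dst [wc]' as a network."""
    i = 3 if tok[2] == "any" else 4          # skip 'any', 'host X' or 'addr wc'
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32")
    return wildcard_net(tok[i], tok[i + 1])

def audit(cfg):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    if not pool:
        return ["no 'ip local pool' configured"]
    start, end = ipaddress.IPv4Address(pool.group(1)), ipaddress.IPv4Address(pool.group(2))

    # 1. NAT exemption: a deny covering the pool must precede the first permit.
    nat = re.search(r"^ip nat inside source (route-map|list) (\S+)", cfg, re.M)
    if nat:
        acl = nat.group(2)
        if nat.group(1) == "route-map":
            rm = re.search(rf"^route-map {re.escape(acl)} permit \d+\n match ip address (\S+)", cfg, re.M)
            acl = rm.group(1) if rm else ""
        exempt = False
        for entry in acl_entries(cfg, acl):
            tok = entry.split()
            if tok[0] == "permit":
                break                        # clients' return traffic would be translated
            if tok[0] == "deny" and tok[1] == "ip" and start in acl_dst(tok) and end in acl_dst(tok):
                exempt = True
                break
        if not exempt:
            findings.append(f"NAT applies to VPN pool {start}-{end}; return traffic will be translated")

    # 2. A non-default static route covering the pool points somewhere else.
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", cfg, re.M):
        net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
        if net.prefixlen and start in net:
            findings.append(f"static route {net} via {m.group(3)} also covers the VPN pool; "
                            "inside routers must send the pool back to this router")

    # 3. The crypto-map interface needs an inbound ACL limited to ISAKMP/IPsec.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M):
        if "crypto map" not in body:
            continue
        grp = re.search(r"^ ip access-group (\S+) in", body, re.M)
        if not grp:
            findings.append(f"{name}: no inbound ACL; services on the public address are reachable")
            continue
        for entry in acl_entries(cfg, grp.group(1)):
            tok = entry.split()
            vpn_only = tok[1] in ("esp", "ahp") or (
                tok[1] == "udp" and tok[-1] in ("isakmp", "500", "4500", "non500-isakmp"))
            if tok[0] == "permit" and not vpn_only:
                findings.append(f"{name}: inbound ACL {grp.group(1)} permits non-VPN traffic: {entry}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["OK"])
```

Run against the posted excerpt the audit reports the overlapping 10.0.0.0/8 static route and the missing inbound ACL on GigabitEthernet0/1 (the NAT exemption in ACL 101 is correct as posted); the hardened excerpt produces no findings. The ACL check is deliberately strict: any permit that is not ESP, AH or UDP/500 (or UDP/4500) is flagged, which is what JCar's "allow IPsec and ISAKMP traffic only" amounts to.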