[Config] Client VPN problems on Cisco 1720 in Cisco http://www.dslreports.com/forum/r20760708 en Wed, 03 Dec 2008 02:42:23 EDT Wed, 03 Dec 2008 02:42:23 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20789597 kamikatze : Make sure the dynamic crypto map has the lowest priority of all.

Something like this
crypto map map-static-1 1139 ipsec-isakmp
crypto map map-static-1 1140 ipsec-isakmp
crypto map map-static-1 1144 ipsec-isakmp
crypto map map-vpnclient-1 3000 ipsec-isakmp dynamic vpn_client]]> http://www.dslreports.com/forum/remark,20789597 Mon, 14 Jul 2008 14:07:13 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20788087 kubaff :
Am not sure if it's picking from

1. crypto map cm-cryptomap isakmp authorization list groupauthor

or

2. crypto isakmp client configuration group VPNclient
key folco123]]> http://www.dslreports.com/forum/remark,20788087 Mon, 14 Jul 2008 09:11:23 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20787996 kubaff : Based on the link below, you might try and confirm the pre-shared keys on both sides.

»www.cisco.com/en/US/tech/tk583/t···25.shtml]]> http://www.dslreports.com/forum/remark,20787996 Mon, 14 Jul 2008 08:43:13 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20777226 anon : Scratch that, it is only working from one network, not from any others. From tho customer PC we get:
[code]
###.###.###.81 ###.###.###.144 AG_INIT_EXCH 1 0
...
So different, but still not connecting.

Back to square one.]]> http://www.dslreports.com/forum/remark,20777226 Fri, 11 Jul 2008 18:56:17 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20775809 anon : So after this was reviewed by everyone in our company who know even a smidge about Cisco's we decided to test from a different network. This time it worked without issue.

I'm not sure why this isn't working from our DSL test lab; we have other connections that work without trouble from there. If anyone has any theories I would love to know. I am no longer seeking a solution at this point though.

Thank you all for your assistance.]]> http://www.dslreports.com/forum/remark,20775809 Fri, 11 Jul 2008 13:57:13 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20774912 anon : I'm confused about what you are asking. Are you wondering if I can ping the outside of the router from the client? I can do that. There isn't really any way to ping in the other direction because the computer is on the inside of a network.]]> http://www.dslreports.com/forum/remark,20774912 Fri, 11 Jul 2008 11:29:38 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20773718 kubaff :
It looks as though the first phase (ISAKMP) of the security association isn't even coming up

Can you ping from the client to the remote side then ran the command again ?]]> http://www.dslreports.com/forum/remark,20773718 Fri, 11 Jul 2008 05:40:02 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20770033 anon : There didn't end up being any related data about this connection in sh crypto ipsec sa]]> http://www.dslreports.com/forum/remark,20770033 Thu, 10 Jul 2008 13:24:23 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20769974 anon : This is the pertinent line in sh crypto isakmp sa:

The ACLs for the VPN I think are correct. The ACL match addresses you are referring to are all for the store to store VPNs, which don't have a problem. We have ACL 199 for crypto isakmp client:
]]> http://www.dslreports.com/forum/remark,20769974 Thu, 10 Jul 2008 13:15:09 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20769631 zno : ACLs 103-107 & 111 are being applied to VPN tunnels. it doesn't matter whether you apply these to the serial interface or not. these ACLs control what gets in and out of your VPN tunnels. check your VPN ACLs if you haven't already done so.]]> http://www.dslreports.com/forum/remark,20769631 Thu, 10 Jul 2008 12:13:41 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20768195 kubaff : please post the following

1. show crypto isakmp sa
2. show crypto ipsec sa

this will help narrow down on where the mismatch is occuring]]> http://www.dslreports.com/forum/remark,20768195 Thu, 10 Jul 2008 02:42:54 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20766409 anon : I tried setting policy three to use md5 hash with no luck. I think this one uses the standard SHA because it is a VPN Client rather than a store to store VPN between routers like all the others.

Here is the pertinent state change in a router nearly identical to the one I am having a problem with.


On this one the policy three is identical to the problem router. Here is the same section from the log on the bad router:


I think this is mhere is it supposed to match, but no luck. Like I said, these routers are nearly identical, right down to the fact that they both have miltiple remotes and are attached to T1 lines. I just can't figure out what the difference is. I can post the other if anyone cares to look.

As to the ACL, it is not currently enabled on the Serial0.1 interface, maybe I'm misunderstanding what you are saying. Please let me know if there is something I am missing.
]]> http://www.dslreports.com/forum/remark,20766409 Wed, 09 Jul 2008 19:27:36 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20763529 zno : i'm purely speculating here since i don't know your entire setup...

how about adding "hash md5" to the crypto policy 3? just to be consistent with your transform sets.
also from the debug, line 816 seems to indicate that you have mismatching hash.

if this still doesn't fix your prob, check ACLs and see if you have any matching traffic while a client is trying to connect.
--
got anti-virus and firewall?]]> http://www.dslreports.com/forum/remark,20763529 Wed, 09 Jul 2008 10:48:50 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20763436 anon : The other tunnels are Cisco to Cisco connections, those all work. The PC we are using to test the tunnel is behind a NAT, but it is able to form a VPN client tunnel to several other sites.

It does seem like the logs indicate a mismatch, but strangely this is the same setup for all of our sites:

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

Thanks,
Conn]]> http://www.dslreports.com/forum/remark,20763436 Wed, 09 Jul 2008 10:30:55 EDT Re: [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20763092 kubaff : Looks like you have several VPN tunnels. Which one in particular are you trying to connect to ?

There seems to be a ISAKMP policy mismatch between the VPN server and client based on the logs.

I would verify the ACCESS-LIST on each ISAKMP policy to make sure no NAT is happenin within the VPN tunnel.

Does each peer still have the same initial OUTSIDE IP ?]]> http://www.dslreports.com/forum/remark,20763092 Wed, 09 Jul 2008 09:13:55 EDT [Config] Client VPN problems on Cisco 1720 http://www.dslreports.com/forum/remark,20760708 anon : I've been working on this for several days now and feel I'm not any closer to a solution. I have a site which has been running a client VPN for years without trouble suddenly can no longer function. They hadn't tried it in a while, but soon before they reported it we did add a new NAT overload and they had been upgraded to IOS 12.4 19 (they since have been brought back down again.

Any help would be appreciated. Here is the config (edited for IPs keys and passwords), the version, and the log (edited for IPs)

Please let me know if there is anything else that might assist in your assistance.

Thank you,
Conn]]> http://www.dslreports.com/forum/remark,20760708 Tue, 08 Jul 2008 19:16:41 EDT