OVERKILL

join:2010-04-05
Peterborough, ON
reply to tamz273

Re: [Config] IPSec VPN with Cisco 877

Change:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 

to:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
 

And

no crypto isakmp key ******** address 0.0.0.0 0.0.0.0
 

That is for site-to-site VPNs.

And
crypto isakmp client configuration group AOS
 key ********
 dns 192.168.1.4
 pool VPNPool
 acl AOS_split_tunnel
 netmask 255.255.255.0
 

The "netmask" part isn't needed.

And
crypto isakmp profile AOS_isakmp_profile
 match identity group AOS
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
 

to:

crypto isakmp profile AOS_isakmp_profile
 match identity group AOS
 client authentication list AOSVPNGroup
 isakmp authorization list AOSVPNGroup
 client configuration address respond 
 virtual-template 1
 

And:
crypto ipsec transform-set AOS_encryption esp-aes 256 esp-sha-hmac
 

To:
crypto ipsec transform-set AOS_encryption esp-3des esp-sha-hmac
 

See if that works.

*I'm not touching your ACL for now, let's see if that lets the clients connect.


tamz273

@89.148.0.x
Hey, thanks for the quick reply! I made the proposed changes with still no luck. Posted my whole config below, as opposed to just the crypto part. Also posted the term mon logs.

Building configuration...
 
Current configuration : 6217 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AOSWan
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 ***************************
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login AOSVPNGroup local
aaa authorization network AOSVPNGroup local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3217726297
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3217726297
 revocation-check none
 rsakeypair TP-self-signed-3217726297
!
!
crypto pki certificate chain TP-self-signed-3217726297
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323137 37323632 3937301E 170D3132 30313039 31323135
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32313737
  32363239 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D529 2268B7FF 46D198F0 0866E832 288BB583 D85E6909 E63297B3 97B2A97C
  D654FED9 E5C6433F 5F4E002D 1901F509 4A693A05 602B9EDA 522C61DC 69B48ACF
  44E3EEF6 0BD8AF73 30F16795 4278C84A 34B93397 9F389E66 8A9DAB9F C9867351
  5090E51F 8CD2D237 59E599F8 4F79C5AE 17BE36C8 C776D32D 3DCCAEF7 FBA75E0B
  0B1D0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06414F53 57616E30 1F060355 1D230418 30168014 4641B8DD
  43E1A31B 82565FFA AE23199E D82FEDA8 301D0603 551D0E04 16041446 41B8DD43
  E1A31B82 565FFAAE 23199ED8 2FEDA830 0D06092A 864886F7 0D010104 05000381
  81002DA9 C8419220 F2925834 A9000A9E BD20B0DB F92ADF0E 8EADEC2E B92498A1
  90EE20B1 7676401E B08A66A0 51CDABF5 D567EB98 09706CC7 13C89056 333AF325
  861266F5 C46D04CF 52C23FBC 9048562A F5F583BB 6F07D96D 280AC807 0E1074E1
  36186BD8 D715EE51 57BE1DE8 8E4A67C2 0E7AC917 3C0736CB F8977013 9757F0DA FCE1
        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 192.168.1.4
!
!
!
!
username admin privilege 15 secret 5 ********************************
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group AOS
 key **************
 dns 192.168.1.4
 pool VPNPool
crypto isakmp profile AOS_isakmp_profile
   match identity group AOS
   client authentication list AOSVPNGroup
   isakmp authorization list AOSVPNGroup
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set AOS_encryption esp-3des esp-sha-hmac
!
crypto ipsec profile AOS_ipsec_profile
 set transform-set AOS_encryption
 set isakmp-profile AOS_isakmp_profile
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AOS_ipsec_profile
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan100
 description Uplink to AOSCore
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname **********
 ppp chap password 7 *************
 ppp pap sent-username ********* password 7 ************
!
ip local pool VPNPool 192.168.30.1 192.168.30.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
!
ip access-list extended AOS_split_tunnel
 remark Defines which local (office) networks a remote VPN client will route to
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
 
!
!
!
 
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 

000660: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000661: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000662: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000663: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000664: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000665: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000666: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000667: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000668: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
000669: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000670: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Hash algorithm offered does not match policy!
000671: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000672: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000673: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000674: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000675: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 0
000676: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0):no offers accepted!
000677: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0): phase 1 SA policy not acceptable! (local ******** remote **********)
000678: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0): Failed to construct AG informational message.
000679: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer ***********)
000680: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0): group size changed! Should be 0, is 128
000681: *Jan 10 05:17:25.487 PCTime: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
000682: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer ************)
AOSWan#
 
 

Thanks again for all the help.
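The debug output above is the useful part of this post: every "does not match policy!" line is the router rejecting one transform from the client's phase 1 offer, and the "Next payload is 3 / 0" line that follows tells you whether more transforms were still to come. The Python below is an added triage helper written for this thread, not Cisco code and not the poster's configuration. Its sample input is copied from the debug lines posted above (peer addresses masked as posted); the router policy dict mirrors policy 1 from the posted config, and the client offers are constructed for illustration, not what the poster's client actually sent. The matching rule it models (encryption, hash, authentication method and DH group must be equal; the shorter lifetime is used) is my simplification and does not model how IOS maps Xauth authentication methods onto a pre-share policy.

```python
"""Triage helper for IKEv1 phase 1 rejections in IOS 'debug crypto isakmp' output.

Added example for this thread; not Cisco code and not the poster's config.
SAMPLE_DEBUG is copied from the thread (peers masked as posted); the policy and
client offers further down are constructed by me for illustration.
"""
import re
from collections import Counter

SAMPLE_DEBUG = """\
000660: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000661: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000662: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000663: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000664: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000665: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000666: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000667: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000668: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Xauth authentication by pre-shared key offered but does not match policy!
000669: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000670: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Hash algorithm offered does not match policy!
000671: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000672: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000673: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000674: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000675: *Jan 10 05:17:25.483 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 0
000676: *Jan 10 05:17:25.487 PCTime: ISAKMP:(0):no offers accepted!
"""

MISMATCH_RE = re.compile(r"ISAKMP:\(\d+\):(?P<attr>.+?) offered (?:but )?does not match policy!")
NEXT_RE = re.compile(r"atts are not acceptable\. Next payload is (?P<next>\d+)")

def parse_rejections(debug_text):
    """Pair each 'does not match policy' line with the 'Next payload' line that
    follows it. Next payload 3 means another transform follows in the SA payload;
    0 means the transform just rejected was the last one the peer offered."""
    rejections, pending = [], None
    for line in debug_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            pending = m.group("attr")
            continue
        m = NEXT_RE.search(line)
        if m and pending is not None:
            rejections.append({"attr": pending, "last": m.group("next") == "0"})
            pending = None
    return rejections

def summarize(debug_text):
    """Count rejected transforms per failing attribute: the thing to compare
    against 'show crypto isakmp policy' before changing anything else."""
    rej = parse_rejections(debug_text)
    return {
        "transforms_rejected": len(rej),
        "by_attribute": dict(Counter(r["attr"] for r in rej)),
        "saw_last_transform": any(r["last"] for r in rej),
        "no_offers_accepted": "no offers accepted!" in debug_text,
    }

# Matching rule modelled here (my simplification): encryption, hash,
# authentication method and DH group must be equal; lifetime is not a match
# criterion and the shorter of the two values is used.
CHECK_ORDER = ("encr", "hash", "auth", "group")

def first_mismatch(policy, proposal):
    """Name the first attribute that rules the proposal out, or None if it fits."""
    for attr in CHECK_ORDER:
        if policy[attr] != proposal[attr]:
            return attr
    return None

def negotiate(policies, proposals):
    """Responder loop: policies by priority, each tried against every offered
    transform; returns (priority, transform index, lifetime) or None."""
    for prio in sorted(policies):
        for i, prop in enumerate(proposals):
            if first_mismatch(policies[prio], prop) is None:
                return prio, i, min(policies[prio]["lifetime"], prop["lifetime"])
    return None

# Policy 1 from the posted config; 'hash sha' is the IOS default when omitted.
ROUTER_POLICIES = {
    1: {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 3600},
}
# Constructed client offers for illustration, not what the poster's client sent.
CLIENT_OFFERS = [
    {"encr": "aes-256", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 86400},
    {"encr": "3des", "hash": "md5", "auth": "pre-share", "group": 2, "lifetime": 86400},
    {"encr": "3des", "hash": "sha", "auth": "pre-share", "group": 2, "lifetime": 86400},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_DEBUG))
    for offer in CLIENT_OFFERS:
        print(offer["encr"], offer["hash"], "->", first_mismatch(ROUTER_POLICIES[1], offer))
    print("negotiated:", negotiate(ROUTER_POLICIES, CLIENT_OFFERS))
```

Run against the posted trace it reports eight rejected transforms, six on encryption, one on hash and one on the Xauth pre-shared authentication method, with the last transform seen and no offer accepted, which is the full phase 1 offer being refused rather than a single bad proposal. The same summary run after each config change is a quicker check than rereading the raw debug.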


OVERKILL

join:2010-04-05
Peterborough, ON
Create a loopback interface:

int loopback0
 

And change:

interface Virtual-Template1 type tunnel
 ip unnumbered Vlan100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AOS_ipsec_profile
 

to:

interface Virtual-Template1 type tunnel
 ip unnumbered loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AOS_ipsec_profile
 

And what do you have going on here? Are you using VLAN1?

ip access-list extended AOS_split_tunnel
 remark Defines which local (office) networks a remote VPN client will route to
 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
 

Add:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
 

and change this section to:

crypto isakmp client configuration group AOS
 key **************
 dns 192.168.1.4
 pool VPNPool
 acl 100
 

Also, can you do a "sh ver"?