OVERKILL

join:2010-04-05
Peterborough, ON
reply to tamz273

Re: [Config] IPSec VPN with Cisco 877

said by tamz273:

Won't get back to the office for another 12 hours, so I can't implement the changes until then. As for a sh ver, I believe I'm running 12.3. I think I read somewhere that the minimum rev to knock up IPSec tunnels is 12.2? I'll have that back in a few hours too.

Also, I was using Vlan1 when initially configuring this router, changed to Vlan100 but forgot to change the remark in the ACL.

I'm also starting to wonder if it could be some misconfiguration on the client's side? I tried the Cisco VPN client, and also an iPad. Both returning the same term mon output. Anything special that needs to be configured on the Cisco VPN Client other than a regular "new connection"?

Will do the changes and get back to you. Thanks again, much appreciated!

Regarding the clients, the config I gave you above is the "default" config, so as long as you didn't change anything on them, they should work once the router is set up correctly.

If you are no longer using VLAN1, please remove the route and ACL from the config.


tamz273

@batelco.com.bh
Good news is the term mon output has changed; I am no longer getting an Xauth mismatch. Also, the client doesn't "disconnect". It keeps trying to connect until I cancel the connect. I've made the changes you proposed, but kept all the IPs previously assigned to VLAN1, as they are not assigned to VLAN100. I simply changed the VLAN tag to 100 instead of 1.

Here is the new term mon output when I try to connect:
 
000921: *Jan 11 03:28:06.982 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.xx has no SA and is not an initialization offer
000922: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000923: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000924: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000925: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000926: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000927: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000928: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000929: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000930: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000931: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000932: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000933: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000934: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000935: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000936: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000937: *Jan 11 03:28:09.110 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000938: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xx.xx.xx.xx)
000939: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer xx.xx.xx.xx)
000940: *Jan 11 03:31:01.536 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from xx.xx.xx.xx has no SA and is not an initialization offer
 
 

As for the sh ver, here it is:

AOSWan#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Fri 04-Mar-11 07:45 by prod_rel_team
 
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
 
AOSWan uptime is 1 day, 20 hours, 6 minutes
System returned to ROM by reload at 07:15:42 PCTime Mon Jan 9 2012
System image file is "flash:c870-advsecurityk9-mz.124-24.T5.bin"
Last reload reason: Reload Command
 
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
 
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
 
If you require further assistance please contact us by sending email to
export@cisco.com.
 
Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FGL15242397
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
 
Configuration register is 0x2102
 
AOSWan#
 

I've attached the new config. Based on the output from the debug, it seems like the client is trying to connect with a different encryption algorithm? I'm not too sure what it's trying to connect using, but I was getting the same error when using AES vs 3DES.

Thanks again for the help!

 
AOSWan#sh run
Building configuration...
 
Current configuration : 6340 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AOSWan
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$Vbh9$wTX/PEcoYRcQZw9A8VILV.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login AOSVPNGroup local
aaa authorization network AOSVPNGroup local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3217726297
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3217726297
 revocation-check none
 rsakeypair TP-self-signed-3217726297
!
!
crypto pki certificate chain TP-self-signed-3217726297
 certificate self-signed 01
        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 192.168.1.4
!
!
!
!
username admin privilege 15 secret 5 *********
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group AOS
 key *********************
 dns 192.168.1.4
 pool VPNPool
 acl 100
crypto isakmp profile AOS_isakmp_profile
   match identity group AOS
   client authentication list AOSVPNGroup
   isakmp authorization list AOSVPNGroup
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set AOS_encryption esp-3des esp-sha-hmac
!
crypto ipsec profile AOS_ipsec_profile
 set transform-set AOS_encryption
 set isakmp-profile AOS_isakmp_profile
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface Loopback0
 no ip address
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AOS_ipsec_profile
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan100
 description Uplink to AOSCore
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ***********
 ppp chap password 7 *****************
 ppp pap sent-username aylaint password 7 **************
!
ip local pool VPNPool 172.21.10.10 172.21.10.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 192.168.1.1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.254 80 interface Dialer0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.21.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
 
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
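The two debug captures in this post and the next (the laptop attempt that dies with "Death by retransmission P1", and the iPad attempt that ends with a Virtual-Access interface coming up) can be triaged mechanically. The following is an added example, not code from the thread: it parses IOS ISAKMP debug lines of the form quoted above and separates the benign "does not match policy" lines (one per transform the client offered) from the events that actually decide the outcome. `LOG_LAPTOP` and `LOG_IPAD` are constructed excerpts with a documentation peer address substituted for the masked `xx.xx.xx.xx`.

```python
import re
from collections import Counter

# Two constructed excerpts modelled on the "term mon" output quoted in the thread:
# the laptop attempt that died in phase 1, and the iPad attempt that completed.
LOG_LAPTOP = """\
000921: *Jan 11 03:28:06.982 PCTime: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.7 has no SA and is not an initialization offer
000922: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
000923: *Jan 11 03:28:09.106 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
000938: *Jan 11 03:29:09.166 PCTime: ISAKMP:(2004):deleting SA reason "Death by retransmission P1" state (R) AG_INIT_EXCH (peer 203.0.113.7)
"""
LOG_IPAD = """\
001030: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
001031: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
001048: *Jan 11 03:43:44.261 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
"""

LINE_RE = re.compile(r"^\d+: \*\w{3} +\d+ [\d:.]+ \S+: (?P<msg>.*)$")
PEER_RE = re.compile(r"\(peer (?P<peer>[\d.]+)\)")
NO_SA_RE = re.compile(r"IKE message from (?P<peer>[\d.]+) has no SA")
VA_RE = re.compile(r"Interface (Virtual-Access\d+), changed state to up")

def triage_ike_log(text):
    """Summarise IKE phase-1 events from IOS ISAKMP debug output."""
    s = {"rejected_proposals": 0, "p1_deaths": [], "no_sa": Counter(), "vaccess_up": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a sequence-numbered log line
        msg = m.group("msg")
        if "Encryption algorithm offered does not match policy" in msg:
            s["rejected_proposals"] += 1  # one line per transform the client offered
        elif "Death by retransmission P1" in msg:
            p = PEER_RE.search(msg)
            s["p1_deaths"].append(p.group("peer") if p else "unknown")
        elif (p := NO_SA_RE.search(msg)):
            s["no_sa"][p.group("peer")] += 1
        elif (v := VA_RE.search(msg)):
            s["vaccess_up"].append(v.group(1))
    return s

def verdict(summary):
    """Rejected proposals alone are benign; a virtual-access coming up means
    success, a phase-1 retransmit death means the negotiation never finished."""
    if summary["vaccess_up"]:
        return "established"
    if summary["p1_deaths"]:
        return "phase 1 never completed"
    return "inconclusive"
```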
 
 


tamz273

@batelco.com.bh
reply to OVERKILL
Another update:
I was able to connect from my iPad using a 3G connection. It prompted me for a user/pass, and once I entered that I got a connection to the VPN with an IP from the IP pool. I can't reach anything on the 192.168.1.x network, but I haven't looked at my routing tables yet.

I still can't seem to get anywhere with my laptop using Cisco VPN Client.

Below is the term mon output when I connect from my iPad:
AOSWan#
001026: *Jan 11 03:43:28.955 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
001027: *Jan 11 03:43:28.955 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
001028: *Jan 11 03:43:28.955 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
001029: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
001030: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
001031: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
001032: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):Encryption algorithm offered does not match policy!
001033: *Jan 11 03:43:28.959 PCTime: ISAKMP:(0):atts are not acceptable. Next payload is 3
001034: *Jan 11 03:43:44.101 PCTime: ISAKMP:FSM error - Message from AAA grp/user.
 
001035: *Jan 11 03:43:44.249 PCTime: map_db_find_best did not find matching map
001036: *Jan 11 03:43:44.249 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported
001037: *Jan 11 03:43:44.249 PCTime: ISAKMP:(2008): IPSec policy invalidated proposal with error 32
001038: *Jan 11 03:43:44.249 PCTime: map_db_find_best did not find matching map
001039: *Jan 11 03:43:44.249 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported
001040: *Jan 11 03:43:44.249 PCTime: ISAKMP:(2008): IPSec policy invalidated proposal with error 32
001041: *Jan 11 03:43:44.249 PCTime: map_db_find_best did not find matching map
001042: *Jan 11 03:43:44.249 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported
001043: *Jan 11 03:43:44.249 PCTime: ISAKMP:(2008): IPSec policy invalidated proposal with error 32
001044: *Jan 11 03:43:44.249 PCTime: map_db_find_best did not find matching map
001045: *Jan 11 03:43:44.249 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported
001046: *Jan 11 03:43:44.249 PCTime: ISAKMP:(2008): IPSec policy invalidated proposal with error 32
001047: *Jan 11 03:43:44.253 PCTime: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
001048: *Jan 11 03:43:44.261 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
AOSWan#
 
 


tamz273

@batelco.com.bh
reply to OVERKILL
Alright, so one MORE update! I now CAN connect from my Cisco VPN Client! I can't reach anything though, nothing is pingable either. I can't even ping another VPN client on the same IP pool. Do I need to create an SVI for that pool in order to make it routable to everything else in the environment?

When I go to stats in the VPN client, it shows 192.168.1.0/24 as a "Secured Route". I'm assuming it's learning that through the ACL we set?

Looking forward to hearing back!


tamz273

@batelco.com.bh
reply to OVERKILL
Sorry for the multiple posts, I'm not a registered user and can't go back to edit any previous posts.

So it seems that my VPN client is redundant. I have to try multiple times to get prompted for a user/pass and establish a connection. Not sure if it's my machine or my config/settings.

Anyway, once connected, if I look at the connection stats in Windows, it shows 0/0 for sent/received, and I have no default gateway. Is there any way to push that out in the group policy on the router? I'm doing some online research right now, but can't grasp anything solid. And the /? in the router doesn't point at anything to set a default gateway.

Thanks again for all the help!
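The "Secured Route" in the client stats and the missing default gateway in the two posts above both follow from the split-tunnel ACL in the posted config (`acl 100` under the `AOS` group). The following is an added example, not code from the thread: it derives the networks the router pushes to the group's clients from those config lines and classifies a destination as going into the tunnel or out the client's local interface. `CONFIG` is a constructed excerpt of the posted running config; the helper names are the example's own.

```python
import ipaddress
import re

# Constructed excerpt of the split-tunnel-related lines from the posted config.
CONFIG = """\
crypto isakmp client configuration group AOS
 pool VPNPool
 acl 100
ip local pool VPNPool 172.21.10.10 172.21.10.50
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.21.10.0 0.0.0.255
"""

GROUP_ACL_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\n(?: .*\n)*? acl (\d+)$", re.M)
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$", re.M)

def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks (0.0.0.255 -> /24)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def secured_routes(config, group):
    """Networks pushed to the group's clients as the split-tunnel list: the
    source side of each permit in the group's split ACL (destination = pool)."""
    acls = {g: a for g, a in GROUP_ACL_RE.findall(config)}
    return [wildcard_to_network(src, swc)
            for num, src, swc, _dst, _dwc in ACL_RE.findall(config)
            if num == acls[group]]

def pool_range(config, name):
    for n, lo, hi in POOL_RE.findall(config):
        if n == name:
            return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    raise KeyError(name)

def route_for(destination, routes):
    """'tunnel' if a secured route covers the destination, otherwise 'local':
    split tunnelling pushes no default route, so the client has no VPN gateway
    and traffic to other pool addresses never enters the tunnel."""
    ip = ipaddress.IPv4Address(destination)
    return "tunnel" if any(ip in net for net in routes) else "local"
```

With the posted ACL, only 192.168.1.0/24 is secured; a ping to another client in 172.21.10.10-50 goes out the local interface, which is why pool peers are unreachable from one another.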

hodgeswalt

join:2012-03-13
Ankeny, IA
reply to tamz273
I am curious. Have you had any luck with connecting successfully?

Regards,
--walt