Cisco VPN clients unable to connect to 3725 VPN server


  • Cisco VPN clients unable to connect to 3725 VPN server

    I have a 3725 router that is acting as a VPN server as well as performing NAT for the internal network. The VPN is set up to connect to another remote network and to allow clients to connect securely to the router and access the local network.

    The problem is that the client is prompted for the user name and password but it won't establish the connection, so I'm not sure what's missing. Any help would be greatly appreciated.

    The only error I get is:
    Jan 18 18:21:06.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.16.2.4

    Code:
    !
    ! Last configuration change at 13:30:31 PCTime Fri Jan 18 2008 by rsreese
    ! NVRAM config last updated at 13:30:34 PCTime Fri Jan 18 2008 by rsreese
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 3725router
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local 
    aaa authorization network default local 
    !
    aaa session-id common
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no network-clock-participate slot 1 
    no network-clock-participate slot 2 
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.2.1
    ip dhcp excluded-address 172.16.3.1
    !
    ip dhcp pool VLAN2clients
       network 172.16.2.0 255.255.255.0
       default-router 172.16.2.1 
       dns-server 205.152.144.23 205.152.132.23 
    !
    ip dhcp pool VLAN3clients
       network 172.16.3.0 255.255.255.0
       default-router 172.16.3.1 
       dns-server 205.152.144.23 205.152.132.23 
    !
    !
    ip domain name neocipher.net
    ip name-server 205.152.144.23
    ip name-server 205.152.132.23
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    vpdn enable
    !
    vpdn-group 1
    ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
     ip pmtu
    !
    vpdn-group L2TP_VPN
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
    !
    !
    username <username>
    !
    !
    ip ssh authentication-retries 2
    ! 
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key cisco address 10.0.0.2 no-xauth
    !
    crypto isakmp client configuration group VPN-Users
     key test00
     dns 205.152.144.23 205.152.132.23
     domain neocipher.net
     pool VPN_POOL
     acl 115
     include-local-lan
     netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
     mode transport
    !
    crypto dynamic-map DYNMAP 10
     set transform-set ESP-3DES-SHA 
     match address 115
    !
    !
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp 
     set peer 10.0.0.2
     set transform-set ESP-3DES-SHA 
     match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP 
    !
    !
    !
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.0
    !
    interface FastEthernet0/0
     ip address dhcp client-id FastEthernet0/0 hostname 3725router
     ip nat outside
     ip virtual-reassembly
     speed 100
     full-duplex
     crypto map CLIENTMAP
    !
    interface Serial0/0
     ip address 10.0.0.1 255.255.240.0
     clock rate 2000000
     crypto map CLIENTMAP
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.2
     encapsulation dot1Q 2
     ip address 172.16.2.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     crypto map CLIENTMAP
    !
    interface FastEthernet0/1.3
     encapsulation dot1Q 3
     ip virtual-reassembly
    !
    interface Serial0/1
     no ip address
     shutdown
     clock rate 2000000
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/0
     peer default ip address pool PPTP-POOL
     no keepalive
     ppp encrypt mppe auto required
     ppp authentication pap chap ms-chap
    !
    ip local pool PPTP-POOL 172.16.20.25 172.16.20.35
    ip local pool VPN_POOL 192.168.0.55 192.168.0.105
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip route 172.16.10.0 255.255.255.0 10.0.0.2
    !
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map NONAT interface FastEthernet0/0 overload
    !
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 115 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    !
    route-map NONAT permit 10
     match ip address 120
    !
    !
    !
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     password 7 
     transport input ssh
    line vty 5 903
     transport input ssh
    !
    ntp clock-period 17180664
    ntp server 129.6.15.29 source FastEthernet0/0 prefer
    !
    end
    Last edited by Dumber; 21st July 2010, 09:41.

  • #2
    Re: Cisco VPN clients unable to connect to 3725 VPN server

    Check this out:
    http://www.cisco.com/warp/public/707/17.html
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Cisco VPN clients unable to connect to 3725 VPN server

      Thank you. I have seen that one. I can get two routers to connect securely; I just can't get VPN clients to connect and then access the internal networks. I believe part of my problem is the NAT interface.



      • #4
        Re: Cisco VPN clients unable to connect to 3725 VPN server

        Phase II of your VPN connection is failing.
        The VPN client and the VPN server can't agree about the encryption.
        Marcel



        • #5
          Re: Cisco VPN clients unable to connect to 3725 VPN server

          After I removed the "match address 115" line I am able to create a session internally and externally, but there is a problem.

          I am unable to connect to anything internally; I can't reach anything on 172.16.X.X. Pings fail. Am I missing a route or ACL to allow the VPN clients to connect to the internal resources? This has been my problem for some time now; that's why I have been trying everything to make this work.



          • #6
            Re: Cisco VPN clients unable to connect to 3725 VPN server

            Well, it's almost bedtime right now, but:
            Check your routing table with sh ip route. You can see if the router knows a way to find both networks.
            Check a traceroute from a client.
            Check the client's gateway to see if it matches the router.

            So the first step: check out your routing.
            Marcel



            • #7
              Re: Cisco VPN clients unable to connect to 3725 VPN server

              I believe the router knows about everything.

              Code:
              Gateway of last resort is 192.168.1.1 to network 0.0.0.0
              
                   1.0.0.0/24 is subnetted, 1 subnets
              C       1.1.1.0 is directly connected, Loopback0
                   172.16.0.0/24 is subnetted, 2 subnets
              S       172.16.10.0 [1/0] via 10.0.0.2
              C       172.16.2.0 is directly connected, FastEthernet0/1.2
                   10.0.0.0/20 is subnetted, 1 subnets
              C       10.0.0.0 is directly connected, Serial0/0
              C    192.168.1.0/24 is directly connected, FastEthernet0/0
              S*   0.0.0.0/0 [1/0] via 192.168.1.1
              It doesn't look like the VPN client is getting gateway information. Is this because split VPN is enabled due to ACL 115?
              Code:
              Ethernet adapter Local Area Connection 2:
              
                 Connection-specific DNS Suffix  . : neocipher.net
                 Description . . . . . . . . . . . : Cisco Systems VPN Adapter
                 Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
                 DHCP Enabled. . . . . . . . . . . : No
                 Autoconfiguration Enabled . . . . : Yes
                 IPv4 Address. . . . . . . . . . . : 192.168.0.67(Preferred)
                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                 Default Gateway . . . . . . . . . :
                 DNS Servers . . . . . . . . . . . : 205.152.144.23
                                                     205.152.132.23
                 NetBIOS over Tcpip. . . . . . . . : Enabled
              When tracing to one of the internal hosts it looks like it's trying to go out; is this because of the split VPN ACL 115?
              Code:
              C:\Users\user>tracert 172.16.2.2
              
              Tracing route to 172.16.2.2 over a maximum of 30 hops
              
                1    <1 ms    <1 ms    <1 ms  192.168.1.1
                 2     8 ms     7 ms     7 ms  border1-fe2-0-0.sj.jax.superconnect.net [68.156.60.1]
                 3    11 ms    11 ms    11 ms  68.152.181.145
                 4    29 ms    19 ms    40 ms  ixc00jax-ge-1-0-6.bellsouth.net [205.152.187.81]
                5    24 ms    19 ms    19 ms  axr00asm-so-2-0-0.bellsouth.net [65.83.239.74]
                6    23 ms    19 ms    19 ms  205.152.152.17
                7    24 ms    19 ms    19 ms  205.152.152.10
                8     *        *        *     Request timed out.
                9     *        *        *     Request timed out.
               10     *        *        *     Request timed out.



              • #8
                Re: Cisco VPN clients unable to connect to 3725 VPN server

                I'm not a Cisco specialist, but you're using "ip local pool".
                You should use a DHCP pool instead.

                That you don't have a gateway is a problem; that's why you can't access your internal resources.
                Marcel



                • #9
                  Re: Cisco VPN clients unable to connect to 3725 VPN server

                  For the VPN clients the pool is specified in here:

                  crypto isakmp client configuration group VPN-Users

                  That's the only way I've figured it out.

                  I've learned that if I remove the ACL 115 then the clients will get a gateway but they are still unable to connect to the internal network.

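An added check, not part of the original thread or the poster's config, that ties together the NAT question in #3, the Quick mode failure that cleared when "match address 115" was removed in #5, and the traceroute in #7 showing LAN-bound traffic leaving the client's physical interface. It parses the relevant lines of the posted config (embedded below as a constructed sample, copied from the first post) and applies three rules a reviewer would check on an IOS Easy VPN server: a split-tunnel ACL referenced by `crypto isakmp client configuration group ... acl` is read from the server's side (source = LAN to protect, destination = any), so a `permit` whose source is the client pool is written backwards; a `match address` on the dynamic map that serves those clients must permit what the client proposes in Quick mode (local = LAN, remote = the client's /32), which a backwards ACL cannot; and the NAT route-map's ACL must deny LAN-to-pool traffic so replies enter the tunnel untranslated. Function names, the `SAMPLE_CONFIG` text and the suggested replacement line are this example's own, not Cisco's.

```python
"""Review the split-tunnel ACL, dynamic-map 'match address' and NAT exemption
of an IOS Easy VPN server config (added example; sample config is constructed
from the lines posted in this thread)."""
import ipaddress

SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPN-Users
 key test00
 pool VPN_POOL
 acl 115
 include-local-lan
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
 match address 115
!
ip local pool VPN_POOL 192.168.0.55 192.168.0.105
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
access-list 115 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
route-map NONAT permit 10
 match ip address 120
"""


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard masks (0 bit = must match); invert to a prefix."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_operand(tokens):
    """Consume one ACL address operand: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Minimal IOS parser: only the blocks and commands the checks below need."""
    cfg = {"groups": {}, "dynmaps": {}, "acls": {}, "pools": {}, "routemaps": {}, "nat_rm": None}
    block = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        t = line.split()
        if line.startswith(" "):                      # sub-command of the current block
            if block is None:
                continue
            if t[0] in ("acl", "pool"):
                block[t[0]] = t[1]
            elif t[:2] == ["match", "address"]:       # crypto dynamic-map
                block["match_address"] = t[2]
            elif t[:3] == ["match", "ip", "address"]: # route-map
                block["acl"] = t[3]
            continue
        block = None
        if t[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            block = cfg["groups"].setdefault(t[5], {})
        elif t[:2] == ["crypto", "dynamic-map"]:
            block = cfg["dynmaps"].setdefault(f"{t[2]} {t[3]}", {})
        elif t[0] == "route-map":
            block = cfg["routemaps"].setdefault(t[1], {})
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rm"] = t[5]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, rest = parse_operand(t[4:])
            dst, _ = parse_operand(rest)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
    return cfg


def pool_in(pool, net):
    return pool[0] in net and pool[1] in net


def analyze(text):
    """Findings per client group; empty lists / True mean that check passed."""
    cfg = parse_config(text)
    nat_acl = cfg["routemaps"].get(cfg["nat_rm"], {}).get("acl")
    findings = {}
    for name, g in cfg["groups"].items():
        pool, acl_id = cfg["pools"].get(g.get("pool")), g.get("acl")
        if pool is None or acl_id is None:
            continue                                  # no pool, or full tunnel: nothing to check
        out = {"reversed": [], "suggested": [], "dynmap_match": [], "nat_exempt": False}
        for action, src, dst in cfg["acls"].get(acl_id, []):
            # Split-tunnel ACL is read from the server's side. If the client pool
            # sits in the *source*, the entry is backwards: the client tunnels only
            # traffic toward the pool range and sends LAN-bound packets out its
            # physical interface (what the tracert in post #7 shows).
            if action == "permit" and pool_in(pool, src):
                out["reversed"].append(f"{src} -> {dst}")
                out["suggested"].append(
                    f"access-list {acl_id} permit ip {dst.network_address} {dst.hostmask} any")
        # Dynamic maps reusing that ACL as 'match address' will reject the client's
        # Quick mode proposal (local = LAN, remote = client /32) while it is reversed.
        out["dynmap_match"] = [k for k, d in cfg["dynmaps"].items() if d.get("match_address") == acl_id]
        # NAT exemption: LAN -> pool must hit a deny in the route-map's ACL.
        out["nat_exempt"] = any(a == "deny" and pool_in(pool, dst)
                                for a, _, dst in cfg["acls"].get(nat_acl, []))
        findings[name] = out
    return findings


if __name__ == "__main__":
    for group, f in analyze(SAMPLE_CONFIG).items():
        print(group, f)
```

On the posted config this reports ACL 115 as reversed (pool 192.168.0.55-105 is inside its source 192.168.0.0/24), suggests `access-list 115 permit ip 172.16.0.0 0.0.255.255 any`, flags `DYNMAP 10` for reusing that ACL as `match address`, and confirms the NAT route-map already exempts the pool (ACL 120's deny), so NAT is not what blocks the clients.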


                  • #10
                    Re: Cisco VPN clients unable to connect to 3725 VPN server

                    I was able to access the Windows shares by disabling the firewall on the computer that I was trying to access. I'll have to adjust the firewall accordingly.

                    I can only access them via IP address though. Is there a way to resolve the names without setting up a DNS server?
