
cisco easy vpn ipsec help

Status
Not open for further replies.

barnsiersa (Technical User, AU), Aug 16, 2011
Hi all,

I am at the end of my tether and really need any help / insights / advice that anyone is willing to share. Essentially I am trying to configure a Cisco Easy VPN server to provide IPsec remote access for teleworkers. I am now officially confused with the number of posts that I have researched and tested and seen fail.

Error when trying to connect is: Error code 412
VPN Client: Cisco Systems VPN Client Version 5.0.07.0440
My config is included:

Building configuration...

Current configuration : 8129 bytes
!
! Last configuration change at 15:01:02 Sydney Wed Aug 17 2011
! NVRAM config last updated at 18:05:07 Sydney Tue Aug 9 2011 by admin
! NVRAM config last updated at 18:05:07 Sydney Tue Aug 9 2011 by admin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service pt-vty-logging
service sequence-numbers
!
hostname au-syd-rtr-01
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
no logging rate-limit
logging console critical
no logging monitor
enable password 7 115C09171E1C0C54542138
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone Sydney 10 0
clock summer-time Sydney recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
errdisable recovery cause bpduguard
errdisable recovery cause rootguard
errdisable recovery cause link-flap
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
ip name-server 160.222.46.3
login block-for 300 attempts 5 within 90
login delay 2
login on-failure log
login on-success log
no ipv6 cef
!
!
license udi pid CISCO887W-GN-A-K9 sn FHK14217543
!
!
archive
log config
record rc
logging enable
logging size 500
notify syslog contenttype plaintext
hidekeys
username admin privilege 15 password 7 13500700020203727B2F3B
!
!
!
!
!
crypto logging session
crypto isakmp nat keepalive 15
crypto isakmp profile ciscocp-ike-profile-1
match identity group austcor_1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
!
crypto ipsec profile CiscoCP_Profile1
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback10
description Bypass NAT for IPsec
ip address 1.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip route-cache same-interface
ip route-cache policy
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback10
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
shutdown
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface Vlan1
no ip address
!
interface Vlan9
ip address 160.222.46.150 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip access-group ACL_DIALER_IN in
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname x.x.x.x
ppp chap password x.x.x.x
ppp pap sent-username x.x.x.x
ppp ipcp dns request
!
ip local pool CLI_VPN_POOL 160.222.44.100 160.222.44.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source static 160.222.46.3 interface Dialer0
ip nat inside source static tcp 160.222.46.3 3001 interface Dialer0 3001
ip nat inside source static tcp 160.222.46.75 3002 interface Dialer0 3002
ip nat inside source static tcp 160.222.46.12 3003 interface Dialer0 3003
ip nat inside source static tcp 160.222.46.63 3004 interface Dialer0 3004
ip nat inside source route-map RMP_DIALER_OVERLOAD interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 10.0.0.0 255.0.0.0 Null0
ip route 160.222.44.0 255.255.255.0 Dialer0 name CLI_VPN_POOL
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list standard ACL_SNMP
permit 160.222.46.0 0.0.0.255
permit 160.222.44.0 0.0.0.255
ip access-list standard ACL_VTY04_IN
permit 160.222.46.0 0.0.0.255
permit 160.222.44.0 0.0.0.255
!
ip access-list extended ACL_DIALER_IN
remark IP address spoof protection, deny internal addresses
remark CCP_ACL Category=17
deny ip 160.222.46.0 0.0.0.255 any log
remark Illegal Internet source addresses
deny ip 0.0.0.0 0.255.255.255 any log
remark Host local loop back address
deny ip 127.0.0.0 0.255.255.255 any log
remark RFC 1918 private network addresses
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
remark DHCP local link address
deny ip 169.254.0.0 0.0.255.255 any log
remark multicast source addresses
deny ip 224.0.0.0 31.255.255.255 any log
remark permit decrypted VPN client packets enter internal network
permit ip 160.222.44.0 0.0.0.255 160.222.46.0 0.0.0.255
permit ahp any any
remark permit external web service traffic to internal network
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 444
permit tcp any any eq pop3
permit tcp any any eq smtp
permit tcp any any eq 22
permit tcp any any eq ident
permit udp any any eq ntp
remark packets to reach router
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark permit SNMP
permit udp any any eq snmp
remark permit RDP
permit tcp any any eq 3389
permit tcp any any eq 3399
permit tcp any any eq 3397
permit tcp any any eq 3391
remark permit SQL
permit tcp any any eq 1433
permit udp any any eq 1434
remark packet-too-big reach internal network
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
permit udp any any eq domain
permit udp any eq domain any
permit tcp any any eq domain
permit tcp any eq domain any
remark rule to allow established inbound tcp connections
permit tcp any any gt 1023 established
permit tcp any any established
remark blanket permit for unclassified traffic
deny icmp any any log
deny tcp any range 0 65535 any range 0 65535 log
deny udp any range 0 65535 any range 0 65535 log
deny ip any any log
ip access-list extended ACL_DIALER_OUT
remark VPN
remark CCP_ACL Category=17
permit esp any any
permit gre any any
permit ahp any any
permit icmp any any
remark standard permit ip any any
ip access-list extended ACL_DIALER_OVERLOAD
deny ip 160.222.46.0 0.0.0.255 160.222.44.0 0.0.0.255
permit ip 160.222.46.0 0.0.0.255 any
ip access-list extended ACL_VLAN9_NO_NAT
permit ip 160.222.46.0 0.0.0.255 160.222.44.0 0.0.0.255
ip access-list extended ACL_VPN_CLIENT
permit ip 160.222.46.0 0.0.0.255 160.222.44.0 0.0.0.255
!
logging trap debugging
access-list 1 remark
access-list 1 permit 160.222.46.0 0.0.0.255
access-list 10 permit 160.222.46.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map RMP_DIALER_OVERLOAD permit 10
match ip address ACL_DIALER_OVERLOAD
!
route-map RMP_VLAN9_NO_NAT permit 10
match ip address ACL_VLAN9_NO_NAT
set ip next-hop 1.1.1.2
!
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 03514B190F0126141E020A
transport input all
!
end
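Added example, not from the post above or from Cisco: a small static consistency check over the Easy VPN parts of an IOS config, run against a constructed excerpt of the posted config. It lists names the ISAKMP profile references that nothing in the config defines (here the `austcor_1` group) and the profile settings left to IOS defaults; the command prefixes in HEADER and PROFILE_REFS are my own assumptions about the config grammar, not a Cisco API.

```python
import re
# Constructed excerpt of the config posted above (forum paste, indentation
# lost); only the lines an Easy VPN server review needs are kept.
POSTED_EXCERPT = """\
aaa authentication login ciscocp_vpn_xauth_ml_1 local
crypto isakmp profile ciscocp-ike-profile-1
match identity group austcor_1
client authentication list ciscocp_vpn_xauth_ml_1
virtual-template 1
!
crypto ipsec profile CiscoCP_Profile1
set isakmp-profile ciscocp-ike-profile-1
!
interface Virtual-Template1 type tunnel
!
"""
HEADER = re.compile(r"^(crypto isakmp profile|crypto ipsec profile|"
                    r"crypto isakmp client configuration group|interface) (\S+)")
# ISAKMP-profile sub-command -> top-level command that must define what it names
PROFILE_REFS = [
    (r"match identity group (\S+)", "crypto isakmp client configuration group {}"),
    (r"client authentication list (\S+)", "aaa authentication login {}"),
    (r"virtual-template (\d+)", "interface Virtual-Template{}"),
]

def audit_easyvpn(config):
    """List what the Easy VPN parts of an IOS config reference but never define."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    blocks, cur = {}, None  # (kind, name) -> body lines
    for line in lines:  # a block ends at '!' or the next header, so lost indentation is fine
        if m := HEADER.match(line):
            cur = (m.group(1), m.group(2))
            blocks.setdefault(cur, [])  # keep headers whose body turns out empty
        elif line.startswith("!"):
            cur = None
        elif cur:
            blocks[cur].append(line)
    def defined(cmd):  # the command on its own, or followed by further tokens
        return any(l == cmd or l.startswith(cmd + " ") for l in lines)
    findings = [] if defined("crypto isakmp policy") else [
        "no explicit 'crypto isakmp policy' (IOS default IKE policies would apply)"]
    for (kind, name), body in blocks.items():
        if kind == "crypto isakmp profile":
            for pat, target in PROFILE_REFS:
                for ref in (m.group(1) for l in body if (m := re.match(pat, l))):
                    if not defined(target.format(ref)):
                        findings.append(f"{kind} {name}: '{target.format(ref)}' is undefined")
        elif kind == "crypto ipsec profile" and not any(l.startswith("set transform-set") for l in body):
            findings.append(f"{kind} {name}: no explicit 'set transform-set' (defaults would apply)")
    return findings
```

Running it on the full pasted config gives the same three findings; the AAA lists and the virtual-template the profile names are all defined, so they do not appear.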