
Cisco VPN 1720 Problem


mwtloke

Vendor
Dec 11, 2002
2
SG
Hi,

Greetings! I have a unit of Cisco 1720 router with 3DES/FW 12.2(T) featureset with hardware encryption engine.
I'm trying to set up
i) IPSEC tunnel in between this router and another Cisco router using preshared key authentication
ii) Cisco VPN client (3.63) with Cisco 1720 using preshared key authentication and xauth local
I've managed to set up the site-to-site tunnel, but the VPN client still fails to connect.
The error messages are :
Dec 11 06:20:08.629: ISAKMP (0:0): received packet from 203.116.120.116 (N) NEW SA
.Dec 11 06:20:08.629: ISAKMP: local port 500, remote port 500
.Dec 11 06:20:08.629: ISAKMP: Created a peer node for 203.116.120.116
.Dec 11 06:20:08.629: ISAKMP (0:119): Setting client config settings 81942FE4
.Dec 11 06:20:08.629: ISAKMP (0:119): (Re)Setting client xauth list localuser and state
.Dec 11 06:20:08.629: ISAKMP: Locking CONFIG struct 0x81942FE4 from crypto_ikmp_config_initialize_sa, count 1
.Dec 11 06:20:08.633: ISAKMP (0:119): processing SA payload. message ID = 0
.Dec 11 06:20:08.633: ISAKMP (0:119): processing ID payload. message ID = 0
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID seems Unity/DPD but bad major
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is XAUTH
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is DPD
.Dec 11 06:20:08.633: ISAKMP (0:119): processing vendor id payload
.Dec 11 06:20:08.633: ISAKMP (0:119): vendor ID is Unity
.Dec 11 06:20:08.637: ISAKMP (0:119): Checking ISAKMP transform 1 against priority 3 policy
.Dec 11 06:20:08.637: ISAKMP: encryption 3DES-CBC
.Dec 11 06:20:08.637: ISAKMP: hash SHA
.Dec 11 06:20:08.637: ISAKMP: default group 2
.Dec 11 06:20:08.637: ISAKMP: auth XAUTHInitPreShared
.Dec 11 06:20:08.637: ISAKMP: life type in seconds
.Dec 11 06:20:08.637: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
.Dec 11 06:20:08.637: ISAKMP (0:119): Xauth authentication by pre-shared key offered but does not match policy!

The last line of the log indicates that xauth authentication by pre-shared key was offered but does not match policy. However, I have defined a specific crypto policy using pre-shared key authentication.
I have tried for a few days to resolve the problem but to no avail. Your help will be greatly appreciated.
Thanks

Can you please upload your config, so I can take a look at it? Please strip out any internal and external private info first. I have a 1720 on my desktop configured for the exact setup, working flawlessly.

Cisco_God
Hi,

Here is the config file (for security reasons, IP addresses have been replaced and some of the sensitive data is marked as xxxx).
For VPN client (3.6.3), I'm using group cisco with key 1234. I have also defined a local user in the router for authentication using xauth.
Greatly appreciate your insight.
Thanks.

version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime show-timezone
service password-encryption
!
hostname router
!
logging buffered 16384 debugging
logging rate-limit console 10 except emergencies
logging console critical
aaa new-model
!
!
aaa authentication login default local
aaa authentication login nopass none
aaa authentication login localuser local
aaa authentication login linepass line
aaa authentication login xauth_list group radius
aaa authentication login userauthen local
aaa session-id common
enable secret 5 xxxx
enable password 7 xxxx
!
username xxxx password 7 xxxx
username xxxx privilege 15 password 7 xxxx
username xxxx password 7 xxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip rcmd remote-username xxxx
ip rcmd source-interface Loopback0
!
!
ip tftp source-interface Loopback0
ip domain-name xxxx
!
ip audit notify log
ip audit po max-events 100
ip accounting-threshold 16384
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp key 1234 address 200.100.100.100 no-xauth
crypto isakmp key 1234 address 190.100.100.100 no-xauth
!
crypto isakmp client configuration group cisco
key 1234
pool ourpool
!
crypto ipsec security-association lifetime kilobytes 100000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpnsites esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set vpnsites
!
!
crypto map vpnsitesmap client authentication list localuser
crypto map vpnsitesmap client configuration address respond
crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap
crypto map vpnsitesmap 10 ipsec-isakmp
description Primary VPN Tunnel
set peer 200.100.100.100
set transform-set vpnsites
set pfs group2
match address hamgre1
crypto map vpnsitesmap 20 ipsec-isakmp
description Backup VPN Tunnel
set peer 190.100.100.100
set transform-set vpnsites
set pfs group2
match address hamgre2
!
!
interface Loopback0
ip address 172.30.23.5 255.255.255.255
!
interface Tunnel0
description Primary Tunnel to Main
bandwidth 512
ip address 172.19.170.46 255.255.255.252
ip mtu 1420
delay 2000
tunnel source 180.100.100.100
tunnel destination 200.100.100.100
crypto map vpnsitesmap
!
interface Tunnel1
description Backup Tunnel
bandwidth 512
ip address 172.19.171.46 255.255.255.252
ip mtu 1420
delay 3000
tunnel source 180.100.100.100
tunnel destination 190.100.100.100
crypto map vpnsitesmap
!
interface Ethernet0
description Singapore Internet Connection
ip address 180.100.100.100 255.255.255.224
ip access-group extinacl in
ip access-group extoutacl out
ip accounting output-packets
ip accounting access-violations
no ip mroute-cache
half-duplex
no cdp enable
crypto map vpnsitesmap
!
interface FastEthernet0
description Singapore Internal Network
ip address 10.190.0.12 255.255.240.0
ip accounting output-packets
ip accounting access-violations
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
router eigrp 1220
network 10.190.0.0 0.0.255.255
network 172.19.170.44 0.0.0.3
network 172.19.171.44 0.0.0.3
network 172.30.0.0
no auto-summary
eigrp log-neighbor-changes
!
ip local pool ourpool 10.190.5.1 10.190.5.2
ip classless
ip route 0.0.0.0 0.0.0.0 180.100.100.99
ip route 190.100.100.100 255.255.255.255 180.100.100.99
ip route 200.100.100.100 255.255.255.255 180.100.100.99
no ip http server
ip pim bidir-enable
!
!
ip access-list extended extinacl
permit udp any host 180.100.100.100 eq isakmp
permit esp any host 180.100.100.100
permit icmp any 180.100.100.0 0.0.0.31 administratively-prohibited
permit icmp any 180.100.100.0 0.0.0.31 echo-reply
permit icmp any 180.100.100.0 0.0.0.31 packet-too-big
permit icmp any 180.100.100.0 0.0.0.31 unreachable
deny ip 10.190.0.0 0.0.255.255 any
permit icmp any host 180.100.100.100 echo
permit tcp any host 180.100.100.100 eq 22
permit tcp any host 180.100.100.100 gt 1023
permit udp any host 180.100.100.100 gt 1023
permit udp 158.43.0.0 0.0.255.255 eq ntp host 180.100.100.100
permit gre host 200.100.100.100 host 180.100.100.100
permit gre host 190.100.100.100 host 180.100.100.100
permit udp 195.66.241.0 0.0.0.255 eq ntp host 180.100.100.100
deny udp host 180.100.100.15 any
deny udp host 180.100.100.17 any
deny ip any any log
ip access-list extended extoutacl
permit ip host 180.100.100.100 any
permit ip 10.190.0.0 0.0.255.255 any
permit ip 192.0.2.0 0.0.0.255 any
deny ip host 180.100.100.255 any
deny ip any any log
ip access-list extended hamgre1
permit gre host 180.100.100.100 host 200.100.100.100
ip access-list extended hamgre2
permit gre host 180.100.100.100 host 190.100.100.100
!
!
snmp-server community public RO
snmp-server community VPN747 RO 10
snmp-server community mngt RW 3
snmp-server trap-source Loopback0
snmp-server location Singapore Firewall
snmp-server contact xxxx
snmp-server host 161.89.20.3 mngt
snmp-server host 161.89.20.30 mngt
snmp-server host 161.89.20.4 mngt
radius-server host 10.190.10.30 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key 7 xxxx
banner login ^CCC No Unauthorised Access Allowed ^C
!
line con 0
exec-timeout 0 0
login authentication nopass
transport preferred none
line aux 0
line vty 0 4
exec-timeout 20 0
password 7 xxxx
login authentication localuser
transport preferred none
transport input telnet ssh
!
ntp clock-period 17180052
ntp server 158.43.128.33
ntp server 158.43.128.66
ntp server 158.43.192.66
ntp server 209.28.72.2
ntp server 207.209.174.162
ntp server 207.209.174.160
ntp server 195.66.241.3
end


MWTLOKE,

Okay, I see a few problems already: you are not authenticating the group in your aaa authorization, which is causing your issue. Put these commands in your config:

1)
aaa authorization network groupauthor local

2) Delete: crypto isakmp policy 30
You already have an isakmp policy in place, which is policy # 3.

3) This works in conjunction with change # 1 add:
crypto map vpnsitesmap isakmp authorization list groupauthor

4) Change command: crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap
to:
crypto map vpnsitesmap 25 ipsec-isakmp dynamic dynmap

5) **Important** Your IP LOCAL POOL is using a range of IP addresses that is in the same subnet as your FastEthernet 0, which is causing a routing issue on where to route your VPN client's IP packets. Use a range like 10.190.16.1-10.190.16.50. This has not been an issue yet, but it will be when you authorize your group to bring up your ipsec tunnel.

Dynamic maps should always be the last statement in your crypto map to catch all VPN clients that do not meet the set ip peer statements.

Effectively what is happening is that your client is coming in and completing phase 1, then going to ISAKMP to authenticate the VPN client but does not know how, since the aaa authorization group was not in the config. Also, due to the order of the crypto map, it tried to use maps 10 and 20, which fails; that is why dynamic maps are always the last statement, because you do not know the address of the initiator of the IPSec tunnel. You will also need to account for your new VPN client subnet in your access list to allow udp isakmp and esp thru to that subnet.

Hope that works, if not let me know.

Cisco_God
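Three of the five changes above are structural properties of the config rather than one-off typos: the dynamic crypto-map entry must carry the highest sequence number, an ISAKMP client group needs an `aaa authorization network` list bound to the map with `crypto map ... isakmp authorization list`, and the client address pool must not sit inside a directly connected subnet. The script below is an added example, not part of this thread or of any Cisco tool, that lints a saved IOS config for exactly those three conditions. The two embedded configs are constructed excerpts modelled on the posted one (same map, pool and interface names), before and after the recommended changes; everything else in the config is omitted.

```python
"""Lint a Cisco IOS crypto config for three structural problems:
 1. a 'crypto map ... ipsec-isakmp dynamic' entry that is not the last (highest) sequence,
 2. an ISAKMP client configuration group with no 'isakmp authorization list' bound to the map
    (or a list bound that no 'aaa authorization network' line defines),
 3. an 'ip local pool' whose range falls inside an interface's connected subnet.
The configs are constructed excerpts for the example, not a real device's running-config."""
import ipaddress
import re

BEFORE = """\
aaa new-model
aaa authentication login localuser local
crypto isakmp client configuration group cisco
 key 1234
 pool ourpool
crypto dynamic-map dynmap 10
 set transform-set vpnsites
crypto map vpnsitesmap client authentication list localuser
crypto map vpnsitesmap client configuration address respond
crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap
crypto map vpnsitesmap 10 ipsec-isakmp
 set peer 200.100.100.100
crypto map vpnsitesmap 20 ipsec-isakmp
 set peer 190.100.100.100
interface Ethernet0
 ip address 180.100.100.100 255.255.255.224
interface FastEthernet0
 ip address 10.190.0.12 255.255.240.0
ip local pool ourpool 10.190.5.1 10.190.5.2
"""

# Same excerpt with the authorization list, dynamic-map sequence and pool range changed.
AFTER = BEFORE.replace(
    "aaa authentication login localuser local\n",
    "aaa authentication login localuser local\naaa authorization network groupauthor local\n",
).replace(
    "crypto map vpnsitesmap client configuration address respond\n",
    "crypto map vpnsitesmap client configuration address respond\n"
    "crypto map vpnsitesmap isakmp authorization list groupauthor\n",
).replace(
    "crypto map vpnsitesmap 5 ipsec-isakmp dynamic dynmap",
    "crypto map vpnsitesmap 25 ipsec-isakmp dynamic dynmap",
).replace(
    "ip local pool ourpool 10.190.5.1 10.190.5.2",
    "ip local pool ourpool 10.190.16.1 10.190.16.50",
)


def interface_networks(cfg):
    """Return {interface: IPv4Network} for each 'ip address A MASK' under an 'interface' block."""
    nets, current = {}, None
    for line in cfg.splitlines():
        if not line.startswith(" "):  # top-level command ends any interface block
            current = line.split()[1] if line.startswith("interface ") else None
            continue
        parts = line.split()
        if current and parts[:2] == ["ip", "address"] and len(parts) >= 4:
            nets[current] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}").network
    return nets


def check_dynamic_map_order(cfg):
    """Flag a dynamic crypto-map entry evaluated before a static (set peer) entry."""
    findings, entries = [], {}
    pat = r"^crypto map (\S+) (\d+) ipsec-isakmp(?P<dyn> dynamic \S+)?$"
    for m in re.finditer(pat, cfg, re.M):
        entries.setdefault(m.group(1), []).append((int(m.group(2)), bool(m.group("dyn"))))
    for name, seqs in entries.items():
        static_max = max((s for s, dyn in seqs if not dyn), default=None)
        for s, dyn in seqs:
            if dyn and static_max is not None and s < static_max:
                findings.append(f"crypto map {name}: dynamic entry seq {s} precedes static "
                                f"entry seq {static_max}; give the dynamic entry the highest sequence")
    return findings


def check_group_authorization(cfg):
    """Flag a client group whose crypto map has no valid 'isakmp authorization list'."""
    findings = []
    groups = re.findall(r"^crypto isakmp client configuration group (\S+)", cfg, re.M)
    if not groups:
        return findings
    authz_lists = set(re.findall(r"^aaa authorization network (\S+)", cfg, re.M))
    maps = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic ", cfg, re.M))
    for name in sorted(maps):
        m = re.search(rf"^crypto map {re.escape(name)} isakmp authorization list (\S+)", cfg, re.M)
        if not m:
            findings.append(f"crypto map {name}: client group(s) {', '.join(groups)} defined "
                            f"but no 'isakmp authorization list' bound to the map")
        elif m.group(1) not in authz_lists:
            findings.append(f"crypto map {name}: authorization list '{m.group(1)}' has no "
                            f"'aaa authorization network {m.group(1)} ...' definition")
    return findings


def check_pool_overlap(cfg):
    """Flag a local pool whose endpoints fall inside any connected interface subnet."""
    findings, nets = [], interface_networks(cfg)
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M):
        name, start, end = m.groups()
        ends = (ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))
        for iface, net in nets.items():
            if any(ip in net for ip in ends):
                findings.append(f"ip local pool {name}: {start}-{end} overlaps {iface} subnet {net}; "
                                f"choose a pool outside every connected subnet")
    return findings


def lint(cfg):
    """Run all three checks and return the combined list of findings."""
    return check_dynamic_map_order(cfg) + check_group_authorization(cfg) + check_pool_overlap(cfg)


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"[{label}] {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Running it on a real device means pasting the output of `show running-config` into `lint()`; the checks only look at top-level `crypto map`, `aaa authorization network`, `interface`/`ip address` and `ip local pool` lines, so the `xxxx`-redacted config posted above can be fed in unchanged.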
