
client not connecting to VPN on 871w

Status
Not open for further replies.

Pra3tor1an

Technical User
Aug 20, 2007
13
US
I've configured a VPN server on my 871w using IPSec over UDP. I've done this using the SDM. When I try to open a connection using the latest client (5.0), I get these messages in the log:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6000
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:17:54.811 08/26/07 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

2 15:17:54.811 08/26/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

The only answers I can get so far from my research are that:

1) The group name/password are wrong, which I know is not possible.
2) I need to forward (UDP) ports 500 and 4500 on the 871w firewall.

If it's the port forwarding I need, how can I forward these ports for a network range, instead of just one static host IP? Thanks in advance.
 
Is this 871 your gateway router? If so, you don't need to forward those ports; you just need to make sure you're not blocking them. But as Burt says, we need to see some config to help.
 
What encryption are you using? If you are using Diffie-Hellman group 5, the key is larger---I think with Cisco VPN client, the 871W must be configured to use group 2.
If this is not the issue, please post a debug crypto isakmp and a debug crypto ipsec.
Burt
 
Hi, and thanks for your quick responses. The router is behind the ISP's router, which is the gateway. I've already set up forwarding to our web server by opening ports 80 and 8080. I'm new to setting up VPN on Cisco, so I'm not sure about the encryption. Anyway, the config is below, most of which was configured using the SDM. Some things are changed for security reasons:


Building configuration...

Current configuration : 7670 bytes
!
! Last configuration change at 09:16:51 PCTime Mon Aug 27 2007 by administrator
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CISCO871W-SMS-NC
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$vHVp$ITwchNzpM0JEkvlEydaDK/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.69.1 192.168.69.99
!
ip dhcp pool sdm-pool1
import all
network 192.168.69.0 255.255.255.0
dns-server 66.0.214.14 207.230.75.34
default-router 192.168.69.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name SMS-NC
ip name-server 66.0.214.14
ip name-server 207.230.75.34
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2202461748
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2202461748
revocation-check none
rsakeypair TP-self-signed-2202461748
!
!
crypto pki certificate chain TP-self-signed-2202461748
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32323032 34363137 3438301E 170D3032 30333031 30303039
32315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32303234
36313734 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BFEA 8810141E AAD55C39 860DBCCD ED1930F9 65726CB3 7019B167 2C57BC5C
6932B665 8EAFFF44 5409B2E5 AFBEDFD6 F4DC251F C3A82A72 96FACCCF E6131144
2A134A22 F8B6F4C0 47C1E77F 681102A9 EB317980 22475EE1 31946AFD D781C9A6
EB708BF2 2C60DEE8 75AC8982 298F72BB BC64DEF2 5F662024 BFFDE9DF BD8A29DC
FAF70203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17434953 434F3837 31572D53 4D532D4E 432E534D 532D4E43
301F0603 551D2304 18301680 1410CA7A D736D6F3 0A97636D 50603ECC BE2EBDB6
58301D06 03551D0E 04160414 10CA7AD7 36D6F30A 97636D50 603ECCBE 2EBDB658
300D0609 2A864886 F70D0101 04050003 81810048 57A2D726 FA7198A3 D460D885
DB88134E 1888FFE4 A68E505F A79C19DC C8E75FA3 35369FAA 2795467A 09D54924
1F37D640 BF8CF585 07423591 0F68D16F C380E166 576755A7 4F82E136 E9EE696A
144CB279 73BE9615 0D8526D0 D11E5F15 84394025 9E86CFBA B9D7E610 616A100B
CA2C2A68 F6E5D803 B7464756 03A6B56A 45A005
quit
username xxxxxxxxx privilege 15 view root password 7 0231244903091D321F
username administrator privilege 15 view root secret 5 $1$8A2B$547Dx3fGnYalle4QH1vrX/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group SMSNCVNP
key sysm@1nt
pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
match identity group SMSNCVNP
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 209.168.233.xxx 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
ip address 192.168.70.1 255.255.255.0
!
broadcast-key change 900
!
!
encryption mode ciphers tkip
!
ssid SMS-CHARLOTTE
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 051B551D70411D1D4A1700425B0817
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.69.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.69.75 192.168.69.200
ip classless
ip route 0.0.0.0 0.0.0.0 209.168.233.113
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.10 80 209.168.233.114 80 extendable
ip nat inside source static tcp 192.168.69.10 8080 209.168.233.114 8080 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.69.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 209.168.233.112 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 207.230.75.34 eq domain host 209.168.233.114
access-list 101 permit udp host 66.0.214.14 eq domain host 209.168.233.114
access-list 101 deny ip 192.168.69.0 0.0.0.255 any
access-list 101 permit icmp any host 209.168.233.114 echo-reply
access-list 101 permit icmp any host 209.168.233.114 time-exceeded
access-list 101 permit icmp any host 209.168.233.114 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 
Is this a typo, and perhaps you could be putting something else in the client software to authenticate???

crypto isakmp client configuration group SMSNCVNP

Should it be SMSNCVPN ? If so, then the config has it vnp, instead of vpn.
You are using the proper Diffie-Hellman group, so no problems there.

Burt
 
Yes, I had a senior moment when trying to log in before my original post. I did have the group name entered incorrectly the first time. I have since reconfigured it anyway. I also opened up UDP ports 500 and 4500 in order to avoid any problems with the incoming connections. I did this using the ACL list:

access-list 101 permit udp any eq isakmp host 209.168.xxx.xxx log
access-list 101 permit udp any eq non500-isakmp host 209.168.xxx.xxx log

I have also enabled logging. Thanks again for your help.
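The thread turns on whether UDP 500 (isakmp) and UDP 4500 (non500-isakmp) get through access-list 101 on the outside interface, and which entry actually decides them. As an added example that is not part of the thread and not Cisco's own tooling, here is a small Python first-match evaluator for the subset of IOS extended-ACL syntax used in the posted config: it takes ACL lines and a packet description and reports the entry that handles it. The remote client address 198.51.100.7 is a constructed sample, and the redacted 209.168.xxx.xxx in the two added entries is stood in for by the 209.168.233.114 address that appears elsewhere in the posted config.

```python
"""First-match evaluator for Cisco IOS numbered extended ACLs.

Added example (not code from the thread). It understands only the subset of
'access-list NNN ...' syntax that appears in the posted running-config:

    access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT] [icmp-type] [log]

where SRC/DST is 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'. Remarks are
skipped. IOS evaluates an ACL top-down, the first matching entry wins, and an
implicit deny follows the last entry.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS keyword names for the ports that appear in the thread
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "www": 80}

AddrSpec = Tuple[int, int]  # (base address, subnet mask) as 32-bit ints


@dataclass
class Ace:
    number: str
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]
    text: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume an address spec starting at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0xFFFFFFFF), i + 2
    wildcard = _ip(tokens[i + 1])  # IOS wildcard: a 1 bit means "don't care"
    return (_ip(tokens[i]), ~wildcard & 0xFFFFFFFF), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' qualifier at tokens[i] (name or number)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended 'access-list N ...' line; remarks and other lines give None."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] == "remark":
        return None
    number, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)  # trailing icmp-type / 'log' tokens are ignored
    return Ace(number, action, proto, src, sport, dst, dport, line.strip())


def _in(spec: AddrSpec, addr: int) -> bool:
    base, mask = spec
    return (addr & mask) == (base & mask)


def evaluate(acl_lines, number, proto, src_ip, dst_ip, sport=None, dport=None):
    """Walk ACL `number` top-down; return (action, text of the entry that decided)."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace.number != number or ace.proto not in ("ip", proto):
            continue
        if not (_in(ace.src, s) and _in(ace.dst, d)):
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.text
    return "deny", f"(implicit deny at end of access-list {number})"


def check_ipsec_ingress(acl_lines, number, wan_ip, client_ip):
    """How IKE (UDP/500) and NAT-T (UDP/4500) from a remote client are handled."""
    return {
        "ike": evaluate(acl_lines, number, "udp", client_ip, wan_ip, 500, 500),
        "nat-t": evaluate(acl_lines, number, "udp", client_ip, wan_ip, 4500, 4500),
    }


# access-list 101 as posted (applied inbound on FastEthernet4)
ACL_101_POSTED = """
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 permit udp host 207.230.75.34 eq domain host 209.168.233.114
access-list 101 permit udp host 66.0.214.14 eq domain host 209.168.233.114
access-list 101 deny ip 192.168.69.0 0.0.0.255 any
access-list 101 permit icmp any host 209.168.233.114 echo-reply
access-list 101 permit icmp any host 209.168.233.114 time-exceeded
access-list 101 permit icmp any host 209.168.233.114 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit ip any any
""".strip().splitlines()

# The two entries added later in the thread. Numbered-ACL entries typed from config
# mode append after the existing last line. The redacted address is replaced with
# the one from the config (constructed stand-in).
ACL_101_AFTER = ACL_101_POSTED + [
    "access-list 101 permit udp any eq isakmp host 209.168.233.114 log",
    "access-list 101 permit udp any eq non500-isakmp host 209.168.233.114 log",
]

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_101_POSTED), ("with added entries", ACL_101_AFTER)):
        result = check_ipsec_ingress(acl, "101", "209.168.233.114", "198.51.100.7")
        for name, (action, text) in result.items():
            print(f"{label:20} {name:6} {action:6} <- {text}")
```

Because entries typed from configuration mode are appended after the existing last line of a numbered ACL, the evaluator reports which entry really decides a packet rather than just whether it passes; that is the check to run before relying on a new entry's log keyword for visibility into VPN connection attempts, and it also shows the RFC 1918 anti-spoofing denies doing their job for a source in 192.168.0.0/16.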
 
First off, remember you're going across NAT or PAT and you need to adjust your client accordingly. It is a setting in the VPN Client for that connection. If I remember right, the 2nd tab.

Config looks fine, a little too much SDM configuration, but otherwise you're fine there.

Zeroinfin
 
Wait a sec, where is your ident NAT or NAT 0 statement? Sorry, thought you were using the client. You're missing a NAT 0 statement telling the router not to NAT traffic that comes from your source to that destination.

 
Hi, zeroinfin:

Thanks for your interest. Would you please explain your last post a little more for this noob? Do you mean traffic that travels within the established tunnel?
 
Oh man---are you with SMS in Charlotte? I'm SMS in St. Louis! I work with Cody---you probably can figure out my name is not Burt...

Burt
 
Yes, and my parents didn't punish me by naming me Pra3tor1an :) I am new to the Charlotte office. Guess parts of the config are a little too public. Anyway, it's nice to have the router up and fully functional, with everyone's assistance. If you want to chat about Cisco (I could use the help) or whatever, give us a call and ask for the new IT guy. I'm not sure how to send a private message (if at all possible) on this forum.
 
Will do. And don't let Travis influence you---he's a bad apple...ha ha. Just kidding.

Burt
 
Yes it is, please. My users are able to VPN in after some corrections to my typos and adding the UDP protocols to the ACL list. Thanks, everyone, for your help.
 