
VPN Help - Cisco 877

Status
Not open for further replies.

xxstrobe

Technical User
Nov 5, 2006
15
GB
Hi All,

I am having problems with VPN on this 877 router. I have set up the VPN on the server. When I try to connect from a client PC at a remote site, the authentication process starts, then asks me for username and password, but eventually sticks on "negotiating security policies". Does anybody have any ideas?
 
You will need to post the debug (removing anything private) to show where the problem is. The output of debug crypto ipsec and debug crypto isakmp should do the trick.

What do the logs from the client say?
 
Post the routers running-config also.

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
 
Will post as soon as I am back on site.

A quick question in the mean time. What ip range should I use for the VPN pool range? Internally, the server issues addresses in 10.10.10.1 - 10.10.10.254. Should my VPN ip pool range be within this? Or on a completely different subnet? e.g. should I use something like 192.168.1.1 - 192.168.1.20?

Thanks,

Rob
 
The VPN pool needs to be on a different subnet, i.e. 192.168.1.1 - 192.168.1.20.

 
Running config is as follows! Any help much appreciated.

!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$zvZr$i35i88grPYj56gki77.tS1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.10.10.5
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4247156594
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4247156594
revocation-check none
rsakeypair TP-self-signed-4247156594
!
!
crypto pki certificate chain TP-self-signed-4247156594
certificate self-signed 01
quit
username mghconsulting privilege 15 secret 5 WOAH.
username mghvpn privilege 10 secret 5 WOAH.
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group MGHConsultingLTD
key WOAH
dns 10.10.10.5
wins 10.10.10.5
domain DOMAINNAME
pool SDM_POOL_1
save-password
max-users 9
banner ^CCHECK IT OUT NOW => => LOGGING IN ^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_6
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address 217.37.142.241 255.255.255.248
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname HOSTNAME
ppp chap password 7 PASSWORD
ppp pap sent-username USER password PASS
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 217.37.142.240 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 217.37.142.241 eq non500-isakmp
access-list 101 permit udp any host 217.37.142.241 eq isakmp
access-list 101 permit esp any host 217.37.142.241
access-list 101 permit ahp any host 217.37.142.241
access-list 101 permit ip host 192.168.1.1 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip host 192.168.1.3 any
access-list 101 permit ip host 192.168.1.4 any
access-list 101 permit ip host 192.168.1.5 any
access-list 101 permit ip host 192.168.1.6 any
access-list 101 permit ip host 192.168.1.7 any
access-list 101 permit ip host 192.168.1.8 any
access-list 101 permit ip host 192.168.1.9 any
access-list 101 permit ip host 192.168.1.10 any
access-list 101 permit ip host 192.168.1.11 any
access-list 101 permit ip host 192.168.1.12 any
access-list 101 permit ip host 192.168.1.13 any
access-list 101 permit ip host 192.168.1.14 any
access-list 101 permit ip host 192.168.1.15 any
access-list 101 permit ip host 192.168.1.16 any
access-list 101 permit ip host 192.168.1.17 any
access-list 101 permit ip host 192.168.1.18 any
access-list 101 permit ip host 192.168.1.19 any
access-list 101 permit ip host 192.168.1.20 any
access-list 101 permit ip host 192.168.1.1 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.2 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.3 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.4 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.5 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.6 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.7 10.10.10.0 0.0.0.255
access-list 101 permit ip host 192.168.1.8 10.10.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 192.168.1.1
access-list 102 deny ip any host 192.168.1.2
access-list 102 deny ip any host 192.168.1.3
access-list 102 deny ip any host 192.168.1.4
access-list 102 deny ip any host 192.168.1.5
access-list 102 deny ip any host 192.168.1.6
access-list 102 deny ip any host 192.168.1.7
access-list 102 deny ip any host 192.168.1.8
access-list 102 deny ip any host 192.168.1.9
access-list 102 deny ip any host 192.168.1.10
access-list 102 deny ip any host 192.168.1.11
access-list 102 deny ip any host 192.168.1.12
access-list 102 deny ip any host 192.168.1.13
access-list 102 deny ip any host 192.168.1.14
access-list 102 deny ip any host 192.168.1.15
access-list 102 deny ip any host 192.168.1.16
access-list 102 deny ip any host 192.168.1.17
access-list 102 deny ip any host 192.168.1.18
access-list 102 deny ip any host 192.168.1.19
access-list 102 deny ip any host 192.168.1.20
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.1
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.2
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.3
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.4
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.5
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.6
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.7
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.8
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.9
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.10
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.11
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.12
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.13
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.14
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.15
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.16
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.17
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.18
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.19
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 192.168.1.20
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.64
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.65
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.66
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.67
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.68
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.69
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.70
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.71
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.72
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.73
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.74
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.75
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.76
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.77
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.78
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.79
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.80
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.81
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.82
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.83
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.84
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.85
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.86
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.87
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.88
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.89
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.90
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.91
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.92
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.93
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.94
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.95
access-list 102 deny ip 10.10.10.0 0.0.0.255 host 10.10.10.96
access-list 102 deny ip any host 10.10.10.100
access-list 102 deny ip any host 10.10.10.101
access-list 102 deny ip any host 10.10.10.102
access-list 102 deny ip any host 10.10.10.103
access-list 102 deny ip any host 10.10.10.104
access-list 102 deny ip any host 10.10.10.105
access-list 102 deny ip any host 10.10.10.106
access-list 102 deny ip any host 10.10.10.107
access-list 102 deny ip any host 10.10.10.108
access-list 102 deny ip any host 10.10.10.109
access-list 102 deny ip any host 10.10.10.110
access-list 102 deny ip any host 10.10.10.111
access-list 102 deny ip any host 10.10.10.112
access-list 102 deny ip any host 10.10.10.113
access-list 102 deny ip any host 10.10.10.114
access-list 102 deny ip any host 10.10.10.115
access-list 102 deny ip any host 10.10.10.116
access-list 102 deny ip any host 10.10.10.117
access-list 102 deny ip any host 10.10.10.118
access-list 102 deny ip any host 10.10.10.119
access-list 102 deny ip any host 10.10.10.120
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


 
Try this as a banner page...
banner motd *
_________-----_____
_____------ __ ----_
___---- ___------ \
----________ ---- \
-----__ | _____)
__- / \
_______----- ___-- \ /)\
------_______ ---____ \__/ /
-----__ \ -- _ /\
--__--__ \_____/ \_/\
----| / |
| |___________|
| | ((_(_)| )_)
| \_((_(_)|/(_)
\ (
\_____________)

If this does not scare you, then perhaps the FEDs knocking your door down for trying to break into my network does...*

Burt
 
You have a lot of stuff going on on this 877. When you get this VPN working (and you will), it may be slow if it is performing stateful inspection and encrypting your tunnel.

Anyway, here are some things that may be the problem.

Make sure that the remote clients are configured to use the aaa authorization network sdm_vpn_group_ml_6 group, because this is the one you are permitting. For some reason you have 5 other ones, and if any of them are on the client the authorization will not work.

Next, add this line to your access list 101: access-list 101 permit udp any host 217.37.142.241 eq 4500. It is in case your remote clients are using NAT-T, and in this day and age I'm sure they are.

Last, I am not sure what this line in ACL 101 accomplishes: access-list 101 permit udp any host 217.37.142.241 eq non500-isakmp. I do not know what non500-isakmp means, but because your problem is during the authentication phase this may also be an issue. Research what it does; it may help to remove it. Hope this helps!

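A defender-side check for the two points raised in this thread, the pool/LAN overlap question and whether the inbound ACL on Dialer0 permits IKE, NAT-T and ESP: an added Python example, not code from the thread or from Cisco, that parses the posted access-list 101 lines (quoted inline as a constructed excerpt). In IOS ACL syntax `non500-isakmp` is the keyword for UDP port 4500, so the checker resolves it to 4500; the outside address, pool and LAN values are the ones in the posted config.

```python
import ipaddress
import re

# Lines quoted from the running-config posted above (constructed excerpt).
SAMPLE_CONFIG = """
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
access-list 101 permit udp any host 217.37.142.241 eq non500-isakmp
access-list 101 permit udp any host 217.37.142.241 eq isakmp
access-list 101 permit esp any host 217.37.142.241
access-list 101 permit ip host 192.168.1.1 any
"""

# IOS ACL port keywords: 'non500-isakmp' is the named form of UDP/4500
# (IKE NAT-T), so 'eq 4500' and 'eq non500-isakmp' match the same packets.
UDP_PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Matches '<action> <proto> <src> host <dst> [eq <port>]' entries only.
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)"
                    r"\s+host\s+(\S+)(?:\s+eq\s+(\S+))?\s*$")

def parse_acl(config_text, acl_number):
    """(action, proto, src, dst, port) tuples for one numbered ACL; port names resolved."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != acl_number:
            continue
        action, proto, src, dst, port = m.groups()[1:]
        if port is not None:
            port = int(port) if port.isdigit() else UDP_PORT_NAMES.get(port, port)
        entries.append((action, proto, src, dst, port))
    return entries

def ipsec_inbound_permits(config_text, acl_number, outside_ip):
    """Which of IKE (udp/500), NAT-T (udp/4500) and ESP may reach the outside address."""
    found = {"udp/500": False, "udp/4500": False, "esp": False}
    for action, proto, src, dst, port in parse_acl(config_text, acl_number):
        if action != "permit" or src != "any" or dst != outside_ip:
            continue
        if proto == "udp" and port in (500, 4500):
            found["udp/%d" % port] = True
        elif proto == "esp":
            found["esp"] = True
    return found

def pool_overlaps_lan(pool_start, pool_end, lan_cidr):
    """True if the 'ip local pool' range shares any address with the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return start in lan or end in lan or start <= lan.network_address <= end
```

Run against the posted config, the checker reports all three IPsec permits present and no overlap between the 192.168.1.x pool and the 10.10.10.0/24 LAN.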
 