Problem with C2S VPN
Hello all,
im trying to set up a client 2 site VPN
i made the certificates and all seems to be ok.
But when ill try to connect ill get an IKE error.
Server
8.4.2008 16.46.27 ***Receive Main Mode message from "Client"
8.4.2008 16.46.27 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=-1519469044
8.4.2008 16.46.27 Start IKE-SA A300A180 - Responder,src="Bordermanager",dst="Client",TotSA=1
8.4.2008 16.46.27 AUTH ALG IS 3
8.4.2008 16.46.27 IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
8.4.2008 16.46.27 ****DH private exponent size is 1016****
8.4.2008 16.46.27 Local server's interfaces : 160.98.12.215
8.4.2008 16.46.27 Local server's interfaces : "Bordermanager"
8.4.2008 16.46.27 Recieved Supported Vendor id Novell Border Manager VPN 4.0 client - Protected Net from "Client"
8.4.2008 16.46.27 Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from "Client"
8.4.2008 16.46.27 ***Send Main Mode message to "Client"
8.4.2008 16.46.27 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=FBD1F71E3DD24D13,MsgID=0,1stPL=SA-PAYLOAD,state=-1519469044
8.4.2008 16.46.27 ***Receive Main Mode message from "Client"
8.4.2008 16.46.27 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=FBD1F71E3DD24D13,MsgID=0,1stPL=KEY-PAYLOAD,state=-1519468992
8.4.2008 16.46.27 No NAT detected
8.4.2008 16.46.27 info: sending certificate request payload is disabled
8.4.2008 16.46.27 ***Send Main Mode message to "Client"
8.4.2008 16.46.27 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=FBD1F71E3DD24D13,MsgID=0,1stPL=KEY-PAYLOAD,state=-1519468992
8.4.2008 16.46.28 ***Receive Main Mode message from "Client"
8.4.2008 16.46.28 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=FBD1F71E3DD24D13,MsgID=0,1stPL=ID-PAYLOAD,state=-1519468980
8.4.2008 16.46.28 Recieved MM ID payload type 3 protocol 0 portnum 0 length 28
8.4.2008 16.46.28 Recieved notify message type 24578 from "Client"
8.4.2008 16.46.28 Recieved INITIAL_CONTACT notify deleting all old SA's with "Client" address
8.4.2008 16.46.28 sending notify message type 65519 to "Client"
8.4.2008 16.46.28 ***Send Unacknowledge Informational message to "Client"
8.4.2008 16.46.28 I-COOKIE=6A90A46A7BFC1D30,R-COOKIE=FBD1F71E3DD24D13,MsgID=E30B49FB,1stPL=HASH-PAYLOAD,state=-1519468932
8.4.2008 16.46.28 Failed to create IKE-SA - ACL Check Failed , dst = "Client"
8.4.2008 16.46.28 IKE-SA A300A180 is Deleted,I-COOKIE=6A90A46A,R-COOKIE=FBD1F71E,dst="Client"
8.4.2008 16.46.28 State:2 Cond:4 TimerEvent:1
8.4.2008 16.46.28 lifetime :28800 sec Rekey Time :0 sec
8.4.2008 16.46.28 Created at :0 sec Remaining life time :-9592119 sec Current time 9620919
8.4.2008 16.46.28 The client "Client" removed from vpninf
8.4.2008 16.46.28 Freeing IKE SA
Client
04-08-2008 04:46:25 PM Created thread for SendKeepAlivePacketProcess
04-08-2008 04:46:25 PM Loaded: 1 private key(s).
04-08-2008 04:46:25 PM Loaded: 2 certificate(s), 2 public key(s).
04-08-2008 04:46:25 PM Cert data len = 1367
04-08-2008 04:46:25 PM Cert data len = 1328
04-08-2008 04:46:25 PM Read trusted root cert file C:\Novell\Vpnc\Certificates\Trusted Roots\Border2.der
04-08-2008 04:46:25 PM Start IPSEC SA 00a12340 - Initiator****totSA=1
04-08-2008 04:46:25 PM src from IPsec
04-08-2008 04:46:25 PM 00000000 00000000
04-08-2008 04:46:25 PM dst from IPsec
04-08-2008 04:46:25 PM 00000000 91fdc084
04-08-2008 04:46:25 PM Start IKE-SA 007099a8 - Initiator,src="Client",dst="Bordermanager",TotSA=1
04-08-2008 04:46:25 PM AUTH ALG IS 3
04-08-2008 04:46:25 PM setting rsa sig 3
04-08-2008 04:46:25 PM ***Send Main Mode message to "Bordermanager"
04-08-2008 04:46:25 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=0000000000000000,MsgID=0,1stPL=SA-PAYLOAD,state=25754368
04-08-2008 04:46:26 PM ***Receive Main Mode message from "Bordermanager"
04-08-2008 04:46:26 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=fbd1f71e3dd24d13,MsgID=0,1stPL=SA-PAYLOAD,state=24705744
04-08-2008 04:46:26 PM IKE SA NEGOTIATION: Peer lifetime = 28800 My lifetime=28800
04-08-2008 04:46:26 PM Recieved Supported Vendor id draft-ietf-ipsec-nat-t-ike-03 from "Bordermanager"
04-08-2008 04:46:26 PM ***Send Main Mode message to "Bordermanager"
04-08-2008 04:46:26 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=fbd1f71e3dd24d13,MsgID=0,1stPL=KEY-PAYLOAD,state=24705644
04-08-2008 04:46:26 PM ***Receive Main Mode message from "Bordermanager"
04-08-2008 04:46:26 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=fbd1f71e3dd24d13,MsgID=0,1stPL=KEY-PAYLOAD,state=24705744
04-08-2008 04:46:26 PM No NAT detected
04-08-2008 04:46:26 PM *Sending MM id payload Type 3 - subject name :9 subject alternative name :2,3
04-08-2008 04:46:26 PM *protocol 0 portnum 0 length 28
04-08-2008 04:46:26 PM Sending INITIAL_CONTACT notify to "Bordermanager"
04-08-2008 04:46:26 PM ***Send Main Mode message to "Bordermanager"
04-08-2008 04:46:26 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=fbd1f71e3dd24d13,MsgID=0,1stPL=ID-PAYLOAD,state=24705644
04-08-2008 04:46:27 PM ***Receive Unacknowledge Informational message from "Bordermanager"
04-08-2008 04:46:27 PM I-COOKIE=6a90a46a7bfc1d30,R-COOKIE=fbd1f71e3dd24d13,MsgID=e30b49fb,1stPL=HASH-PAYLOAD,state=24705744
04-08-2008 04:46:27 PM Recieved notify message type -17 from "Bordermanager"
04-08-2008 04:46:27 PM Error :No matching Certifcate authentication rule in server ,check Server Configuration
04-08-2008 04:46:27 PM Notify Recvd :Deleting IKE SA and related QM SAS - Peer "Bordermanager"
04-08-2008 04:46:27 PM Exiting thread for SendKeepAlivePacketProcess
The Client got an public IP.
It seems to be a server problem, but all i found is a fix to an server 2 server VPN.
any Idear
thx
Tribion
In article <[email protected]>, Tribion 72
wrote:
> 8.4.2008 16.46.28 Failed to create IKE-SA - ACL Check Failed , dst =
>
I think there's your problem.
The ACL check failed message is saying that your access has been
denied. What did you set up in the authentication rules?
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
Similar Messages
-
Problem with Cisco VPN since upgrade to Snow Leopard
Since upgrading to Snow Leopard a couple of hours ago I can no longer open up my CiscoVPN application (version 4.9.01) which I use to connect to my network at work. When I try now I just get an "Error 51: message"
*Error 51: Unable to communicate with the VPN subsystem.*
Please make sure that you have at least one network interface that is currently active and has an IP address and start this application again.
I can still connect to the network if I use Parallels and use the Windows VPN client - but that's not really the point! I've tried the popular suggestion for Error 51 errors in the past (typing "sudo SystemStarter restart CiscoVPN" via Terminal) which doesn't work.
Any ideas or help appreciated.
AcculessI was able to get it working without re-downloading the client (4.9.0.1.0080 was already installed). I noticed that System/Library/StartupItems/CiscoVPN had been removed during the upgrade to snow leopard, so I pulled it back off of a Time Machine backup. Restoring that directory and doing a 'sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart' seemed to fix things up.
-
Problem with Cisco VPN client and HP elitebook 2530p windows 7 64-bit
Hi there
I have a HP Elitebook 2530p which i upgraded to windows 7 64-bit. I installed the Cisco VPN client application (ver. 5.0.07.0290 and also 64-bit) and the HP connection manager to connect to the internet through a modem Qualcomm gobi 1000 (that is inside the laptop). When I connect to the VPN, it connects (I write the username and password) but there is no traffic inside de virtual adapter for my servers. When I connect to the internet through wire or wireless internet, I connect de VPN client and there is no problem to establish communication to my servers.
I tried everything, also change the driver and an earlier version of the HP connection manager application. I also talked to HP and they told me that there was a report with this kind of problem and it was delivered to Cisco. I don’t know where is the problem.
Could anyone help me?
Thanks to all.You can try to update Deterministic Network Enhancer to the below listed release which supports
WWAN Drivers.
http://www.citrix.com/lang/English/lp/lp_1680845.asp.
DNE now supports WWAN devices in Win7. Before downloading the latest version of DNEUpdate from the links below, be sure you have the latest
drivers for your network adapters by downloading them from the vendors websites.
For 64-bit: ftp://files.citrix.com/dneupdate64.msi
Hope that helps. -
Problems with PPTP VPN server authentication - Could not retrieve key agent account information
Errr so far switching to a mac based server has been a mess. I have had it with permission issues!!
Here is my latest problem. After rebuilding the server several times my VPN clients can't connect. Every other time it has been fine but for some reason its just not working. I did recreate the vpn from a back up. I am not sure if that has anything to do with it. Anyway below is the error I am getting. Anyone have any idea what is causing it? You have all already been so helpful. Thank you very much!
DSAuth plugin: Could not retrieve key agent account information.
DSAuth plugin: MPPE key required, but its retrieval failed.
CHAP peer authentication failed for joelThank you for your help John. Before I could even employ your suggestion the server crashed. I don't understand why I am constantly dealing with these issues. I cloned the install to a new HDD and then did a reinstall. That fixed VPN, so far so good. But talk to me next week, something else will happen I'm sure.
-
Problem with AnyConnect VPN on ASA 5505
Hello everyone,
We're troubleshooting an issue where a client cannot pass any traffic across an AnyConnect VPN with an ASA5505 as the endpoint. The client receives and IP address in the 172.16.0.1/24 range and the ASA creates a static route to the 10.0.0.0/24 internal network but we cannot ping or connect to any internal IP address. The connection appears to fully build and pass traffic (based on the byte counts which increase) but we can't talk to the main network.
Does anyone have any ideas as to what I can check?
Thanks!
RyanAnyConnect client should not be in the same subnet as the internal hosts. It needs to be unique subnet within your environment, so you were on the right path initially.
If you can share your config, that would be easier for us to check.
In the meantime, a few things to check:
1) Have you configured split tunnel policy?
2) Do you have NAT exemption configured?
3) Any VPN filter configured that might be blocking the traffic?
4) Does the internal network know how to route back to the VPN Pool subnet (ie: via the ASA)
5) Lastly, do you have "inspect icmp" configured? -
Problems with Cisco VPN & UMTS
Hello!
Just got a new MacBook Pro 2,0 and am busy setting it up for mobile access to our corporate network.
I´m using Cisco VPN Client 4.9.00 (0050).
When I am using my wireless router at home (over a DSL line) everything works fine, but when I am connected over a SonyEricsson K608 UMTS/3G phone, the client does not seem to be able to connect:
Error log is as follows:
1 16:30:34.115 05/28/2006 Sev=Info/4 CM/0x43100002
Begin connection process
2 16:30:34.116 05/28/2006 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
3 16:30:34.116 05/28/2006 Sev=Info/4 CM/0x43100024
Attempt connection with server "xxx.xxx.xxx.xxx"
4 16:30:34.117 05/28/2006 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
5 16:30:34.117 05/28/2006 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).
6 16:30:34.117 05/28/2006 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx.
7 16:30:34.618 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
8 16:30:35.219 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
9 16:30:35.820 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
10 16:30:36.422 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
11 16:30:37.023 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
12 16:30:37.624 05/28/2006 Sev=Warning/2 CVPND/0x83400018
Output size mismatch. Actual: 0, Expected: 237. (DRVIFACE:1319)
13 16:30:37.624 05/28/2006 Sev=Info/4 IKE/0x43000075
Unable to acquire local IP address after 5 attempts (over 5 seconds), probably due to network socket failure.
14 16:30:37.624 05/28/2006 Sev=Warning/2 IKE/0xC300009A
Failed to set up connection data
Has anybody heard of something like that?
I tried the same on a G4 iBook with the same configuration, and everything works fine there.
Bye, Frido.If you have a data plan on your phone, make sure it is VPN capable. T-mobile has this option. There is something with the routing and proxies that they use.
Most cell providers will also block most ports other than say 80 and other ports they specifically use. -
Still having problems with VPN access
Hello!
I am having problems with my VPN clients getting access to the networks over a MPLS infrastruture. I can reach these resources form my Core network (172.17.1.0/24) and my Wifi (172.17.100.0/24) but not from my VPN network (172.17.200.0/24). From the VPN I can reach the Wifi network (which is behind a router) and the rule that allows that also allows access to the other networks but for some reason it is not working.
When I ping inside the core network from VPN I can connect and get responses. When I ping to the Wifi network, I can get responses and connect to resources there. A tracert to the wifi network shows it hitting the core switch (a 3750 stack) @ 172.17.1.1, then the Wifi router (172.17.1.3) and then the host. A tracert to a resource on the MPLS network from the VPN shows a single entry (the destination host) and then 29 time outs but will not ping that resource nor connect.
I've posted all the info I can think of below. Any help appreciated.
*** Here is a tracert from a core network machine to the resource we need on the MPLS:
C:\Windows\system32>tracert 10.2.0.125
Tracing route to **************** [10.2.0.125]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms 172.17.1.1
2 1 ms <1 ms <1 ms 172.17.1.10
3 5 ms 5 ms 5 ms 192.168.0.13
4 31 ms 30 ms 31 ms 192.168.0.5
5 29 ms 30 ms 29 ms 192.168.0.6
6 29 ms 29 ms 29 ms 192.168.20.4
7 29 ms 29 ms 29 ms RV-TPA-CRMPROD [10.2.0.125]
Trace complete.
172.17.1.10 is the mpls router.
**** Here is the routing table (sh ip route) from the 3750 @ 172.17.1.1
Gateway of last resort is 172.17.1.2 to network 0.0.0.0
S 192.168.30.0/24 [1/0] via 172.17.1.10
172.17.0.0/24 is subnetted, 3 subnets
S 172.17.200.0 [1/0] via 172.17.1.2
C 172.17.1.0 is directly connected, Vlan20
S 172.17.100.0 [1/0] via 172.17.1.3
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.1.0 [1/0] via 172.17.1.10
S 192.168.11.0/24 [1/0] via 172.17.1.10
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S 10.2.0.0/24 [1/0] via 172.17.1.10
S 10.10.10.0/24 [1/0] via 172.17.1.10
S 10.20.0.0/24 [1/0] via 172.17.1.10
S 10.3.0.128/25 [1/0] via 172.17.1.10
S 192.168.1.0/24 [1/0] via 172.17.1.10
S* 0.0.0.0/0 [1/0] via 172.17.1.2
*** Here is the firewall config (5510):
ASA Version 8.4(1)
hostname RVGW
domain-name ************
enable password b5aqRk/6.KRmypWW encrypted
passwd 1ems91jznlfZHhfU encrypted
names
interface Ethernet0/0
nameif Outside
security-level 10
ip address 5.29.79.10 255.255.255.248
interface Ethernet0/1
nameif Inside
security-level 100
ip address 172.17.1.2 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 172.19.1.1 255.255.255.0
management-only
banner login RedV GW
ftp mode passive
dns server-group DefaultDNS
domain-name RedVector.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WiFi
subnet 172.17.100.0 255.255.255.0
description WiFi
object network inside-net
subnet 172.17.1.0 255.255.255.0
object network NOSPAM
host 172.17.1.60
object network BH2
host 172.17.1.60
object network EX2
host 172.17.1.61
description Internal Exchange / Outbound SMTP
object network Mail2
host 5.29.79.11
description Ext EX2
object network NETWORK_OBJ_172.17.1.240_28
subnet 172.17.1.240 255.255.255.240
object network NETWORK_OBJ_172.17.200.0_24
subnet 172.17.200.0 255.255.255.0
object network VPN-CLIENT
subnet 172.17.200.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_1
network-object object BH2
network-object object NOSPAM
object-group network VPN-CLIENT-PAT-SOURCE
description VPN-CLIENT-PAT-SOURCE
network-object object VPN-CLIENT
object-group network LAN-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.2.0.0 255.255.255.0
network-object 10.3.0.0 255.255.255.0
network-object 172.17.100.0 255.255.255.0
network-object 172.18.1.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
object-group network VPN-POOL
network-object 172.17.200.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq smtp
access-list Outside_access_in extended permit tcp any object BH2 object-group DM_INLINE_TCP_1
access-list global_mpc extended permit ip any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination Inside 172.17.1.52 9996
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 172.17.1.240-172.17.1.250 mask 255.255.255.0
ip local pool VPN2 172.17.200.100-172.17.200.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static EX2 Mail2
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_172.17.200.0_24 NETWORK_OBJ_172.17.200.0_24
nat (Inside,Outside) source static inside-net inside-net destination static NETWORK_OBJ_172.17.1.240_28 NETWORK_OBJ_172.17.1.240_28
nat (Inside,Outside) source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL
object network inside-net
nat (Inside,Outside) dynamic interface
object network NOSPAM
nat (Inside,Outside) static 5.29.79.12
nat (Outside,Outside) after-auto source dynamic VPN-CLIENT-PAT-SOURCE interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 5.29.79.9 1
route Inside 10.2.0.0 255.255.255.0 172.17.1.1 1
route Inside 10.3.0.0 255.255.255.128 172.17.1.1 1
route Inside 10.10.10.0 255.255.255.0 172.17.1.1 1
route Inside 172.17.100.0 255.255.255.0 172.17.1.3 1
route Inside 172.18.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.1.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.11.0 255.255.255.0 172.17.1.1 1
route Inside 192.168.30.0 255.255.255.0 172.17.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RedVec protocol ldap
aaa-server RedVec (Inside) host 172.17.1.41
ldap-base-dn DC=adrs1,DC=net
ldap-group-base-dn DC=adrs,DC=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Hanna\, Roger,OU=Humans,OU=WPLAdministrator,DC=adrs1,DC=net
server-type microsoft
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 Inside
http 24.32.208.223 255.255.255.255 Outside
snmp-server host Inside 172.17.1.52 community *****
snmp-server location Server Room 3010
snmp-server contact Roger Hanna
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.17.1.0 255.255.255.0 Inside
telnet timeout 5
ssh 172.17.1.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
dhcpd address 172.17.1.100-172.17.1.200 Inside
dhcpd dns 172.17.1.41 172.17.1.42 interface Inside
dhcpd lease 100000 interface Inside
dhcpd domain adrs1.net interface Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy RedV internal
group-policy RedV attributes
wins-server value 172.17.1.41
dns-server value 172.17.1.41 172.17.1.42
vpn-tunnel-protocol ikev1
default-domain value ADRS1.NET
group-policy RedV_1 internal
group-policy RedV_1 attributes
wins-server value 172.17.1.41
dns-server value 172.17.1.41 172.17.1.42
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
default-domain value adrs1.net
username rparker password FnbvAdOZxk4r40E5 encrypted privilege 15
username rparker attributes
vpn-group-policy RedV
username mhale password 2reWKpsLC5em3o1P encrypted privilege 0
username mhale attributes
vpn-group-policy RedV
username dcoletto password g53yRiEqpcYkSyYS encrypted privilege 0
username dcoletto attributes
vpn-group-policy RedV
username rhanna password Pd3E3vqnGmV84Ds2 encrypted privilege 15
username rhanna attributes
vpn-group-policy RedV
tunnel-group RedV type remote-access
tunnel-group RedV general-attributes
address-pool VPN2
authentication-server-group RedVec
default-group-policy RedV
tunnel-group RedV ipsec-attributes
ikev1 pre-shared-key *****
class-map global-class
match access-list global_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class global-class
flow-export event-type all destination 172.17.1.52
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:202ad58ba009fb24cbd119ed6d7237a9Hi Roger,
I bet you already checked it, but does the MPLS end router has route to VPN client subnet 172.17.200.x (or default) pointing to core rtr)?
Also, if the MPLS link has any /30 subnet assigned, you may need to include that as well in Object group LAN-NETWORKS.
Thx
MS -
VPN problems with SLS 10.6.2 using L2TP
Hi folks,
I see I'm not the only one having problems with getting VPN to work.
Well, I've gotten PPTP to work just fine but I do need to get L2TP to work as well.
The strange thing is that when I try using L2TP the log is completely silent.
I'm running Snow Leopard Server 10.6.2 with the built-in firewall.
I've tried turning of the firewall but still no log-entries...
I've double checked that all the ports are open, I've tried changing the VPN IP series.
I've tried to enable both DHCP and NAT... still nothing seems to do the trick.
Any ideas?Here are my VPN settings:
vpn:Servers:com.apple.ppp.pptp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedSearchDomains = emptyarray
vpn:Servers:com.apple.ppp.pptp:DNS:OfferedServerAddresses:arrayindex:0 = "*servers external ip*"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:arrayindex:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:arrayindex:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:arrayindex:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.pptp:Radius:Servers:arrayindex:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:Interface:SubType = "PPTP"
vpn:Servers:com.apple.ppp.pptp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:arrayindex:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorACLPlugins:arrayindex:0 = "DSACL"
vpn:Servers:com.apple.ppp.pptp:PPP:CCPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.pptp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.pptp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize128 = 1
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:arrayindex:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.pptp:PPP:MPPEKeySize40 = 0
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorPlugins:arrayindex:0 = "DSAuth"
vpn:Servers:com.apple.ppp.pptp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.pptp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.pptp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.pptp:PPP:CCPProtocols:arrayindex:0 = "MPPE"
vpn:Servers:com.apple.ppp.pptp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:arrayindex:0 = "10.0.1.101"
vpn:Servers:com.apple.ppp.pptp:IPv4:DestAddressRanges:arrayindex:1 = "10.0.1.150"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteAddresses:arrayindex:0 = "10.0.1.0"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteTypes:arrayindex:0 = "Private"
vpn:Servers:com.apple.ppp.pptp:IPv4:OfferedRouteMasks:arrayindex:0 = "255.255.255.0"
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingAddress = "1.2.3.4"
vpn:Servers:com.apple.ppp.l2tp:Server:MaximumSessions = 128
vpn:Servers:com.apple.ppp.l2tp:Server:LoadBalancingEnabled = 0
vpn:Servers:com.apple.ppp.l2tp:Server:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:Server:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedSearchDomains = emptyarray
vpn:Servers:com.apple.ppp.l2tp:DNS:OfferedServerAddresses:arrayindex:0 = "*servers external ip*"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:arrayindex:0:SharedSecret = "1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:arrayindex:0:Address = "1.1.1.1"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:arrayindex:1:SharedSecret = "2"
vpn:Servers:com.apple.ppp.l2tp:Radius:Servers:arrayindex:1:Address = "2.2.2.2"
vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:Interface:SubType = "L2TP"
vpn:Servers:com.apple.ppp.l2tp:Interface:Type = "PPP"
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoFailure = 5
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdle = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:arrayindex:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorACLPlugins:arrayindex:0 = "DSACL"
vpn:Servers:com.apple.ppp.l2tp:PPP:VerboseLogging = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:IPCPCompressionVJ = 0
vpn:Servers:com.apple.ppp.l2tp:PPP:ACSPEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoInterval = 60
vpn:Servers:com.apple.ppp.l2tp:PPP:LCPEchoEnabled = 1
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:arrayindex:0 = "MSCHAP2"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorPlugins:arrayindex:0 = "DSAuth"
vpn:Servers:com.apple.ppp.l2tp:PPP:Logfile = "/var/log/ppp/vpnd.log"
vpn:Servers:com.apple.ppp.l2tp:PPP:DisconnectOnIdleTimer = 7200
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecretEncryption = "Keychain"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:SharedSecret = "com.apple.ppp.l2tp"
vpn:Servers:com.apple.ppp.l2tp:IPSec:AuthenticationMethod = "SharedSecret"
vpn:Servers:com.apple.ppp.l2tp:IPSec:RemoteIdentifier = ""
vpn:Servers:com.apple.ppp.l2tp:IPSec:IdentifierVerification = "None"
vpn:Servers:com.apple.ppp.l2tp:IPSec:LocalCertificate = **
vpn:Servers:com.apple.ppp.l2tp:IPv4:ConfigMethod = "Manual"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:arrayindex:0 = "10.0.1.10"
vpn:Servers:com.apple.ppp.l2tp:IPv4:DestAddressRanges:arrayindex:1 = "10.0.1.100"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteAddresses:arrayindex:0 = "10.0.1.0"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteTypes:arrayindex:0 = "Private"
vpn:Servers:com.apple.ppp.l2tp:IPv4:OfferedRouteMasks:arrayindex:0 = "255.255.255.0"
vpn:Servers:com.apple.ppp.l2tp:L2TP:Transport = "IPSec"
vpn:Servers:com.apple.ppp.l2tp:L2TP:IPSecSharedSecretValue = "*****" -
Problem with VPN client on Cisco 1801
Hi,
I have configured a new router for a customer.
All works fine but i have a strange issue with the VPN client.
When i start the VPN the client don't close the connection, ask for password, start to negotiate security policy the show the not connected status.
This is the log form the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:37:59.133 04/08/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 14:38:01.321 04/08/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5 14:38:02.380 04/08/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6 14:38:02.384 04/08/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 14:38:02.388 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11 14:38:02.460 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12 14:38:02.506 04/08/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
13 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22 14:38:02.465 04/08/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 14:38:02.465 04/08/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 14:38:02.502 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25 14:38:02.502 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26 14:38:02.502 04/08/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 14:38:07.623 04/08/13 Sev=Info/4 CM/0x63100017
xAuth application returned
28 14:38:07.623 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29 14:38:12.656 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
30 14:38:22.808 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
31 14:38:32.949 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:38:43.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:38:53.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:39:03.371 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 14:39:13.514 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 14:39:23.652 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
37 14:39:33.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 14:39:43.948 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
39 14:39:54.088 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 14:40:04.233 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
41 14:40:14.384 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
42 14:40:24.510 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 14:40:34.666 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 14:40:44.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
45 14:40:54.947 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
46 14:41:05.090 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 14:41:15.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 14:41:25.370 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
49 14:41:35.524 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 14:41:45.665 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 14:41:55.805 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
52 14:42:05.951 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
53 14:42:16.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 14:42:26.228 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
55 14:42:36.383 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
56 14:42:46.523 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 14:42:56.664 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60 14:43:03.248 04/08/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61 14:43:03.248 04/08/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62 14:43:03.248 04/08/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
63 14:43:03.262 04/08/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
64 14:43:03.262 04/08/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
65 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
67 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
68 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.10
dns-server 10.0.1.200 8.8.8.8
domain-name xxx
lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Anyone can help me ?
Sometimes the vpn can be vreated using the iPhone or iPad vpn client...I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP? -
Problem with IP phone over VPN
| UC520 | ------------------------ | 861 |
| |
LAN LAN
Scenario:
UC520 box is at HQ and serving as a EZVPN server and 861 at branch as a EZVPN client. There is no problem with VPN i can communicate with HQ network. My ip phone get registered but facing these problems.
1) Dialling out and in OK
2) Connects OK after picking up
3) NO sound either way
4) Cannot end call from this side. End call button does not work
5) When other end hangs up - message "UCM down, features disabled". Then phone registers again.
Identical symptoms for both softphone and 7941.This document provides a sample configuration for Quality of Service (QoS) for Voice over IP (VoIP) traffic on VPN tunnels that terminate on the PIX/ASA Security Appliances.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml -
Problem with ASA 5505 VPN config
Hi to all,
I have a problem with ASA 5505 remote access vpn. I have site-to-site VPN and I need that my VPN clients can access IP subnets that I have behind site-to-site VPN. All that I have tried I get and error to my log “Flow is a loopback”.
So what I need : for example I need that vpn client with ip 10.0.0.1 can go to 192.168.1.2
My config:
access-list Test_splitTunnelAcl standard permit host 10.0.2.3
access-list Test_splitTunnelAcl standard permit host 10.0.2.4
access-list Test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list nonat_outside extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool VPN_Client_Pool2 10.0.0.1-10.0.0.200 mask 255.255.255.0
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Test_splitTunnelAcl
Site-to-Site:
crypto map outside_map 3 set peer 195.233.x.x
access-list outside_3_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_4
object-group network DM_INLINE_NETWORK_2
network-object 10.0.2.0 255.255.255.0
network-object 10.0.3.0 255.255.255.0
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.2.70
network-object host 192.168.3.55
network-object 192.168.1.0 255.255.255.0
I hope that someone can post an answer and solve my problemA few things are required:
1) You don't need the following 2 lines, so it can be removed:
nat (outside) 0 access-list nonat_outside
nat (outside) 1 10.0.0.0 255.255.255.0
2) On the ASA, you need to configure:
same-security-traffic permit intra-interface
3) Object group: DM_INLINE_NETWORK_2 needs to include 10.0.0.0/24
4) On the remote lan-to-lan end, the crypto ACL also needs to include 10.0.0.0/24 as the destination subnet.
5) The NAT exemption (NONAT) on the remote lan-to-lan end also needs to include 10.0.0.0/24 as the destination subnet.
Hope that will resolve your problem. -
Problem with VPN Client passthrough on ASA 5505
I am having a problem with passing through a VPN client connection on an ASA 5505. The ASA is running version 8 and terminates an anyconnect VPN. The ASA is using PAT. When the inside user connects with the VPN client, it connects but no traffic passes through the tunnel. I see the error
305006 regular translation creation failed for protocol 50 src INSIDE:y.y.y.y dst OUTSIDE:x.x.x.x
UDP 500,4500 and ESP are allowed into the ASA. Ipsec inspection has also been setup on a global policy, but the user still cannot pass traffice to the remote VPN he is connected through.
At the Main Office we have an ASA 5510 that terminates a site to site VPN, allows remote connections with PAT and allows passthrough no problems. Any ideas?I am having a simuliar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP? -
Problem with Word 2013 through VPN
Hello,
From several weeks my company has a problem
with Word 2013 when laptop is connected to the network
via VPN.
Symptoms:
- Word 2013 is opening very slow (even
opening a blank card)
- there are no matter if I try to open blank page or network files
- All other Office 2013 components are working fine (Excel, Powerpoint etc).
- When I disconnect from a VPN, Word is opening properly.
It is not a problem with VPN because:
- Word is opening locally (not network files)
- before we had Word 2010 and it was working smoothly
Does anyone know a similar case
and could help solve this problem?
Regards,
PawelHi,
"- before we had Word 2010 and it was working smoothly" -
Word 2013 might deal with documents in different ways.
Since Word will open properly when you disconnect from a VPN, you might want to start by analyzing the network traffic, VPN connections.
Please try to check the option "Copy remotely stored files onto your computer and update the remote file when saving" in
FILE>Options>Advanced>Save section, and then verify result.
The other thing to check is add-ins. I'd suggest you to start Word in safe mode and see if issue persists:
Press Win + R and type "winword /safe" in the blank box, then press Enter.
Thanks,
Ethan Hua CHN
TechNet Community Support
It's recommended to download and install
Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
programs. -
Problem with L2TP IPSEC VPN login...
Hello,
I have a problem with my trying to login on my laptop to my work vpn. I was given from my work, the vpn's ip address, the psk, my username, and password for the vpn. I feel like I am hitting a brick wall and makes me just want to forget it all together... I can get in with my info on this same laptop on the same connection at my apartment from my windows 8.1 partition just fine. I have also verified and triple checked all my vpn information required. I also don't know but I think have it setup to use PAP, MS CHAP, or MS CHAP v2.. Any help I would be greatly appreciated. Pretty much the way my VPN for my work works is you have to VPN on L2TP over IPSEC with a username and password and a psk to allow you to remote desktop to my desktop at work. Really wish this could work as I am tired of supporting windows at home when I pretty much only use it to VPN into work when I have to get work done...
pacman -Q openswan
openswan 2.6.41-1
pacman -Q xl2tpd
xl2tpd 1.3.6-1
uname -a
Linux tux 3.17.1-1-ARCH #1 SMP PREEMPT Wed Oct 15 15:04:35 CEST 2014 x86_64 GNU/Linux
Now I have all the configs setup below following the L2TP/IPsec VPN client setup arch wiki page and I keep getting this:
ipsec auto --up <vpn connection name>
022 "<vpn connection name>": We cannot identify ourselves with either end of this connection.
my process to run the vpn connection:
sudo systemctl start openswan
sudo systemctl start xl2tpd
ipsec auto --up <vpn connection name>
echo "c <vpn connection name>" > /var/run/xl2tpd/l2tp-control
how I added my vpn connection:
sudo ipsec auto --add <vpn connection name>
/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = <my ip address>
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lac <vpn connection name>]
lns = <vpn ip address>
pppoptfile = /etc/ppp/<vpn connection name>.options.xl2tpd
length bit = no
redial = no
/etc/ppp/<vpn connection name>.options.xl2tpd
plugin passprompt.so
ipcp-accept-local
ipcp-accept-remote
idle 72000
ktune
noproxyarp
asyncmap 0
noauth
crtscts
lock
hide-password
modem
noipx
ipparam L2tpIPsecVpn-<vpn connection name>
promptprog "/usr/bin/L2tpIPsecVpn"
refuse-eap
remotename ""
name "<vpn username>"
password <vpn password>
usepeerdns
/etc/ipsec.secrets
%any @<vpn ip address>: PSK <psk key here>
Last edited by adramalech (2014-10-25 04:53:46)Hello,
I have a problem with my trying to login on my laptop to my work vpn. I was given from my work, the vpn's ip address, the psk, my username, and password for the vpn. I feel like I am hitting a brick wall and makes me just want to forget it all together... I can get in with my info on this same laptop on the same connection at my apartment from my windows 8.1 partition just fine. I have also verified and triple checked all my vpn information required. I also don't know but I think have it setup to use PAP, MS CHAP, or MS CHAP v2.. Any help I would be greatly appreciated. Pretty much the way my VPN for my work works is you have to VPN on L2TP over IPSEC with a username and password and a psk to allow you to remote desktop to my desktop at work. Really wish this could work as I am tired of supporting windows at home when I pretty much only use it to VPN into work when I have to get work done...
pacman -Q openswan
openswan 2.6.41-1
pacman -Q xl2tpd
xl2tpd 1.3.6-1
uname -a
Linux tux 3.17.1-1-ARCH #1 SMP PREEMPT Wed Oct 15 15:04:35 CEST 2014 x86_64 GNU/Linux
Now I have all the configs setup below following the L2TP/IPsec VPN client setup arch wiki page and I keep getting this:
ipsec auto --up <vpn connection name>
022 "<vpn connection name>": We cannot identify ourselves with either end of this connection.
my process to run the vpn connection:
sudo systemctl start openswan
sudo systemctl start xl2tpd
ipsec auto --up <vpn connection name>
echo "c <vpn connection name>" > /var/run/xl2tpd/l2tp-control
how I added my vpn connection:
sudo ipsec auto --add <vpn connection name>
/etc/xl2tpd/xl2tpd.conf
[global]
; listen-addr = <my ip address>
debug avp = no
debug network = no
debug packet = no
debug state = no
debug tunnel = no
[lac <vpn connection name>]
lns = <vpn ip address>
pppoptfile = /etc/ppp/<vpn connection name>.options.xl2tpd
length bit = no
redial = no
/etc/ppp/<vpn connection name>.options.xl2tpd
plugin passprompt.so
ipcp-accept-local
ipcp-accept-remote
idle 72000
ktune
noproxyarp
asyncmap 0
noauth
crtscts
lock
hide-password
modem
noipx
ipparam L2tpIPsecVpn-<vpn connection name>
promptprog "/usr/bin/L2tpIPsecVpn"
refuse-eap
remotename ""
name "<vpn username>"
password <vpn password>
usepeerdns
/etc/ipsec.secrets
%any @<vpn ip address>: PSK <psk key here>
Last edited by adramalech (2014-10-25 04:53:46) -
Problem with Cisco 861W router and outgoing VPN
We have a Cisco 861W router that is blocking an outgoing PPTP on the internal access point only. The outgoing VPN works when the traffic is through a wired connection or the connection is on another access point. We fail to make a connection only when connection to the 861W's internal Access Point.
Here is the Access Point Configuration:
Current configuration : 2100 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname obap
enable secret 5 $1$.1RF$go1D7WITXUn3s8TUaw3tC.
no aaa new-model
dot11 syslog
dot11 ssid OLIVER
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 XXXXXXXXXXX
username XXXXXX privilege 15 secret 5 $1$Wc0K$OzcQDDQfjHP6La31eXMoG/
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm tkip
ssid OLIVER
antenna gain 0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecti
ng AP with the host router
no ip address
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 192.168.0.2 255.255.255.0
no ip route-cache
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
banner login ^CC
% Password change notice.
Default username/password setup on AP is cisco/cisco with priv¾ilege level 15.
It is strongly suggested that you create a new username with privilege level
15 using the following command for console security.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use. After you change your username/password you can turn off this message
by configuring "no banner login" and "no banner exec" in privileged mode.
^C
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
cns dhcp
end
obap#
Here is the Router's Configuration:
Current configuration : 5908 bytes
! No configuration change since last restart
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname obrouter
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 $1$i9XE$DjxFVAEC9nC4/r6EQKCd6/
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1856757619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1856757619
revocation-check none
rsakeypair TP-self-signed-1856757619
crypto pki certificate chain TP-self-signed-1856757619
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383536 37353736 3139301E 170D3036 30313032 31323030
34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38353637
35373631 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1A4 FB786547 3D582260 03DB768D 116BDE9A 309FBA04 B53F77B0 BFE32344
7C3439B3 97192B36 760A9411 1D5C7549 8D86F532 ABA44F53 0D08B7F4 A9A747D5
071330C3 65BF25A8 927F3596 29BB5A80 90C8D169 22268476 3B8DDE1E FDB7170D
B4820D03 5580A849 A92C7E76 9AC10867 505A2FEE 64360741 7F9DBDBF 3D79982C
F81D0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 156F6272 6F757465 722E6272 75736868 6F672E63 6F6D301F
0603551D 23041830 168014D8 5BC2FFB2 967A4C7B 11B44122 5C8D31F7 749B9230
1D060355 1D0E0416 0414D85B C2FFB296 7A4C7B11 B441225C 8D31F774 9B92300D
06092A86 4886F70D 01010405 00038181 005901F1 C239074B B8213567 CF7B65BF
DAFE4557 69B2A3B1 5F2593C7 A54B9598 23FD5E7A 563AA6E0 AFB25801 FA0061E8
F9545372 DB600B3A BE68AE65 1EDA593E 6A0C96B8 5A4136AF 393F9AAC 651E1C36
B8B7C6C0 47936C24 D2ECE9A5 9446EE32 FC7461FA AD8CF1CE A7FBF341 07E9C3C6
505AB88D 0E7FCAFC 5792298A E5E4D1FE CC
quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
dns-server 216.49.160.10 216.49.160.66
default-router 192.168.0.1
ip cef
no ip bootp server
ip domain name brushhog.com
ip name-server 216.49.160.10
ip name-server 216.49.160.66
license udi pid CISCO861W-GN-A-K9 sn FTX155281FY
username tech38 privilege 15 secret 5 $1$d/4Z$n/23EsXbzfHF5XfJ8Nv.y0
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
pppoe-client dial-pool-number 1
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXXXX
ppp pap sent-username XXXXXXXXXXXXXX password 7 XXXXXXXXXXX
no cdp enable
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.25 80 interface Dialer0 80
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Any help would be appreciatedHello,
i have the same problem with router CISCO861W-GN-E-K9. Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
Can someone help?
Thank you.
Here is my config for internal AP and router.
Maybe you are looking for
-
I have a macbook and I'm having trouble backing up my pictures on an external hard drive. The Macbook won't install the backup drive soft ware? It is a new Sea Gate hard rive from costco.
-
I'm having this problem is a period, and I can not solve it by. When the puppet plays in yellow object he's the error shown in the video, trouble follows me and I can not solve it at all. Once I tried to copy and paste all the objects to the Frame 1
-
Burning a window dub from FCP for spanish translation
I need to burn a window dub of my program for a spanish translation company that needs to translate the english to spanish. Would this be done in FCP or in DVDSP? Thanks. Kevin
-
I'm hesitant to broach this question because I find it hard to formulate it. First, I understand the principles of Layers. I have Barbara's book for PSE3 and Scott Kelby's wonderful book. I understand the "Create Adjustment Layer" and the choices in
-
CS6 Beta won't install for me, either.
Similar but different to others. Here's what I got (three times now): Exit Code: 6 Please see specific errors and warnings below for troubleshooting. For example, ERROR: DF024, DW063 ... -------------------------------------- Summary ---------------