IPSec VPN with c2600 router
- From: RJ45 <rj45@xxxxxxxxxxxxxxxxxx>
- Date: Fri, 11 Apr 2008 06:51:08 +0000 (UTC)
Hello,
I have a Cisco 2621 router, and I would like to use it for my office
VPN access.
I configured it with PPTP and it works with the default local user called
"root".
root is just the privileged Cisco 2600 user and I just used it to test the
VPN also.
Now I wanted to do something more complicated and I wanted to configure
an IPSec VPN using the Cisco VPN client to connect to my c2621,
but it does not work and I fail to configure it.
The situation is this, my router has a public IP
131.x.a.b
and when I am connected in VPN the public IP 131.z.a.c
is assigned to me and this works with vpdn PPTP.
How do I do it with IPSEC?
This is really not very well documented around, and here I report
the configuration which apparently does not work.
Could someone give me a solution for a good configuration for
an IPSec VPN using the Cisco VPN client to connect to my router?
Here is the router config:
!
! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
!
version 12.3
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable password 7 104D4252130411
!
clock timezone CEST 1
clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpnuser local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip domain name cnaf.infn.it
ip name-server 131.x.y.z
!
ip audit po max-events 100
vpdn enable
!
vpdn-group pptpcnaf
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username root password 7 0115020557040206
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnuser
key xxxxxxx
dns 131.x.y.z
domain cnaf.infn.it
pool internalpool
!
!
crypto ipsec transform-set default-set esp-3des esp-sha-hmac
!
crypto dynamic-map default-map 13
set transform-set default-set
!
!
crypto map mobile-map client authentication list vpnuser
crypto map mobile-map client configuration address respond
crypto map mobile-map 13 ipsec-isakmp dynamic default-map
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 131.x.a.b 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
peer default ip address pool internalpool
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool internalpool 131.x.a.c
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 131.x.a.z
!
!
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 5 15
!
end
And here is the DEBUG output:
1d12h: ISAKMP (0:0): received packet from 131.x.y.h dport 500 sport 500 Global (N) NEW SA
1d12h: ISAKMP: Locking peer struct 0x82FEEBB4, IKE refcount 2 for Responding to new initiation
1d12h: ISAKMP: local port 500, remote port 500
1d12h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8313D0D8
1d12h: ISAKMP (0:2): processing SA payload. message ID = 0
1d12h: ISAKMP (0:2): processing ID payload. message ID = 0
1d12h: ISAKMP (0:2): ID payload
next-payload : 13
type : 11
group id : vpnuser
protocol : 17
port : 500
length : 15
1d12h: ISAKMP (0:2): peer matches *none* of the profiles
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
1d12h: ISAKMP (0:2): vendor ID is XAUTH
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is DPD
1d12h: ISAKMP (0:2): processing vendor id payload
1d12h: ISAKMP (0:2): vendor ID is Unity
1d12h: ISAKMP : Scanning profiles for xauth ...
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
and it keeps logging that no ISAKMP transform matches the policy encryption...
Any hints or suggestions?
thanks
RJ45
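Added example, not part of the original post or of any Cisco tool: a small Python triage script that parses 'debug crypto isakmp' output of the kind quoted above and compares each transform the VPN client proposes against the router's configured ISAKMP policy. The policy table is taken from the quoted config (policy 3: encr 3des, authentication pre-share, group 2; hash is the IOS default SHA since none is set). The debug sample is constructed and modelled on the quoted lines; its transform 3 (3DES) is made up to show what an accepted proposal looks like. Treating XAUTHInitPreShared as the pre-share family is an assumption that matches how IOS evaluates proposals when the crypto map has client authentication.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Policy as it stands in the quoted config ('crypto isakmp policy 3').
# Hash is the IOS default (SHA) because the policy does not set one.
ROUTER_POLICY = {
    3: {"encryption": "3des", "hash": "sha", "group": "2", "auth": "pre-share"},
}

# CONSTRUCTED sample modelled on the debug output in the post.
# Transform 3 is invented here to show a proposal the policy would accept.
SAMPLE_DEBUG = """\
1d12h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth XAUTHInitPreShared
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 256
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
1d12h: ISAKMP: encryption AES-CBC
1d12h: ISAKMP: hash MD5
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
1d12h: ISAKMP: keylength of 128
1d12h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
1d12h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
1d12h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
1d12h: ISAKMP: encryption 3DES-CBC
1d12h: ISAKMP: hash SHA
1d12h: ISAKMP: default group 2
1d12h: ISAKMP: auth pre-share
1d12h: ISAKMP: life type in seconds
1d12h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines start with 'ISAKMP: ' (no SA id), unlike the '(0:2)' status lines.
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|default group|auth|keylength of) (\S+)")


@dataclass
class Proposal:
    number: int            # transform number offered by the client
    policy: int            # router policy priority it was checked against
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_proposals(debug: str) -> List[Proposal]:
    """Group the attribute lines of the debug output under their transform."""
    proposals: List[Proposal] = []
    for line in debug.splitlines():
        m = CHECK_RE.search(line)
        if m:
            proposals.append(Proposal(int(m.group(1)), int(m.group(2))))
            continue
        m = ATTR_RE.search(line)
        if m and proposals:
            proposals[-1].attrs[m.group(1)] = m.group(2)
    return proposals


def normalize(p: Proposal) -> Dict[str, str]:
    """Map debug spellings onto the keywords used in 'crypto isakmp policy'."""
    enc = p.attrs.get("encryption", "").lower().replace("-cbc", "")
    keylen = p.attrs.get("keylength of")
    if enc == "aes" and keylen:
        enc = f"aes {keylen}"  # IOS spells this 'encr aes 256'
    auth = p.attrs.get("auth", "")
    # Assumption: XAUTHInitPreShared is the pre-shared-key method plus XAUTH,
    # which a policy with 'authentication pre-share' accepts.
    if auth in ("pre-share", "XAUTHInitPreShared"):
        auth = "pre-share"
    return {
        "encryption": enc,
        "hash": p.attrs.get("hash", "").lower(),
        "group": p.attrs.get("default group", ""),
        "auth": auth,
    }


def mismatches(p: Proposal, policies: Dict[int, Dict[str, str]] = ROUTER_POLICY) -> List[str]:
    """Return one line per attribute on which the proposal fails the policy."""
    policy = policies[p.policy]
    offered = normalize(p)
    return [f"{k}: offered {offered[k]}, policy {p.policy} requires {v}"
            for k, v in policy.items() if offered[k] != v]


def triage(debug: str) -> Dict[int, List[str]]:
    """Transform number -> list of mismatch reasons (empty list = acceptable)."""
    return {p.number: mismatches(p) for p in parse_proposals(debug)}


if __name__ == "__main__":
    for number, reasons in triage(SAMPLE_DEBUG).items():
        print(f"transform {number}: {'OK' if not reasons else '; '.join(reasons)}")
```

Run against the quoted log, every proposal fails on the encryption attribute alone: the client offers only AES (128 or 256) while policy 3 is 3DES, which is exactly the "Encryption algorithm offered does not match policy!" line the router prints. The usual remedy on IOS is an additional `crypto isakmp policy` entry whose `encr` matches what the client proposes (for example `encr aes 256` with `hash sha`, `authentication pre-share`, `group 2`), assuming the router's image and hardware support AES; that is an assumption about the router, not something the post confirms.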