Cisco IOS VPN over NAT problems

MulLa

Hi all,

I'm trying to configure IOS VPN over a NAT overload connection on an 1841, to allow Cisco vpn client software to connect up to it.

Sorry for the long post, but I feel that I have stuffed up the ACLs in the config. It's basically a collection of what I can find on the web on VPN connections; most of them don't deal with NAT, and I tried looking at the commands that SDM inserts and tried to copy those, and yet still no go.

Below are some logs if anyone is so kind as to provide assistance! Much appreciated & many thanks!!!

VPN client log error shows:
15 08:13:52.139 11/28/06 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=51319E76F3A3DA11 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16 08:13:52.639 11/28/06 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=51319E76F3A3DA11 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17 08:13:52.639 11/28/06 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "****" because of "DEL_REASON_PEER_NOT_RESPONDING"

Below is my config:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name *****
ip name-server ***
ip name-server ***
ip name-server ***
ip ddns update method dyndns
HTTP
add http://***:***@members.dyndns.org/nic/update?system=dyndns&hostname=***.***.***&myip=
interval maximum 0 0 5 0
!
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-1122731203
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1122731203
revocation-check none
rsakeypair TP-self-signed-1122731203
!
!
crypto pki certificate chain TP-self-signed-1122731203
certificate self-signed 01

quit
username *** password 7 ***
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ***
key ***
dns ***
domain ***
pool ippool
acl 110
split-dns ***
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description Trunk to Switch
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.110
encapsulation dot1Q 110
ip address 172.16.30.2 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/0.120
encapsulation dot1Q 120
ip address 172.16.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1492
ip ddns update hostname ***
ip ddns update dyndns host members.dyndns.org
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ****
ppp chap password 7 ****
crypto map clientmap
!
ip local pool ippool 172.16.50.1 172.16.50.4
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http access-class 50
ip http secure-server
ip nat inside source route-map rmap1 interface Dialer1 overload
!
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.255
access-list 50 permit 172.16.30.0 0.0.0.255
access-list 105 remark RMAP1_ACL
access-list 105 deny ip 172.16.30.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 remark VPN_ACL
access-list 110 permit ip 172.16.30.0 0.0.0.255 any
access-list 110 permit ip 172.16.40.0 0.0.0.255 any
!
!
route-map rmap1 permit 1
match ip address 105
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 ****
logging synchronous
line aux 0
password 7 ****
line vty 0 4
access-class 50 in
password 7 ****
line vty 5 807
access-class 50 in
password 7 ****
!
scheduler allocate 20000 1000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
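One check worth running on the posted config is whether the NAT-exemption ACL used by the route-map (the deny entries in access-list 105) actually covers every address in the VPN pool, because any pool address left out is translated by the overload NAT before the crypto map ever sees it. The script below is an added example, not part of the original post or of IOS; it parses the relevant lines copied from the config above and reports pool addresses that no deny entry covers (it assumes contiguous wildcard masks, which is all this config uses).

```python
import ipaddress
import re

# Constructed input: the relevant lines copied from the posted config.
CONFIG = """
ip local pool ippool 172.16.50.1 172.16.50.4
access-list 105 deny ip 172.16.30.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$")
DENY_RE = re.compile(r"^access-list (\d+) deny ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def pool_addresses(config):
    """Return {pool_name: [every address in the range]} for each 'ip local pool' line."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
            pools[name] = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
    return pools


def nat_exempt_destinations(config, acl):
    """Destination networks that the given ACL's 'deny' entries keep out of NAT."""
    nets = []
    for line in config.splitlines():
        m = DENY_RE.match(line.strip())
        if m and m.group(1) == acl:
            nets.append(wildcard_to_network(m.group(4), m.group(5)))
    return nets


def unexempted_pool_addresses(config, pool, acl):
    """Pool addresses no deny entry covers; traffic to them would be NAT'd, not encrypted."""
    exempt = nat_exempt_destinations(config, acl)
    return [str(a) for a in pool_addresses(config)[pool]
            if not any(a in n for n in exempt)]


if __name__ == "__main__":
    print(unexempted_pool_addresses(CONFIG, "ippool", "105"))  # ['172.16.50.4']
```

On the posted config the 0.0.0.3 wildcard covers 172.16.50.0 to .3 while the pool runs to .4, so the last pool address would be translated. That is a Phase 2 (traffic) problem and does not by itself explain the Phase 1 "peer not responding" in the client log, which fails before any NAT exemption is consulted.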