Posted by on April 14, 2008, 1:23 pm
> Search for these on the Cisco web site:
>
> Configuring Cisco VPN Client and Cisco IOS Easy VPN Server
>
> Configuring Cisco VPN Client and Easy VPN Server with Xauth
>
> Configuring Cisco VPN Client and Easy VPN Server with Xauth and Split
> Tunneling
>
> They might be a couple years old, but they should help.
>
>
>
> RJ45 wrote:
> > hello,
> > thanks for your help,
> > I wrote to the newsgroup because I could not find on the Cisco
> > site any help about setting up an end-user VPN.
> > There are plenty of IOS examples with site-to-site VPN,
> > and the end-user VPN examples are only for ASA or PIX hardware
> > and not with normal router hardware and IOS.
> > I tried to apply your hints but still I have the same
> > error and the VPN cannot be established with the
> > Cisco VPN Client. Any more hints?
> > Thanks
>
> > 4d19h: ISAKMP (0:0): received packet from 131.154.3.242 dport 500 sport 500 Global (N) NEW SA
> > 4d19h: ISAKMP: Locking peer struct 0x82FEEB8C, IKE refcount 2 for Responding to new initiation
> > 4d19h: ISAKMP: local port 500, remote port 500
> > 4d19h: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8314B168
> > 4d19h: ISAKMP (0:2): processing SA payload. message ID = 0
> > 4d19h: ISAKMP (0:2): processing ID payload. message ID = 0
> > 4d19h: ISAKMP (0:2): ID payload
> >         next-payload : 13
> >         type         : 11
> >         group id     : vpnuser
> >         protocol     : 17
> >         port         : 500
> >         length       : 15
> > 4d19h: ISAKMP (0:2): peer matches *none* of the profiles
> > 4d19h: ISAKMP (0:2): processing vendor id payload
> > 4d19h: ISAKMP (0:2): vendor ID seems Unity/DPD but major 215 mismatch
> > 4d19h: ISAKMP (0:2): vendor ID is XAUTH
> > 4d19h: ISAKMP (0:2): processing vendor id payload
> > 4d19h: ISAKMP (0:2): vendor ID is DPD
> > 4d19h: ISAKMP (0:2): processing vendor id payload
> > 4d19h: ISAKMP (0:2): vendor ID is Unity
> > 4d19h: ISAKMP : Scanning profiles for xauth ...
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 1 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash SHA
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth XAUTHInitPreShared
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 256
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 2 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash MD5
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth XAUTHInitPreShared
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 256
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 3 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash SHA
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth pre-share
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 256
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 4 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash MD5
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth pre-share
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 256
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 5 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash SHA
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth XAUTHInitPreShared
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 128
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 6 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash MD5
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth XAUTHInitPreShared
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 128
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 7 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash SHA
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth pre-share
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 128
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 8 against priority 3 policy
> > 4d19h: ISAKMP:      encryption AES-CBC
> > 4d19h: ISAKMP:      hash MD5
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth pre-share
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP:      keylength of 128
> > 4d19h: ISAKMP (0:2): Encryption algorithm offered does not match policy!
> > 4d19h: ISAKMP (0:2): atts are not acceptable. Next payload is 3
> > 4d19h: ISAKMP (0:2): Checking ISAKMP transform 9 against priority 3 policy
> > 4d19h: ISAKMP:      encryption 3DES-CBC
> > 4d19h: ISAKMP:      hash SHA
> > 4d19h: ISAKMP:      default group 2
> > 4d19h: ISAKMP:      auth XAUTHInitPreShared
> > 4d19h: ISAKMP:      life type in seconds
> > 4d19h: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> > 4d19h: ISAKMP (0:2): Xauth authentication by pre-shared key offered but does not match policy!
>
> >> News Reader wrote:
> >>> RJ45 wrote:
> >>>> Hello,
> >>>> I have a Cisco 2621 router, and I would like to use it for my office
> >>>> VPN access.
> >>>> I configured it with PPTP and it works with a default local user called
> >>>> "root".
> >>>> root is just the privileged Cisco 2600 user and I just used it to test
> >>>> VPN also.
>
> >>>> Now I wanted to do something more complicated and I wanted to configure
> >>>> an IPsec VPN using the Cisco VPN Client to connect to my c2621,
> >>>> but it does not work and I fail to configure it.
>
> >>>> The situation is this: my router has a public IP
>
> >>>> 131.x.a.b
>
> >>>> and when I am connected in VPN the public IP 131.z.a.c
> >>>> is assigned to me and this works with vpdn PPTP.
>
> >>>> How to do it with IPsec?
>
> >>>> This is really not very well documented around and here I report
> >>>> the configuration which apparently does not work.
> >>> There are plenty of configuration examples on the Cisco web site that
> >>> would have helped you get farther with this task.
>
> >>>> Could someone give me a solution to a good configuration for
> >>>> an IPsec VPN using the Cisco VPN Client to connect to my router?
>
> >>>> here is the router config:
>
> >>>> !
> >>>> ! Last configuration change at 08:30:48 CEST Fri Apr 11 2008 by root
> >>>> ! NVRAM config last updated at 08:30:57 CEST Fri Apr 11 2008 by root
> >>>> !
> >>>> version 12.3
> >>>> no parser cache
> >>>> service timestamps debug uptime
> >>>> service timestamps log uptime
> >>>> service password-encryption
> >>>> !
> >>>> hostname r1
> >>>> !
> >>>> boot-start-marker
> >>>> boot-end-marker
> >>>> !
> >>>> enable password 7 104D4252130411
> >>> Don't include passwords in your post. Type 7 passwords are easily
> >>> decrypted with readily available utilities. Takes less than 1 sec. Most
> >>> of us can tell you what your password is, if you need proof. Use the
> >>> "enable secret" command instead of "enable password". The result is a
> >>> type 5 password that is not so easily decrypted. Don't include those in
> >>> your post either.
>
> >>>> !
> >>>> clock timezone CEST 1
> >>>> clock summer-time CEST recurring 4 Sun Mar 0:00 4 Sun Oct 0:00
> >>>> aaa new-model
> >>>> !
> >>>> !
> >>>> aaa authentication login default local
> >>>> aaa authentication login vpnuser local
> >>>   aaa authorization network vpnuser local
>
> >>>> aaa authentication ppp default local
> >>>> aaa session-id common
> >>>> ip subnet-zero
> >>>> ip cef
> >>>> !
> >>>> !
> >>>> ip domain name cnaf.infn.it
> >>>> ip name-server 131.x.y.z
> >>>> !
> >>>> ip audit po max-events 100
> >>>> vpdn enable
> >>>> !
> >>>> vpdn-group pptpcnaf
> >>>> ! Default PPTP VPDN group
> >>>>  accept-dialin
> >>>>   protocol pptp
> >>>>   virtual-template 1
> >>>> !
> >>>> !
> >>>> !
> >>>> username root password 7 0115020557040206
> >> Use the "username secret" command instead of the "username password"
> >> command. See my prior note on the level of encryption, and the ease with
> >> which Type 7 passwords are decrypted.
>
> >> Consider setting up a specific VPN username in the aaa local database,
> >> instead of a generic root user, particularly if that root password is
> >> used elsewhere in the organization.
>
> >>       username <desired-vpn-username> secret <secret-password>
>
> >> You may also want to specify a privilege level (lower the better) for
> >> that user, in case they try logging into the router.
>
> >>>> !
> >>>> !
> >>>> ! !
> >>>> crypto isakmp policy 3
> >>>>  encr 3des
> >>>>  authentication pre-share
> >>>>  group 2
> >>>> !
> >>> crypto isakmp client configuration
>
I posted what I think was a working config for this a while back
"combining site to site vpn & vpn client on 837"
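
For reference, here is the shape of a complete crypto-map based Easy VPN server on IOS, as an added example that is not the original poster's configuration and is not taken from the thread; it follows the layout of the Cisco documents named at the top of the thread. What the poster already had (aaa new-model, the vpnuser login list, the replier's vpnuser authorization list, isakmp policy 3) is kept, and the group name vpnuser matches the "group id : vpnuser" the client sends in the debug above. Everything else (the vpntest user, both secrets, the vpnpool range 10.10.10.0/24, the ESP-3DES-SHA transform set, the clientmap and dynmap names, FastEthernet0/0, access-list 101, the 192.168.1.0/24 office LAN) is a placeholder chosen for this example. The debug ends with the client's 3DES/SHA/group-2 proposal refused as "Xauth authentication by pre-shared key offered but does not match policy"; in a crypto-map configuration, Xauth, group authorization and mode-config are switched on for the map by the three "crypto map clientmap client ..." / "isakmp authorization list" lines below, so those are the lines to check when the isakmp policy itself already matches what the client offers.

```text
! Added example: crypto-map based Easy VPN server for the Cisco VPN Client.
! Placeholders: vpntest, both secrets, vpnpool 10.10.10.0/24, ESP-3DES-SHA,
! clientmap, dynmap, FastEthernet0/0, access-list 101, 192.168.1.0/24.
aaa new-model
aaa authentication login vpnuser local
aaa authorization network vpnuser local
!
! Per-user Xauth credential. "secret" stores a type-5 hash; "password"
! would store a reversible type-7 string.
username vpntest privilege 1 secret Ch4nge-Me-Xauth
!
! Phase 1. The client proposes AES-256, AES-128 and 3DES with SHA or MD5
! and DH group 2, so define one policy per cipher you are willing to
! accept. AES needs an IOS image that supports it on this platform.
crypto isakmp policy 3
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! The group the client names in its Group Authentication settings; the
! debug above shows it as "group id : vpnuser".
crypto isakmp client configuration group vpnuser
 key Ch4nge-Me-GroupKey
 dns 131.x.y.z
 domain cnaf.infn.it
 pool vpnpool
 acl 101
!
! Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
! Xauth (user login), group authorization (key and pool lookup) and
! mode-config address assignment all hang off the crypto map.
crypto map clientmap client authentication list vpnuser
crypto map clientmap isakmp authorization list vpnuser
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description public side (131.x.a.b)
 crypto map clientmap
!
ip local pool vpnpool 10.10.10.1 10.10.10.50
! Split tunnel: only traffic to the office LAN is sent through the tunnel.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
```

After applying it, "show crypto isakmp sa" should show a QM_IDLE entry for the client and "show crypto ipsec sa" the phase-2 SAs; "debug crypto isakmp", as used in the thread, shows which transform was accepted. Two caveats: the poster's PPTP setup hands out a public address, whereas this example uses a private pool, so adjust the pool (and any NAT) to your addressing; and 3DES, MD5, DH group 2 and the classic Cisco VPN Client are all legacy today, so the cipher choices here mirror what that client proposes in the debug, not what to deploy on a current platform.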
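The replier's remark that a type-7 string gives up its plaintext in under a second is easy to see in code. The Python below is an added example, not code from the thread or from Cisco: it implements the type-7 scheme (the plaintext XORed against a fixed, publicly known key table, starting at the offset given by the two decimal digits at the front of the string) and a small audit helper that pulls every "password 7" line out of a configuration dump. The sample string 0822455D0A16 is the widely circulated test vector for the word "cisco", constructed for this example; none of the strings in the post are used. The point is the replier's: type 7 is obfuscation, not encryption, so use "enable secret" and "username ... secret" so the running config stores a hash instead.

```python
"""Cisco IOS type-7 ("service password-encryption") codec and config audit.

Added example, not from the thread. Type 7 is a fixed-key XOR: anyone who
holds the published key table below can reverse it instantly.
"""
import re
from typing import List, Tuple

# Public, fixed key table used by IOS for type-7 encoding (53 bytes).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# "<prefix> password 7 <two-digit seed><hex pairs>" as found in a config dump.
_T7_LINE = re.compile(
    r"^(?P<prefix>.*\bpassword\s+7\s+)(?P<blob>\d{2}(?:[0-9A-Fa-f]{2})+)\s*$"
)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type-7 string such as 0822455D0A16."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type-7 string must be an even number of hex digits, 4 or more")
    seed = int(encoded[:2], 10)  # first two chars: decimal key offset 0..15
    if not 0 <= seed <= 15:
        raise ValueError("seed outside 0..15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Produce the type-7 string IOS would store for plaintext with the given seed."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type-7 credential
    in an IOS configuration dump. Type-5 "secret" lines do not match."""
    found = []
    for line in config_text.splitlines():
        m = _T7_LINE.match(line.strip())
        if m:
            found.append((line.strip(), type7_decode(m.group("blob"))))
    return found


# Constructed samples: the published "cisco" test vector and a made-up dump.
SAMPLE = "0822455D0A16"
SAMPLE_CONFIG = (
    "enable password 7 0822455D0A16\n"
    "username vpntest secret 5 $1$placeholder$notreversible\n"
    "username guest password 7 " + type7_encode("Guest1234", 11) + "\n"
)

if __name__ == "__main__":
    for line, plain in audit_config(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

Run against a real "show running-config" the audit lists every credential a type-7 line is protecting; each hit is a line to convert to "secret" and a password to rotate, since anyone who has seen the config (as the thread's readers did) already has it.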