Cisco 1760 router and VPN client Connection Issues

Post by jeroen.mus » Mon, 07 Jan 2008 19:47:59


I have a Cisco 1760 router with IOS 12.4 connected to the Internet
with a WIC-1ADSL card. It has a dynamic external IP address. The
FastEthernet 0/0 has IP address 192.168.1.254 and now I want to be
able to log into the 1760 through the Internet with a VPN connection.
I have changed the configuration to the one below, but I still am not
able to log in; the Cisco VPN client starts making a connection, but
it says in the end that it cannot get access. Is there anything that I
missed in this configuration?
Thx
Jeroen


c1760#sh run
Building configuration...

Current configuration : 3618 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname c1760
!
boot-start-marker
boot-end-marker
!
enable password 7 1304191C020705
!
aaa new-model
!
aaa authentication login my_userauthen local
aaa authorization network my_groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool my_dhcp
network 192.168.1.0 255.255.255.0
dns-server 212.71.8.11 212.71.0.2
default-router 192.168.1.254
!
ip domain name dyndns.org
ip host members.dyndns.org 63.208.196.96
ip name-server 212.71.8.11
ip name-server 212.71.0.2
ip ddns update method my_dyndns
HTTP
add http://xxx:xxx@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!
username xxx password xxx
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group my_clientconfig
key xxx
pool my_vpnippool
include-local-lan
!
crypto ipsec transform-set my_trafoset esp-des esp-sha-hmac
!
crypto dynamic-map my_dyncmap 10
set transform-set my_trafoset
reverse-route
!
crypto map my_cmap client authentication list my_userauthen
crypto map my_cmap isakmp authorization list my_groupauthor
crypto map my_cmap client configuration address respond
crypto map my_cmap 10 ipsec-isakmp dynamic my_dyncmap
!
interface ATM0/0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Dialer0
ip ddns update hostname xxx.dyndns.org
ip ddns update my_dyndns host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx
ppp chap password xxx
crypto map my_cmap
!
ip local pool my_vpnippool 192.168.1.50 192.168.1.69
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.221 10002 interface Dialer0
10002
ip nat inside source static udp 192.168.1.221 10001 interface Dialer0
10001
ip nat inside source static udp 192.168.1.221 10000 interface Dialer0
10000
ip nat inside source static udp 192.168.1.221 5060 interface Dialer0
5060
ip nat inside source static tcp 192.168.1.221 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.221 20 interface Dialer0 20
ip nat inside
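
Editor's note on the config above, with an added example that is not code from the thread. `service password-encryption` only applies Cisco "type 7" obfuscation: a fixed, publicly known key string XORed over the password bytes. The `enable password 7 1304191C020705` line pasted here is therefore readable by anyone who sees the post; the decoder below recovers it, and the result is the same word the second post later shows in clear as the ISAKMP group key. The key string, the salt layout and the decode/encode routines are the documented type 7 scheme; the sample lines are taken from the first post. The fix is `enable secret` (and `username ... secret`), and treating any config pasted publicly as having disclosed every type 7 string in it.

```python
"""Cisco IOS "type 7" password reversal (added example, not from the thread).

`service password-encryption` stores passwords as two decimal salt digits
followed by one hex byte per character, each XORed with a fixed key string.
It hides a password from a glance over your shoulder and nothing more.
"""
import re

# The fixed XOR key IOS uses for type 7 (widely documented; not a secret).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: the salt is an offset into the key, then each
    hex byte is XORed with the key byte at salt + position."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 strings are an even number of hex digits, salt included")
    salt = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, salt: int = 13) -> str:
    """Forward direction, to show there is no secret anywhere in the scheme."""
    if not 0 <= salt <= 15:
        raise ValueError("IOS picks a salt between 0 and 15")
    data = plain.encode("ascii")
    body = bytes(c ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)] for i, c in enumerate(data))
    return f"{salt:02d}{body.hex().upper()}"


def type7_strings(config: str) -> list:
    """Return (config line, decoded value) for every 'password 7 <hex>' line."""
    found = []
    for line in config.splitlines():
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]{4,})\b", line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample: the one unmasked type 7 line from the first post, plus a
# masked line that the scanner must ignore.
SAMPLE_LINES = "enable password 7 1304191C020705\nusername xxx password xxx\n"

if __name__ == "__main__":
    for line, secret in type7_strings(SAMPLE_LINES):
        print(f"{line}  ->  {secret!r}")
```

Run it against a saved `show run` and every `password 7` line comes back in clear; `enable secret` and `username ... secret` lines do not, which is the point of using them.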

Post by Merv » Tue, 08 Jan 2008 01:35:54

suggest you use a different address range for VPN pool

try using 172.16.1.x-y


Post by jeroen.mus » Tue, 08 Jan 2008 02:13:55

I have changed it to the config below, but I am still not able to
log in with the Cisco Secure VPN client. Not sure where the mistake is.


c1760#sh run
Building configuration...

Current configuration : 3615 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log uptime
service password-encryption
!
hostname c1760
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxx
!
aaa new-model
!
aaa authentication login my_userauthen local
aaa authorization network my_groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool my_dhcp
network 192.168.1.0 255.255.255.0
dns-server 212.71.8.11 212.71.0.2
default-router 192.168.1.254
!
ip domain name dyndns.org
ip host members.dyndns.org 63.208.196.96
ip name-server 212.71.8.11
ip name-server 212.71.0.2
ip ddns update method my_dyndns
HTTP
add http://xxx:xxx@<s>/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!
username xxx password xxx
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group my_clientconfig
key annika
pool my_vpnippool
include-local-lan
!
crypto ipsec transform-set my_trafoset esp-des esp-sha-hmac
!
crypto dynamic-map my_dyncmap 10
set transform-set my_trafoset
reverse-route
!
crypto map my_cmap client authentication list my_userauthen
crypto map my_cmap isakmp authorization list my_groupauthor
crypto map my_cmap client configuration address respond
crypto map my_cmap 10 ipsec-isakmp dynamic my_dyncmap
!
interface ATM0/0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
!
interface Dialer0
ip ddns update hostname evwaes.dyndns.org
ip ddns update my_dyndns host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxx@xxx
ppp chap password xxxx
crypto map my_cmap
!
ip local pool my_vpnippool 172.16.1.1 172.16.1.10
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.221 10002 interface Dialer0
10002
ip nat inside source static udp 192.168.1.221 10001 interface Dialer0
10001
ip nat inside source static udp 192.168.1.221 10000 interface Dialer0
10000
ip nat inside source static udp 192.168.1.221 5060 interface Dialer0
5060
ip nat inside source static tcp 192.168.1.221 22 interface Dialer0 22
ip nat inside source static tcp 192.168.1.221 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.221 110 interface Dialer0
110
ip nat inside source static tcp 192.168.1.221 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.221 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.221 11888 interface Dialer0
11888
ip nat inside source static tcp 192.168.1.221 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.221

Post by p_teatreeo » Tue, 08 Jan 2008 02:28:46

I'm assuming you can ping the public IP from outside and that you are
able to telnet to your router through the Internet as well.

Have you tried pinging with 1500-byte packets with the df bit set?

Have you tried running any debugs?

Post by Bod4 » Tue, 08 Jan 2008 08:55:28

On 6 Jan, 17:28, p_teatreeoil <XXXX@XXXXX.COM> wrote:

I have a working router configuration from a while back.
It has a load of unnecessary bits in it and may be too
complex to help. It also has at least one point to
point VPN too.

Both the Point to point permanent VPN and the
Cisco VPN client worked.

I have not tried to strip out all of the rubbish - sorry,
but I am concerned that I may miss something.

In particular check out the no-xauth. I have NO IDEA
what it might do but I had to add something like it
to a PIX to get the Client VPN working.

If you still have trouble let me know (here) and I might
be able to have a look.

This was done years ago (3 at least) so some things
may have changed.

abcuk#sh run
Building configuration...


no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname abcuk
!
logging buffered 32000 debugging
no logging console
!
username abcClient password 123456
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip domain name abcglobal.com
ip name-server 123.110.64.10
ip name-server 123.110.64.11
!
!
ip cef

!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key 0 fred address 123.156.40.110 no-xauth
! No-xauth probably needed, I didn't try it without.
!
crypto isakmp client configuration group 3000client
key 0 123456789
dns 192.168.168.1
! Wrong DNS address. CRAP. 166
domain abclon.corp.abcglobal.com
pool ippool
acl split-tunnel
!
!
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
set transform-set ciscofw2
!
!
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond
crypto map fw1 10 ipsec-isakmp
set peer 123.156.40.110
set security-association lifetime seconds 86400
set transform-set ciscofw2
match address 110
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description $FW_INSIDE$ abc London ###
ip address 192.168.166.254 255.255.255.0
ip access-group E0-in in
no ip redirects
no ip proxy-arp
ip nat inside
no ip route-cache cef
ip tcp adjust-mss 1392
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
description $FW_OUTSIDE$ Secviced Office outside Ethernet
ip address 213.234.103.41 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect INTERNET-IN in
ip inspect INTERNET-OUT out
ip audit INTERNET-IN in
ip audit INTERNET-OUT out
no ip route-cache cef
duplex auto
no cdp enable
crypto map fw1
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool ippool 10.10.166.1 10.10.166.254
ip nat inside source route-map nonat interface Ethernet1 overload
ip nat inside source static 192.168.166.1 213.234.103.46 route-map
static-nat extendable
ip classless
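
An added config check, not code from the thread, covering two points raised above and one caveat a reviewer would add. Merv's suggestion: in the first post the client pool `192.168.1.50-69` lies inside the `192.168.1.0/24` subnet of FastEthernet0/0, and the second config moves it to `172.16.1.x`. Bod4's `no-xauth`: once a crypto map carries `client authentication list`, IOS challenges every IKE peer for Xauth credentials, so a static site-to-site pre-shared key on the same router needs `no-xauth` or that peer is prompted for a username it cannot supply. The caveat: the first post negotiates `hash md5`, `group 2` and `esp-des`, all legacy choices. The sample config is constructed from lines in the first post and in Bod4's post; the linter flags any static key lacking `no-xauth` whenever any crypto map has client authentication, which is deliberately conservative (it does not work out which map a given peer terminates on).

```python
"""Lint an IOS crypto-map / EZVPN-server config for three pitfalls discussed in
this thread.  Added example, not part of the thread."""
import ipaddress
import re

# Constructed sample: policy, transform set, interfaces and pool from the first
# post; static peer key and crypto-map Xauth line from Bod4's post.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 fred address 123.156.40.110 no-xauth
crypto ipsec transform-set my_trafoset esp-des esp-sha-hmac
crypto map my_cmap client authentication list my_userauthen
crypto map my_cmap 10 ipsec-isakmp dynamic my_dyncmap
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
interface Dialer0
 ip address negotiated
ip local pool my_vpnippool 192.168.1.50 192.168.1.69
"""

# Legacy algorithm choices worth replacing with AES, SHA-2 and DH group 14+.
WEAK = [
    (re.compile(r"\besp-des\b"), "single DES for ESP"),
    (re.compile(r"\besp-md5-hmac\b"), "MD5 HMAC for ESP"),
    (re.compile(r"^hash md5\b"), "MD5 hash in ISAKMP policy"),
    (re.compile(r"^group [125]\b"), "DH group 1/2/5 in ISAKMP policy"),
]


def _lines(cfg):
    return [l.strip() for l in cfg.splitlines() if l.strip()]


def parse_interfaces(cfg):
    """Interface name -> connected IPv4 network, for statically addressed interfaces."""
    nets, current = {}, None
    for line in _lines(cfg):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m and current:
            nets[current] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
    return nets


def parse_pools(cfg):
    """Pool name -> (first address, last address)."""
    pools = {}
    for line in _lines(cfg):
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if m:
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
    return pools


def pool_overlaps(cfg):
    """Merv's point: a client pool must not sit inside a connected LAN subnet."""
    hits = []
    nets = parse_interfaces(cfg)
    for pool, (lo, hi) in parse_pools(cfg).items():
        for ifname, net in nets.items():
            if lo <= net.broadcast_address and hi >= net.network_address:
                hits.append((pool, ifname, str(net)))
    return hits


def xauth_conflicts(cfg):
    """Bod4's point: with 'client authentication list' on a crypto map, a static
    pre-shared peer key without 'no-xauth' gets challenged for Xauth."""
    lines = _lines(cfg)
    has_xauth = any(re.match(r"crypto map \S+ client authentication list", l) for l in lines)
    if not has_xauth:
        return []
    return [l for l in lines
            if re.match(r"crypto isakmp key (?:[06] )?\S+ address \S+", l) and "no-xauth" not in l]


def weak_crypto(cfg):
    """Reviewer's caveat: legacy cipher, hash or DH group in the crypto config."""
    return [(l, why) for l in _lines(cfg) for pat, why in WEAK if pat.search(l)]


def lint(cfg):
    return {"pool_overlaps": pool_overlaps(cfg),
            "xauth_conflicts": xauth_conflicts(cfg),
            "weak_crypto": weak_crypto(cfg)}


if __name__ == "__main__":
    for check, findings in lint(SAMPLE_CONFIG).items():
        print(check, findings)
```

On the sample it reports the pool overlap and the three legacy algorithms and passes the `no-xauth` check; substituting the second post's `172.16.1.1 172.16.1.10` pool clears the overlap, and dropping `no-xauth` from the static key line reproduces the situation Bod4 describes.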

Post by jeroen.mus » Thu, 10 Jan 2008 09:02:56

I have been trying various configs, but I do not seem to be able to
get router access from a VPN client. I have found on the web the
configuration below; it seems that most configs are similar, but this one
does not work on my c1760. I will post my current config tomorrow, I just
lost the full config.

Rgds
Jeroen

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname moepi-border

boot-start-marker
boot-end-marker

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX

no aaa new-model

resource policy

clock timezone Berlin 1
clock summer-time Berlin date Mar 27 2005 2:00 Oct 31 2005 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip cef


no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.51 172.16.0.254
ip dhcp excluded-address 172.16.0.1 172.16.0.9
ip dhcp ping timeout 100

ip dhcp pool Moepistation
host 172.16.0.1 255.255.255.0
client-identifier 0100.07e9.46b9.e7
dns-server 172.16.0.254
default-router 172.16.0.254
lease infinite

ip dhcp pool Moepinet
network 172.16.0.0 255.255.255.0
default-router 172.16.0.254
dns-server 172.16.0.254
lease 2


ip domain name moepinet.local
no ip ips deny-action ips-interface
ip ddns update method dyndns
HTTP
add http:// XXXX@XXXXX.COM /nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0



crypto pki trustpoint TP-self-signed-389617976
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-389617976
revocation-check none
rsakeypair TP-self-signed-389617976


crypto pki certificate chain TP-self-signed-389617976
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

username XXXXX password 7 XXXXXXXXXXXXXXXXXX

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group moepiremote
key XXXXXXXXXXXXXXXXXXX
dns 172.16.0.254
pool moepiremotepool
include-local-lan
netmask 255.255.255.0

crypto ipsec transform-set remoteset esp-3des esp-sha-hmac
crypto ipsec df-bit clear

crypto dynamic-map remotedyn 10
set transform-set remoteset

crypto map remoteclient client authentication list ipsec
crypto map remoteclient isakmp authorization list ipsec
crypto map remoteclient client configuration address respond
crypto map remoteclient 10 ipsec-isakmp dynamic remotedyn


interface Loopback0
description Router-ID
ip address 192.168.255.128 255.255.255.255

interface Ethernet0
description Verbindung zum DSL Modem
bandwidth 10240
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
fair-queue
no cdp enable

interface FastEthernet0
description LAN-Interface
bandwidth 102400
ip address 172.16.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
speed auto
fair-queue
no cdp enable

interface Dialer0
description TDSL-Dialer
mtu 1492
bandwidth 3072
ip ddns update hostname moepinet.dyndns.org
ip ddns update dyndns
ip address negotiated previous
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
keepalive 60 1
no fair-queue
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXXXXXXXXXX
ppp chap password 7 XXXXXXXXXXXXXX
ppp ipcp dns request
crypto map remoteclient

ip local pool moepiremotepool 172.16.200.1 172.16.200.2
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0

ip dns server