can't connect to cisco 837 easy vpn <-> Client ver 3.6

 
 
eramm
      12-16-2003
Hi,

trying to connect to my Cisco 837 easy vpn server w/a Cisco vpn client
version 3.6.4 w/ no luck.

I wrote the config file myself based on what I was able to find on the net.

The errors I am getting on the client side are:

1 19:11:59.698 12/16/03 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

2 19:11:59.748 12/16/03 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

my config file is as follows:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco
!
no logging buffered
no logging console
enable secret 5 $1$vdy9$F4DHZSFx6awZW6YPZZ/XK0
!
username xxxx password 7 1105xxxxxxx

aaa new-model
!
!
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.129 10.0.0.254
!
ip dhcp pool CLIENT
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
lease infinite
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group1
key MyPassword
domain local
pool clients
acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map MyVpnUsers 1
description Client to Site VPN Users
set transform-set tr-des-md5
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 99 ipsec-isakmp dynamic MyVpnUsers
!
!
!
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/40
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
dsl power-cutback 0
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname dsluser
ppp chap password 7 123456789
ppp pap sent-username dsluser password 7 123456789
ppp ipcp dns request
ppp ipcp wins request
crypto map cm-cryptomap
hold-queue 224 in
!
ip local pool vpnclients 192.168.10.1 192.168.10.254
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source list 105 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 10.0.0.1
access-list 102 deny ip any host 10.0.0.255
access-list 102 deny udp any any eq tftp
access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip any 0.0.0.0 0.255.255.255
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 127.0.0.0 0.255.255.255
access-list 102 deny ip any 169.254.0.0 0.0.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.0.2.0 0.0.0.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 deny ip any 198.18.0.0 0.1.255.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
dialer-list 1 protocol ip permit
banner motd ^CWelcome To The Machine.^C
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end


 
Ravikumar Eswaran
      12-19-2003
Hi,

Everything looks fine except that you need to move the ACE "access-list
111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255" to the top or
at least before "access-list 102 deny ip any 10.0.0.0 0.255.255.255"

Regards,
Ravikumar
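
The ordering problem this reply points at, as an added example that is not part of either post: IOS evaluates an ACL top-down and stops at the first match, so an entry placed after a broader one can never be hit. The sketch below flags such shadowed entries in an abridged copy of ACL 111; the function names are hypothetical and it assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed sample: the IPsec-related tail of ACL 111 from the post, in posted order.
ACL_111 = """\
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 deny ip any any
access-list 111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of the token list."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tok.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # invert wildcard to netmask
    return ipaddress.ip_network(f"{head}/{netmask}", strict=False)

def parse_ace(line):
    """Parse one extended ACE into (action, proto, src, src_port, dst, qualifier)."""
    tok = line.split()[2:]                      # drop 'access-list <number>'
    action, proto = tok.pop(0), tok.pop(0)
    src = _take_addr(tok)
    sport = tuple(tok[:2]) if tok[:1] == ["eq"] else ()
    del tok[:len(sport)]
    dst = _take_addr(tok)
    return action, proto, src, sport, dst, tuple(tok)  # rest: dest port / ICMP type

def covers(a, b):
    """True if every packet matching ACE b would already match the earlier ACE a."""
    _, ap, asrc, asp, adst, aq = a
    _, bp, bsrc, bsp, bdst, bq = b
    return (ap in ("ip", bp) and bsrc.subnet_of(asrc) and bdst.subnet_of(adst)
            and asp in ((), bsp) and aq in ((), bq))

def shadowed_entries(acl_text):
    """Return (entry, shadowing_entry) pairs, 1-based, for ACEs that can never match."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    hits = []
    for i, later in enumerate(aces):
        for j in range(i):
            if covers(aces[j], later):
                hits.append((i + 1, j + 1))
                break
    return hits

if __name__ == "__main__":
    for entry, by in shadowed_entries(ACL_111):
        print(f"entry {entry} is unreachable: shadowed by entry {by}")
```

Moving the last entry to the top of the list, as the reply suggests, makes the check come back empty.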



 