can't connect to cisco 837 easy vpn <-> Client ver 3.6

Discussion in 'Cisco' started by eramm, Dec 16, 2003.

  1. eramm

    eramm Guest

    Hi,

    trying to connect to my Cisco 837 easy vpn server w/a Cisco vpn client
    version 3.6.4 w/ no luck.

    I wrote the config file myself based on what i as able to find on the net.

    the errors i am getting on the client side are:

    1 19:11:59.698 12/16/03 Sev=Warning/2 IKE/0xE300007C
    Exceeded 3 IKE SA negotiation retransmits... peer is not responding

    2 19:11:59.748 12/16/03 Sev=Warning/3 DIALER/0xE3300008
    GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

    my config file is as follows:

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Cisco
    !
    no logging buffered
    no logging console
    enable secret 5 $1$vdy9$F4DHZSFx6awZW6YPZZ/XK0
    !
    username xxxx password 7 1105xxxxxxx

    aaa new-model
    !
    !
    aaa authentication password-prompt "Enter your password now:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default local
    aaa authentication login userlist local
    aaa authentication ppp default local
    aaa authorization network grouplist local
    aaa session-id common
    ip subnet-zero
    ip dhcp excluded-address 10.0.0.1
    ip dhcp excluded-address 10.0.0.129 10.0.0.254
    !
    ip dhcp pool CLIENT
    import all
    network 10.0.0.0 255.255.255.0
    default-router 10.0.0.1
    lease infinite
    !
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw smtp timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip inspect name myfw icmp
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group group1
    key MyPassword
    domain local
    pool clients
    acl 106
    !
    !
    crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
    !
    crypto dynamic-map MyVpnUsers 1
    description Client to Site VPN Users
    set transform-set tr-des-md5
    !
    !
    crypto map cm-cryptomap client authentication list userlist
    crypto map cm-cryptomap isakmp authorization list grouplist
    crypto map cm-cryptomap client configuration address respond
    crypto map cm-cryptomap 99 ipsec-isakmp dynamic MyVpnUsers
    !
    !
    !
    !
    interface Ethernet0
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 8/40
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    dsl power-cutback 0
    !
    interface Dialer0
    no ip address
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname dsluser
    ppp chap password 7 123456789
    ppp pap sent-username dsluser password 7 123456789
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map cm-cryptomap
    hold-queue 224 in
    !
    ip local pool vpnclients 192.168.10.1 192.168.10.254
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source list 105 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    access-list 23 permit 10.0.0.0 0.0.0.255
    access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    access-list 102 remark Traffic allowed to enter the router from the Ethernet
    access-list 102 permit ip any host 10.0.0.1
    access-list 102 deny ip any host 10.0.0.255
    access-list 102 deny udp any any eq tftp
    access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 102 deny ip any 0.0.0.0 0.255.255.255
    access-list 102 deny ip any 10.0.0.0 0.255.255.255
    access-list 102 deny ip any 127.0.0.0 0.255.255.255
    access-list 102 deny ip any 169.254.0.0 0.0.255.255
    access-list 102 deny ip any 172.16.0.0 0.15.255.255
    access-list 102 deny ip any 192.0.2.0 0.0.0.255
    access-list 102 deny ip any 192.168.0.0 0.0.255.255
    access-list 102 deny ip any 198.18.0.0 0.1.255.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny ip any any
    access-list 106 remark User to Site VPN Clients
    access-list 106 permit ip 10.0.0.0 0.0.0.255 any
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any
    access-list 111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    dialer-list 1 protocol ip permit
    banner motd ^CWelcome To The Machine.^C
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    eramm, Dec 16, 2003
    #1
    1. Advertising

  2. Hi,

    Everything looks fine except that you need to move the ACE "access-list
    111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255" to the top or
    atleast before "> access-list 102 deny ip any 10.0.0.0 0.255.255.255"

    Regards,
    Ravikumar

    eramm wrote:
    > Hi,
    >
    > trying to connect to my Cisco 837 easy vpn server w/a Cisco vpn client
    > version 3.6.4 w/ no luck.
    >
    > I wrote the config file myself based on what i as able to find on the net.
    >
    > the errors i am getting on the client side are:
    >
    > 1 19:11:59.698 12/16/03 Sev=Warning/2 IKE/0xE300007C
    > Exceeded 3 IKE SA negotiation retransmits... peer is not responding
    >
    > 2 19:11:59.748 12/16/03 Sev=Warning/3 DIALER/0xE3300008
    > GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
    >
    > my config file is as follows:
    >
    > !
    > version 12.3
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > !
    > hostname Cisco
    > !
    > no logging buffered
    > no logging console
    > enable secret 5 $1$vdy9$F4DHZSFx6awZW6YPZZ/XK0
    > !
    > username xxxx password 7 1105xxxxxxx
    >
    > aaa new-model
    > !
    > !
    > aaa authentication password-prompt "Enter your password now:"
    > aaa authentication username-prompt "Enter your name here:"
    > aaa authentication login default local
    > aaa authentication login userlist local
    > aaa authentication ppp default local
    > aaa authorization network grouplist local
    > aaa session-id common
    > ip subnet-zero
    > ip dhcp excluded-address 10.0.0.1
    > ip dhcp excluded-address 10.0.0.129 10.0.0.254
    > !
    > ip dhcp pool CLIENT
    > import all
    > network 10.0.0.0 255.255.255.0
    > default-router 10.0.0.1
    > lease infinite
    > !
    > ip inspect name myfw cuseeme timeout 3600
    > ip inspect name myfw ftp timeout 3600
    > ip inspect name myfw rcmd timeout 3600
    > ip inspect name myfw realaudio timeout 3600
    > ip inspect name myfw smtp timeout 3600
    > ip inspect name myfw tftp timeout 30
    > ip inspect name myfw udp timeout 15
    > ip inspect name myfw tcp timeout 3600
    > ip inspect name myfw h323 timeout 3600
    > ip inspect name myfw icmp
    > ip audit notify log
    > ip audit po max-events 100
    > ip ssh break-string
    > no ftp-server write-enable
    > !
    > !
    > !
    > crypto isakmp policy 1
    > encr 3des
    > authentication pre-share
    > group 2
    > !
    > crypto isakmp client configuration group group1
    > key MyPassword
    > domain local
    > pool clients
    > acl 106
    > !
    > !
    > crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    > crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    > crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    > crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
    > !
    > crypto dynamic-map MyVpnUsers 1
    > description Client to Site VPN Users
    > set transform-set tr-des-md5
    > !
    > !
    > crypto map cm-cryptomap client authentication list userlist
    > crypto map cm-cryptomap isakmp authorization list grouplist
    > crypto map cm-cryptomap client configuration address respond
    > crypto map cm-cryptomap 99 ipsec-isakmp dynamic MyVpnUsers
    > !
    > !
    > !
    > !
    > interface Ethernet0
    > ip address 10.0.0.1 255.255.255.0
    > ip nat inside
    > no ip mroute-cache
    > hold-queue 100 out
    > !
    > interface ATM0
    > no ip address
    > no ip mroute-cache
    > atm vc-per-vp 64
    > no atm ilmi-keepalive
    > pvc 8/40
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > dsl operating-mode auto
    > dsl power-cutback 0
    > !
    > interface Dialer0
    > no ip address
    > !
    > interface Dialer1
    > ip address negotiated
    > ip access-group 111 in
    > ip nat outside
    > ip inspect myfw out
    > encapsulation ppp
    > dialer pool 1
    > dialer-group 1
    > ppp authentication chap pap callin
    > ppp chap hostname dsluser
    > ppp chap password 7 123456789
    > ppp pap sent-username dsluser password 7 123456789
    > ppp ipcp dns request
    > ppp ipcp wins request
    > crypto map cm-cryptomap
    > hold-queue 224 in
    > !
    > ip local pool vpnclients 192.168.10.1 192.168.10.254
    > ip nat inside source list 102 interface Dialer1 overload
    > ip nat inside source list 105 interface Dialer0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer1
    > ip http server
    > ip http authentication local
    > no ip http secure-server
    > !
    > access-list 23 permit 10.0.0.0 0.0.0.255
    > access-list 101 permit ip 10.0.0.0 0.0.0.255 any
    > access-list 102 remark Traffic allowed to enter the router from the Ethernet
    > access-list 102 permit ip any host 10.0.0.1
    > access-list 102 deny ip any host 10.0.0.255
    > access-list 102 deny udp any any eq tftp
    > access-list 102 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
    > access-list 102 deny ip any 0.0.0.0 0.255.255.255
    > access-list 102 deny ip any 10.0.0.0 0.255.255.255
    > access-list 102 deny ip any 127.0.0.0 0.255.255.255
    > access-list 102 deny ip any 169.254.0.0 0.0.255.255
    > access-list 102 deny ip any 172.16.0.0 0.15.255.255
    > access-list 102 deny ip any 192.0.2.0 0.0.0.255
    > access-list 102 deny ip any 192.168.0.0 0.0.255.255
    > access-list 102 deny ip any 198.18.0.0 0.1.255.255
    > access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    > access-list 102 permit ip any host 255.255.255.255
    > access-list 102 deny ip any any
    > access-list 106 remark User to Site VPN Clients
    > access-list 106 permit ip 10.0.0.0 0.0.0.255 any
    > access-list 111 permit icmp any any administratively-prohibited
    > access-list 111 permit icmp any any echo
    > access-list 111 permit icmp any any echo-reply
    > access-list 111 permit icmp any any packet-too-big
    > access-list 111 permit icmp any any time-exceeded
    > access-list 111 permit icmp any any traceroute
    > access-list 111 permit icmp any any unreachable
    > access-list 111 permit udp any eq bootps any eq bootpc
    > access-list 111 permit udp any eq bootps any eq bootps
    > access-list 111 permit udp any eq domain any
    > access-list 111 permit esp any any
    > access-list 111 permit udp any any eq isakmp
    > access-list 111 permit udp any any eq 10000
    > access-list 111 permit tcp any any eq 1723
    > access-list 111 permit tcp any any eq 139
    > access-list 111 permit udp any any eq netbios-ns
    > access-list 111 permit udp any any eq netbios-dgm
    > access-list 111 permit gre any any
    > access-list 111 deny ip any any
    > access-list 111 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
    > dialer-list 1 protocol ip permit
    > banner motd ^CWelcome To The Machine.^C
    > !
    > line con 0
    > exec-timeout 120 0
    > no modem enable
    > transport preferred all
    > transport output all
    > stopbits 1
    > line aux 0
    > transport preferred all
    > transport output all
    > line vty 0 4
    > access-class 23 in
    > exec-timeout 120 0
    > length 0
    > transport preferred all
    > transport input all
    > transport output all
    > !
    > scheduler max-task-time 5000
    > !
    > end
    >
    >
     
    Ravikumar Eswaran, Dec 19, 2003
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Confused

    Cisco 837-837 VPN

    Confused, Jul 9, 2003, in forum: Cisco
    Replies:
    0
    Views:
    1,771
    Confused
    Jul 9, 2003
  2. Masud Reza
    Replies:
    2
    Views:
    7,450
    Masud Reza
    Oct 20, 2003
  3. Suppa Lamah
    Replies:
    8
    Views:
    1,649
  4. maurice
    Replies:
    1
    Views:
    4,268
    Ravikumar Eswaran
    Jan 7, 2005
  5. Replies:
    4
    Views:
    4,206
Loading...

Share This Page