Cisco 3620 VPN not listening UDP 500 / 4500

Discussion in 'Cisco' started by Jan Baggen, Jul 29, 2005.

  1. Jan Baggen (Guest)

    My Cisco 3620 IOS router is not listening on ports 500 and 4500 to setup
    the VPN connection. what could be wrong with my config?


    acc01# sh ip sockets
    Proto  Remote      Port  Local  Port   In  Out  Stat  TTY  OutputIF
    17     0.0.0.0     0     xxx    67     0   0    2211  0
    17     --listen--        xxx    123    0   0    1     0
    17     --listen--        xxx    161    0   0    1     0
    17     --listen--        xxx    162    0   0    11    0
    17     --listen--        xxx    56636  0   0    1     0


    !
    version 12.3
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname xxx
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 8096 debugging
    enable password xxx
    !
    username console password xxx
    clock timezone GMT 1
    clock summer-time GMT+01:00 recurring last Sun Mar 2:00 last Sun Oct 3:00
    no aaa new-model
    ip subnet-zero
    no ip source-route
    !
    !
    no ip cef
    ip domain name xxx
    ip name-server xxx
    ip name-server xxx
    !
    ip audit po max-events 100
    !
    isdn switch-type basic-net3
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 20
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group management
     key mykey
     dns xxx
     pool vpn_pool
     acl 100
    !
    !
    crypto ipsec transform-set ip2encr esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 40
     set transform-set ip2encr
    !
    !
    crypto map ip2 client authentication list userauthen
    crypto map ip2 isakmp authorization list groupauthor
    crypto map ip2 client configuration address respond
    crypto map ip2 40 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address xxx 255.255.255.192
     ip nat outside
     duplex auto
     speed auto
     no cdp enable
     crypto map ip2
    !
    interface FastEthernet0/1
     ip address 10.1.0.254 255.255.0.0
     ip nat inside
     duplex auto
     speed auto
     no cdp enable
    !
    interface BRI1/0
     no ip address
     isdn switch-type basic-net3
     no cdp enable
    !
    interface BRI1/1
     no ip address
     shutdown
     isdn switch-type basic-net3
     no cdp enable
    !
    interface BRI1/2
     no ip address
     shutdown
     isdn switch-type basic-net3
     no cdp enable
    !
    interface BRI1/3
     no ip address
     shutdown
     isdn switch-type basic-net3
     no cdp enable
    !
    interface Group-Async1
     ip address negotiated
     encapsulation ppp
     async mode interactive
     peer default ip address pool setup_pool
     ppp authentication chap pap
     group-range 1 2
    !
    ip local pool setup_pool 10.1.0.100 10.1.0.199
    ip local pool vpn_pool 10.2.0.0 10.2.0.100
    ip nat inside source route-map nonat interface FastEthernet0/0 overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
    !
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 101 deny ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
    access-list 101 permit ip 10.1.0.0 0.0.255.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map nonat permit 10
     match ip address 101
    !
    !
    line con 0
    line 1 2
     login local
     modem Dialin
     autoselect during-login
     autoselect ppp
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     password xxx
     login
    line vty 5
     password xxx
     login
    !
    end
    Jan Baggen, Jul 29, 2005
    #1

  2. rave (Guest)

    Did you ever try to connect using the VPN clients?
    Secondly, you have used:
    > crypto map ip2 client authentication list userauthen
    > crypto map ip2 isakmp authorization list groupauthor


    But I don't see any equivalent aaa commands in the router config:
    aaa new-model

    Go to cisco.com and search for a sample config.

    Jan Baggen wrote:
    > My Cisco 3620 IOS router is not listening on ports 500 and 4500 to setup
    > the VPN connection. what could be wrong with my config?
    rave, Aug 1, 2005
    #2
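The AAA plumbing that the reply points out is missing, written out as an added config fragment. This is not the thread's own text or a Cisco sample; it assumes the posted crypto map names (userauthen, groupauthor), that authenticating Xauth users and authorising the "management" group against the router's local database is acceptable, and a placeholder local account "vpnuser"/"vpnpass" that does not appear in the original config.

```cisco
! Added example, not from the thread. The posted config has:
!   no aaa new-model
! while crypto map "ip2" already references two AAA method lists that
! are never defined:
!   crypto map ip2 client authentication list userauthen
!   crypto map ip2 isakmp authorization list groupauthor
! Replace "no aaa new-model" with the following.
aaa new-model
!
! aaa new-model moves the console and vty lines onto the "default" login
! list, so define it explicitly or the existing line passwords stop
! applying. "local" requires a username from the local database
! (the posted config already has "username console ...").
aaa authentication login default local
!
! Xauth user authentication for the Easy VPN clients (list name must
! match the "client authentication list" on the crypto map).
aaa authentication login userauthen local
!
! Group authorisation: lets ISAKMP look up the "management" group
! (key, pool, acl) that "crypto isakmp client configuration group"
! defines (list name must match "isakmp authorization list").
aaa authorization network groupauthor local
!
! Placeholder Xauth account; replace with real users. Assumption, not
! from the original config.
username vpnuser password 0 vpnpass
```

Apply this from a console session you keep open until a fresh login has been tested, because once `aaa new-model` is on, vty access is governed by the `default` list rather than the per-line `password`/`login` pair; if the line passwords should keep working instead, `aaa authentication login default line` is the method to use. After the change, confirm that ISAKMP is actually up with `show crypto isakmp policy` and `show crypto map`, look for a UDP 500 listener again in `show ip sockets` (or `show udp`), and attempt a client connection with `debug crypto isakmp` running so a failed Xauth or group lookup is visible. If no listener ever appears, check `show version` to be sure the image on the 3620 is a crypto feature set at all.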
