Cisco VPN clients unable to connect to 3725 VPN server

Discussion in 'Cisco' started by S Reese, Jan 18, 2008.

  1. S Reese

    S Reese Guest

    I have a 3725 router that is acting as a VPN server as well as
    performing NAT for the internal network. The VPN is set up to connect
    to another remote network and to allow clients to connect securely to
    the router and access the local network.

    The problem is the client is prompted for the user name and password
    but it won't establish the connection so I'm not sure what's missing.
    Any help would be greatly appreciated.

    The only error I get is:
    Jan 18 18:21:06.319: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick
    mode failed with peer at 172.16.2.4

    Here's the config:
    !
    ! Last configuration change at 13:30:31 PCTime Fri Jan 18 2008 by
    rsreese
    ! NVRAM config last updated at 13:30:34 PCTime Fri Jan 18 2008 by
    rsreese
    !
    ! --- Global services, enable secret and AAA method lists ---
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    ! NOTE(review): this command only stores line/user passwords as type 7,
    ! which is reversible obfuscation, not hashing (see the vty password
    ! further down in this listing).
    service password-encryption
    !
    hostname 3725router
    !
    boot-start-marker
    boot-end-marker
    !
    ! NOTE(review): the local log buffer is disabled and no "logging" host
    ! appears in this listing, so messages such as the CRYPTO-6 error are not
    ! retained anywhere for later review - confirm a log destination exists.
    no logging buffered
    ! Type 5 (MD5-based) hash. Once published it can be guessed offline, so
    ! the secret should be rotated and the hash redacted before sharing.
    enable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0
    !
    aaa new-model
    !
    !
    ! All four default method lists point at the local user database. The
    ! crypto map later in this listing uses "default" for both client
    ! authentication (XAUTH) and ISAKMP group authorization.
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authorization exec default local
    aaa authorization network default local
    !
    aaa session-id common
    clock timezone PCTime -5
    ! NOTE(review): the summer-time rule is a fixed date range in 2003, not a
    ! recurring rule - keep this in mind when correlating log timestamps.
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no network-clock-participate slot 1
    no network-clock-participate slot 2
    ip cef
    !
    !
    ! --- DHCP pools for VLAN 2 / VLAN 3, DNS settings and VPDN (L2TP) groups ---
    no ip dhcp use vrf connected
    ip dhcp excluded-address 172.16.2.1
    ip dhcp excluded-address 172.16.3.1
    !
    ip dhcp pool VLAN2clients
    network 172.16.2.0 255.255.255.0
    default-router 172.16.2.1
    dns-server 205.152.144.23 205.152.132.23
    !
    ip dhcp pool VLAN3clients
    network 172.16.3.0 255.255.255.0
    default-router 172.16.3.1
    dns-server 205.152.144.23 205.152.132.23
    !
    !
    ip domain name neocipher.net
    ip name-server 205.152.144.23
    ip name-server 205.152.132.23
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    vpdn enable
    !
    ! Both VPDN groups below accept L2TP dial-in and clone Virtual-Template1.
    ! NOTE(review): "no l2tp tunnel authentication" turns off the L2TP tunnel
    ! secret, so only the PPP methods on Virtual-Template1 authenticate a
    ! caller. Two groups with identical accept-dialin settings look redundant -
    ! confirm which one is meant to be used and whether L2TP is needed at all.
    vpdn-group 1
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    ip pmtu
    !
    vpdn-group L2TP_VPN
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Only local account in this listing: privilege 15 with a type 5
    ! (MD5-based) hash. Because every AAA default list is "local", this same
    ! admin credential would also be what a VPN client presents for XAUTH.
    ! NOTE(review): the hash is now public; rotate the secret, and consider a
    ! separate low-privilege account for VPN logins.
    username rsreese privilege 15 secret 5 $1$k.mV$065vhIx6xkX.kM6jxTAOM.
    !
    !
    ! NOTE(review): no "ip ssh version" line is present, so the image default
    ! applies - confirm that SSH version 1 is not being accepted.
    ip ssh authentication-retries 2
    !
    !
    ! --- IKE policies, pre-shared keys, Easy VPN client group, crypto maps ---
    ! Policy 3: 3DES, pre-shared key, DH group 2. No hash line is given, so
    ! the IOS default hash applies (verify with "show crypto isakmp policy").
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    ! Policy 10 sets only the hash and authentication method; encryption and
    ! DH group fall back to IOS defaults.
    ! NOTE(review): on 12.4-era images those defaults are presumably DES and
    ! group 1 - confirm. Together with MD5 this is a weak proposal that any
    ! peer may select; remove the policy or set strong values explicitly.
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    ! NOTE(review): site-to-site pre-shared key is a dictionary word and is
    ! shown in clear in this public listing; replace it with a long random key.
    crypto isakmp key cisco address 10.0.0.2 no-xauth
    !
    ! Easy VPN group pushed to remote-access clients: DNS, domain, address
    ! pool VPN_POOL and ACL 115 as the split-tunnel list.
    ! NOTE(review): the group key is short, shared by every client and now
    ! public; rotate it to a long random value or move to certificates.
    ! "include-local-lan" lets clients keep talking to their own LAN while
    ! connected - confirm that is acceptable for the protected network.
    crypto isakmp client configuration group VPN-Users
    key test00
    dns 205.152.144.23 205.152.132.23
    domain neocipher.net
    pool VPN_POOL
    acl 115
    include-local-lan
    netmask 255.255.255.0
    !
    !
    ! Single transform set (3DES + SHA HMAC) shared by the static and dynamic
    ! map entries.
    ! NOTE(review): transport mode is requested here; remote-access clients
    ! normally negotiate tunnel mode - confirm this setting is intended.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    mode transport
    !
    ! Dynamic entry used for clients whose address is not known in advance.
    ! NOTE(review): "match address 115" restricts which phase 2 proxy
    ! identities are accepted, and ACL 115 in this listing has the client pool
    ! (192.168.0.0/24) as its source. Confirm the direction and whether the
    ! match statement is wanted here, since it relates to Quick mode.
    crypto dynamic-map DYNMAP 10
    set transform-set ESP-3DES-SHA
    match address 115
    !
    !
    ! CLIENTMAP: XAUTH and group authorization both use the AAA "default"
    ! lists (local database). Sequence 1 is the static tunnel to 10.0.0.2
    ! protected by ACL 100; sequence 10 hands everything else to DYNMAP.
    crypto map CLIENTMAP client authentication list default
    crypto map CLIENTMAP isakmp authorization list default
    crypto map CLIENTMAP client configuration address respond
    crypto map CLIENTMAP 1 ipsec-isakmp
    set peer 10.0.0.2
    set transform-set ESP-3DES-SHA
    match address 100
    crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
    !
    !
    !
    !
    ! --- Interfaces ---
    ! NOTE(review): crypto map CLIENTMAP is attached to three interfaces:
    ! FastEthernet0/0 (NAT outside), Serial0/0 and FastEthernet0/1.2 (NAT
    ! inside). The failing peer in the posted log line, 172.16.2.4, lies in
    ! the FastEthernet0/1.2 subnet. Confirm the inside attachment is intended.
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    ! Outside interface: address learned by DHCP, NAT outside, IPsec enabled.
    interface FastEthernet0/0
    ip address dhcp client-id FastEthernet0/0 hostname 3725router
    ip nat outside
    ip virtual-reassembly
    speed 100
    full-duplex
    crypto map CLIENTMAP
    !
    ! Serial link in the same subnet as the site-to-site peer 10.0.0.2.
    interface Serial0/0
    ip address 10.0.0.1 255.255.240.0
    clock rate 2000000
    crypto map CLIENTMAP
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    ! VLAN 2 inside network (172.16.2.0/24), NAT inside, IPsec enabled.
    interface FastEthernet0/1.2
    encapsulation dot1Q 2
    ip address 172.16.2.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    crypto map CLIENTMAP
    !
    ! NOTE(review): no ip address line is shown for VLAN 3, although the DHCP
    ! pool VLAN3clients names 172.16.3.1 as its default router - confirm.
    interface FastEthernet0/1.3
    encapsulation dot1Q 3
    ip virtual-reassembly
    !
    interface Serial0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    ! Template cloned for the VPDN dial-in sessions; addresses come from
    ! PPTP-POOL and MPPE encryption is marked as required.
    ! NOTE(review): PAP is listed first and carries the password in clear
    ! inside PPP. MPPE keying depends on MS-CHAP, so PAP/CHAP logins
    ! presumably cannot complete with "required" set - confirm, and remove
    ! the authentication methods that are not needed.
    interface Virtual-Template1
    ip unnumbered FastEthernet0/0
    peer default ip address pool PPTP-POOL
    no keepalive
    ppp encrypt mppe auto required
    ppp authentication pap chap ms-chap
    !
    ! --- Address pools, routing, HTTP(S) management, NAT and ACLs ---
    ! PPTP-POOL is handed out by Virtual-Template1; VPN_POOL by the VPN-Users
    ! client group.
    ip local pool PPTP-POOL 172.16.20.25 172.16.20.35
    ip local pool VPN_POOL 192.168.0.55 192.168.0.105
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    ip route 172.16.10.0 255.255.255.0 10.0.0.2
    !
    !
    ! Plain HTTP management is off; HTTPS is on with local authentication.
    ! NOTE(review): no "ip http access-class" appears in this listing, so the
    ! HTTPS server is presumably reachable on every addressed interface,
    ! including the NAT outside one - confirm and restrict to management
    ! sources. The 86400-second session lifetime is also generous.
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ! PAT on FastEthernet0/0 for whatever route-map NONAT permits.
    ip nat inside source route-map NONAT interface FastEthernet0/0
    overload
    !
    ! ACL 100: traffic selector for the static tunnel (crypto map CLIENTMAP 1).
    ! ACL 115: used both as the VPN-Users split-tunnel list and as the
    !          dynamic-map match address; source is the client pool range.
    ! ACL 120: NAT exemption - 172.16.0.0/16 to the VPN pool is excluded from
    !          translation, all other traffic from 172.16.0.0/16 is translated.
    access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 115 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
    access-list 120 permit ip 172.16.0.0 0.0.255.255 any
    !
    route-map NONAT permit 10
    match ip address 120
    !
    !
    !
    !
    ! --- Control plane, terminal lines and NTP ---
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! Console and aux carry no line-level settings; with "aaa authentication
    ! login default local" earlier in this listing they use the local
    ! user database.
    line con 0
    line aux 0
    ! NOTE(review): the type 7 string below is reversible obfuscation, so the
    ! vty password must be treated as disclosed and changed. With the AAA
    ! default login list in force it is presumably not consulted - confirm and
    ! remove it. Neither vty range has an access-class, so SSH logins are
    ! accepted from any source address that can reach the router.
    line vty 0 4
    password 7 05080F1C2243
    transport input ssh
    line vty 5 903
    transport input ssh
    !
    ! NOTE(review): the NTP association has no authentication key configured
    ! in this listing; log timestamps depend on this time source.
    ntp clock-period 17180664
    ntp server 129.6.15.29 source FastEthernet0/0 prefer
    !
    end