Reason 401: An unrecognized error occurred while establishing the VPN connection.

Discussion in 'Cisco' started by James, Feb 16, 2006.

  1. James

    James Guest

    My first VPN will not connect from an external site - it will not even
    get a pwd prompt. From inside the site (not sure if you can really
    test this way) I get the following after logging on successfully:

    Secure VPN Connection terminated locally by the Client.
    Reason 401: An unrecognized error occurred while establishing the VPN
    connection.

    My transform set is 3DES and SHA #MAC
    Auth's are local and if-auth to the network
    I am using a group with a pre-share key
    My ISAKMP policy is also 3DES, group 2
    My interface that has the crypto map policy is the BVI1

    In the config I am a bit mystified why my VLAN1 states it has no ip.
    Do I need some vpn ACL commands?
    I get an error on the client (config'd for NAT/PAT) of "15
    15:24:49.174 02/16/06 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from
    80.177.223.54"

    Any help would be very appreciated...
     
    James, Feb 16, 2006
    #1

  2. James

    Merv Guest

    You might be better off posting this info under the original thread

    Please post your config as it now stands
     
    Merv, Feb 16, 2006
    #2

  3. James

    James Guest

    Sorry, thought you had gone off-line! My config has not changed.
    Still get no prompt for pwd from home site (here all day). Can post
    config again on Mon. One thought is: I don't have to have a cisco
    router at the remote site do I? Just the client software?
     
    James, Feb 17, 2006
    #3
  4. James

    Merv Guest

    You changed the group name and passwords, and you should have changed the
    crypto setup based on some recommendations made.

    But if you could repost, I would like to see the config's current state.
     
    Merv, Feb 17, 2006
    #4
  5. James

    James Guest

    OK, here it is...
    Please can you answer some other simple questions too such as can I
    test this from within the network? And in the config I am a bit
    mystified why my VLAN1 states it has no ip. Do I need some vpn ACL
    commands?

    CONFIG AS AT 20 Feb
    !This is the running config of the router: xxx.xxx.xxx.100
    !----------------------------------------------------------------------------
    !version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 52000 debugging
    logging console critical
    enable secret 5 $1$LR.f$pB8.ZdKhW3GXtV8S4gj3J.
    !
    username xxxxx privilege 15 secret 5 $1$lURO$tewOxEtKEAqZxNz7Zdbd4.
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    aaa authorization network default if-authenticated
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name domainname
    ip name-server 158.152.1.58
    ip name-server 158.152.1.43
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key keydetails address 82.0.98.178
    crypto isakmp key keydetails address xxx.xxx.xxx.22 255.255.255.0
    !
    crypto isakmp client configuration group Hovarians
    key keydetails
    dns 158.152.1.58 158.152.1.43
    wins xxx.xxx.xxx.200
    domain domainname
    pool SDM_POOL_1
    include-local-lan
    max-users 1
    max-logins 3
    !
    !
    crypto ipsec transform-set TransformSet1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile IPSecProfile1
    set transform-set TransformSet1
    !
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set TransformSet1
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list default
    crypto map SDM_CMAP_1 isakmp authorization list default
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    bridge irb
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    !
    ssid ssidname
    authentication open
    !
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0
    channel 2462
    no cdp enable
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    bridge-group 1
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 80.177.223.54 255.0.0.0
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 7 05082E1D2042405A0A
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address xxx.xxx.xxx.100 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 xxx.xxx.xxx.50 xxx.xxx.xxx.55
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 2
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    !
    logging trap debugging
    logging xxx.xxx.xxx.100
    logging 80.177.223.54
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark SDM_ACL Category=1
    access-list 2 permit xxx.xxx.xxx.0 0.0.0.255
    access-list 2 deny any
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 permit ip host xxx.xxx.xxx.50 any
    access-list 100 permit ip host xxx.xxx.xxx.51 any
    access-list 100 permit ip host xxx.xxx.xxx.52 any
    access-list 100 permit ip host xxx.xxx.xxx.53 any
    access-list 100 permit ip host xxx.xxx.xxx.54 any
    access-list 100 permit ip host xxx.xxx.xxx.55 any
    access-list 100 permit udp any host xxx.xxx.xxx.100 eq non500-isakmp
    access-list 100 permit udp any host xxx.xxx.xxx.100 eq isakmp
    access-list 100 permit esp any host xxx.xxx.xxx.100
    access-list 100 permit ahp any host xxx.xxx.xxx.100
    access-list 100 deny ip 80.0.0.0 0.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip host xxx.xxx.xxx.50 any
    access-list 101 permit ip host xxx.xxx.xxx.51 any
    access-list 101 permit ip host xxx.xxx.xxx.52 any
    access-list 101 permit ip host xxx.xxx.xxx.53 any
    access-list 101 permit ip host xxx.xxx.xxx.54 any
    access-list 101 permit ip host xxx.xxx.xxx.55 any
    access-list 101 permit udp any host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp any host 80.177.223.54 eq isakmp
    access-list 101 permit esp any host 80.177.223.54
    access-list 101 permit ahp any host 80.177.223.54
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq non500-isakmp
    access-list 101 permit udp host 82.0.98.178 host 80.177.223.54 eq isakmp
    access-list 101 permit esp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit ahp host 82.0.98.178 host 80.177.223.54
    access-list 101 permit udp host 158.152.1.43 eq domain host 80.177.223.54
    access-list 101 permit udp host 158.152.1.58 eq domain host 80.177.223.54
    access-list 101 deny ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 101 permit icmp any host 80.177.223.54 echo-reply
    access-list 101 permit icmp any host 80.177.223.54 time-exceeded
    access-list 101 permit icmp any host 80.177.223.54 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 101 remark IPSec Rule
    access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip any host xxx.xxx.xxx.50
    access-list 103 deny ip any host xxx.xxx.xxx.51
    access-list 103 deny ip any host xxx.xxx.xxx.52
    access-list 103 deny ip any host xxx.xxx.xxx.53
    access-list 103 deny ip any host xxx.xxx.xxx.54
    access-list 103 deny ip any host xxx.xxx.xxx.55
    access-list 103 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 remark VTY Access-class list
    access-list 105 remark SDM_ACL Category=1
    access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 any
    access-list 105 deny ip any any
    access-list 700 permit 0001.e694.aa0a 0000.0000.0000
    access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    transport preferred all
    transport output telnet
    line vty 0 4
    access-class 105 in
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    ntp server 130.88.203.12 prefer
    end
     
    James, Feb 20, 2006
    #5
  6. James

    Merv Guest

    I will take a detailed look at this later today.
     
    Merv, Feb 20, 2006
    #6
  7. James

    James Guest

    Thanks for your help on this. As I was investigating changing the link
    to the Dialer0{ATM0.1} instead of the BVI1 for the crypto map (as you
    suggested) I opened the current config for the BVI1 to see how it was
    setup and when I clicked OK I got this message:

    "Method list for group policy lookup contains methods not supported by
    Easy VPN Server" Continue: Yes/No.

    The policy is set as "default" but I can't find where this is
    configured so I don't know what "default" really means. Any pointers
    welcome on how to config the group policy lookup. This must be the
    main issue because my connection fails because no policy was selected.
     
    James, Feb 21, 2006
    #7
  8. James

    James Guest

    Just discovered that I might need a TACACS or RADIUS server/group.
    What on earth are these? Are they part of this router's config? Can't
    disable AAA as Easy VPN requires this.
     
    James, Feb 21, 2006
    #8
  9. James

    Merv Guest

    Just use aaa extended local authentication.

    see

    http://www.cisco.com/en/US/products...s_configuration_example09186a00801c4246.shtml


    !--- Enable Authentication, Authorizing and Accounting (AAA)
    !--- for user authentication and group authorization.

    aaa new-model

    !--- To enable X-Auth for user authentication,
    !--- enable the aaa authentication commands.

    aaa authentication login userauthen local


    !--- To enable group authorization,
    !--- enable the aaa authorization commands.

    aaa authorization network groupauthor local
     
    Merv, Feb 21, 2006
    #9
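As an added example (not part of the thread, and not the router's or Cisco's own code), the following Python script checks an IOS running-config for the two problems this thread converges on: the crypto map sitting on the inside bridge interface BVI1 instead of the outside interface Dialer0, so a remote client's IKE proposal never reaches the crypto map and the client only ever logs NO_PROPOSAL_CHOSEN (post #1), and `aaa authorization network default if-authenticated` being the list named for Easy VPN group lookup, which is what SDM's "methods not supported by Easy VPN Server" warning in post #7 refers to. The two embedded configs are constructed: one trimmed from the config James posted (with 192.0.2.100 standing in for the masked inside address), and one with both fixes applied, using the `userauthen` and `groupauthor` list names from the Cisco example Merv linked.

```python
import re
from dataclasses import dataclass

# Methods Easy VPN Server can use for X-Auth and group lookup; "group <name>"
# points at a RADIUS/TACACS+ server group and is counted as one method.
ALLOWED_METHODS = {"local", "radius", "tacacs+", "group"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface sub-lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line)
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def method_names(tokens):
    """'group radius local' -> ['group', 'local']: the server-group name is not a method."""
    names, skip = [], False
    for tok in tokens:
        if skip:
            skip = False
            continue
        names.append(tok)
        skip = tok == "group"
    return names


def check_list(role, name, lists):
    """Findings for one method list referenced by the crypto map."""
    if name not in lists:
        return [Finding("error", f"{role} list '{name}' is not defined by any aaa command")]
    bad = [m for m in lists[name] if m not in ALLOWED_METHODS]
    return [Finding("error", f"{role} list '{name}' uses method '{m}', "
                    f"which Easy VPN Server does not support") for m in bad]


def lint_easy_vpn(text):
    """Return a list of Findings for the Easy VPN parts of an IOS config."""
    glob, ifaces = parse_config(text)
    findings = []

    # 1. The crypto map must sit on the outside interface (the one with ip nat outside).
    with_map = {n for n, subs in ifaces.items() if any(s.startswith("crypto map ") for s in subs)}
    outside = {n for n, subs in ifaces.items() if "ip nat outside" in subs}
    if not with_map:
        findings.append(Finding("error", "no interface carries a crypto map"))
    for n in sorted(with_map - outside):
        findings.append(Finding("error", f"crypto map is applied on {n}, which is not the "
                                         f"outside interface; remote IKE proposals never reach "
                                         f"it (client sees NO_PROPOSAL_CHOSEN)"))

    # 2. Method lists named by the crypto map must exist and use supported methods.
    login, author = {}, {}
    for line in glob:
        if m := re.match(r"aaa authentication login (\S+) (.+)", line):
            login[m.group(1)] = method_names(m.group(2).split())
        elif m := re.match(r"aaa authorization network (\S+) (.+)", line):
            author[m.group(1)] = method_names(m.group(2).split())
    for line in glob:
        if m := re.match(r"crypto map \S+ client authentication list (\S+)", line):
            findings += check_list("client authentication", m.group(1), login)
        elif m := re.match(r"crypto map \S+ isakmp authorization list (\S+)", line):
            findings += check_list("isakmp authorization", m.group(1), author)
    return findings


# Constructed, trimmed version of the config James posted: crypto map on the
# inside bridge interface BVI1 and group authorization via if-authenticated.
AS_POSTED = """\
aaa new-model
aaa authentication login default local
aaa authorization network default if-authenticated
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Dialer0
 ip address 80.177.223.54 255.0.0.0
 ip nat outside
interface BVI1
 ip address 192.0.2.100 255.255.255.0
 ip nat inside
 crypto map SDM_CMAP_1
"""

# Constructed config after the thread's two fixes: crypto map moved to Dialer0,
# dedicated local method lists named as in the Cisco example Merv linked.
FIXED = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto map SDM_CMAP_1 client authentication list userauthen
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Dialer0
 ip address 80.177.223.54 255.0.0.0
 ip nat outside
 crypto map SDM_CMAP_1
interface BVI1
 ip address 192.0.2.100 255.255.255.0
 ip nat inside
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("after fixes", FIXED)):
        print(f"== {label} ==")
        for f in lint_easy_vpn(cfg) or [Finding("ok", "no Easy VPN problems found")]:
            print(f"[{f.severity}] {f.message}")
```

Run against the first config it reports the crypto map on BVI1 and the `if-authenticated` method in the `default` authorization list; against the second it reports nothing. The interface check keys on `ip nat outside` because that is how the posted config marks Dialer0 as the Internet-facing interface; on a router without NAT you would key on the interface holding the default route instead.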
  10. James

    James Guest

    Merv,
    I'm moving house at the moment plus have new router at home as last
    firmware upgrade blew it - that's Belkin for you. Once up and running
    again will try new settings and if no joy will start looking into
    having a Cisco router at home as well...
     
    James, Mar 6, 2006
    #10
