Rejection of authentication: unspecified - Concentrator VPN with MS Radius
Please,
I'm trying to connect with Cisco VPN Client using MS Radius, but the message appears: rejection of authentication: unspecified.
I tried also to use the option [x] do not held pre-authentication, but don t work of cisco_vpn_msradius.pdf guide - troubleshooting.
VPN concentrator - Administration of the ping test is ok for the server Radius Ms.
I see the newspapers and the only other thing that appear is the error of payload.
Thank you very much
You can check that your group has PAP as authentication under the PPP attributes Protocol? So if you have newspapers of som on the event viewer on the windows box please share them here.
Tags: Cisco Security
Similar Questions
-
ASA SSL VPN with RSA authentication
All those implemented SSL VPN on a device of the ASA using remote Securid tokens? The technical sheets indicate native RSA can be used for authentication, but this works with SSL VPN?
Thank you
Try this link
http://www.Cisco.com/en/us/products/ps6120/prod_release_note09186a0080688004.html
-
question links to site 2 site VPN with authentication cert
Currently we are accumulate tunnel site-2-site VPN with our client. Usually we use pre-shared key as authentication with other customers without any problems, but it must use authentication cert with her this time. But the question is that our CA is different from theirs. I tried a few times, but he failed. Is it someone please let me know that he must have the certificate issued by the same certification authority to create the VPN tunnel?
Thank you very much!
Hello
You can read this document to get a simple example of setting up a VPN S2S using certificates on an ASA:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Basically the sides must have the same certification authority and If there is an intermediate certificate that must be installed also. The ASA 2 will generate a CSR (certificate access code request), now then PKI will create a certificate for both parties, commonly called "certificate of identity".
Please pass a note and mark as he corrected the post helpful!
David Castro,
Kind regards
-
VPN with AD authentication fails Error 691
Hello
I have configured my asa 5510 use AD for authentication of the vpn users. Although I am using l2tp ipsec I used the following document as a line manager https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml#prereq
. When testing within the ASDM AD connection is successful.
. When you try to connect with a microsoft vpn client I get error 691: the remote connection was denied because the user name and password combination, you have provided is not recognized or the selected authentication protocol is not permitted on the remote access server. On the vpn client, I have only active MSCHAPv2 and I require encryption.
. When debugging ldap 255 running I get the following output
[26] starting a session
[26] new application Session, framework 0xd8760198, reqType = authentication
[26] the fiber began
[26] Failed: the user name or password is empty
[26] output fiber Tx = 0 bytes Rx = 0 bytes, status =-3
[26] end of sessionBefore you configure my conncetion VPN profile to use AD, I was able to connect using the LOCAL users. When connected to the vpn, there is no access to the network.
Here is the output of conf, see the
name of host host1
Select r2.d52YOdvbTM6/l encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Ethernet0/0
nameif outside
security-level 0
IP 100.100.100.178 255.255.255.240 watch 100.100.100.179
!
interface Ethernet0/1
nameif Inside_1
security-level 60
IP 20.20.20.2 255.255.255.0 watch 20.20.20.3
!
interface Ethernet0/2
nameif Inside_2
security-level 90
IP 30.30.30.2 255.255.255.0 watch 30.30.30.3
!
interface Ethernet0/3
nameif DMZ
security-level 30
IP 10.10.3.2 255.255.255.0 watch 10.10.3.3
!
interface Management0/0
Failover LAN Interface Description
!
passive FTP mode
clock timezone THATS 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
Standard access list DefaultRAGroup_splitTunnelAcl allow 20.20.20.0 255.255.255.0
20.20.20.0 IP Access-list extended sheep 255.255.255.0 allow 10.0.5.0 255.255.255.0
pager lines 24
asdm of logging of information
Outside 1500 MTU
MTU 1500 Inside_1
MTU 1500 Inside_2
MTU 1500 DMZ
IP local pool clientVPNpool 10.0.5.10 - 10.0.5.150 mask 255.255.255.0
failover
secondary failover lan unit
failover lan interface failoverlink Management0/0
failover interface ip failoverlink 90.0.0.2 255.255.255.0 ensures 90.0.0.3
ICMP unreachable rate-limit 1 burst-size 1
don't allow no asdm history
ARP timeout 14400
Global (1 interface external)
NAT 0 access-list sheep (Inside_1)
NAT (Inside_1) 1 0.0.0.0 0.0.0.0
Route outside 0.0.0.0 0.0.0.0 100.100.100.177 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server ActiveDirectory ldap Protocol
AAA-Server Active Directory (Inside_1) 20.20.20.24
LDAP-base-dn OU = ouname, DC = domain_name, DC = local
LDAP-scope subtree
LDAP-naming-attribute sAMAccountName
LDAP-login-password *.
LDAP-connection-dn CN = cisco, OU = Service accounts, OR = ouname, DC = domain_name, DC = local
microsoft server type
the ssh LOCAL console AAA authentication
Enable http server
http 20.20.20.0 255.255.255.0 Inside_1
http 30.30.30.0 255.255.255.0 Inside_2
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set transport mode ESP-AES-256-SHA
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA mode transit
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
card crypto Outside_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 20
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400
Crypto isakmp nat-traversal 30
Telnet timeout 5
SSH 20.20.20.0 255.255.255.0 Inside_1
SSH 30.30.30.0 255.255.255.0 Inside_2
SSH timeout 5
Console timeout 0
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
WebVPN
allow outside
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of 20.20.20.24 DNS server 30.30.30.35
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list DefaultRAGroup_splitTunnelAcl
by default-field value NomDomaine.local
username password test DLaUiAX3l78qgoB5c7iVNw is encrypted nt
VPNtest2 password pXVGjB7BA7pQ4yNcDbuXkw user name is nt encrypted
attributes global-tunnel-group DefaultRAGroup
address clientVPNpool pool
ActiveDirectory authentication-server-group
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
No chap authentication
ms-chap-v2 authentication
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the pptp
World-Policy policy-map
class inspection_default
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:756efffc44ac8f81f4f377567174c15f
: endHmmm what DPI only on ASA setting and customer?
It is obviously one of the possibilities.
-
concentrator 3000 2 lan lan VPN with NAT
I need to configure a vpn lan-2lan between 2 3030 concentrators (separate companies) on the Internet. My company assigns a small subnet for hosts sitting on the client network. The customer wants to use their own IP subnet and assign IP addresses within their range. So, they do static NAT on their hub. Is this possible? Or have they NAT s pc before arriving to the hub? Any help much appreciated.
Hello
Concentrator VPN supports the NAT.
HTH
Kind regards
GE.
-
Concentrator VPN 3020 - wait of disconnection from the user before extinction
Dear Forum community!
We have a 3020 Cisco Concentrator VPN Balancing cluster configured, the device on main site with top priority. We would like to stop the master device due to short maintenance.
I wonder if there is an option in GUI of VPN concentrator, waiting for all active sessions for volunteers end before the start/stop. Does anyone have experience on this feature?
There are still about 80-100 remote user access VPN online and don't want to break the connections of these users with a simple poweroff.
Thank you and BR
Belabacsi
Budapest, Hungary
I just wanted to clarify two things.
I always save my configuration file before restarting. That's why I restart without saving the changes. I think that my wording could mislead.
If you need your customers to be re - authenticate the VPN session after a period of time, for example 10 hours, the VPN session will be moved to another Member of the cluster when the session is authenticated again. Each client must re-establish the VPN session on another hub in the cluster. If you do not use this feature, you will need to wait until each of them ends its VPN session.
-
I use a Windows Vista Home Edition on a laptop. The system connects to the Internet through a cellular router EDGE (via Ethernet) and receives the data by linking receiver DVB - S2 satellite broadband connected via a USB interface. The connection is through a VPN. Windows Vista loses the symbol of the "blue planet", as soon as the VPN connects. Authentication and connectivity is OK. DNS also works OK by the way VPN, with pointing to the VPN IP address 0.0.0.0. The diagnosis indicates an error where Vista says that she finds multiple active dial connections. Y at - it a configuration option that allows me to bind the interface transmission (VPN) with return channel satellite? The same software and configuration under Windows XP SP3 works OK.
Thanks in advance for your advice.
Hello
Your question of Windows 7 is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro TechNet public. Please post your question in the Technet Forum. You can follow the link to your question:
http://social.technet.Microsoft.com/forums/en-us/category/w7itproYou can also check the links below for assistance.
http://TechNet.Microsoft.com/en-us/library/cc728078 (WS.10) .aspx
http://TechNet.Microsoft.com/en-us/library/cc737767 (WS.10) .aspx
Hope that helps.
-
We have Concentrator VPN 3030 with software version 4.7.2.J. We use to manage graphical interface using HTTPS access. The problem, now, is that we are not in a position of HTTPS (on the private interface) to manage the hub by GUI. However, the device can be telneted to port 443 and is also accessible by telnet. We have also restarted the unit twice.
Is this some sort of BUG or something misconfigured?
Here is some information for you on this issue. I think you have to re - generate the certificate on the hub. HTH
-
Network Concentrator VPN access.
We have a 3000 Concentrator and is configured with a remote vpn on it. All inside network is allowed once a connceted to the vpn user. It is quite behind firewalls. I can access an external IP.
But I can't log in to the vpn from the inside network. I can ping the public interface; but when I try to log in from the client, the server report displays no records to my IP.
Why can't I connect from the inside?
Thank you
= Internal network = Concentrator VPN = FW = off-grid
Why try you to VPN from the inside? The purpose of the VPN is to encrypt the traffic between your PC over the internet to the VPN concentrator, once traffic arrives to your VPN concentrator, it is decrypted, and he'll be in the clear to your internal network.
So, what's the purpose of attempting to connect from the network Cabinet?
The reason why it does not work is because of the delivery. You are on the internal network, while traffic will exit to the firewall and return by the same firewall to connect to the public interface of the VPN concentrator, which is why it does not work and if the goal is access to the internal network, you are already inside the network which complicates things as your ip pool must then be routed to the inside.
Hope that makes sense.
-
IPSEC VPN with Dynamics to dynamic IP
Hello
I tried IPSEC VPN with dynamic IP to dynamic (router to router) for some time. But still can not auto-établir the tunnel.
Is someone can you please tell me if it is possible to do?
If so, please share with me the secret to do work.
Thank you!
Best regards
Rather than the Crypto map, I would use the profile of Crypto. Then, establish you an IPSEC tunnel. The beauty of the profile, is that you can run through it routing protocols, and you do not have to change constantly the cards whenever you change the topology of the network. The "* * *" in the timer event is "minute hour day week month" so "* * *" is updated every minute. In Tunnel destination, it's an IP address, not a hostname that is stored, but when you set it, you can put in a HOST name and it converts to the moment where you configure it to an IP address.
So, if you type:
config t
interface tunnel100
destination remote.dyndns.com tunneloutput
See the race int tunnel100
It shows:
interface Tunnel100
tunnel destination 75.67.43.79That's why the event handler goes and becomes the destination of tunnel every minute what ever the DDNS says that is the new IP address.
I have seen that two of your routers running DDNS. They will have to do this.
Local router:
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of remote.dyndns.org
IP 10.254.220.10 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 75.67.43.79
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profileIP route 192.168.2.0 255.255.255.0 10.254.220.9
Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination remote.dyndns.org tunnel".
!--------
Remote router:
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
ISAKMP crypto key XXXXXXX address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set ESP-AES-SHA esp - aes 256 esp-sha-hmac
!
Profile of crypto ipsec CRYPTOPROFILE
game of transformation-ESP-AES-SHA
!
interface Tunnel100
Description of local.dyndns.org
IP 10.254.220.9 255.255.255.252
IP virtual-reassembly
IP tcp adjust-mss 1400
source of Dialer0 tunnel
tunnel destination 93.219.58.191
ipv4 ipsec tunnel mode
Tunnel CRYPTOPROFILE ipsec protection profileIP route 192.168.1.0 255.255.255.0 10.254.220.10
Change-tunnel-dest applet event handler
cron-event entry timer cron name "CHRON" * * *"
command action 1.0 cli 'enable '.
action 1.1 cli command "configures terminal.
Action 1.2 command cli "interface tunnel100".
Action 1.3 cli command "destination local.dyndns.org tunnel".Thank you
Bert
-
I recently bought an ASA5520, and begins to migrate my VPN tunnels to a concentrator 3005 with the SAA. I noticed, it doesn't seem to be a way to monitor the tunnel by NAME, like on the hub connections. It does not display the active tunnels by IP address, but I will soon more than 200 tunnels. I would like to see a 'name' rather than an IP address when I followed him. Any ideas of how this could be achieved?
Try using the command "name". The 'name' command associates a name to an IP address. See the following page for more information on the command "name".
http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/no_711.htm#wp1645754
-
Remote access VPN with ASA 5510 by using the DHCP server
Hello
Can someone please share your knowledge to help me find out why I'm not able to receive an IP address on the remote access VPN connection so that I can get an IP local pool DHCP?
I'm trying to set up remote access VPN with ASA 5510. It works with dhcp local pool but does not seem to work when I tried to use an existing DHCP server. It is tested in an internal network as follows:
!
ASA Version 8.2 (5)
!
interface Ethernet0/1
nameif inside
security-level 100
IP 10.6.0.12 255.255.254.0
!
IP local pool testpool 10.6.240.150 - 10.6.240.159 a mask of 255.255.248.0. (worked with it)
!
Route inside 0.0.0.0 0.0.0.0 10.6.0.1 1
!
Crypto ipsec transform-set esp-3des esp-md5-hmac FirstSet
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic dyn1 1jeu transform-set FirstSet
dynamic mymap 1 dyn1 ipsec-isakmp crypto map
mymap map crypto inside interface
crypto ISAKMP allow inside
crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 43200
!
VPN-addr-assign aaa
VPN-addr-assign dhcp
!
internal group testgroup strategy
testgroup group policy attributes
DHCP-network-scope 10.6.192.1
enable IPSec-udp
IPSec-udp-port 10000
!
username testlay password * encrypted
!
tunnel-group testgroup type remote access
tunnel-group testgroup General attributes
strategy-group-by default testgroup
DHCP-server 10.6.20.3
testgroup group tunnel ipsec-attributes
pre-shared key *.
!
I got following output when I test connect to the ASA with Cisco VPN client 5.0
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: (4) SA (1) + KE + NUNCIO (10) + ID (5), HDR + VENDO
4024 bytesR copied in 3,41 0 seconds (1341 by(tes/sec) 13) of the SELLER (13) seller (13) + the SELLER (13), as well as the SELLER (13) ++ (0) NONE total length: 853
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, processing ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ISA_KE
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, nonce payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing ID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received xauth V6 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, DPD received VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received Fragmentation VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, received NAT-Traversal worm 02 VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, connection landed on tunnel_group testgroup
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA payload processing
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, IKE SA proposal # 1, turn # 9 entry overall IKE acceptable matches # 1
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build the payloads of ISAKMP security
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building ke payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building nonce payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, Generating keys for answering machine...
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of payload ID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of Cisco Unity VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing payload V6 VID xauth
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, building dpd vid payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, constructing the payload of the NAT-Traversal VID ver 02
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, NAT-discovery payload construction
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, construction of Fragmentation VID + load useful functionality
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 0) with payloads: HDR SA (1) KE (4) NUNCIO (10) + ID (5) + HASH (8) + SELLER (13) + the SELLER (13) + the SELLER (13) + the SELLER (13) NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) total length: 440
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 0) with payloads: HDR + HASH (8) + NOTIFY (11) + NAT - D (130) + NAT - D (130) of the SELLER (13) + the seller (13) + NONE (0) overall length: 168
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash for ISAKMP
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload NAT-discovery of treatment
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, calculation of hash discovered NAT
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, useful treatment IOS/PIX Vendor ID (version: 1.0.0 capabilities: 00000408)
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, payload processing VID
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, the customer has received Cisco Unity VID
Jan 16 15:39:21 [IKEv1]: Group = testgroup, I
[OK]
KenS-mgmt-012 # P = 10.15.200.108, status of automatic NAT detection: remote end is NOT behind a NAT device this end is NOT behind a NAT device
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:21 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:21 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 72
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = d4ca48e4) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 87
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, IP = 10.15.200.108, transformation MODE_CFG response attributes.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: primary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: secondary DNS = authorized
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized primary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: = authorized secondary WINS
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Compression IP = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: Split Tunneling political = disabled
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: setting Proxy browser = no - modify
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKEGetUserAttributes: browser Local Proxy bypass = disable
Jan 16 15:39:26 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, (testlay) the authenticated user.
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 64
Jan 16 15:39:26 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 6b1b471) with payloads: HDR + HASH (8) + ATTR (14) + NONE (0) overall length: 60
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:26 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cfg ACK processing attributes
Jan 16 15:39:27 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = 49ae1bb8) with payloads: HDR + HASH (8) + ATTR (14) + (0) NONE total length: 182
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, process_attr(): enter!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, treatment cfg request attributes
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 address!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the IPV4 network mask!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for DNS server address.
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the address of the WINS server.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, transaction mode attribute unhandled received: 5
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the banner!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting save PW!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: receipt of request for default domain name!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for Split-Tunnel list!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for split DNS!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for PFS setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Proxy Client browser setting!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the list of backup peer ip - sec!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for setting disconnect from the Client Smartcard Removal!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the Version of the Application.
Jan 16 15:39:27 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, Type of Client: Windows NT Client Application Version: 5.0.07.0440
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for FWTYPE!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: request received for the DHCP for DDNS hostname is: DEC20128!
Jan 16 15:39:27 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, MODE_CFG: application received for the UDP Port!
Jan 16 15:39:32 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:37 [IKEv1]: IP = 10.15.200.108, IKE_DECODE RECEIPT Message (msgid = b04e830f) with payloads: HDR + HASH (8) + NOTIFY (11) + (0) NONE total length: 84
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing hash payload
Jan 16 15:39:37 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, processing notify payload
Jan 16 15:39:37 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, in double Phase 2 detected packets. No last packet retransmit.
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE has received the response from type [] at the request of the utility of IP address
Jan 16 15:39:39 [IKEv1]: Group = testgroup, Username = testlay, IP = 10.15.200.108, cannot get an IP address for the remote peer
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE TM V6 WSF (struct & 0xd8030048)
, : TM_DONE, EV_ERROR--> TM_BLD_REPLY, EV_IP_FAIL--> TM_BLD_REPLY NullEvent--> TM_BLD_REPLY, EV_GET_IP--> TM_BLD_REPLY, EV_NEED_IP--> TM_WAIT_REQ, EV_PROC_MSG--> TM_WAIT_REQ, EV_HASH_OK--> TM_WAIT_REQ, NullEvent Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, case of mistaken IKE AM Responder WSF (struct & 0xd82b6740)
, : AM_DONE, EV_ERROR--> AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL--> AM_TM_INIT_MODECFG_V6H NullEvent--> AM_TM_INIT_MODECFG, EV_WAIT--> AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG--> AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK--> AM_TM_INIT_XAUTH_V6H NullEvent--> AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, IKE SA AM:bd3a9a4b ending: 0x0945c001, refcnt flags 0, tuncnt 0
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, sending clear/delete with the message of reason
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, empty building hash payload
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, constructing the payload to delete IKE
Jan 16 15:39:39 [IKEv1 DEBUG]: Group = testgroup, Username = testlay, IP = 10.15.200.108, build payloads of hash qm
Jan 16 15:39:39 [IKEv1]: IP = 10.15.200.108, IKE_DECODE SEND Message (msgid = 9de30522) with payloads: HDR HASH (8) + DELETE (12) + (0) NONE total length: 80
Kind regards
Lay
For the RADIUS, you need a definition of server-aaa:
Protocol AAA - NPS RADIUS server RADIUS
AAA-server RADIUS NPS (inside) host 10.10.18.12
key *.
authentication port 1812
accounting-port 1813
and tell your tunnel-group for this server:
General-attributes of VPN Tunnel-group
Group-NPS LOCAL RADIUS authentication server
--
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni -
I have a very simple deal put in place and wanted to similate a vpn with a site on the dhcp address.
R1 - R2 = R3 - R4.
R2 with static IP and R3 is supposed to be with DHCP. The underlying routing works very well. But when I apply cryptography to routers, it stops working.
When I got a ping from R1 to R4, R2 is decryption, but when I ping from R1 to R4, R2 is not encrypt.
Thank you.
===============
Chantal of R2
!
R2 #sh run
hostname R2
!!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto cisco123 key address 0.0.0.0 0.0.0.0 no.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
match address 150
!
!
map statmap 65000-isakmp ipsec crypto dynamic dynmap
!
!
!
!
interface FastEthernet0/0
1.1.12.2 IP address 255.255.255.0
automatic duplex
automatic speed
!
interface FastEthernet1/0
IP 1.1.23.2 255.255.255.0
automatic duplex
automatic speed
statmap card crypto
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.3
!
!
access-list 150 permit icmp 1.1.12.1 host 1.1.34.4
access-list 150 permit ip host 1.1.12.1 1.1.34.4
!
===============R3 racing
R3 #sh run
!
hostname R3
!
!
crypto ISAKMP policy 10
BA aes
md5 hash
preshared authentication
Group 2
ISAKMP crypto key cisco123 address 1.1.23.2 No.-xauth
!
!
Crypto ipsec transform-set RIGHT aes - esp esp-md5-hmac
!
MYmap 10 ipsec-isakmp crypto map
defined by peer 1.1.23.2
Set transform-set RIGHT
match address 150
!
!
!
!
interface FastEthernet0/0
IP 1.1.23.3 255.255.255.0
automatic duplex
automatic speed
crypto mymap map
!
interface FastEthernet1/0
IP 1.1.34.3 255.255.255.0
automatic duplex
automatic speed
!
no ip address of the http server
no ip http secure server
IP classless
IP route 0.0.0.0 0.0.0.0 1.1.23.2
!
!
access-list 150 permit ip host 1.1.34.4 1.1.12.1
access-list 150 permit icmp 1.1.34.4 host 1.1.12.1
!
endFor dynamic to static IPSec site to site VPN, you can only come from the dynamic end VPN tunnel.
In your topology, you can only start the VPN of R4 to R1, and once the VPN tunnel is established, you will be able to pass traffic in both directions, that is to say: R4 R1 and R1 to R4.
The reason why you cannot start the tunnel VPN of R1 to R4 is the static end won't know which IP address to connect to the VPN too since DHCP is.
If however, you want to say that even after the opening of the tunnel VPN of R4 to R1, still cannot you ping from R1 to R4, then it's probably a config problem.
Please kindly share the complete configuration of all 4 routers, as well as the output of "show the isa cry his ' and ' show cry ipsec his" of R2 and R3 after the test.
-
Hello
I am trying to set up a VPN between a VLAN I have defined and another office. I have been using nat on the interface for internet access with a NAT pool.
I created the VPN with crypto card and the VPN is successfully registered.
The problem I encounter is that with NAT is enabled, internet access is working but I can ping through the VPN.
If I disable NAT, VPN works perfectly, but then him VLAN cannot access the internet.
What should I do differently?
Here is the config:
Feature: 2911 with security package
Local network: 10.10.104.0/24
Remote network: 192.168.1.0/24
Public beach: 65.49.46.68/28
crypto ISAKMP policy 104
BA 3des
preshared authentication
Group 2
lifetime 28800
ISAKMP crypto key REDACTED address 75.76.102.50
Crypto ipsec transform-set esp-3des esp-sha-hmac strongsha
OFFICE 104 ipsec-isakmp crypto map
defined by peer 75.76.102.50
Set transform-set strongsha
match address 104
interface GigabitEthernet0/0
IP 65.49.46.68 255.255.255.240
penetration of the IP stream
NAT outside IP
IP virtual-reassembly
full duplex
Speed 100
standby mode 0 ip 65.49.46.70
0 6 2 sleep timers
standby 0 preempt
card crypto OFFICE WAN redundancy
interface GigabitEthernet0/2.104
encapsulation dot1Q 104
IP 10.10.104.254 255.255.255.0
IP nat pool wan_access 65.49.46.70 65.49.46.70 prefix length 28
overload of IP nat inside source list 99 pool wan_access
access-list 99 permit 10.10.104.0 0.0.0.255
access-list 104. allow ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104. allow ip 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
access-list 104 allow icmp 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 allow icmp 192.168.1.0 0.0.0.255 10.10.104.0 0.0.0.255
ISAKMP crypto #sh her
IPv4 Crypto ISAKMP Security Association
DST CBC conn-State id
65.49.46.70 75.76.102.50 QM_IDLE 1299 ACTIVE
Hello!
Please, make these changes:
extended Internet-NAT IP access list
deny ip 10.10.104.0 0.0.0.255 192.168.1.0 0.0.0.255
IP 10.10.104.0 allow 0.0.0.255 any
IP nat inside source list Internet-NAT pool access-wan overload
* Please do not remove the old NAT instance until you add that above.
Please hold me.
Thank you!
Sent by Cisco Support technique Android app
-
How to create vpn with vista home premium on basis of vpn xp settings?
I can connect to the vpn with xp machine, but when I try to imitate xp setting with machine to vista Home premium I can't connect to the same vpn. What do you suggest me?
How to create a vpn connection in Vista: http://techrepublic.com.com/2346-1035_11-61437-1.html?tag=content;leftCol. NOTE: I don't know what you mean "based" vpn xp settings, but you will have to do the best you can with the options and settings available in Vista (that I n "' t know how they compare to XP, but I hope that you will be able to do so because).
Here is another article on the procedure: http://www.publicvpn.com/support/Vista.php.
Here is an article on how configure a VPN with an ISP in Vista: http://www.web-articles.info/e/a/title/How-to-create-a-VPN-connection-over-your-ISP-connection/.
Here is an article with a number of different other items all on vpn in Vista (I don't know exactly what type of configuration you "AVIC - as a host, as a customer, on what type of connection,--but this article covers many different aspects and I hope that at least a couple will be a help for you: http://compnetworking.about.com/od/vpnsetup/VPN_Setup_How_to_Set_Up_a_VPN.htm.)
I hope this helps.
Good luck!
Lorien - MCSA/MCSE/network + / has + - if this post solves your problem, please click the 'Mark as answer' or 'Useful' button at the top of this message. Marking a post as answer, or relatively useful, you help others find the answer more quickly.
Maybe you are looking for
-
Hi guyzz. Actually I want to buy this laptop but I could not found this notebook PC series HP Pavilion 15-bc021tx I am in India, so I found this laptop
-
I'm trying to export contacts as vcards icloud. However, after that select the contacts and click on "Export as vcards" nothing happens. Why? I tried this using edge and chrome and I run Windows 10
-
Is it possible to set the axis prior to 'spin' on a form or a sub-channel
After clicking on a shape or subcircuit in mode 2D structure of EM, there are "rotation" and "flip" command in the context menu. Is there a way to enter precisely into the axis to the plane of rotation and symmetry to overthrow?
-
Dear, My system is equipped with windows 7 Professional, that I am not able to install my "Hp LaserJet p1008" printor thereon. Maybe the compitablity questions. Please notify. If I run the driver, but it fails. Concerning Khurshid Original title: pro
-
I have windows 7 on my new laptop, and I think that the waqs of purchase for Windows XP or Vista