11

I'd be happy to post the config or logs for reference but I am having trouble getting my remote access VPN working on the same interface as my site to site IPSEC VPN. I am using a dynamic crypto map for the remote access vpn but it looks like it is failing trying to do phase one. Would anyone be able to give me a simple example config to work off of?

EDIT:

Here is a debug dump from it failing after implementing ISAKMP profiles per suggestion below. I am prompted for username and password but then it times out. It looks like the isakmp authorization is failing. Currently isakmp authorization is just set to the local user list. Does that appear to be the problem to you guys?

Jul 3 16:40:44.297: ISAKMP/aaa: unique id = 29277 Jul 3 16:40:44.297: ISAKMP:(0):Proposed key length does not match policy Jul 3 16:40:44.297: ISAKMP:(0):atts are not acceptable. Next payload is 3 Jul 3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel REMOTEACCESS pw request Jul 3 16:40:44.313: ISAKMP:(0):ISAKMP/tunnel: Tunnel REMOTEACCESS PW Request successfully sent to AAA Jul 3 16:40:44.317: ISAKMP:(0):ISAKMP/tunnel: received callback from AAA AAA/AUTHOR/IKE: Processing AV tunnel-password AAA/AUTHOR/IKE: Processing AV addr-pool AAA/AUTHOR/IKE: Processing AV inacl AAA/AUTHOR/IKE: Processing AV dns-servers AAA/AUTHOR/IKE: Processing AV wins-servers AAA/AUTHOR/IKE: Processing AV route-metric Jul 3 16:40:44.317: ISAKMP/tunnel: received tunnel atts Jul 3 16:40:44.341: ISAKMP AAA: Deleting old aaa_uid = 29277 Jul 3 16:40:44.341: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27 Jul 3 16:40:44.341: ISAKMP:(0):AAA: Nas Port ID set to 174.98.136.27. Jul 3 16:40:44.341: ISAKMP AAA: Allocated new aaa_uid = 29278 Jul 3 16:40:44.341: ISAKMP AAA: Accounting is not enabled Jul 3 16:40:48.337: ISAKMP AAA: NAS Port Id is already set to 174.98.136.27 Jul 3 16:40:48.337: ISAKMP/Authen: unique id = 29278 Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: setting up authen_request Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: Successfully sent authen info to AAA Jul 3 16:40:48.337: ISAKMP:(2110):AAA Authen: Local Authentication or no RADIUS atts recvd Jul 3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: setting up the authorization request for REMOTEACCESS Jul 3 16:40:48.349: ISAKMP:(0):ISAKMP/author: received callback from AAA AAA/AUTHOR/IKE: Processing AV tunnel-password AAA/AUTHOR/IKE: Processing AV addr-pool AAA/AUTHOR/IKE: Processing AV inacl AAA/AUTHOR/IKE: Processing AV dns-servers Jul 3 16:40:48.349: AAA/AUTHOR/IKE: no DNS addresses AAA/AUTHOR/IKE: Processing AV wins-servers Jul 3 16:40:48.349: AAA/AUTHOR/IKE: no WINS addresses AAA/AUTHOR/IKE: Processing AV route-metric Jul 3 16:40:48.349: ISAKMP:(2110):ISAKMP/author: No Class attributes Jul 3 16:40:48.349: ISAKMP:FSM error - Message from AAA grp/user.

I also see these errors when I do debug isakmp and ipsec errors and pull the logs:

Jul 3 16:32:33.949: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb Jul 3 16:32:57.557: ISAKMP:(0):Proposed key length does not match policy Jul 3 16:32:57.557: ISAKMP:(0):atts are not acceptable. Next payload is 3 Jul 3 16:33:00.637: ISAKMP:FSM error - Message from AAA grp/user.
Improve this question
5
  • 2
    What IOS major release are you running? Best to mention that and tag with cisco-ios-15 or whatever. Commented May 9, 2013 at 15:43
  • Have you been able to get either/both of these components to function properly independently? I'd start there, making sure the independent config for each is verified before combining them. Commented May 9, 2013 at 18:21
  • What do you mean by a Remote Access VLAN? I understand you are trying to configure and enable an IPSEC VPN by applying a crypto map to an interface, but that is a Remote Access VLAN? Commented May 9, 2013 at 18:50
  • Sorry, supposed to say VPN, I will fix it. I did have them both functioning but at this point only the site to site VPN is working. ISR is running 15.1 right now. Commented May 12, 2013 at 19:36
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can post and accept your own answer. Commented Jan 3, 2021 at 4:41

3 Answers 3

Reset to default
6

Taking a shot in the dark here because there are a lot of variables you didn't mention. Please update the question to include the specific technologies you are using, your currnet config, and the error you are getting. But if you are using for instance, DMVPN + EZVPN, you will probably have to use keyrings and multiple ISAKMP profiles. Since you point to phase 1 issues I would check that. The following links give reference configs for DMVPN and EZVPN and L2L+EZVPN. You should be able to modify to suit your needs.

Here's a ISAKMP Profile reference for some lunchtime reading.

Improve this answer
1
  • I've updated my original post with some of the logging that I see when it craps out. Where does it look like the breakdown is to you? Currently using isakmp profiles. Commented Jul 3, 2013 at 16:59
1

Without seeing what your setup is this example isn't going to be entirely accurate. However here is how I would configure Site A. Site B would be similar, minus the remote VPN pieces and reversing Site A and Site B pieces. Anything in brackets needs to be filled in with your own information.

Also, for this particular example, the remote VPN would be through the Cisco VPN Client and not the AnyConnect Client. ShrewSoft VPN Client also works.

ip local pool pool-remote-access 10.250.0.1 10.250.0.254 crypto logging ezvpn ! crypto isakmp policy 1 encr aes authentication pre-share group 2 crypto isakmp key <pre-shared-site-to-site-key-here> address <site-b-ip> no-xauth ! crypto isakmp client configuration group Remote-Users-Group key <pre-shared-key-for-vpn-users> dns <internal-domain-dns-ip> domain <internal-domain-fqdn> pool pool-remote-access acl acl-remote-access split-dns <internal-domain-fqdn> crypto isakmp profile Remote-Users-Profile description Remote VPN Clients match identity group Remote-Users-Group client authentication list <inset-aaa-group-for-remote-user-authentication> isakmp authorization list <inset-aaa-group-for-remote-user-authorization> client configuration address respond ! ! crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac crypto ipsec df-bit clear ! ! ! crypto dynamic-map dynamic-vpn-map 1 set transform-set esp-aes-sha set isakmp-profile Remote-Users-Profile reverse-route qos pre-classify ! ! crypto map vpn-map-all 1 ipsec-isakmp description VPN to Site-B set peer <site-b-IP> set transform-set esp-aes-sha match address acl-vpn-site-b crypto map vpn-map-all 65535 ipsec-isakmp dynamic dynamic-vpn-map ip access-list extended acl-remote-access permit ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255 ip access-list extended acl-vpn-site-b permit ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255 interface <outside-interface> crypto map vpn-map-all ! These ports need to be open on the outside interface ! permit udp any host <public-ip-of-outside-interface> eq non500-isakmp ! permit udp any host <public-ip-of-outside-interface> eq isakmp ! permit esp any host <public-ip-of-outside-interface> ! permit ahp any host <public-ip-of-outside-interface> ! !If doing NAT... need to block VPN-VPN connections from being NAT'd !The following is an example setup - not definitive ! ip access-list extended acl-block-vpn deny ip <site-a-subnet> 0.0.0.255 <site-b-subnet> 0.0.0.255 !Site-B deny ip <site-a-subnet> 0.0.0.255 10.250.0.0 0.0.0.255 !Remote users permit ip <site-a-subnet> 0.0.0.255 any route-map rm-block-vpn-on-nat permit 1 match ip address acl-block-vpn ip nat inside source route-map rm-block-vpn-on-nat interface <overloaded-interface> overload
Improve this answer
1
  • Thanks much, I will compare this to my config and see where the breakdown is. I think my config is probably mostly right but I definitely don't have the ACL entries in there so that may be my issue. Appreciate the response. Commented Jul 8, 2013 at 21:00
0

Here's another excellent resource for DMVPN:

https://nwktimes.blogspot.com/search/label/DMVPN

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.