
VPN error

dtk3 (MIS, CA), Feb 24, 2004
Hello. I have Cisco VPN client 4.0.3 on a Win XP machine. I have configured the client and try connecting but receive the following error:

Secure VPN Connection terminated locally by the Client. Reason 412: The remote peer is no longer responding.

Our router is a 3640 and was recently upgraded to version 12.2(13)T14 to handle the VPN connections.

What does this error mean? Is there a setting I need to change on the router config? (I have done very little router configuring before and never anything to do with VPNs). Originally we had someone come in to do the router upgrade and VPN configuration but it still doesn't work, and the consultant we had come in isn't being very helpful.

Any help is appreciated.

Thanks.
Cheers
DTK3
 
Unfortunately the error is a generic BS error with no explanation. What you are going to need to do is look at the logs on the client side to see what is happening.

Here are some URLs that you might find helpful:


Here is one that outlines the configuration of an IOS router and the VPN client:



"For every complex problem, there is a solution that is simple, neat and wrong" -- H.L. Mencken
 
Try this.

Click on "Modify" to change the group settings and then click on the Transport tab. Under the Transport tab you will see a check box that should be checked, labeled "Enable Transparent Tunneling". Under that you should see two selections, one for TCP and the other for UDP. Depending on which one is selected, choose the other. If you select TCP, make sure it's port 10000. This should correct the problem if it resides on the client side. Also make sure the firewall is not blocking it. Hope this helps.
 
Hello. Where and how do I check if the firewall is blocking VPN client connections?

Cheers
DTK3
 
Hi dtk3,

I am having VPN nightmares myself. I have attached a config I have running in a 1760 router acting as a VPN server. I am trying to set up a VPN connection using the same client and OS as you are.

The reason that you are getting the error messages (I have debugged ISAKMP on the router while a connection is taking place) is that the client and server are not agreeing on security policies.

If you use the config below this will help you establish a connection; however, my problem at the moment is that once I have a connection, I cannot pass traffic over it. I think this is due to the client not encrypting packets. The client is being given an IP address from the dynamic pool but that's about it.


version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5
enable password 7
!
username <any username> password 7 <any password>
! this is what you will be asked for at authentication once the security negotiation is confirmed

aaa new-model

aaa authentication login userauthen local
aaa authorization network nclset local
aaa session-id common

ip subnet-zero
no ip source-route

ip name-server <Primary DNS server IP>
ip name-server <Secondary DNS server IP>
ip cef
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name standard cuseeme
ip inspect name standard ftp
ip inspect name standard h323
ip inspect name standard http
ip inspect name standard rcmd
ip inspect name standard realaudio
ip inspect name standard smtp
ip inspect name standard sqlnet
ip inspect name standard streamworks
ip inspect name standard tcp
ip inspect name standard tftp
ip inspect name standard udp
ip inspect name standard vdolive
ip inspect name standard icmp
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir


crypto isakmp policy 20
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
! above are the ISAKMP policies that the client and server will agree upon and must match the transform set below
! note that the default encryption is des and does not appear

crypto isakmp nat keepalive 20

crypto isakmp client configuration group <enter Name for group authentication>
key <enter password for authentication>
pool nclvpn
! defines the dynamic pool - see below

crypto ipsec transform-set nclset esp-des esp-md5-hmac
crypto ipsec transform-set nclvpn esp-des esp-md5-hmac

crypto dynamic-map dynmap 1
set transform-set nclset

crypto map nclvpn client authentication list userauthen
crypto map nclvpn isakmp authorization list nclset
crypto map nclvpn client configuration address respond
crypto map nclvpn 20 ipsec-isakmp dynamic dynmap

interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode auto

interface FastEthernet0/0
description LAN Port
ip address 192.168.42.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect standard in
ip inspect DEFAULT100 out
! this is CBAC, which is a form of firewall: it inspects and monitors packets originating from the trusted LAN and allows return packets to pass through the ACLs
ip route-cache flow
speed auto
full-duplex
no cdp enable

interface Ethernet1/0
description DMZ Port
ip address 192.168.43.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
full-duplex
no cdp enable

interface Virtual-Template1
no ip address

interface Dialer0
no ip address
no cdp enable

interface Dialer1
description ADSL Internet Port
ip address <your public IP address> <Public IP Mask>
ip access-group 127 in
ip nat outside
encapsulation ppp
no ip route-cache same-interface
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <ISP hostname>
ppp chap password 7 <ISP password>
crypto map nclvpn

router rip
network 192.100.42.0
network 192.168.42.0
network 192.168.43.0

ip local pool nclvpn 192.168.42.100 192.168.42.110
! pool of addresses allocated to VPN clients
ip nat pool outsidepool <public IP> <public IP> netmask <public netmask>
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.100.42.0 255.255.255.0 192.168.42.7
ip http server
ip http authentication local
no ip http secure-server

access-list 101 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 permit ip 192.168.43.0 0.0.0.255 any
access-list 101 deny ip any any
! NAT ACL permitting traffic from the local LANs to reach any destination

access-list 122 remark SDM_ACL Category=17
access-list 122 deny ip 192.168.42.0 0.0.0.255 any
access-list 122 permit icmp any host <public IP> echo-reply
access-list 122 permit icmp any host <public IP> time-exceeded
access-list 122 permit icmp any host <public IP> unreachable
access-list 122 deny ip 10.0.0.0 0.255.255.255 any
access-list 122 deny ip 172.16.0.0 0.15.255.255 any
access-list 122 deny ip 192.168.0.0 0.0.255.255 any
access-list 122 deny ip 127.0.0.0 0.255.255.255 any
access-list 122 deny ip host 255.255.255.255 any
access-list 122 deny ip host 0.0.0.0 any
access-list 122 permit tcp any any eq smtp
access-list 122 permit icmp any any
access-list 122 deny ip any any
! CBAC ACL

access-list 127 remark DIALER1 ACL
access-list 127 permit tcp any any eq telnet
access-list 127 permit tcp any any eq smtp
access-list 127 permit esp any any
access-list 127 permit udp any any eq isakmp
access-list 127 permit udp any any eq non500-isakmp
access-list 127 permit icmp any any
access-list 127 deny ip any any
! Dialer1 ACL - note that esp is permitted for IPsec, and ISAKMP udp ports 500 and 4500 are permitted

dialer-list 1 protocol ip permit


I hope the above helps you on your way and if you suss out how to get traffic going across it, please give me a shout!!!!!

Have fun

Jim (almost CCNA)


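The two things the earlier replies point at (the firewall in front of UDP 500/4500 and ESP, and the client and router "not agreeing on security policies") and the posted router config can all be checked statically. The script below is an added example, written for this page; it is not Jim's code and not part of the original thread. It parses a constructed IOS fragment modelled on the 1760 config above and reports three things a reviewer would look at first: whether the inbound ACL on the crypto-map interface permits ESP, UDP/500 (isakmp) and UDP/4500 (non500-isakmp); whether the ISAKMP policy and transform sets negotiate DES, MD5 or DH group 2 (with no "encryption" line IOS defaults to DES, as the config comment notes); and whether the client pool lies inside a connected LAN subnet on an interface that has "no ip proxy-arp", which is the case for 192.168.42.100-110 on FastEthernet0/0 in the posted config and is worth testing with a sniffer on the LAN side before blaming the client. The sample fragment deliberately leaves out the non500-isakmp permit so that the first check has something to report; names such as nclvpn, nclset and Dialer1 are reused from the posted config only as sample values.

```python
"""Static checks on an IOS Easy VPN server config (the peer of the Cisco VPN Client)."""
import ipaddress
import re

# Constructed sample modelled on the 1760 config posted above (not the poster's text);
# "permit udp any any eq non500-isakmp" is left out on purpose so the ACL check fires.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 hash md5
 group 2
crypto ipsec transform-set nclset esp-des esp-md5-hmac
interface FastEthernet0/0
 ip address 192.168.42.1 255.255.255.0
 no ip proxy-arp
interface Dialer1
 ip access-group 127 in
 crypto map nclvpn
ip local pool nclvpn 192.168.42.100 192.168.42.110
access-list 127 permit esp any any
access-list 127 permit udp any any eq isakmp
access-list 127 deny ip any any
"""


def parse_blocks(cfg):
    """Return (top_level_lines, {block_header: [sub_commands indented under it]})."""
    top, blocks, current = [], {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def missing_ipsec_permits(cfg):
    """IKE/ESP flows the inbound ACL on the crypto-map interface does not permit.
    That ACL sees the still-encrypted packet, so ESP, UDP/500 and UDP/4500 must be
    allowed or phase 1 never completes and the client just times out (error 412)."""
    top, blocks = parse_blocks(cfg)
    outside = next(h for h, b in blocks.items() if h.startswith("interface ")
                   and any(s.startswith("crypto map ") for s in b))
    acl = None
    for sub in blocks[outside]:
        m = re.match(r"ip access-group (\S+) in$", sub)
        acl = m.group(1) if m else acl
    if acl is None:
        return []  # nothing filters inbound traffic on that interface
    permits = [t for t in top if t.startswith(f"access-list {acl} permit ")]
    needed = {
        "esp": r"permit esp ",
        "udp/500 (isakmp)": r"permit udp .* eq (isakmp|500)$",
        "udp/4500 (non500-isakmp, NAT-T)": r"permit udp .* eq (non500-isakmp|4500)$",
    }
    return [name for name, pat in needed.items()
            if not any(re.search(pat, p) for p in permits)]


def weak_algorithms(cfg):
    """DES/3DES, MD5 and DH group 1/2 in ISAKMP policies and transform sets; a policy
    with no "encryption" line negotiates the IOS default, DES, so that counts too."""
    top, blocks = parse_blocks(cfg)
    findings = []
    for header, body in blocks.items():
        if header.startswith("crypto isakmp policy "):
            enc = next((s.split()[1] for s in body if s.startswith("encryption ")), "des")
            if enc in ("des", "3des"):
                findings.append(f"{header}: encryption {enc}")
            if "hash md5" in body:
                findings.append(f"{header}: hash md5")
            if any(s in ("group 1", "group 2") for s in body):
                findings.append(f"{header}: weak DH group")
    for t in top:
        if t.startswith("crypto ipsec transform-set "):
            words = t.split()
            findings += [f"{words[3]}: {w}" for w in words[4:]
                         if w in ("esp-des", "esp-3des", "esp-md5-hmac")]
    return findings


def pool_lan_overlap(cfg):
    """(pool, interface, subnet, proxy_arp_enabled) for each client pool inside a
    connected subnet: LAN hosts ARP for such a client address directly, so with
    "no ip proxy-arp" nobody answers and LAN-to-client traffic is lost."""
    top, blocks = parse_blocks(cfg)
    findings = []
    for t in top:
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)$", t)
        if not m:
            continue
        lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        for header, body in blocks.items():
            if not header.startswith("interface "):
                continue
            for sub in body:
                am = re.match(r"ip address (\S+) (\S+)$", sub)
                if am:
                    net = ipaddress.ip_network(f"{am.group(1)}/{am.group(2)}", strict=False)
                    if lo in net and hi in net:
                        findings.append((m.group(1), header.split()[1], str(net),
                                         "no ip proxy-arp" not in body))
    return findings
```

Run each function against the text of "show running-config" saved to a file; on the sample it reports the missing UDP/4500 permit, DES, MD5 and group 2 in both the ISAKMP policy and the transform set, and the pool sitting inside 192.168.42.0/24 behind an interface with proxy ARP disabled. The checks read only the lines a Cisco VPN Client connection depends on, so placeholders such as the public IP on Dialer1 in the posted config do not get in the way.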