Cisco 837 VPN issue

growse (Soldato, joined 18 Oct 2002, 7,139 posts, location: Ironing) wrote:
I'm trying to get vpn on my home router working, but I keep getting the following error in my syslog:

Mar 4 16:06:49 nosey 77118: nosey: 4w2d: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 217.155.216.166 was not encrypted and it should've been.

Any idea on what I'm doing wrong?

My current config is:

Code:
Current configuration : 5065 bytes
!
! Last configuration change at 16:09:39 GMT Sat Mar 4 2006 by growse
! NVRAM config last updated at 15:56:29 GMT Sat Mar 4 2006 by growse
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname nosey
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging count
logging userinfo
no logging buffered
no logging console
enable secret 5 *******
!
username growse password 7 *******
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
no ip source-route
no ip icmp rate-limit unreachable
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.1 192.168.0.19
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   domain-name mrmen.home
   dns-server 192.168.0.1
!
!
ip domain timeout 1
ip domain name mrmen.home
ip name-server 192.168.0.2
no ip bootp server
ip inspect max-incomplete low 70
ip inspect max-incomplete high 100
ip inspect one-minute low 300
ip inspect one-minute high 400
ip inspect udp idle-time 20
ip inspect dns-timeout 1
ip inspect tcp idle-time 900
ip inspect tcp finwait-time 3
ip inspect tcp synwait-time 15
ip inspect name inspectout icmp
ip inspect name myinspect http timeout 10
ip inspect name myinspect icmp
ip inspect name myinspect tcp
ip inspect name myinspect udp
ip inspect name myinspect smtp
ip ips po max-events 100
ip ssh authentication-retries 2
ip ssh source-interface Ethernet0
ip ssh rsa keypair-name mine
ip ssh version 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group growse
 key ************
 dns 192.168.0.1
 domain *******
 pool ippool
!
!
crypto ipsec transform-set ts-mrmen esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ts-mrmen
!
!
crypto map clientmap client authentication list userauthenticate
crypto map clientmap isakmp authorization list groupauthorise
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet2
 ip address 10.1.0.1 255.255.255.0
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 ip address negotiated
 ip access-group INTERNET-IN in
 ip nat outside
 ip inspect myinspect out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ************
 ppp chap password 7 ********
 ppp pap sent-username *************
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map clientmap
 hold-queue 224 in
!
ip local pool ippool 192.168.0.100 192.168.0.110
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route [ext_ip] 255.255.255.255 Ethernet0 192.168.0.2
no ip http server
no ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
!
!
ip access-list extended INTERNET-IN
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp any any eq domain
 permit esp any host [ext_ip]
 permit udp any eq isakmp host [ext_ip] eq isakmp
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit tcp any any eq smtp
 deny   ip any any log
logging origin-id hostname
logging 192.168.0.2
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community mrmen RO
snmp-server location Under The Chest of Drawers
snmp-server contact Andrew
snmp-server enable traps tty
no cdp run
!
control-plane
!
banner login ^CC
[--- Hello! ---]

Go Away. You Are Being Watched.
^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred ssh
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 192.36.143.150
sntp broadcast client
end

Tui (Associate, joined 30 Aug 2004, 174 posts) replied:
growse said:
Any idea on what I'm doing wrong?
Yeah, you're NATing your outgoing VPN traffic. You need a line in your NAT access list excluding VPN destination IP addresses. Since your VPN client pool is in the same subnet as your internal network, change:

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

to:

access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any

While I'm here, can I suggest a few things :)

- Exclude your VPN client pool range from your DHCP pool (just in case)

- The "in" thing is to use route maps in NAT maps instead of referencing an ACL, so:

route-map NONAT
match ip address 102

no ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map NONAT interface Dialer1 overload

- Don't assume isakmp will have a source of UDP 500 coming in, some firewalls will change this as well as the source address. If you're using the Cisco VPN client using NAT-T, encrypted traffic uses UDP 4500, so you need an entry for that. Entries in ACL INTERNET-IN for these should be:

permit udp any host [ext_ip] eq non500-isakmp
permit udp any host [ext_ip] eq isakmp

HTH
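The two access-list changes suggested in this reply (the NAT exemption for the client pool and the INTERNET-IN entries for IKE/NAT-T) can be checked without a router by replaying the thread's addresses through a small evaluator of Cisco-style wildcard-mask access lists. This is an added example, not code from the thread or from IOS: the 192.168.0.0/24 LAN, the 192.168.0.100-110 client pool, the remote address from the second log line and the access-list entries (with the wildcard mask written as 0.0.0.255) are taken from the posts; 198.51.100.10 stands in for the redacted [ext_ip], 203.0.113.5 is a constructed Internet destination, and the client-side source ports are constructed to show the NAT-T case.

```python
"""Wildcard-mask ACL evaluator used to replay the NAT-exemption and
INTERNET-IN changes suggested in the thread (added example, not the
router's own code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EXT_IP = "198.51.100.10"            # placeholder for the redacted [ext_ip]
ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.0.0", "0.0.0.255")  # internal network; the VPN pool lives in it too


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_port: Optional[int] = None  # None means any port
    dst_port: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            continue
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            continue
        if e.src_port is not None and e.src_port != pkt.src_port:
            continue
        if e.dst_port is not None and e.dst_port != pkt.dst_port:
            continue
        return e.action
    return "deny"


# access-list 102 as posted, and with the deny line added in front of it.
NAT_BEFORE = [Entry("permit", "ip", *LAN, *ANY)]
NAT_AFTER = [Entry("deny", "ip", *LAN, *LAN)] + NAT_BEFORE


def nat_translates(acl: List[Entry], pkt: Packet) -> bool:
    """For a NAT source list, 'permit' means the packet is translated."""
    return evaluate(acl, pkt) == "permit"


def check_nat() -> dict:
    to_client = Packet("ip", "192.168.0.2", "192.168.0.105")  # LAN host -> VPN pool address
    to_internet = Packet("ip", "192.168.0.2", "203.0.113.5")  # LAN host -> constructed Internet host
    return {
        "client_before": nat_translates(NAT_BEFORE, to_client),
        "client_after": nat_translates(NAT_AFTER, to_client),
        "internet_before": nat_translates(NAT_BEFORE, to_internet),
        "internet_after": nat_translates(NAT_AFTER, to_internet),
    }


# Only the IKE/ESP entries of INTERNET-IN, before and after the suggested change.
HOST_EXT = (EXT_IP, "0.0.0.0")
INTERNET_IN_BEFORE = [
    Entry("permit", "esp", *ANY, *HOST_EXT),
    Entry("permit", "udp", *ANY, *HOST_EXT, src_port=500, dst_port=500),
]
INTERNET_IN_AFTER = [
    Entry("permit", "esp", *ANY, *HOST_EXT),
    Entry("permit", "udp", *ANY, *HOST_EXT, dst_port=4500),  # non500-isakmp (NAT-T)
    Entry("permit", "udp", *ANY, *HOST_EXT, dst_port=500),   # isakmp, any source port
]


def check_internet_in() -> dict:
    remote = "212.183.128.185"  # client address from the second log line
    cases = {
        "plain_ike": Packet("udp", remote, EXT_IP, 500, 500),
        "pat_ike": Packet("udp", remote, EXT_IP, 61000, 500),  # source port rewritten by a PAT firewall (constructed)
        "nat_t": Packet("udp", remote, EXT_IP, 4500, 4500),
        "esp": Packet("esp", remote, EXT_IP),
    }
    return {name: (evaluate(INTERNET_IN_BEFORE, p), evaluate(INTERNET_IN_AFTER, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    print(check_nat())
    print(check_internet_in())
```

Running it shows why the deny line matters: a NAT source list translates everything it permits, so without the deny a LAN host talking to a client pool address is translated to the Dialer1 address, and with it only Internet-bound traffic is. The INTERNET-IN replay shows the original `eq isakmp ... eq isakmp` entry dropping both the NAT-T data channel and an IKE packet whose source port a PAT firewall has rewritten, while the two replacement entries admit both and still admit the plain 500/500 case.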

growse (OP) replied:
Made those changes - still getting:

Code:
Mar  8 15:01:20 nosey 1489: nosey: 3d03h: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 212.183.128.185 was not encrypted and it should've been.

Tui replied:
I should have noticed before: this and the first message are about traffic from the remote end.

Are you using the Cisco VPN client?
Are the local networks that you are connecting from also 192.169.0.X?

Tui replied:
I've tried to test a similar setup to yours thinking that the problem is happening with a client routing issue caused by overlapping addresses - your network is 192.168.0.0/24 and why I asked if you're connecting from 192.168.0.X.

I can't get the same error you get, not with client version 4.6 anyway, but I discovered something else - your VPN address pool must be in a different network from your internal networks, otherwise traffic won't be routed back through the tunnel.

Also, to avoid address conflicts if you ever decide to allow local LAN connection or split tunnelling (most home networks are using defaults of 192.168.0.0/24 or 192.168.1.0/24), have your internal and VPN pool addresses something that is unlikely to be used elsewhere, e.g. internal network 192.168.200.0/24 and VPN pool a range from 192.168.201.0/24.

Can you post if you still get errors after making these changes - will need to do some debugging.