
cisco 837 vpn issue

Discussion in 'Networks & Internet Connectivity' started by growse, 4 Mar 2006.

  1. growse

    Soldato

    Joined: 18 Oct 2002

    Posts: 7,139

    Location: Ironing

    I'm trying to get vpn on my home router working, but I keep getting the following error in my syslog:

    Mar 4 16:06:49 nosey 77118: nosey: 4w2d: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 217.155.216.166 was not encrypted and it should've been.

    Any idea on what I'm doing wrong?

    my current config is:

    Code:
    Current configuration : 5065 bytes
    !
    ! Last configuration change at 16:09:39 GMT Sat Mar 4 2006 by growse
    ! NVRAM config last updated at 15:56:29 GMT Sat Mar 4 2006 by growse
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname nosey
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    logging count
    logging userinfo
    no logging buffered
    no logging console
    enable secret 5 *******
    !
    username growse password 7 *******
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
    aaa new-model
    !
    !
    aaa authentication login userauthenticate local
    aaa authorization network groupauthorise local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    no ip icmp rate-limit unreachable
    ip dhcp excluded-address 192.168.0.1
    ip dhcp excluded-address 192.168.0.1 192.168.0.19
    !
    ip dhcp pool CLIENT
       import all
       network 192.168.0.0 255.255.255.0
       default-router 192.168.0.1
       domain-name mrmen.home
       dns-server 192.168.0.1
    !
    !
    ip domain timeout 1
    ip domain name mrmen.home
    ip name-server 192.168.0.2
    no ip bootp server
    ip inspect max-incomplete low 70
    ip inspect max-incomplete high 100
    ip inspect one-minute low 300
    ip inspect one-minute high 400
    ip inspect udp idle-time 20
    ip inspect dns-timeout 1
    ip inspect tcp idle-time 900
    ip inspect tcp finwait-time 3
    ip inspect tcp synwait-time 15
    ip inspect name inspectout icmp
    ip inspect name myinspect http timeout 10
    ip inspect name myinspect icmp
    ip inspect name myinspect tcp
    ip inspect name myinspect udp
    ip inspect name myinspect smtp
    ip ips po max-events 100
    ip ssh authentication-retries 2
    ip ssh source-interface Ethernet0
    ip ssh rsa keypair-name mine
    ip ssh version 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group growse
     key ************
     dns 192.168.0.1
     domain *******
     pool ippool
    !
    !
    crypto ipsec transform-set ts-mrmen esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set ts-mrmen
    !
    !
    crypto map clientmap client authentication list userauthenticate
    crypto map clientmap isakmp authorization list groupauthorise
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    interface Ethernet0
     ip address 192.168.0.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     no ip mroute-cache
     no cdp enable
     hold-queue 100 out
    !
    interface Ethernet2
     ip address 10.1.0.1 255.255.255.0
     shutdown
     hold-queue 100 out
    !
    interface ATM0
     no ip address
     no ip mroute-cache
     atm vc-per-vp 64
     no atm ilmi-keepalive
     dsl operating-mode auto
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    interface Dialer1
     ip address negotiated
     ip access-group INTERNET-IN in
     ip nat outside
     ip inspect myinspect out
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname ************
     ppp chap password 7 ********
     ppp pap sent-username *************
     ppp ipcp dns request
     ppp ipcp wins request
     crypto map clientmap
     hold-queue 224 in
    !
    ip local pool ippool 192.168.0.100 192.168.0.110
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route [ext_ip] 255.255.255.255 Ethernet0 192.168.0.2
    no ip http server
    no ip http secure-server
    ip dns server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.0.2 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.0.2 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.0.2 443 interface Dialer1 443
    !
    !
    ip access-list extended INTERNET-IN
     permit tcp any any eq www
     permit tcp any any eq 443
     permit udp any any eq domain
     permit esp any host [ext_ip]
     permit udp any eq isakmp host [ext_ip] eq isakmp
     permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
     permit tcp any any eq smtp
     deny   ip any any log
    logging origin-id hostname
    logging 192.168.0.2
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community mrmen RO
    snmp-server location Under The Chest of Drawers
    snmp-server contact Andrew
    snmp-server enable traps tty
    no cdp run
    !
    control-plane
    !
    banner login ^CC
    [--- Hello! ---]
    
    Go Away. You Are Being Watched.
    ^C
    !
    line con 0
     exec-timeout 120 0
     no modem enable
     transport preferred all
     transport output all
     stopbits 1
    line aux 0
     transport preferred all
     transport output all
    line vty 0 4
     access-class 23 in
     exec-timeout 120 0
     length 0
     transport preferred ssh
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    sntp server 192.36.143.150
    sntp broadcast client
    end
    
     
  2. Tui

    Gangster

    Joined: 30 Aug 2004

    Posts: 174

    Yeah, you're NATing your outgoing VPN traffic. You need a line in your NAT access list excluding VPN destination IP addresses. Since your VPN client pool is in the same subnet as your internal network, change:

    access-list 102 permit ip 192.168.0.0 0.0.0.255 any

    to:

    access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any

    While I'm here, can I suggest a few things :)

    - Exclude your VPN client pool range from your DHCP pool (just in case)

    - The "in" thing is to use route maps in NAT maps instead of referencing an ACL, so:

    route-map NONAT
    match ip address 102

    no ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source route-map NONAT interface Dialer1 overload

    - Don't assume isakmp will have a source of UDP 500 coming in, some firewalls will change this as well as the source address. If you're using the Cisco VPN client using NAT-T, encrypted traffic uses UDP 4500, so you need an entry for that. Entries in ACL INTERNET-IN for these should be:

    permit udp any host [ext_ip] eq non500-isakmp
    permit udp any host [ext_ip] eq isakmp

    HTH
     
  3. growse

    Soldato

    Joined: 18 Oct 2002

    Posts: 7,139

    Location: Ironing

    made those changes - still getting:

    Code:
    Mar  8 15:01:20 nosey 1489: nosey: 3d03h: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 212.183.128.185 was not encrypted and it should've been.
    
     
  4. Tui

    Gangster

    Joined: 30 Aug 2004

    Posts: 174

    I should have noticed before, this and the first message are about traffic from the remote end.

    Are you using the Cisco VPN client?
    Are the local networks that you are connecting from also 192.168.0.X?
     
  5. growse

    Soldato

    Joined: 18 Oct 2002

    Posts: 7,139

    Location: Ironing

    Yes, and no. I'm using the Cisco client, and could be connecting from absolutely anywhere.
     
  6. Tui

    Gangster

    Joined: 30 Aug 2004

    Posts: 174

    I've tried to test a similar setup to yours, thinking that the problem is a client routing issue caused by overlapping addresses - your network is 192.168.0.0/24, which is why I asked if you're connecting from 192.168.0.X.

    I can't get the same error you get, not with client version 4.6 anyway, but I discovered something else - your VPN address pool must be in a different network from your internal networks, otherwise traffic won't be routed back through the tunnel.

    Also, to avoid address conflicts if you ever decide to allow local LAN connection or split tunnelling (most home networks are using defaults of 192.168.0.0/24 or 192.168.1.0/24), set your internal and VPN pool addresses to something that is unlikely to be used elsewhere, e.g. internal network 192.168.200.0/24 and VPN pool a range from 192.168.201.0/24.

    Can you post if you still get errors after making these changes - will need to do some debugging.