IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
3 posts • Page 1 of 1
Hei guys, Please help me on this one as I got pretty stuck on it.. I am trying to connect to a 3700 Cisco router configured as a VPN server using a VPN client, and the VPN connection does not get established.This is an extract of the log: 130 12:48:30.585 01/07/11 Sev=Info/5 IKE/0x63000001Peer supports XAUTH131 12:48:30.585 01/07/11 Sev=Warning/3 IKE/0xE3000057The received HASH payload cannot be verified132 12:48:30.600 01/07/11 Sev=Warning/2 IKE/0xE300007EHash verification failed... may be configured with invalid group password.133 12:48:30.600 01/07/11 Sev=Warning/2 IKE/0xE300009BFailed to authenticate peer Navigator:904134 12:48:30.600 01/07/11 Sev=Info/4 IKE/0x63000013SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 18.104.22.168 I attach the whole log extract.. The bold message is quite obvious, you would say but I am 100% sure that in the Connection entry I typed in correctly the group password : pass My topology is very basic as I am setting this up only to get a hint of how Cisco VPN works. Its built in GNS3:- 2 routers 3700 : one of them holds the VPN server configuration and the other would be the ISP through which the remote worker would try to establish a VPN connection. // I also attach the configuration file for the router configured as VPN router. Behind the second router there is a virtual XP machine on which I have installed the VPN client.. My connection entry in the client is having the following parameters:Host: 22.214.171.124 //which is the IP of the VPNserverAuthentication -> Group Authentication -> Name : grup1 Password : pass // I am absolutely positive that I typed in the correct password...even though the log messages are related to a faulty authentication credentials. I have been using only public addresses, as I have noticed there is an issue concerning behind NAT VPN connections and not being very familiar to NAT. Another aspect that might be of any importance is that "Enable Transport Tunneling" from within Transport tab of the Connection entry is disabledand that the VPNserver router logs the following error message when trying to establish the connection: *Mar 1 01:08:47.147: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 126.96.36.199 was not encrypted and it shouldve been.*Mar 1 01:08:47.151: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 188.8.131.52 was not encrypted and it shouldve been. Have you got any clue why I can establish the connection? Is there something wrong with my VPN server configuration..or with theconnection entry within VPN client? Thank you,Iulia
According to the router configuration, the group name is grup1 and the password is cheie. You are also missing the ipsec transform set that you would need to apply to the dynamic-map. Here is a sample configuration for your reference:http://www.cisco.com/en/US/tech/tk583/t ... 5197.shtml Hope that helps.
Hy, You were most helpful. I first added a transform set which I assigned to the dynamic-map...and afterwards I changed the password into cheie [as this was actually the correct password and not the users password..my bad]. The tunnel has been established..I made a capture with Wireshark and there were only ESPs passing through.I will read the document you directed me to and the document Roberto attached..as I feel that there are so much more things to explore and it really interests me. Thank you guys,Iulia
Excellent, and great to hear its working now.Pls kindly mark the post as answered and rate useful posts so others can learn. Thank you.
Hello Lulia, Jennifer Halim is completely right, you are missing some important stuffs in your configuration including the ipsec transform set. The group grup1 password is actually cheie and this credentials you must enter in the vpn client, after that you will be prompted to enter a second set o credentials that must match any username configured in the router. I am attaching a sample configuration which you can use a guidance. Hope it helps, Best Regards,Roberto López.