Over the last few days I've been trying to set up a VPN for Remote Access
(as well as Site-to-Site, although I've not tested that one yet), but I'm
having problems with both my laptop (Cisco VPN Client) and PDA
(movianVPN) establishing a connection:
!
! One wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is shared by the
! remote-access and site-to-site profiles, so any peer address may try it.
crypto keyring vpnkey
 description Key for VPN Users
 pre-shared-key address 0.0.0.0 0.0.0.0 key t3sting
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group remoteaccess
 dns 10.0.1.61
 wins 10.0.1.61
 domain xyz.com
 pool vpn-addresses
 netmask 255.255.255.192
!
crypto isakmp client configuration group sitetosite
 dns 10.0.1.61
 wins 10.0.1.61
 domain xyz.com
 pool vpn-addresses
 netmask 255.255.255.192
!
crypto isakmp profile remoteaccess
 description Remote Access (Client to Site) VPN Profile
 keyring vpnkey
 match identity group remoteaccess
 client authentication list vpn-users
 isakmp authorization list vpn-auth
 client configuration address respond
 keepalive 20 retry 3
!
crypto isakmp profile sitetosite
 description L2L (Site to Site) VPN Profile
 keyring vpnkey
 match identity group sitetosite
 match identity address 0.0.0.0
 keepalive 20 retry 3
!
crypto ipsec transform-set vpn-trans esp-3des esp-sha-hmac
!
crypto dynamic-map vpnmap 5
 set transform-set vpn-trans
 set isakmp-profile remoteaccess
crypto dynamic-map netwrk 10
 set transform-set vpn-trans
 set isakmp-profile sitetosite
!
! Each dynamic map must be bound into the crypto map under its exact name:
! "vpnman" is defined nowhere (typo for vpnmap), and netwrk was not bound.
crypto map myvpn 10 ipsec-isakmp dynamic vpnmap
crypto map myvpn 20 ipsec-isakmp dynamic netwrk
!
interface Dialer0
 ip access-group from-internet in
 ip nat outside
 crypto map myvpn
!
ip local pool vpn-addresses 10.0.1.21 10.0.1.25
!
ip access-list extended from-internet
 remark ACL for incoming traffic from the Internet
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit igmp any any
 permit esp any any
 permit gre any any
 permit udp any eq ntp any eq ntp
 permit udp any any eq isakmp
 ! the client advertises NAT-T; a peer behind NAT moves the exchange to UDP 4500
 permit udp any any eq non500-isakmp
 permit tcp any any eq 22
 permit tcp any any eq smtp
 permit tcp any any eq www
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit udp any any eq 5004
 permit udp any any eq 5060
 deny ip any any log
However, it seems to be having problems with the hash:
ISAKMP (0:0): received packet from 202.89.184.82 dport 500 sport 500
Global (N) NEW SA
ISAKMP: Created a peer struct for 202.89.184.82, peer port 500
ISAKMP: New peer created peer = 0x8286B458 peer_handle = 0x80000005
ISAKMP: Locking peer struct 0x8286B458, IKE refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
insert sa successfully sa = 82867158
ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
ISAKMP:(0:0:N/A:0): processing vendor id payload
ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 228 mismatch
ISAKMP:(0:0:N/A:0): processing vendor id payload
ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
ISAKMP:(0:0:N/A:0): processing vendor id payload
ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
ISAKMP:(0:0:N/A:0): processing vendor id payload
ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 184 mismatch
ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 202.89.184.82
ISAKMP:(0:0:N/A:0): local preshared key found
ISAKMP : Scanning profiles for xauth ... netwrkers
ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: unknown attribute 16384
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
CryptoEngine0: generating alg parameter for connid 4
CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)
CRYPTO_ENGINE: Dh phase 1 status: OK
ISAKMP:(0:4:HW:2): processing vendor id payload
ISAKMP:(0:4:HW:2): vendor ID seems Unity/DPD but major 228 mismatch
ISAKMP:(0:4:HW:2): processing vendor id payload
ISAKMP:(0:4:HW:2): vendor ID seems Unity/DPD but major 194 mismatch
ISAKMP:(0:4:HW:2): processing vendor id payload
ISAKMP:(0:4:HW:2): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0:4:HW:2): vendor ID is NAT-T v2
ISAKMP:(0:4:HW:2): processing vendor id payload
ISAKMP:(0:4:HW:2): vendor ID seems Unity/DPD but major 184 mismatch
ISAKMP:(0:4:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0:4:HW:2): constructed NAT-T vendor-02 ID
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0:268435460): received packet from 202.89.184.82 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2):Couldn't find node: message_id 2060467861
ISAKMP (0:268435460): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_R_MM2
ISAKMP:(0:4:HW:2):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM2
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 202.89.184.82
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0:268435460): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0:268435460): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0:268435460): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0:268435460): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP (0:268435460): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2): retransmitting phase 1 MM_SA_SETUP...
ISAKMP:(0:4:HW:2):peer does not do paranoid keepalives.
ISAKMP:(0:4:HW:2):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 202.89.184.82)
ISAKMP:(0:4:HW:2):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 202.89.184.82)
ISAKMP: Unlocking IKE struct 0x8286B458 for isadb_mark_sa_deleted(), count 0
ISAKMP: Deleting peer node by peer_reap for 202.89.184.82: 8286B458
ISAKMP:(0:4:HW:2):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM2 New State = IKE_DEST_SA
IPSEC(key_engine): got a queue event with 1 kei messages
ISAKMP (0:268435460): received packet from 202.89.184.82 dport 500 sport 500 Global (R) MM_NO_STATE
ISAKMP:(0:4:HW:2):purging SA., sa=82867158, delme=82867158
CryptoEngine0: delete connection 4
CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
Any idea how I can fix this problem?
--
Jonathan Wright ma...@djnauk.co.uk
http://djnauk.co.uk
cat /dev/random (you never know, you may see something you like!)
2.6.17-gentoo-r3-djnauk-b1 AMD Athlon(tm) XP 2100+
up 17:07, 0 users, load average: 1.01, 1.14, 1.12
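The posted config has cross-reference problems that a script can catch before any debugging starts: the crypto map binds a dynamic map called vpnman while the defined ones are vpnmap and netwrk (so neither is ever bound), the interface line reads "crypt map", and the inbound ACL permits UDP 500 but not UDP 4500 even though the client advertises NAT-T. The checker below is an added example, not part of the original post and not a Cisco tool; the config excerpt inside it is constructed from the posted one and re-indented the way "show run" prints it, and the set of object kinds it tracks (keyrings, groups, profiles, transform sets, dynamic and crypto maps, pools, ACLs) is my own choice.

```python
"""Cross-reference checker for an IOS crypto configuration (added example, not
Cisco tooling and not from the original post).  Stanzas are split by
indentation; each named object a stanza defines or references is recorded,
then dangling references, unbound dynamic/crypto maps, and an inbound ACL that
permits ISAKMP (UDP 500) but not NAT-T (UDP 4500) are reported."""
from collections import defaultdict

# Header prefix -> (object kind, index of the name in the split header).
DEFINES = {
    "crypto keyring ": ("keyring", 2),
    "crypto isakmp client configuration group ": ("group", 5),
    "crypto isakmp profile ": ("isakmp-profile", 3),
    "crypto ipsec transform-set ": ("transform-set", 3),
    "crypto dynamic-map ": ("dynamic-map", 2),
    "crypto map ": ("crypto-map", 2),
    "ip local pool ": ("pool", 3),
    "ip access-list extended ": ("acl", 3),
}
# Indented sub-line prefix -> (kind of object referenced, index of the name).
REFERENCES = {
    "pool ": ("pool", 1),
    "keyring ": ("keyring", 1),
    "match identity group ": ("group", 3),
    "set transform-set ": ("transform-set", 2),
    "set isakmp-profile ": ("isakmp-profile", 2),
    "crypto map ": ("crypto-map", 2),
    "ip access-group ": ("acl", 2),
}

# Constructed excerpt of the posted config, re-indented as 'show run' prints it.
SAMPLE_CONFIG = """\
crypto keyring vpnkey
 pre-shared-key address 0.0.0.0 0.0.0.0 key t3sting
crypto isakmp client configuration group remoteaccess
 pool vpn-addresses
crypto isakmp client configuration group sitetosite
 pool vpn-addresses
crypto isakmp profile remoteaccess
 keyring vpnkey
 match identity group remoteaccess
crypto isakmp profile sitetosite
 keyring vpnkey
 match identity group sitetosite
crypto ipsec transform-set vpn-trans esp-3des esp-sha-hmac
crypto dynamic-map vpnmap 5
 set transform-set vpn-trans
 set isakmp-profile remoteaccess
crypto dynamic-map netwrk 10
 set transform-set vpn-trans
 set isakmp-profile sitetosite
crypto map myvpn 10 ipsec-isakmp dynamic vpnman
interface Dialer0
 ip access-group from-internet in
 crypt map myvpn
ip local pool vpn-addresses 10.0.1.21 10.0.1.25
ip access-list extended from-internet
 permit esp any any
 permit udp any any eq isakmp
"""
# Same excerpt with both typos fixed, netwrk bound, and NAT-T permitted.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("dynamic vpnman", "dynamic vpnmap\ncrypto map myvpn 20 ipsec-isakmp dynamic netwrk")
    .replace("crypt map myvpn", "crypto map myvpn")
    .replace("eq isakmp\n", "eq isakmp\n permit udp any any eq non500-isakmp\n"))


def parse_stanzas(text):
    """Return [(header, [sub-lines])]; a line is a header unless it is indented."""
    stanzas = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or IOS comment/separator
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


def collect(stanzas):
    """Return (defined: kind -> set of names, refs: kind -> {name: header})."""
    defined, refs = defaultdict(set), defaultdict(dict)
    for header, body in stanzas:
        words = header.split()
        for prefix, (kind, idx) in DEFINES.items():
            if header.startswith(prefix):
                defined[kind].add(words[idx])
        if header.startswith("crypto map ") and "dynamic" in words:
            refs["dynamic-map"][words[words.index("dynamic") + 1]] = header
        for sub in body:
            for prefix, (kind, idx) in REFERENCES.items():
                if sub.startswith(prefix):
                    refs[kind][sub.split()[idx]] = header
    return defined, refs


def lint(text):
    """Return a list of findings; an empty list means the cross-references hold."""
    stanzas = parse_stanzas(text)
    defined, refs = collect(stanzas)
    findings = []
    for kind, names in refs.items():                 # every reference resolves?
        for name, header in names.items():
            if name not in defined[kind]:
                findings.append(f"undefined {kind} '{name}' referenced in '{header}'")
    for kind in ("dynamic-map", "crypto-map"):       # maps nothing points at do nothing
        for name in sorted(defined[kind] - set(refs[kind])):
            findings.append(f"{kind} '{name}' is defined but never referenced")
    for header, body in stanzas:                     # UDP 500 without UDP 4500?
        if header.startswith("ip access-list extended "):
            udp = [s for s in body if s.startswith("permit udp")]
            has_500 = any(s.endswith((" eq isakmp", " eq 500")) for s in udp)
            has_4500 = any(s.endswith((" eq non500-isakmp", " eq 4500")) for s in udp)
            if has_500 and not has_4500:
                findings.append(f"acl '{header.split()[3]}' permits UDP 500 (isakmp) "
                                "but not UDP 4500 (non500-isakmp) for NAT-T")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
    print("fixed config:", lint(FIXED_CONFIG) or "clean")
```

Running it on the posted excerpt reports the undefined vpnman binding, the two unbound dynamic maps, the crypto map that no interface applies (the "crypt map" line never matches), and the missing UDP 4500 permit; the corrected excerpt comes back clean. The checker only knows the object kinds in its two tables, so anything else (AAA lists, policy numbers) passes through unchecked.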
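Reading the debug output as a state machine rather than line by line makes the failure point explicit: the router is the responder, it moves IKE_READY to IKE_R_MM1 to IKE_R_MM2 (MM1 received, MM2 sent), then gets an Informational notify it cannot match to any node, retransmits MM2 five times and deletes the SA with "Death by retransmission P1" in state MM_SA_SETUP. In main mode the identities and the PSK-derived HASH_I/HASH_R only travel in MM5/MM6, so an SA that dies waiting for MM3 never reached the point where a hash is compared. The triage helper below is an added example, not part of the original post and not Cisco tooling; the log excerpt inside it is constructed from the debug output quoted above with the mail-wrapped lines rejoined, and the IKE_AG_EXCH token it recognises for aggressive mode is an assumption since it does not appear in the posted log.

```python
"""Triage helper for IOS 'debug crypto isakmp' output (added example, not from
the original post and not Cisco tooling).  It extracts the responder-side
state transitions, the agreed phase-1 proposal, inputs the state machine
rejected, the retransmit count and the SA deletion reason, then maps the state
the SA died in to the main-mode message the router was still waiting for."""
import re

# Constructed excerpt of the debug output quoted in the post, lines rejoined.
SAMPLE_DEBUG = """\
ISAKMP (0:0): received packet from 202.89.184.82 dport 500 sport 500 Global (N) NEW SA
ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 202.89.184.82
ISAKMP:(0:0:N/A:0): Authentication by xauth preshared
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 3
ISAKMP:(0:4:HW:2): sending packet to 202.89.184.82 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0:268435460): received packet from 202.89.184.82 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0:4:HW:2):Couldn't find node: message_id 2060467861
ISAKMP (0:268435460): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_R_MM2
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM2 New State = IKE_R_MM2
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 202.89.184.82
ISAKMP (0:268435460): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
ISAKMP (0:268435460): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
ISAKMP (0:268435460): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
ISAKMP (0:268435460): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
ISAKMP (0:268435460): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
ISAKMP:(0:4:HW:2):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 202.89.184.82)
ISAKMP:(0:4:HW:2):Old State = IKE_R_MM2 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
ATTEMPT_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase")
DEATH_RE = re.compile(r'deleting SA reason "([^"]+)" state \([IR]\) (\S+) \(peer (\S+)\)')
UNKNOWN_RE = re.compile(r"Unknown Input (\S+), (\S+): state = (\S+)")
PROPOSAL_RE = re.compile(r"^ISAKMP: (encryption|hash|default group|auth) (\S+)")

# IOS main-mode milestones and what the responder still waits for in each.
# IDs and the PSK-derived HASH_I/HASH_R travel only in MM5/MM6, so a PSK
# mismatch cannot surface before MM_KEY_EXCH.
WAITING_FOR = {
    "MM_NO_STATE": "MM1 (peer's SA proposal)",
    "MM_SA_SETUP": "MM3 (peer's KE and nonce); IDs and PSK hashes not yet exchanged",
    "MM_KEY_EXCH": "MM5 (peer's ID and HASH_I); a PSK mismatch fails here",
    "MM_KEY_AUTH": "nothing, phase 1 is authenticated",
}


def triage(debug_text):
    """Summarise one phase-1 attempt from the debug text into a dict."""
    s = {"peer": None, "exchange": None, "nat_t": False, "proposal": {},
         "states": [], "retransmits": 0, "unexpected": [],
         "death_reason": None, "died_in": None}
    for line in debug_text.splitlines():
        if "IKE_MM_EXCH" in line:
            s["exchange"] = "main mode"
        elif "IKE_AG_EXCH" in line:  # aggressive-mode token (assumed; not in the posted log)
            s["exchange"] = "aggressive mode"
        if "vendor ID is NAT-T" in line:
            s["nat_t"] = True
        m = re.search(r"received packet from (\S+)", line)
        if m and s["peer"] is None:
            s["peer"] = m.group(1)
        m = PROPOSAL_RE.match(line)
        if m:
            s["proposal"][m.group(1)] = m.group(2)
        m = STATE_RE.search(line)
        if m and m.group(1) != m.group(2):  # ignore no-op transitions
            s["states"].append((m.group(1), m.group(2)))
        m = ATTEMPT_RE.search(line)
        if m:
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
        m = UNKNOWN_RE.search(line)
        if m:
            s["unexpected"].append({"input": m.group(2), "state": m.group(3)})
        m = DEATH_RE.search(line)
        if m:
            s["death_reason"], s["died_in"] = m.group(1), m.group(2)
    return s


def explain(summary):
    """Turn the triage summary into short human-readable findings."""
    out = [f"{summary['exchange']} phase 1 with {summary['peer']}, proposal {summary['proposal']}"]
    if summary["nat_t"]:
        out.append("peer advertises NAT-T: behind NAT the exchange floats to UDP 4500, "
                   "which must also be allowed inbound")
    for u in summary["unexpected"]:
        out.append(f"peer sent {u['input']} while the router was in {u['state']}; "
                   "processing it failed and the router stayed in that state")
    if summary["death_reason"]:
        stage = WAITING_FOR.get(summary["died_in"], "unknown stage")
        out.append(f"{summary['death_reason']} after {summary['retransmits']} retransmits in "
                   f"{summary['died_in']}: router was waiting for {stage}")
    return out


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_DEBUG)):
        print("-", line)
```

On the quoted log this reports main mode with 202.89.184.82, the 3DES/SHA/group 2/XAUTHInitPreShared proposal, the rejected IKE_INFO_NOTIFY in IKE_R_MM2, and the SA dying in MM_SA_SETUP while waiting for MM3. The WAITING_FOR table is the part worth keeping around: the IOS state an SA dies in tells you which message never arrived, and therefore which checks (proposal, DH/NAT-T reachability, PSK) have or have not yet been exercised.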