https://community.cisco.com/t5/network-access-control/vpn-client-address-assignment-with-certificate-authentication/m-p/1040626#M2190 <HTML><HEAD></HEAD><BODY><P>The config lacks authorization part:</P><P></P><P>Use either ISAKMP Profile:</P><P></P><P>isakmp authorization list list-name</P><P></P><P>Or:</P><P></P><P>crypto map map-name isakmp authorization list list-name</P><P></P><P>In general, I don't like your config as it uses both crypto map EasyVPN features and ISAKMP Profile EasyVPN features. If you are able to classify all of you EasyVPN users with Profiles then don't use commands like "crypto map vpnmap1 client configuration address respond". Use ISAKMP Profile command to configure it. Or better use ISAKMP Profiles and VTI interfaces.</P><P></P><P>Also, verify that your users are classified into the correct Profile with "show cry isa sa det" or "show cry isa peers det".</P><P></P><P>HTH</P><P></P></BODY></HTML> Sat, 27 Sep 2008 09:38:14 GMT ovt 2008-09-27T09:38:14Z https://community.cisco.com/t5/network-access-control/vpn-client-address-assignment-with-certificate-authentication/m-p/1040625#M2186 <P>I have the following config and I can not get the client to pull an ip address</P><P></P><P>crypto pki trustpoint dc-ho1</P><P> enrollment mode ra</P><P> enrollment url <A class="jive-link-custom" href="http://10.10.20.2:80/certsrv/mscep/mscep.dll" target="_blank">http://10.10.20.2:80/certsrv/mscep/mscep.dll</A></P><P> serial-number none</P><P> fqdn HOEDTVPN.edt.net</P><P> ip-address none</P><P> password 7 0350792F532D761F1B5B4F564E30525921</P><P> subject-name O=EDT, OU=VPN, C=US, ST=Tx</P><P> revocation-check crl</P><P> rsakeypair HOEDTVPN.edt.net</P><P> auto-enroll</P><P>!</P><P>!</P><P>!</P><P>crypto pki certificate map cert_map 10</P><P> subject-name co ou = vpn</P><P>!</P><P>crypto isakmp policy 1</P><P> encr 3des</P><P></P><P>crypto isakmp client configuration group VPN</P><P> dns 10.10.20.2</P><P> wins 10.10.20.2</P><P> domain edg.net</P><P> pool hoedtvpn</P><P> acl 101</P><P> netmask 255.255.255.128</P><P>!</P><P>crypto isakmp profile VPN_client</P><P> ca trust-point dc-ho1</P><P> match certificate cert_map</P><P> client configuration address respond</P><P> client configuration group VPN</P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac</P><P>crypto dynamic-map vpnclient 20</P><P> set transform-set ESP-3DES-SHA</P><P>crypto map vpnmap1 local-address GigabitEthernet0/1</P><P>crypto map vpnmap1 client configuration address respond</P><P>crypto map vpnmap1 20 ipsec-isakmp dynamic vpnclient</P><P>interface GigabitEthernet0/1</P><P> description External Interface</P><P> ip address 64.XX.XX.XXX 255.255.255.248</P><P> ip access-group 111 in</P><P> duplex auto</P><P> speed auto</P><P> media-type rj45</P><P> crypto map vpnmap1</P><P></P><P>ip local pool hoedtvpn 10.20.90.1 10.20.90.126</P><P>access-list 101 permit ip 10.0.0.0 0.0.0.255 10.20.90.0 0.0.0.127</P><P>access-list 111 remark SDM_ACL Category=17</P><P>access-list 111 remark Auto generated by SDM for NTP (123) 10.10.20.2</P><P>access-list 111 permit udp host 10.10.20.2 eq ntp host 64.XX.xx.XXX eq ntp</P><P>access-list 111 permit udp any any eq isakmp</P><P>access-list 111 permit udp any any eq non500-isakmp</P><P>access-list 111 permit icmp any any</P><P>access-list 111 permit tcp any any eq 22</P><P>access-list 111 permit tcp any any eq telnet</P><P>access-list 111 permit gre any any</P><P>access-list 111 permit esp any any</P><P>access-list 111 permit tcp any any eq 10000</P><P></P><P></P><P>If I assign the pool directly under isakmp it will work but does not provide the other needed attributes, dns, wins ect.</P><P></P><P>when debug I get </P><P>Sep 23 14:48:24.090: ISAKMP:(7177):attributes sent in message:</P><P>Sep 23 14:48:24.090: Address: 0.2.0.0</P><P>Sep 23 14:48:24.090: ISAKMP:(7177):No IP address pool defined for ISAKMP!</P><P>Sep 23 14:48:24.090: ISAKMP:(7177):peer does not do paranoid keepalives.</P><P>Sep 23 14:48:24.090: ISAKMP:(7177):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 24.XXX.XX.XX)</P><P> </P><P>any ideas?</P> Fri, 21 Feb 2020 18:22:10 GMT https://community.cisco.com/t5/network-access-control/vpn-client-address-assignment-with-certificate-authentication/m-p/1040625#M2186 jdedon 2020-02-21T18:22:10Z https://community.cisco.com/t5/network-access-control/vpn-client-address-assignment-with-certificate-authentication/m-p/1040626#M2190 <HTML><HEAD></HEAD><BODY><P>The config lacks authorization part:</P><P></P><P>Use either ISAKMP Profile:</P><P></P><P>isakmp authorization list list-name</P><P></P><P>Or:</P><P></P><P>crypto map map-name isakmp authorization list list-name</P><P></P><P>In general, I don't like your config as it uses both crypto map EasyVPN features and ISAKMP Profile EasyVPN features. If you are able to classify all of you EasyVPN users with Profiles then don't use commands like "crypto map vpnmap1 client configuration address respond". Use ISAKMP Profile command to configure it. Or better use ISAKMP Profiles and VTI interfaces.</P><P></P><P>Also, verify that your users are classified into the correct Profile with "show cry isa sa det" or "show cry isa peers det".</P><P></P><P>HTH</P><P></P></BODY></HTML> Sat, 27 Sep 2008 09:38:14 GMT https://community.cisco.com/t5/network-access-control/vpn-client-address-assignment-with-certificate-authentication/m-p/1040626#M2190 ovt 2008-09-27T09:38:14Z