topic Re: 1841 vpn client in Network Security

1841 vpn client

columoconnor — Mon, 11 Mar 2019 10:50:36 GMT

I have an 1841 that has a working site to site vpn tunnel....I added the config for a vpn client and nothing happens

I debugged crypto isakmp and dont even see the client trying to connect

anyone see wants wrong

version 12.4

aaa new-model

aaa session-id common

ip inspect name test http urlfilter

username xxxxxx privilege 15 password 7 xxxxxxxx

crypto isakmp policy 11

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp key ciscociscoAZ address x.x.x.x no-xauth

crypto isakmp keepalive 10

crypto isakmp client configuration group Remote_User

key cisco

pool VPNpool

acl 150

crypto ipsec transform-set remotesite esp-3des esp-md5-hmac

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set myset

crypto map mymap client authentication list userauthen

crypto map mymap isakmp authorization list groupauthor

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap 11 ipsec-isakmp

set peer x.x.x.x

set transform-set remotesite

match address vpn

interface FastEthernet0/0

ip address 192.168.12.1 255.255.255.0

ip inspect test in

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

interface FastEthernet0/1

ip address x.x.x.x 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map mymap

ip local pool VPNpool 192.168.50.50 192.168.50.160

ip classless

ip route 0.0.0.0 0.0.0.0 x.x.x.x

ip nat inside source list NoNat interface FastEthernet0/1 overload

ip access-list extended NoNat

deny ip 192.168.12.0 0.0.0.255 192.168.9.0 0.0.0.255

deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255

deny ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended vpn

permit ip 192.168.12.0 0.0.0.255 host 10.155.102.252

access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255

thanks

Re: 1841 vpn client

mattiaseriksson — Sat, 28 Jul 2007 07:17:57 GMT

Try to add "reverse-route" under the dynamic crypto map.

But everything else looks ok, verify that the crypto map is applied with "sh crypto dynamic-map".

A debug crypto isakmp should show when it tries to connect, either you have not configured logging properly, or the client can not reach the router.

Re: 1841 vpn client

columoconnor — Mon, 30 Jul 2007 12:57:23 GMT

Mattias

the reverse route didnt work

When I debug crypto isakmp I dont even see it trying....but I can ping outside interface from where I'm trying the client

router#sh cry dynamic-map

Crypto Map Template"dynmap" 10

No matching address list set.

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

myset,

}

does this tell you anything

thanks

Colum

Re: 1841 vpn client

mattiaseriksson — Mon, 30 Jul 2007 13:09:50 GMT

Also, you are referring to the aaa groups userauthen and groupauthor but they are not defined anywhere?

crypto map mymap client authentication list userauthen

crypto map mymap isakmp authorization list groupauthor

You need something like this:

aaa authentication login userauthen local

aaa authorization network groupauthor local

If you want to use xauth with local authentication.

Re: 1841 vpn client

columoconnor — Mon, 30 Jul 2007 14:29:44 GMT

You are right ...that was missing but still doesnt work...

its weird...

client log

813 11:11:24.307 07/30/07 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

814 11:11:24.828 07/30/07 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

its like it cant get to the outside IP

could it be the inspect/websense

Re: 1841 vpn client

purohit_810 — Mon, 30 Jul 2007 14:32:35 GMT

Hi,

Please refer below document.

Which will guide you step by step procedure to configure client VPN.

As well as it also showing Troubleshooting.

It is well easier.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards,

Dharmesh Purohit