1911 Views, 0 Helpful, 2 Replies

Remote Access VPN with IOS using certificate authentication

jinyu1
Level 1

I am trying to set up a Cisco 2610 running IOS 12.3(1) for remote access VPNs from Cisco VPN Client 4.02(d) running on Windows.

I use certificate authentication (rsa-sig) without XAUTH. Both the router and clients get certificates from a Microsoft Windows 2000 CA. VPN connections are established without problem. However, there is no traffic flowing through the tunnel. I cannot ping from either side.

The client's status bar (bottom of the screen) says: bytes in(0), bytes out(38434). So it looks like the client cannot receive incoming packets.

Any suggestions?

Note that in the IOS config attached below, the isakmp client configuration group OU1 was never matched. The Cisco documentation said the group name would match the OU field in client certificate. My client cert has the OU field set to "OU1", but it did not work. That's why I also have a "crypto isakmp client configuration address-pool local" statement to define the IP pool.

Here is my IOS config:

version 12.3
!
hostname cmohanan12
!
clock timezone PT -8
no ip subnet-zero
!
!
ip domain name martsoft.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint mart-th
 enrollment mode ra
 enrollment url http://192.168.10.66:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 crl optional
!
crypto ca certificate chain mart-th
 certificate xxxxx
 certificate xxxxx
 nvram:mart#62ACA.cer
!
crypto isakmp policy 1
 encr aes 256
 group 5
!
crypto isakmp client configuration address-pool local vpn-pool1
!
crypto isakmp client configuration group OU1
 dns 192.168.10.11
 domain martsoft.com
 pool vpn-pool1
 acl 199
!
crypto ipsec transform-set tran1 esp-des esp-md5-hmac
crypto ipsec transform-set tran2 esp-des esp-sha-hmac
crypto ipsec transform-set tran3 ah-md5-hmac esp-des
crypto ipsec transform-set tran4 ah-sha-hmac esp-des
crypto ipsec transform-set tran5 esp-3des esp-md5-hmac
crypto ipsec transform-set tran6 esp-3des esp-sha-hmac
crypto ipsec transform-set tran7 esp-aes esp-md5-hmac
crypto ipsec transform-set tran8 esp-aes esp-sha-hmac
!
crypto dynamic-map dyntmp1 1
 set transform-set tran1 tran2 tran8 tran7 tran5 tran6
!
!
crypto map dynmap1 client configuration address respond
crypto map dynmap1 1 ipsec-isakmp dynamic dyntmp1
!
interface Ethernet0/0
 ip address 192.168.10.23 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 no ip mroute-cache
 shutdown
!
interface Serial0/1
 no ip address
 shutdown
!
interface Ethernet1/0
 ip address 172.16.172.40 255.255.255.0
 half-duplex
 crypto map dynmap1
!
interface Ethernet1/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet1/3
 no ip address
 shutdown
 half-duplex
!
ip local pool vpn-pool1 192.168.10.205 192.168.10.209
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
access-list 199 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
 timeout login response 0
line aux 0
line vty 0 4
 password cisco
 login
!
end

2 Replies

gfullage
Cisco Employee

This looks like a routing problem. Once connected (meaning the certs were compared and found to be valid), they shouldn't come into it. The fact that your PC is sending packets but receiving nothing usually signifies a routing issue.

So, you have the crypto map applied to e1/0, which is the interface that your VPN clients are connected off. However, you have a default route pointing out e0/0.

What's happening is that the router is receiving the encrypted packets from your clients, decrypting them and forwarding them on internally. When the response comes back from the internal server, the router sees that it has to send the packet to the VPN PC, but the default route points back out to the e0/0 interface, which doesn't have a crypto map on it. The return packets will never be encrypted and will never reach the VPN client, which is why you're seeing 0 bytes in. Fix this default route and you should start seeing replies.
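The forwarding decision described in this reply, replayed as an added Python example (not code from the thread or from Cisco): it runs a longest-prefix lookup over the routes the posted config implies (the connected subnets of Ethernet0/0 and Ethernet1/0 plus the default route) and then checks whether the chosen egress interface carries crypto map dynmap1, which the config applies only to Ethernet1/0. The /32 pool routes in the "fixed" table are an assumption added for illustration: they model what more specific routes for the pool addresses toward the crypto-map interface (the effect reverse-route injection produces) would change.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    egress: str   # interface the packet leaves on
    kind: str     # "connected" or "static"


# Routing table implied by the posted config (constructed from it, not
# captured from the router): two connected subnets plus the default route
# "ip route 0.0.0.0 0.0.0.0 192.168.10.1", whose next hop is on e0/0.
ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), "Ethernet0/0", "connected"),
    Route(ipaddress.ip_network("172.16.172.0/24"), "Ethernet1/0", "connected"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "Ethernet0/0", "static"),
]

# "crypto map dynmap1" is applied to Ethernet1/0 only.
CRYPTO_MAP_INTERFACES = {"Ethernet1/0"}

# Addresses handed out by "ip local pool vpn-pool1 192.168.10.205 192.168.10.209".
POOL = [f"192.168.10.{n}" for n in range(205, 210)]


def lookup(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match: the most specific route containing dst wins.
    The default route guarantees at least one candidate."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def return_path(dst: str, routes=ROUTES):
    """Where a reply addressed to a VPN client leaves the router, and whether
    a crypto map on that interface can encrypt it. Returns (egress, encrypted)."""
    route = lookup(dst, routes)
    return route.egress, route.egress in CRYPTO_MAP_INTERFACES


# Assumed fix for illustration: host routes for each pool address pointing at
# the crypto-map interface, which is what reverse-route injection would install.
FIXED_ROUTES = ROUTES + [
    Route(ipaddress.ip_network(f"{ip}/32"), "Ethernet1/0", "static") for ip in POOL
]


def diagnose(routes=ROUTES) -> dict:
    """Map each pool address to whether its return traffic can be encrypted."""
    return {ip: return_path(ip, routes)[1] for ip in POOL}


if __name__ == "__main__":
    # With the posted table every pool address egresses e0/0 unencrypted;
    # with the host routes every one egresses e1/0 through dynmap1.
    for ip in POOL:
        print(ip, "posted:", return_path(ip), "fixed:", return_path(ip, FIXED_ROUTES))
```

Note that for a pool address such as 192.168.10.209 the winning entry is the connected 192.168.10.0/24 route rather than the default route, because the pool lies inside the e0/0 subnet; either way the egress is Ethernet0/0, so the conclusion above holds: the reply leaves an interface with no crypto map and is never encrypted.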

Before the VPN connection, I was able to ping e0/0 (192.168.10.23) as well as all hosts in the subnet 192.168.10.0 from the PC. After the VPN tunnel is established, I couldn't even ping e0/0. Also, I could not ping the PC's VPN address (192.168.10.209) from the router (I could ping the PC's local IP, though).

So I think this doesn't have much to do with the default route in the router, which points to 192.168.10.1, since I'm only trying to access the LAN connected to e0/0 at this point.

Here is the result of running "ipconfig /all" on the PC:

Ethernet adapter Local Area Connection 1:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.10.209
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.209
        DNS Servers . . . . . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . . : Intel(R) PRO/100+ Alert on LAN* Management Adapter
        Physical Address. . . . . . . . . : 00-02-B3-19-32-9A
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.172.129
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 172.16.172.40
        DNS Servers . . . . . . . . . . . : 192.168.10.11