Re: Problem to configure VPN

udayashankarsg · ‎12-17-2007

Hi All,

I am having a problem in configuring a dynamic VPN in my pix which has the 7.2 version of ios but i am able to work with same configuration in the pix whch has 6.3 version i just want a user from outside my network using the vpn client access the resource inside my network below is my configuration is it ok are should i need to do anything more? please advice me.

ip local pool vpnpool1 192.168.170.1-192.168.170.254

crypto dynamic-map map2 20 set transform-set guatemala1

crypto map map1 20 ipsec-isakmp dynamic map2

crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password xxxxxxx

access-list outside_acl permit tcp 192.168.170.0 255.255.255.0 172.19.10.0 255.255.255.0

route outside 192.168.170.0 255.255.255.0 200.30.222.65

access-list inside_nat0_outbound extended permit ip any 192.168.170.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0

access-list 102 permit ip 172.19.10.0 255.255.255.0 192.168.170.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Alan Huseyin Kayahan · ‎12-18-2007

Hi Uday

6.3 and 7.2 are slightly different. First issue the following command.

isakmp enable outside

Then.

group-policy Guatemalavpn internal

group-policy Guatemalavpn attributes

vpn-idle-timeout 36000

vpn-session-timeout 10080

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 102

tunnel-group Guatemalavpn type ipsec-ra

tunnel-group Guatemalavpn general-attributes

address-pool vpnpool1

authentication-server-group LOCAL

default-group-policy Guatemalavpn

tunnel-group Guatemalavpn ipsec-attributes

pre-shared-key typeyourpresharedkeyhere

Regards

udayashankarsg · ‎12-18-2007

Should i use your command after my command

if i enter following command i will get some error message

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password cisco123

udayashankarsg · ‎12-18-2007

this is the error message

WARNING: the 'vpngroup' command has been deprecated, and will be converted to the corresponding tunnel-group and group-policy syntax

ERROR: ip pool vpnpool1 is not defined.

udayashankarsg · ‎12-18-2007

if i try to connect after the configuration

the cisco vpn client asks for the Authentication after providing the local username and password of the pix and also i tried with username as Guatemalavpn and password as my preshared key i am get eroor saying

secured vpn connection terminated locally by the client reson 403 unable to caoonect security gateway

Alan Huseyin Kayahan · ‎12-18-2007

vpngroup is changed as tunnel-group in 7.x IOS. So dont use vpngroup and use my config instead. Rest of the config is OK.

When it asks you a username and password, submit a username password that you created in pix. For example following command creates a user

username uday password 1234 priv 1

Regards

udayashankarsg · ‎12-18-2007

I am still having the same error and the below command is not working.

tunnel-group Guatemalavpn type ipsec-ra

Alan Huseyin Kayahan · ‎12-18-2007

Uday,

What error do you encounter when you type

tunnel-group Guatemalavpn type ipsec-ra

Posting your running config would be helpful

udayashankarsg · ‎12-18-2007

please find the configuration as attachement.

Alan Huseyin Kayahan · ‎12-18-2007

Type the following in their respective order in configure terminal mode

tunnel-group Guatemalavpn general-attributes

authentication-server-group LOCAL

udayashankarsg · ‎12-19-2007

Do i have any problem with my crypto map command because when i type i get following error.

crypto map map1 20 ipsec-isakmp dynamic map2

WARNING: dynamic map has incomplete entries