02-01-2013 08:18 AM
Hello,
I need help connecting VPN client to my router. Here's my config below.
It has site to site VPN which is working fine.
Thanks!!!
Building configuration...
!
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login dafault local
aaa authentication login vpn-xauth1 local
aaa authentication login sslvpn local
aaa authorization network vpn-group1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2155039512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2155039512
revocation-check none
rsakeypair TP-self-signed-2155039512
!
!
crypto pki certificate chain TP-self-signed-2155039512
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313535 30333935 3737301E 170D3131 30363232 31363239
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31353530
33393537 3730819F 0129384 2A864886 F70D0101 01050003 818D0030 81890281
8100BCC9 82DD2E9E DB424671 B2481D77 1EB7FDA8 25D2EEFC 6C66A551 68B418C6
75B76471 36D457B1 7AEC16FC 9333A228 A138C24A CCB715CF 143EF482 816C7080
330E7D24 6592EED9 F0167AAB D53490D4 8291CB52 BB40E140 8306A3CA AFE72861
FE9C6E34 B45B08D8 60AF2755 A0B90B4A 5DB260A3 4A879A91 0039C6CB 3F7E9384
43E10203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B626372 68612D77 6E647372 2D727472 1234234 68612E6C
6F63616C 301F0603 551D2304 18301680 14972BCE BC74B909 D904A757 3C82434A
822B2F65 6E301D06 023424E 04160414 972BCEBC 74B909D9 04A7573C 82434A82
2B2F656E 300D0609 2A864886 F70D0101 04050003 818100B4 A1AC739C 6F212BE9
00FF9D10 67BD509A E7056108 CBF3884E 97E668D3 2CD43BEE B8C10098 56B386D7
B0523710 6E7D4092 71234234CD F6B70179 C89F575C 9889BA15 229E3452 AFC398A4
E016A49C 409ECF55 DCB941FF 092549B2 7E9E42C7 451C410D AF1B5697 01C586ED
D2DD0CB1 D33AAAAD 9A3AEC7A E8F06C61 0EE9A01E A017A6
quit
ip source-route
!
!
!
!
ip cef
ip domain name xxxx.local
ip name-server xx.x.xx.xx
ip name-server xx.xxx.xxx.xx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn yyyyyy
!
!
username tech privilege 15 secret 5 xxxxxxxxxxx
username vpn-user1 secret 5 xxxxxxxxx
username admin privilege 15 password 7 xxxxxxxx
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any vpn-ssh
match protocol ssh
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
match protocol citrix
match protocol ipsec-msft
match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
match access-group 199
class-map match-all inspection_icmp
match any
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-icmp-access
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxx address 69.xx.xx.xx
!
crypto isakmp client configuration group XXXXX
key xxxxx
dns 8.8.8.8
pool VPN-Pool
acl 110
crypto isakmp profile VPN-IKE-Profile1
match identity group XXXX
client authentication list VPN-xauth1
isakmp authorization list VPN-group1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile1
set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to69.xx.xxx.xx
set peer 69.xx.xxx.xx
set transform-set ESP-3DES-SHA
match address 101
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address 65.xx.xxx.xx 255.255.255.xxx
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
!
ip local pool VPN-Pool 10.10.200.1 10.10.200.50
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.xx.xxx.1
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 173.0.0.0 0.255.255.255
access-list 23 permit 152.0.0.0 0.255.255.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 69.xx.xxxx.xx any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 104 permit ip 10.10.0.0 0.0.0.255 any
access-list 110 remark VPN-Users
access-list 110 permit ip 10.10.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 199 permit ip any any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
end
02-01-2013 08:35 AM
I got it.
11-22-2013 06:24 AM
Are you trying to configured easy vpn server ,, if so,, please check below link,,
I have working config,,,,
https://supportforums.cisco.com/thread/2252633
Hope this will help,.,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide