
Terminating VPN client on 871W

erikisme1
Level 1

Hi,

I tried to install EasyVPN on a Cisco 871W through SDM. The purpose is to terminate client VPNs, authenticating them with an external RADIUS/AD server (on a local subnet). I set up IAS on a Win2003 AD server and checked the accounts.

SDM was missing out the 'crypto map' chunk of config. After adding this in the CLI it still did not work. So EasyVPN is not as easy as it seems...

Could someone with some knowledge of VPN and IPsec and so on please take a look at this config? Perhaps it gives me a clue to what I have done wrong (which without doubt must be the case).

Thanks,

Erik

==

aaa new-model
!
aaa group server radius rad_eap
server 10.128.7.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-1278336536
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1278336536
revocation-check none
rsakeypair TP-self-signed-1278336536
!
!
crypto pki certificate chain TP-self-signed-1278336536
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31323738 33333635 3336301E 170D3039 31303237 32313237
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32373833
33363533 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81008B56 5902F5DF FCE1A56E 45956514 3A63350E 1767EF73 FEC6CD16 7E982A82
B0AF8546 ABB3D35A B7C3A7E3 37A02103 3ACCB34A 8B655C97 F103DBD5 9AAEFEFC
4EFC398B 0C8B6BE5 AD3E568E 6CB69F87 CBCA0785 EAED0A28 726F2F0A B0B0453E
32E6B3B7 861F87FA 222197DD 3410D8A9 35939E9B CBF95F20 B8DA6ADE BF460F5C
BF8F0203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
551D1104 16301482 12444341 4E495430 302E6361 6E2D6974 2E657530 1F060355
1D230418 30168014 84C9223E 661B2EB4 5BAB0B0E 1BE3A27A 64B3AEB0 301D0603
551D0E04 16041484 C9111E66 1B2EB45B AB0B0E1B E3A27A64 B3AEB030 0D06092A
864886F7 0D010104 05000381 81002F4A F3E4AF9D 8693B599 70EC1F1A D2995276
17E3583A 46C749F9 38743E6F F5E60478 5B9B5091 E944C689 7BA6DCA2 94D2FBD3
AFDE4500 A0A3644E 603A852D 55ED7A87 93501D5C 1662DAED 3FFFEC5A F1C38ED4
E0787561 BA5C14A3 6D065FCF 7DBDEBB6 9186C2D9 AA253FBF A9E38BC3 342C3AC9
2BEF6821 E4C50277 493AD5B6 2AFE
quit
dot11 syslog
!
ip source-route
!
!
ip dhcp excluded-address 10.128.1.250 10.128.1.254
ip dhcp excluded-address 10.128.150.250 10.128.150.254
ip dhcp excluded-address 10.128.7.0 10.128.7.100
ip dhcp excluded-address 10.128.7.250 10.128.7.254
!
ip dhcp pool VLAN30-GUEST
import all
network 10.128.1.0 255.255.255.0
default-router 10.128.1.254
dns-server 10.128.7.5
netbios-name-server 10.128.7.5
domain-name aaa.com
lease 4
!
ip dhcp pool VLAN20-STAFF
import all
network 10.128.150.0 255.255.255.0
default-router 10.128.150.254
dns-server 10.128.7.5
netbios-name-server 10.128.7.5
domain-name aaa.com
lease 4
!
ip dhcp pool VLAN10-SERVERS
import all
network 10.128.7.0 255.255.255.0
default-router 10.128.7.254
dns-server 10.128.7.5
netbios-name-server 10.128.7.5
domain-name aaa.com
lease 4
!
!
ip cef
no ip domain lookup
ip domain name aaa.com
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
username xxxx privilege 15 secret 5 xxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key xxxx
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
ip address 10.128.201.1 255.255.255.255
crypto map SDM_CMAP_1
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 20
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 30
!
interface FastEthernet4
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dot11Radio0
no ip address
shutdown
no dot11 extension aironet
!
interface Vlan1
ip address AAA.BBB.CCC.177 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
no autostate
hold-queue 100 out
!
interface Vlan10
description SERVER
no ip address
ip nat inside
no ip virtual-reassembly
no autostate
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Vlan20
description STAFF
no ip address
ip nat inside
no ip virtual-reassembly
no autostate
bridge-group 20
bridge-group 20 spanning-disabled
!
interface Vlan30
description GUEST
no ip address
ip nat inside
no ip virtual-reassembly
no autostate
bridge-group 30
bridge-group 30 spanning-disabled
!
interface Dialer1
mtu 1492
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxx password 7 xxxxx
!
interface BVI10
description Bridge to server network
ip address 10.128.7.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI20
description Bridge to Staff network
ip address 10.128.150.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface BVI30
description Bridge to Guests Network
ip address 10.128.1.254 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-client-auth
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface Vlan1 overload
ip nat inside source static tcp 10.128.7.1 25 AAA.BBB.CCC.178 25 extendable
ip nat inside source static tcp 10.128.7.1 80 AAA.BBB.CCC.178 80 extendable
ip nat inside source static tcp 10.128.7.1 443 AAA.BBB.CCC.178 443 extendable
ip nat inside source static tcp 10.128.7.1 8333 AAA.BBB.CCC.178 8333 extendable
ip nat inside source static tcp 10.128.7.2 25 AAA.BBB.CCC.179 25 extendable
ip nat inside source static tcp 10.128.7.2 80 AAA.BBB.CCC.179 80 extendable
ip nat inside source static tcp 10.128.7.2 443 AAA.BBB.CCC.179 443 extendable
ip nat inside source static tcp 10.128.7.2 8333 AAA.BBB.CCC.179 8333 extendable
ip nat inside source static tcp 10.128.7.3 25 AAA.BBB.CCC.180 25 extendable
ip nat inside source static tcp 10.128.7.3 80 AAA.BBB.CCC.180 80 extendable
ip nat inside source static tcp 10.128.7.3 443 AAA.BBB.CCC.180 443 extendable
ip nat inside source static tcp 10.128.7.3 8333 AAA.BBB.CCC.180 8333 extendable
ip nat inside source static tcp 10.128.7.4 25 AAA.BBB.CCC.181 25 extendable
ip nat inside source static tcp 10.128.7.4 80 AAA.BBB.CCC.181 80 extendable
ip nat inside source static tcp 10.128.7.4 443 AAA.BBB.CCC.181 443 extendable
ip nat inside source static tcp 10.128.7.4 8333 AAA.BBB.CCC.181 8333 extendable
ip nat inside source static tcp 10.128.7.5 25 AAA.BBB.CCC.182 25 extendable
ip nat inside source static tcp 10.128.7.5 80 AAA.BBB.CCC.182 80 extendable
ip nat inside source static tcp 10.128.7.5 443 AAA.BBB.CCC.182 443 extendable
ip nat inside source static tcp 10.128.7.5 8333 AAA.BBB.CCC.182 8333 extendable
ip nat inside source static tcp 10.128.7.6 25 AAA.BBB.CCC.183 25 extendable
ip nat inside source static tcp 10.128.7.6 80 AAA.BBB.CCC.183 80 extendable
ip nat inside source static tcp 10.128.7.6 443 AAA.BBB.CCC.183 443 extendable
ip nat inside source static tcp 10.128.7.6 8333 AAA.BBB.CCC.183 8333 extendable
ip nat inside source static tcp 10.128.7.7 25 AAA.BBB.CCC.184 25 extendable
ip nat inside source static tcp 10.128.7.7 80 AAA.BBB.CCC.184 80 extendable
ip nat inside source static tcp 10.128.7.7 443 AAA.BBB.CCC.184 443 extendable
ip nat inside source static tcp 10.128.7.7 8333 AAA.BBB.CCC.184 8333 extendable
ip nat inside source static tcp 10.128.7.8 25 AAA.BBB.CCC.185 25 extendable
ip nat inside source static tcp 10.128.7.8 80 AAA.BBB.CCC.185 80 extendable
ip nat inside source static tcp 10.128.7.8 443 AAA.BBB.CCC.185 443 extendable
ip nat inside source static tcp 10.128.7.8 8333 AAA.BBB.CCC.185 8333 extendable
ip nat inside source static tcp 10.128.7.9 25 AAA.BBB.CCC.186 25 extendable
ip nat inside source static tcp 10.128.7.9 80 AAA.BBB.CCC.186 80 extendable
ip nat inside source static tcp 10.128.7.9 443 AAA.BBB.CCC.186 443 extendable
ip nat inside source static tcp 10.128.7.9 8333 AAA.BBB.CCC.186 8333 extendable
ip nat inside source static tcp 10.128.7.10 25 AAA.BBB.CCC.187 25 extendable
ip nat inside source static tcp 10.128.7.10 80 AAA.BBB.CCC.187 80 extendable
ip nat inside source static tcp 10.128.7.10 443 AAA.BBB.CCC.187 443 extendable
ip nat inside source static tcp 10.128.7.10 8333 AAA.BBB.CCC.187 8333 extendable
ip nat inside source static tcp 10.128.7.11 25 AAA.BBB.CCC.188 25 extendable
ip nat inside source static tcp 10.128.7.11 80 AAA.BBB.CCC.188 80 extendable
ip nat inside source static tcp 10.128.7.11 443 AAA.BBB.CCC.188 443 extendable
ip nat inside source static tcp 10.128.7.11 8333 AAA.BBB.CCC.188 8333 extendable
ip nat inside source static tcp 10.128.7.12 25 AAA.BBB.CCC.189 25 extendable
ip nat inside source static tcp 10.128.7.12 80 AAA.BBB.CCC.189 80 extendable
ip nat inside source static tcp 10.128.7.12 443 AAA.BBB.CCC.189 443 extendable
ip nat inside source static tcp 10.128.7.12 8333 AAA.BBB.CCC.189 8333 extendable
!
ip access-list extended Guest-ACL
deny ip any 10.128.7.0 0.0.0.255
deny ip any 10.128.150.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 1 permit 10.128.150.0 0.0.0.255
access-list 1 permit 10.128.1.0 0.0.0.255
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 2 deny any
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
access-list 101 permit ip 10.128.150.0 0.0.0.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
!
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.128.7.5 auth-port 1645 acct-port 1646 key 7 xxxxx
radius-server vsa send accounting
!
control-plane
!
bridge 10 route ip
bridge 20 route ip
bridge 30 route ip
banner motd ^
******************** Unauthorized access strictly forbidden ****************
******************** All access attempts will be logged !! ***************

^
!
line con 0
password 7 xxxx
no modem enable
line aux 0
line vty 0 4
access-class 2 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server aaa.bbb.ccc.ddd
end


6 Replies

yamramos.tueme
Level 1

Taking a look at your configuration, it looks like you have not added the transform-set to the dynamic map.  Once you have that done you should attach the crypto map to the interface that the client is pointing to.  Loopbacks are not supported to land VPN tunnels, so you should apply it to a different interface and try it again.

Also as an additional comment, right now you are using the "sdm_vpn_xauth_ml_1" list to authenticate your VPN users, and this group is defined as local.  If you want to use your RADIUS server, you should switch to the group "rad_eap".  As a suggestion you can first try to make it work authenticating locally and then just switch to your RADIUS server.

Thanks for your reply!!

You write: "Once you have that done you should attach the crypto map to the interface that the client is pointing to.  Loopbacks are not supported to land VPN tunnels, so you should apply it to a different interface and try it again."

SDM suggests using BVI10. This, however, is an inside interface. Does this require any special adjustments to the NAT rules?

Erik

**edit**

Possibly I'd better use the Dialer1 interface since this is an outside interface.

E.

If your clients are going to connect with the VPN Client from the Internet, you can try attaching the crypto map to the Dialer interface, as it is your default gateway.  The IP address of the interface you attach the crypto map to should be the one you configure in your VPN client software.

Cheers,

- Yamil

You wrote: "The IP address of the interface you attach the crypto map to should be the one you configure in your VPN client software."

Is there a way to use a pool of addresses that will be automatically assigned, with other info like DNS and so on?

And in the case of the Dialer interface, in what range should these addresses be?

--Erik

Erik,

The pool of addresses that you are talking about, is it to be assigned to the client or to the router's public interface?  If you want to configure your VPN client software to point to an FQDN instead of an IP address, you can do that as long as you can ensure that the name you use is resolved by a DNS.

The range of addresses that can be assigned to your Dialer interface will depend on your ISP.

- Yamil
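Pulling Yamil's replies together in one place, with the NAT adjustment Erik asked about after the BVI10 remark: the fragment below is an added example written for this page, not Erik's posted config and not something anyone in the thread wrote. It reuses the names already in the posted config (SDM_DYNMAP_1, SDM_CMAP_1, ESP-3DES-SHA, rad_eap, SDM_POOL_1, access-list 101, group "vpn") and assumes the clients arrive over Dialer1 and are handed pool addresses from 192.168.2.0/24. The group key stays masked as "xxxx" exactly as in the post. Lines starting with "!" are comments.

```cisco
! 1. Give the dynamic map a transform set; the posted dynamic map has only
!    "reverse-route", so Phase 2 has nothing to negotiate with.
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
! 2. XAUTH users against IAS through the existing rad_eap server group,
!    with the local database as fallback if 10.128.7.5 does not answer.
!    Per Yamil's advice, prove the tunnel with "local" first, then switch.
aaa authentication login sdm_vpn_xauth_ml_1 group rad_eap local
!
! 3. The pool is for the clients; the VPN client software points at the
!    public address on Vlan1/Dialer1 (or an FQDN that resolves to it).
!    DNS/WINS/domain are pushed to the client together with the pool address.
crypto isakmp client configuration group vpn
 key xxxx
 pool SDM_POOL_1
 dns 10.128.7.5
 wins 10.128.7.5
 domain aaa.com
 netmask 255.255.255.0
!
! 4. Move the crypto map off Loopback0 onto the interface the clients
!    actually reach, which is Dialer1 (the default route).
interface Loopback0
 no crypto map SDM_CMAP_1
interface Dialer1
 crypto map SDM_CMAP_1
!
! 5. NAT exemption. Access-list 101 matches every packet leaving the inside
!    subnets, so replies to a VPN client would be translated to the public
!    address before encryption and the client would never see them. Numbered
!    ACL entries can only be appended, so rebuild the list with the deny
!    entries first.
no access-list 101
access-list 101 deny   ip 10.128.7.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 10.128.150.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 10.128.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
access-list 101 permit ip 10.128.150.0 0.0.0.255 any
access-list 101 permit ip 10.128.1.0 0.0.0.255 any
!
! 6. Only matters if Internet-inbound-ACL is ever applied inbound on Dialer1
!    (it is defined but not applied in the posted config): IKE, NAT-T and the
!    configured cTCP port 10000 must be allowed alongside ESP.
ip access-list extended Internet-inbound-ACL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit tcp any any eq 10000
```

After rebuilding access-list 101, run "clear ip nat translation *" so existing translations do not keep the old behaviour. To check the result: "show crypto isakmp sa" should show the client's Phase 1 SA in QM_IDLE once XAUTH has passed, "show crypto ipsec sa" should show packets being encrypted and decrypted on Dialer1, and "debug crypto isakmp" together with "debug aaa authentication" shows where a failed attempt stops. The RADIUS path can be tested on its own, without a client, with "test aaa group rad_eap <user> <password> new-code"; if that fails while local authentication works, check the IAS remote access policy, since the router forwards the XAUTH credentials as a plain PAP Access-Request, which IAS rejects unless unencrypted (PAP) authentication is enabled for that policy.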

Thanks Yamil for helping out!

--Erik
