03-01-2013 09:48 AM
So, help...
I'm unsure how to best solve my issue...
I have a 5520 acting as a VPN server... and 5505s acting as clients...
The 5505s connect fine when using "client mode", but things go sideways when I try to use NEM... Namely, they never complete a connection...
debug vpnclient shows this repeating rather fast... (This device is connected to a FiOS connection behind a gateway/router... it's my test environment, and it does work when I have the device set up in "vpnclient mode client-mode".)
Some of my remote sites are configured directly with a public IP (issued via DHCP); others are behind a 3rd-party firewall/device that I have no control over... but again, these sites currently work as "vpnclient mode client-mode"...
VPNC INFO: Reconnect to new peer - 168.156.248.2
VPNC CLI: access-list _vpnc_acl permit ip host 10.1.10.33 host 168.156.248.2
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CLI: crypto map _vpnc_cm 10 set peer 168.156.248.2
VPNC CLI: crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
VPNC CLI: crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647
VPNC CLI: crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647
VPNC CLI: crypto map _vpnc_cm 10 set phase1-mode aggressive
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC CLI: tunnel-group 168.156.248.2 type ipsec-ra
VPNC CLI: tunnel-group 168.156.248.2 ipsec-attributes
pre-shared-key edcc
VPNC INFO: vpnc_unselect_peer()
VPNC CLI: clear configure tunnel-group
VPNC CLI: clear configure crypto map _vpnc_cm
VPNC CLI: no access-list _vpnc_acl permit ip host 10.1.10.33 host 168.156.248.2
VPNC INFO: Setting SUA state to 'idle'
The primary reason I'm trying to do this is so my server admin guy can see the clients who are behind the 5505s...
I don't know how much of the config file you need for it to be meaningful, and I'm a bit leery of posting too much anyway...
From one of the 5505s (I'm running 8.2(3)):
dns server-group DefaultDNS
domain-name edcc.ctc.edu
access-list 110 extended permit ip any any
access-list inside_nat0_outbound extended permit ip any any
access-list outside_cryptomap_10 extended permit ip any any
...
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
...
vpnclient server 168.156.248.2
vpnclient mode network-extension-mode
vpnclient vpngroup <group> password *****
vpnclient username <useraccount> password *****
vpnclient enable
On the 5520:
(running 8.2(5))
...
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto dynamic-map dyna 30 match address l2tp_acl
crypto dynamic-map dyna 30 set transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 1 match address 110
crypto map mymap 1 set peer x.x.x.68
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map mymap 20 match address 200
crypto map mymap 20 set peer x.x.x.7
crypto map mymap 20 set transform-set ESP-AES-128-SHA
crypto map mymap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map mymap interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
...
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
...
group-policy edcc-split-tunnel internal
group-policy edcc-split-tunnel attributes
wins-server value 10.230.100.23 10.230.100.22
dns-server value 10.230.100.23 10.230.100.22
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value edcc_splitTunnelAcl
default-domain value edcc.ctc.edu
group-policy edcc-no-split-tunnel internal
group-policy edcc-no-split-tunnel attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelall
group-policy DfltGrpPolicy attributes
wins-server value 10.230.100.23 10.230.100.22
dns-server value 10.230.100.23 10.230.100.22
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp enable
re-xauth enable
pfs enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value edcc_splitTunnelAcl
default-domain value edcc.ctc.edu
nac-settings value DfltGrpPolicy-nac-framework-create
group-policy l2tp-tunnel internal
group-policy l2tp-tunnel attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelall
...
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
address-pool main-edcc-pool
authentication-server-group admin LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
peer-id-validate cert
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group x.x.x.68 type ipsec-l2l
tunnel-group x.x.x.68 ipsec-attributes
pre-shared-key *****
tunnel-group outside type remote-access
tunnel-group outside general-attributes
address-pool main-edcc-pool
authentication-server-group admin LOCAL
default-group-policy edcc-split-tunnel
tunnel-group outside ipsec-attributes
pre-shared-key *****
tunnel-group edcc ppp-attributes
authentication ms-chap-v2
tunnel-group xinside type remote-access
tunnel-group xinside general-attributes
address-pool main-edcc-pool
authentication-server-group admin LOCAL
default-group-policy edcc-no-split-tunnel
tunnel-group xinside ipsec-attributes
pre-shared-key *****
tunnel-group xinside ppp-attributes
authentication ms-chap-v2
tunnel-group l2tp type remote-access
tunnel-group l2tp general-attributes
address-pool main-edcc-pool
authentication-server-group admin LOCAL
default-group-policy l2tp-tunnel
tunnel-group l2tp ipsec-attributes
pre-shared-key *****
isakmp ikev1-user-authentication none
tunnel-group l2tp ppp-attributes
authentication ms-chap-v2
tunnel-group x.x.x.7 type ipsec-l2l
tunnel-group x.x.x.7 ipsec-attributes
pre-shared-key *****
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
Any ideas? Obviously I have a few adventures here...
03-01-2013 05:50 PM
Or any suggestions on an alternative configuration for the remote sites?
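The configs pasted above carry single-DES and MD5 transform sets, 3DES/MD5 IKE policies on DH group 2, and the hardware client's generated crypto map forces IKEv1 aggressive mode with a pre-shared key. The script below is an added example (not from the original post or from Cisco) that walks ASA-style config text and flags those settings; the sample input is a constructed excerpt of the lines quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the ASA config and debug output quoted in the post.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
VPNC CLI: crypto map _vpnc_cm 10 set phase1-mode aggressive
"""

# Weak choices keyed by the token as it appears in ASA syntax.
WEAK_TRANSFORMS: Dict[str, str] = {
    "esp-des": "single DES encryption",
    "esp-3des": "3DES encryption (64-bit block)",
    "esp-md5-hmac": "HMAC-MD5 integrity",
}
WEAK_ISAKMP: Dict[Tuple[str, str], str] = {
    ("encryption", "des"): "single DES in IKE phase 1",
    ("encryption", "3des"): "3DES in IKE phase 1",
    ("hash", "md5"): "MD5 in IKE phase 1",
    ("group", "1"): "DH group 1 (768-bit)",
    ("group", "2"): "DH group 2 (1024-bit)",
}
ISAKMP_SUBCMDS = {"authentication", "encryption", "hash", "group", "lifetime"}


def audit_asa_config(text: str) -> List[str]:
    """Return one finding per weak transform-set token, weak ISAKMP policy
    line, or aggressive-mode phase 1 setting found in the config text."""
    findings: List[str] = []
    policy = None  # number of the 'crypto isakmp policy' block being read
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        # Sub-commands of a policy block (indentation may be lost when pasted).
        if policy and len(parts) == 2 and parts[0] in ISAKMP_SUBCMDS:
            note = WEAK_ISAKMP.get((parts[0], parts[1]))
            if note:
                findings.append(f"isakmp policy {policy}: {note}")
            continue
        policy = None  # any other line ends the current policy block
        m = re.match(r"crypto isakmp policy (\d+)$", " ".join(parts))
        if m:
            policy = m.group(1)
        elif parts[:3] == ["crypto", "ipsec", "transform-set"] and len(parts) > 4:
            for tok in parts[4:]:
                if tok in WEAK_TRANSFORMS:
                    findings.append(f"transform-set {parts[3]}: {WEAK_TRANSFORMS[tok]}")
        elif "phase1-mode" in parts and "aggressive" in parts:
            findings.append("IKEv1 aggressive mode with PSK: peer identity sent "
                            "unencrypted and PSK exposed to offline guessing")
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f)
```

Run it over the full `show running-config` output to see every policy the 5520 will still accept from a hardware client.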