Can not connect to easy VPN Server

SilentHunter124
Level 1

Hi *,

I have a little stupid problem with my Easy VPN Server. I took the following configuration to configure the VPN: Click

I can successfully ping 192.168.99.1, but when I start AnyConnect (entering this IP address as the server address) on my iPhone, it first says that the server certificate is not valid (I ignore that because it is self-signed) and when I press Continue it says that no connection could be established.

What can be the problem?


9 Replies

You are using the wrong client. If you configure an Easy VPN Server, then you have to use the built-in VPN client on the iPhone.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi,

Sorry, that doesn't work either. When I use the built-in VPN client on the iPhone with the following configuration:

The Client says: "Server is not responding"!

What shall I do?

Please paste your config.


Current configuration : 9818 bytes
!
! Last configuration change at 20:07:58 UTC Mon May 27 2013 by donaldduck
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 1000000 errors
logging console critical
!
aaa new-model
!
aaa authentication login local_auth local
aaa authentication login vpn_authen local
aaa authorization network vpn_author local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip bootp server
ip domain name r1.xyz.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect icmp
login block-for 30 attempts 5 within 60
no ipv6 cef
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key jeronimo
 dns 8.8.8.8
 domain test.vpn
 pool ipsecvpn
 save-password
crypto isakmp profile vi
   match identity group VPN
   client authentication list vpn_authen
   isakmp authorization list vpn_author
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set transform-vpn-1 esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec-vpn-vi
 set transform-set transform-vpn-1
 set isakmp-profile vi
!
interface Loopback1
 description Anchor for VPN VI
 ip address 192.168.99.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-vi
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip local pool ipsecvpn 192.168.99.10 192.168.99.20
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
logging trap errors
logging facility local2
no cdp run
!
!
!
!
control-plane
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 1.de.pool.ntp.org
ntp server 0.de.pool.ntp.org
!
end

Okay, I used Cisco Configuration Professional and created a new Loopback interface and Easy VPN Server.

Now it works. I can connect to the VPN server via iPhone and can access the internal IP addresses.

BUT:

How do I configure a next-hop address for the VPN clients so that they can reach all other worldwide IP addresses through this VPN (which does not work at the moment)?

Add ip nat inside on the virtual-template.

Add the VPN subnet to the PAT pool.

You mean that besides my Gi0/8 interface (which is also nat inside) I should add ip nat inside on interface Virtual-Template3 type tunnel? Okay, I will do so.

But I searched my config for the PAT pool and can't find any PAT pool. The only pools I have are a DHCP pool and the VPN pool.

What is the command that applies a pool as a PAT pool?

Accepted Solution:

It's very likely that you don't have a PAT pool configured and just use the "overload" keyword when NATing to your outside interface. In that command you reference an ACL (or an ACL in a route-map) where you have to make sure that your VPN pool is included in the NATed traffic.

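The two fixes given in this thread (ip nat inside on the virtual-template, and the VPN pool added to the ACL that the "overload" NAT statement references) are the kind of thing that is easy to verify mechanically. The following is an added example, not code from the thread and not a Cisco tool: a Python script that scans the relevant lines of an IOS running-config and lists what is missing for full-tunnel clients. The pool name and range (ipsecvpn, 192.168.99.10-20) come from the thread; ACL 100, GigabitEthernet0/0 as the outside interface, a 192.168.1.0/24 LAN on Gi0/8 and Virtual-Template3 are assumptions, and both sample configs are constructed.

```python
"""Check whether an Easy VPN server config NATs its client pool.

Added example for this thread (not the poster's config, not a Cisco tool).
Scans the IOS lines that decide whether full-tunnel clients reach the
Internet: the client pool, 'ip nat inside source list ... overload', that
ACL, and which interfaces are 'ip nat inside' / 'ip nat outside'.
"""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF

# Constructed "before" (assumed Gi0/0 = WAN, Gi0/8 = LAN 192.168.1.0/24):
# the LAN is NATed but the VPN pool is not, and the virtual-template is not
# a NAT inside interface, so client packets for the Internet would leave
# the WAN with an unroutable 192.168.99.x source address.
BEFORE = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/8
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Virtual-Template3 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
!
ip local pool ipsecvpn 192.168.99.10 192.168.99.20
ip nat inside source list 100 interface GigabitEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

# "After": the two changes from the accepted answer.
AFTER = BEFORE.replace(
    " ip unnumbered Loopback1\n",
    " ip unnumbered Loopback1\n ip nat inside\n",
) + "access-list 100 permit ip 192.168.99.0 0.0.0.255 any\n"


def wildcard_match(entry, ip):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    addr, wild = entry
    care = ALL_ONES ^ wild
    return (int(ip) & care) == (addr & care)


def parse(text):
    """Collect pools, NAT inside/outside interfaces, the overload ACL and the
    permit entries of numbered ACLs (only the 'address wildcard' form;
    'any', 'host' and protocol-specific entries are skipped)."""
    cfg = {"pools": {}, "inside": set(), "outside": set(),
           "nat_acl": None, "nat_if": None, "acls": {}}
    iface = None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.startswith(" ") and iface:
            cmd = line.strip()
            if cmd == "ip nat inside":
                cfg["inside"].add(iface)
            elif cmd == "ip nat outside":
                cfg["outside"].add(iface)
        else:
            iface = None  # '!' or a global command ends the interface block
            if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
                cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]),
                                      ipaddress.ip_address(m[3]))
            elif m := re.match(r"ip nat inside source list (\S+) "
                               r"interface (\S+) overload$", line):
                cfg["nat_acl"], cfg["nat_if"] = m[1], m[2]
            elif m := re.match(r"access-list (\S+) permit (?:ip )?(\d\S*) (\d\S*)",
                               line):
                entry = (int(ipaddress.ip_address(m[2])),
                         int(ipaddress.ip_address(m[3])))
                cfg["acls"].setdefault(m[1], []).append(entry)
    return cfg


def check(text, pool_name="ipsecvpn", vti="Virtual-Template3"):
    """Return the reasons full-tunnel clients cannot reach the Internet via
    NAT; an empty list means the NAT side of the config is complete."""
    cfg = parse(text)
    if cfg["nat_acl"] is None:
        return ["no 'ip nat inside source list ... overload' statement"]
    if pool_name not in cfg["pools"]:
        return [f"no 'ip local pool {pool_name}'"]
    problems = []
    if cfg["nat_if"] not in cfg["outside"]:
        problems.append(f"{cfg['nat_if']} lacks 'ip nat outside'")
    if vti not in cfg["inside"]:
        problems.append(f"{vti} lacks 'ip nat inside'")
    entries = cfg["acls"].get(cfg["nat_acl"], [])
    start, end = cfg["pools"][pool_name]
    uncovered = [str(ipaddress.ip_address(n))
                 for n in range(int(start), int(end) + 1)
                 if not any(wildcard_match(e, n) for e in entries)]
    if uncovered:
        problems.append(f"ACL {cfg['nat_acl']} does not match pool {pool_name} "
                        f"addresses {uncovered[0]}-{uncovered[-1]}")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", check(text) or "OK")
```

The check walks every address in the pool against every ACL entry with IOS wildcard semantics, so a non-contiguous wildcard or a pool that straddles two entries is handled; it only understands the `ip nat inside source list ... interface ... overload` form, so if the NAT statement references a route-map (as the accepted answer mentions), the ACL named inside that route-map is the one to extend. Nothing needs to change for LAN access: traffic between two `ip nat inside` interfaces is not translated, which is why the poster's clients could already reach internal addresses before the ACL was extended.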

Thank you very very very much, works like a charm