Currently I'm using Cisco VPN client software to connect to a remote IPSec server on the workstations.
I want to configure an IPSec client on a Cisco 2600 router which connects to the remote IPSec server so the workstations can access the VPN subnet without using VPN software.
Can anyone guide me on how to configure an IPSec client on the router?
I think it is because the encryption and hash algorithms don't match? Because when I connect from the Cisco VPN Client software I can see that the encryption is 128-bit AES and authentication is hmac-sha1.
But from the router log it is:
*Jan 19 14:32:34.868: ISAKMP: encryption 3DES-CBC
*Jan 19 14:32:34.868: ISAKMP: hash MD5
How do I change the encryption parameters?
Sorry for my late response, I am a bit ill.
I have checked the logs and did a small repro. To me it looks like the server is not supporting NEM:
This is from VPN server with NEM disabled:
Nov 30 00:13:56 [IKEv1 DEBUG]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, MODE_CFG: Received request for DHCP hostname for DDNS is: R1!
Nov 30 00:13:56 [IKEv1]: Group = gsa3mle3, Username = cisco, IP = 10.10.10.2, Hardware Client connection rejected! Network Extension Mode is not allowed for this group!
*Mar 1 00:45:56.387: ISAKMP:(1007): sending packet to 10.10.10.13 my_port 500 peer_port 500 (I) CONF_ADDR
*Mar 1 00:45:56.439: ISAKMP (0:1007): received packet from 10.10.10.13 dport 500 sport 500 Global (I) CONF_ADDR
*Mar 1 00:45:56.439: DGVPN:crypt_iv after decrypt, sa:650BE464
*Mar 1 00:45:56.443:
*Mar 1 00:45:56.443: ISAKMP: Information packet contents (flags 1, len 92):
*Mar 1 00:45:56.447: HASH payload
*Mar 1 00:45:56.447: DELETE payload
*Mar 1 00:45:56.459: ISAKMP: Information packet contents (flags 1, len 80):
*Mar 1 00:45:56.459: HASH payload
*Mar 1 00:45:56.459: DELETE payload
*Mar 1 00:45:56.459: DGVPN: crypt_iv after encrypt, sa:650BE464
Change it to client mode and try it.
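An Easy VPN Remote profile set to client mode, as the reply above suggests, shown next to the network-extension setting that the server log rejects. This is an added example, not a configuration posted by anyone in the thread: the profile name EZVPN-REMOTE, the interface names and the key placeholder are assumptions, while the group name and peer address are the ones from the repro logs above.

```cisco
! Added example (not from the thread). EZVPN-REMOTE, the interface
! names and <group-key> are placeholders chosen for illustration.
crypto ipsec client ezvpn EZVPN-REMOTE
 connect auto
 ! Group name and peer address as seen in the repro logs above.
 group gsa3mle3 key <group-key>
 peer 10.10.10.13
 ! Rejected by the server in the log above when NEM is not allowed:
 !   mode network-extension
 ! Client mode: the router gets an address from the server and
 ! translates the inside hosts behind it.
 mode client
!
! LAN side, where the workstations sit (interface name assumed).
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN-REMOTE inside
!
! WAN side, facing the VPN server (interface name assumed).
interface FastEthernet0/1
 crypto ipsec client ezvpn EZVPN-REMOTE outside
```

After applying it, `show crypto ipsec client ezvpn` on the router reports the tunnel state and the mode in use.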
Are you using Cisco Easy VPN on your central site? What are you using (router, ASA)?
I saw you are using subinterfaces to set up your environment. I don't really recommend that; you should use 2 physical interfaces to set up the remote VPN correctly on your Cisco 2600.