
Cisco VPN Client unable to connect to L2L VPN

Hello everybody. I am facing a serious problem in some of my clients and I need your help. It is really important to find a solution asap!!!! All comments will be highly appreciated.

I am trying to connect via the Cisco VPN Client 5.0 to a router that is part of an already established LAN-to-LAN VPN but with no luck. I have followed the instructions from Cisco's document ---> IOS VPN(Router): Add a New L2L Tunnel or Remote Access to an Existing L2L VPN (Document ID: 107553) in order to allow Remote Access to users from all around the globe, but when I am trying to connect to LAN1 from my office I get an error with Reason 412 from the Cisco VPN Client and the client doesn't give me the chance to enter any credentials. I am even unable to connect via Windows 7 and PPTP connection! I have also followed almost all the instructions from Cisco's: Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions (Document ID: 81824) but nothing changed. I still cannot connect to London router via either Cisco VPN Client or Windows PPTP connection. Let me note that I am not interested in having access to LAN2 in Paris. I just want remote clients to be able to connect to LAN1 and Server 192.168.42.10. In addition, IPs L.L.L.L and P.P.P.P are Static IPs.

The network topology and IPs are depicted in the following image:

RA_L2L.jpg

The settings on the VPN Client are: Group: testgroup, Password: Remote_Key

The config file from London router is the following:

aaa new-model
!
!
aaa authentication login testauth local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.42.1 192.168.42.119
ip dhcp excluded-address 192.168.42.150 192.168.42.255
!
ip dhcp pool 192.168.42.0/24
   network 192.168.42.0 255.255.255.0
   default-router 192.168.42.1
   dns-server 195.170.0.2 195.170.2.1
!
!
ip name-server 195.170.2.1
ip name-server 195.170.0.1
ip inspect name INSPECT0 cuseeme
ip inspect name INSPECT0 dns
ip inspect name INSPECT0 ftp
ip inspect name INSPECT0 h323
ip inspect name INSPECT0 https
ip inspect name INSPECT0 icmp
ip inspect name INSPECT0 imap
ip inspect name INSPECT0 pop3
ip inspect name INSPECT0 netshow
ip inspect name INSPECT0 rcmd
ip inspect name INSPECT0 realaudio
ip inspect name INSPECT0 rtsp
ip inspect name INSPECT0 esmtp
ip inspect name INSPECT0 sqlnet
ip inspect name INSPECT0 streamworks
ip inspect name INSPECT0 tftp
ip inspect name INSPECT0 tcp
ip inspect name INSPECT0 udp
ip inspect name INSPECT0 vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel receive-window 256
!
!
!
username ***** password 7 *****

!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key L2L_Key address P.P.P.P no-xauth
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group testgroup
key Remote_Key
dns 195.170.0.2
pool testpool
acl 102
crypto isakmp profile testvpnclient
   match identity group testgroup
   client authentication list testauth
   client configuration address respond
!
!
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set remoteSet esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set remoteSet
set isakmp-profile testvpnclient
reverse-route
!
!
crypto map testmap 1 ipsec-isakmp
set peer P.P.P.P
set security-association lifetime seconds 28800
set transform-set set1
set pfs group5
match address 101
crypto map testmap 65535 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool vpdn
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2
!
interface Vlan1
ip address 192.168.42.1 255.255.255.0
ip access-group ETHERNET_IN in
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip nat outside
ip inspect INSPECT0 out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ****** password 7 ********
crypto map testmap
!
interface Dialer1
no ip address
!
ip local pool vpdn 192.168.254.1 192.168.254.254
ip local pool testpool 192.168.253.1 192.168.253.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
ip access-list extended ETHERNET_IN
permit ip any any
deny   ip host 255.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
!
access-list 1 permit 192.168.42.0 0.0.0.255
access-list 100 deny   ip 192.168.42.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.42.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 permit ip 192.168.42.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.42.0 0.0.0.255 192.168.253.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
password *******
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

Any ideas about what I am doing wrong??? Thank you in advance
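An added example, not part of the original post: a small cross-reference check over the remote-access portion of the London config, reporting any AAA list, group, profile, transform set, dynamic map, crypto map, pool or ACL that is referenced by name but never defined. The excerpt is copied from the post with sub-commands re-indented by one space as IOS prints them (an assumption about the original formatting), and the rule table is written for this example and covers only the commands that appear here.

```python
import re

# Excerpt of the London router config from the post (remote-access chain only),
# with sub-commands indented by one space as in "show running-config".
CONFIG = """\
aaa authentication login testauth local
crypto isakmp client configuration group testgroup
 pool testpool
 acl 102
crypto isakmp profile testvpnclient
 match identity group testgroup
 client authentication list testauth
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set remoteSet esp-aes 256 esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set remoteSet
 set isakmp-profile testvpnclient
crypto map testmap 1 ipsec-isakmp
 set transform-set set1
 match address 101
crypto map testmap 65535 ipsec-isakmp dynamic dynmap
interface Dialer0
 crypto map testmap
ip local pool testpool 192.168.253.1 192.168.253.254
access-list 101 permit ip 192.168.42.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.42.0 0.0.0.255 192.168.253.0 0.0.0.255
"""

# (kind, regex matching the definition, regex matching a reference to it)
RULES = [
    ("aaa-list", r"^aaa authentication login (\S+)", r"^ client authentication list (\S+)"),
    ("group", r"^crypto isakmp client configuration group (\S+)", r"^ match identity group (\S+)"),
    ("profile", r"^crypto isakmp profile (\S+)", r"^ set isakmp-profile (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)", r"^ set transform-set (\S+)"),
    ("dynamic-map", r"^crypto dynamic-map (\S+)", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("crypto-map", r"^crypto map (\S+) \d+", r"^ crypto map (\S+)$"),
    ("pool", r"^ip local pool (\S+)", r"^ pool (\S+)"),
    ("acl", r"^access-list (\d+)", r"^ (?:acl|match address) (\d+)"),
]

def dangling_refs(config):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    missing = set()
    for kind, def_rx, ref_rx in RULES:
        defined = set(re.findall(def_rx, config, re.M))
        missing |= {(kind, n) for n in re.findall(ref_rx, config, re.M) if n not in defined}
    return sorted(missing)
```

An empty result only means the names line up; it does not check that every command the feature needs is present.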

4 Replies

Nobody?? 

Bump

Come on guys!! I can't believe there is no one that can figure out this issue. I really need your help here please!!!

bump