Easy VPN setup error need help

Thomas Grassi
Level 1

Using CCP 2.1, I was trying to assign the IP address to the new loopback interface. When I did a show ip interface br, it showed the interface unassigned:

Virtual-Access1            unassigned      YES unset  down                  down

Loopback1                  unassigned      YES TFTP   up                    up

Virtual-Template2          unassigned      NO  TFTP   down                  down

Here is the code that CCP created:

interface Loopback1

no shutdown

ip address 10.69.241.0 255.255.255.0

exit

So I tried to add the IP address through the console:

MyRouter(config)#interface loopback1

MyRouter(config-if)#no shutdown

MyRouter(config-if)#ip address 10.69.241.0 255.255.255.0

Bad mask /24 for address 10.69.241.0

MyRouter(config-if)#

What am I doing wrong?

Thanks

Tom

Thomas R Grassi Jr
1 Accepted Solution

Accepted Solutions

Connection using the Cisco VPN client (version 5.0.07.0440 64-bit binary on Windows 7 Ultimate) gets one to your password prompt after initially specifying your 72.88.223.20 public IP and the TGCSVPN group with tgcsvpn01 group password. A valid username and password would be required to successfully complete login authentication and validate your VPN setup.


27 Replies

Thomas Grassi
Level 1

I changed it to 10.69.241.0 255.0.0.0 and it accepted it. Now show ip interface brief:

Virtual-Access1            unassigned      YES unset  down                  down

Loopback1                  10.69.241.0     YES manual up                    up

Virtual-Template2          10.69.241.0     YES TFTP   down                  down

Does Virtual-Template2 need to be up, or does it come up when a client accesses the router?

Also I am still not able to get any clients connected

Tom

Thomas R Grassi Jr
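
Why the router printed "Bad mask /24 for address 10.69.241.0" in the posts above, as an added example that is not part of the original thread: under a 255.255.255.0 mask, 10.69.241.0 has all host bits zero, so it is the subnet's network address, while under 255.0.0.0 the same value is an ordinary host address. The function names are hypothetical, and the overlap check uses networks taken from the running config posted in the thread (the /24 for the VPN pool is derived from the group's netmask line).

```python
import ipaddress

def classify(addr: str, mask: str) -> tuple[str, str]:
    """Return (kind, first_usable_host) for an interface address and mask.

    kind is "network", "broadcast" or "host"; only "host" is assignable.
    """
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        # /31 and /32 have no reserved network or broadcast address.
        return ("host", str(iface.ip))
    first_host = str(net.network_address + 1)
    if iface.ip == net.network_address:
        return ("network", first_host)      # host bits all zero
    if iface.ip == net.broadcast_address:
        return ("broadcast", first_host)    # host bits all one
    return ("host", first_host)

def overlapping(addr: str, mask: str, others: list[str]) -> list[str]:
    """List the networks in `others` that overlap the subnet of addr/mask."""
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    return [o for o in others if net.overlaps(ipaddress.IPv4Network(o))]

# Networks from the thread's running config: DHCP pool sdm-pool, BVI1,
# and the subnet containing SDM_POOL_1 (assumed /24 from the group netmask).
OTHER_NETS = ["10.10.10.0/29", "192.168.69.0/24", "192.168.70.0/24"]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.0.0.0"):
        kind, first = classify("10.69.241.0", mask)
        clash = overlapping("10.69.241.0", mask, OTHER_NETS)
        print(f"10.69.241.0 {mask}: {kind}, first host {first}, overlaps {clash}")
```

A host address such as 10.69.241.1 with the 255.255.255.0 mask classifies as "host" without widening Loopback1 to the whole 10.0.0.0/8 range, which overlaps the 10.10.10.0/29 DHCP pool network.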

I guess EASYVPN Server is not so EASY. Maybe they should change the name.

No one can connect; my remote users do not connect. Here is my running config. Can anyone see anything wrong?

Show crypto isakmp sa shows nothing, but I think that's because no one can connect. Am I right?


-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: netman
Password:

MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MyRouter#show config
Using 6108 out of 131072 bytes
!
! Last configuration change at 21:16:45 EST Fri Dec 30 2011 by netman
! NVRAM config last updated at 21:16:48 EST Fri Dec 30 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 loc
al
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 lo
cal
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group TGCSVPN
key tgcsvpn01
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group TGCSVPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface Loopback1
ip address 10.69.241.0 255.0.0.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny   udp any any eq bootpc
deny   udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username   privilege 15 secret 0
no username cisco

Replace and with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175152
ntp server 141.165.5.137
end

MyRouter#

Happy New Year everyone.

I hope someone out there can figure this out for me.

I am new to VPN on a Cisco, so I need all the help I can get.

I have document 112037 that I used to guide me through the setup using CCP 2.1.

Command line changes would be the best for me

Thanks

Tom

Thomas R Grassi Jr

Hi Thomas ,

Happy New Year. Easy is a strange word. Can you please provide the following:

debug cry isa

and try to connect from any client to the router using the VPN client?

The virtual interface will come up when you connect successfully.

cheers.

Mohammad

Thank you so much.

One question: I never ran debug before.

When I issue the debug cry isa, where do I get the information from?

I guess I must first stop the debug, but where is the information kept and how do I get to it? What command?

And also, how do I stop debug?

thanks

Tom

Thomas R Grassi Jr

You should see it on the terminal. If you are connecting using a telnet/ssh session, then use the following command before enabling debugs:

terminal monitor

To stop debugs, use the following command:

un all

cheers.

Mohammad

MyRouter#terminal monitor

MyRouter#debug crypto isakmp

Crypto ISAKMP debugging is on

MyRouter#debug crypto ipsec

Crypto IPSEC debugging is on

MyRouter#

I tried to connect and received no information.

I am using a Windows Vista laptop and a Windows 7 desktop, both using Network and Sharing Center with a VPN connection set up.

I should not need to install anything else, right? I should not need any VPN client software?

Think maybe you could try to vpn in?

You have the address in my config above

Let me know if you get anywhere

Tom

Thomas R Grassi Jr

Mohammad Alhyari
Cisco Employee

Happy New Year, Thomas.

I connected using Cisco VPN Client software to the router and I was able to see the username/password prompt, so VPN is working.

You need to use the following software:

Cisco VPN Client.

Mohammad

Thanks

Been trying to download the client but having issues. I can log on to this site, but my logon does not work for the download site. Very strange.

Do you have links to a 64-bit version and a 32-bit version?

Thanks

Tom

Thomas R Grassi Jr

Hi Thomas ,

The only way to download the client is to log in and then try the download. You may need to check your CCOID.

cheers.

Mohammad

Thanks

I do not have a CCOID.

Any way I can get a copy without having one?

Or do I need to purchase the software? They should give it away for free.

Tom

Thomas R Grassi Jr

Hi Thomas,

To be able to download this software, you have to log in using a valid CCOID and download it.

HTH

Mohammad.

Mohammad

If you have time, could you try to connect to my VPN again?

I want to do a show crypto isakmp sa

so I can see what it looks like when someone is connected.

Also, I posted an RSA PEM PKCS12 question, if you can take a look at that also.

Let me know when you connect.

Thanks

Tom

Thomas R Grassi Jr

Tom,

Have you tried to set up a CCO (Cisco Connection Online is the old name used on cisco.com) ID? You don't need to have a service contract to have a userid.

AFAIK the Cisco VPN Client software is free of charge. Using it will keep you off the rabbit hole of Shrewsoft etc. Creating a connection in the Cisco client will generate a *.pcf file that can be distributed to users to allow them to connect with fewer steps (i.e., without having to type in the gateway IP etc.).

BTW you should be using preshared key authentication, not certificate-based.

Marvin

No, I do not know about CCO. How do I go about getting the Cisco VPN software for free?

Do you have links that you can post?

BTW I believe I have preshared defined. I chose that when I used CCP to define the EASYVPN server.

Tom

Marvin

I just did a search on CCO and every link I find brings me right back to the new Cisco site and requires a service contract to download the VPN client.

Thomas R Grassi Jr