12-30-2011 04:20 PM
Using CCP 2.1, I was trying to assign the IP address to the new loopback interface. When I did a show ip interface br, it showed the interface unassigned:
Virtual-Access1 unassigned YES unset down down
Loopback1 unassigned YES TFTP up up
Virtual-Template2 unassigned NO TFTP down down
here is the code that the ccp created
interface Loopback1
no shutdown
ip address 10.69.241.0 255.255.255.0
exit
So I tried to add the ip address thru the console
MyRouter(config)#interface loopback1
MyRouter(config-if)#no shutdown
MyRouter(config-if)#ip address 10.69.241.0 255.255.255.0
Bad mask /24 for address 10.69.241.0
MyRouter(config-if)#
What am I doing wrong?
Thanks
Tom
01-02-2012 06:41 PM
Connection using the Cisco VPN client (version 5.0.07.0440 64-bit binary on Windows 7 Ultimate) gets one to your password prompt after initially specifying your 72.88.223.20 public IP and the TGCSVPN group with tgcsvpn01 group password. A valid username and password would be required to successfully complete login authentication and validate your VPN setup.
12-30-2011 06:33 PM
I changed it to 10.69.241.0 255.0.0.0 and it accepted it. Now show ip interface brief:
Virtual-Access1 unassigned YES unset down down
Loopback1 10.69.241.0 YES manual up up
Virtual-Template2 10.69.241.0 YES TFTP down down
does Virtual-template2 need to be up or does it come up when a client accesses the router?
Also I am still not able to get any clients connected
Tom
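Added example (not part of the original posts): IOS rejects an interface address whose host bits are all zeros or all ones under the given mask, which is why 10.69.241.0 fails with 255.255.255.0 ("Bad mask /24") but is accepted with 255.0.0.0. The Python check below applies that test to the address lines quoted in this thread; the function names and the sample layout are illustrative assumptions.

```python
import ipaddress

def classify(addr, mask):
    """Return why addr/mask cannot be an interface address, or 'ok'."""
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    net = iface.network
    # /31 and /32 have no separate network or broadcast address.
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            return "network address"
        if iface.ip == net.broadcast_address:
            return "broadcast address"
    return "ok"

def usable_hosts(addr, mask):
    """First and last address that can be assigned in addr's subnet."""
    net = ipaddress.IPv4Interface(f"{addr}/{mask}").network
    if net.prefixlen >= 31:
        return (str(net[0]), str(net[-1]))
    return (str(net.network_address + 1), str(net.broadcast_address - 1))

def audit(config):
    """Check every 'ip address A M' line, tracking the enclosing interface."""
    findings, current = [], None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) > 1:
            current = words[1]
        elif words[:2] == ["ip", "address"] and len(words) >= 4 and current:
            findings.append((current, words[2], words[3],
                             classify(words[2], words[3])))
    return findings

# Sample assembled from address lines quoted in this thread: the Loopback1
# attempt with 255.255.255.0, the later 255.0.0.0 variant, and two interfaces
# from the posted configuration.
SAMPLE = """\
interface Loopback1
 ip address 10.69.241.0 255.255.255.0
interface Loopback1
 ip address 10.69.241.0 255.0.0.0
interface FastEthernet4
 ip address 72.88.223.20 255.255.255.0
interface BVI1
 ip address 192.168.69.1 255.255.255.0
"""

if __name__ == "__main__":
    for name, addr, mask, verdict in audit(SAMPLE):
        print(f"{name:15} {addr:15} {mask:15} {verdict}")
    print("usable /24 range:", usable_hosts("10.69.241.0", "255.255.255.0"))
```

With the 255.0.0.0 mask the address is accepted only because it becomes an ordinary host address inside 10.0.0.0/8, so Loopback1 then claims the whole 10.0.0.0/8 range as connected.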
12-31-2011 09:07 AM
I guess EASYVPN Server is not so EASY; maybe they should change the name.
No one can connect; my remote users do not connect. Here is my running config. Can anyone see anything wrong?
Show crypto isakmp sa shows nothing, but I think that's because no one can connect. Am I right?
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
User Access Verification
Username: netman
Password:
MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
MyRouter#show config
Using 6108 out of 131072 bytes
!
! Last configuration change at 21:16:45 EST Fri Dec 30 2011 by netman
! NVRAM config last updated at 21:16:48 EST Fri Dec 30 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group TGCSVPN
key tgcsvpn01
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group TGCSVPN
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface Loopback1
ip address 10.69.241.0 255.0.0.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175152
ntp server 141.165.5.137
end
MyRouter#
Happy new year everyone
I hope someone out there can figure this out for me
I am new to VPN on a cisco so I need all the help I can get
I have document 112037 that I used to guide me thru the setup using CCP 2.1
Command line changes would be the best for me
Thanks
Tom
12-31-2011 12:26 PM
Hi Thomas,
Happy New Year. Easy is a strange word. Can you please provide the following:
debug cry isa
and try to connect from any client to the router using the VPN client?
The virtual interface will come up when you connect successfully.
cheers.
12-31-2011 12:30 PM
Mohammad
thank you so much
One question: I never ran debug before.
When I issue the debug cry isa, where do I get the information from?
I guess I must first stop the debug, but where is the information kept and how do I get to it? What command?
And also, how do I stop debug?
thanks
Tom
12-31-2011 12:53 PM
You should see it on the terminal. If you are connecting using a telnet/ssh session, then use the following command before enabling debugs:
terminal monitor
To stop debugs, use the following command:
un all
cheers.
12-31-2011 02:16 PM
Mohammad
MyRouter#terminal monitor
MyRouter#debug crypto isakmp
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on
MyRouter#
I tried to connect and received no information.
I am using a Windows Vista laptop and a Windows 7 desktop, both using Network and Sharing Center with a VPN connection set up.
I should not need to install anything else, right? I should not need any VPN client software?
Think maybe you could try to vpn in?
You have the address in my config above
Let me know if you get anywhere
Tom
12-31-2011 02:53 PM
Happy New Year, Thomas.
I connected using the Cisco VPN Client software to the router and I was able to see the username/password prompt, so VPN is working.
You need to use the following software:
Cisco VPN Client.
01-01-2012 06:37 AM
Mohammad
Thanks
Been trying to download the client but having issues. I can log on to this site but my logon does not work for the download site. Very strange.
Do you have links to a 64-bit version and a 32-bit version?
Thanks
Tom
01-01-2012 10:29 AM
Hi Thomas,
The only way to download the client is to log in and then try the download. You may need to check your CCOID.
cheers.
01-01-2012 10:43 AM
Mohammad
Thanks
I do not have a CCOID.
Any way I can get a copy without having one?
Or do I need to purchase the software? They should give it away for free.
Tom
01-01-2012 11:37 AM
Hi Thomas,
To be able to download this software, you have to log in using a valid CCOID and download it.
HTH
Mohammad.
01-02-2012 05:55 AM
Mohammad
If you have time, could you try to connect to my VPN again?
I want to do a show crypto isakmp sa
so I can see what it looks like when someone is connected.
Also, I posted an RSA PEM PKCS12 question, if you can take a look at that also.
Let me know when you connect.
Thanks
Tom
01-02-2012 06:50 AM
Tom,
Have you tried to set up a CCO (Cisco Connection Online is the old name used on cisco.com) ID? You don't need to have a service contract to have a userid.
AFAIK the Cisco VPN Client software is free of charge. Using it will keep you off the rabbit hole of Shrewsoft etc. Creating a connection in the Cisco client will generate a *.pcf file that can be distributed to users to allow them to connect with fewer steps (i.e., without having to type in the gateway IP etc.).
BTW you should be using preshared key authentication, not certificate-based.
01-02-2012 06:59 AM
Marvin
No, I do not know about CCO. How do I go about getting the Cisco VPN software for free?
Do you have links that you can post?
BTW, I believe I have preshared defined. I chose that when I used CCP to define EASYVPN server.
Tom
Marvin
I just did a search on CCO and every link I find brings me right back to the new Cisco site and requires a service contract to download the VPN client.