12-28-2011 02:14 PM
Easy VPN on my Cisco 851 WGA K9: not sure if it is working or not.
Did this??
My VLAN1 is unassigned; in the past it had the IP address of BVI1.
MyRouter#show ip int brief
Interface IP-Address OK? Method Status Protocol
Dot11Radio0 unassigned YES TFTP up up
Dot11Radio0.1 unassigned YES unset up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset up down
FastEthernet4 72.88.223.20 YES NVRAM up up
Vlan1 unassigned YES NVRAM up up
NVI0 unassigned YES unset up up
BVI1 192.168.69.1 YES NVRAM up up
Virtual-Dot11Radio0 unassigned YES TFTP down down
Virtual-Dot11Radio0.1 unassigned YES unset down down
Virtual-Template1 72.88.223.20 YES TFTP down down
Virtual-Access1 unassigned YES unset down down
MyRouter#
Any ideas?
Tom
12-28-2011 04:34 PM
Hi
Do a "show crypto isakmp sa"; it should say QM_IDLE.
Rich
12-28-2011 11:48 PM
Hello Tom,
The virtual-access interface should be up, but as Richard said, you should check "show crypto isa sa" to see if there is any output. If you see QM_IDLE, it means phase 1 is up and we need to have a look at "show crypto ips sa" to see if phase 2 came up.
The best would be if you could attach your configuration and possibly the following debugs: debug crypto isa and debug crypto ipsec.
Warm Regards,
Rose
12-29-2011 03:40 AM
Richard/Rose
Thanks for the response.
MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
MyRouter#show crypto ips sa
MyRouter#debug crypto isa
Crypto ISAKMP debugging is on
MyRouter#debug crypto ipsec
Crypto IPSEC debugging is on
How do I stop debug?
Here is my config
MyRouter#show config
Using 5935 out of 131072 bytes
!
! Last configuration change at 10:17:09 EST Tue Dec 27 2011 by netman
! NVRAM config last updated at 10:17:10 EST Tue Dec 27 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01 nvram:IOS-Self-Sig#3302.cer
username netman privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group TGCSVPN
key ourvpn
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group WGP-1
match identity group WGP-2
match identity group ACCTG
match identity group CSVC
match identity group TGCSVPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175148
ntp server 141.165.5.137
end
MyRouter#
See anything wrong?
Thanks Tom
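Added example, not part of the thread and not a Cisco tool: a small Python checker for the kind of configuration CCP generated here. An Easy VPN server built on a dynamic virtual-template (DVTI) has no "crypto map"; what has to hold instead is that the isakmp profile points at a virtual-template, the virtual-template at an ipsec profile, the ipsec profile at a defined transform-set and back at the same isakmp profile, the profile's AAA lists exist, and every client group's pool exists as an "ip local pool". The sample config is a constructed excerpt of the config posted above (group key redacted, sub-commands re-indented one space as IOS itself prints them, since the forum stripped the indentation); all names in it come from that config. The assumed helper names (parse_sections, check_easyvpn_server) are mine.

```python
"""Checks the reference chain of an IOS Easy VPN server built on a dynamic
virtual-template (DVTI): isakmp profile -> virtual-template -> ipsec profile
-> transform-set, and client group -> address pool.  Example code, not Cisco's."""
import re

# Constructed sample: the crypto/AAA part of the posted config, group key
# redacted and sub-commands re-indented one space as IOS itself prints them.
SAMPLE_CONFIG = """\
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group TGCSVPN
 key <redacted>
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
 match identity group TGCSVPN
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
"""
# Constructed broken variant: group points at an undefined pool and the
# isakmp profile has lost its virtual-template line.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("\n pool SDM_POOL_1", "\n pool SDM_POOL_2")
                 .replace("\n virtual-template 1", ""))


def parse_sections(text):
    """Map each top-level command to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            sections[current] = []
    return sections


def find(sections, prefix):
    """{rest of command: sub-commands} for top-level commands starting with prefix."""
    return {c[len(prefix) + 1:]: s for c, s in sections.items() if c.startswith(prefix + " ")}


def first_word(names):
    return {n.split()[0] for n in names}


def sub_arg(subs, keyword):
    """Argument of the first sub-command starting with keyword, else None."""
    return next((s[len(keyword) + 1:] for s in subs if s.startswith(keyword + " ")), None)


def check_easyvpn_server(text):
    """Return findings (strings); an empty list means every reference resolves."""
    sec, out = parse_sections(text), []
    ike_profiles = find(sec, "crypto isakmp profile")
    ipsec_profiles = find(sec, "crypto ipsec profile")
    transform_sets = first_word(find(sec, "crypto ipsec transform-set"))
    groups = find(sec, "crypto isakmp client configuration group")
    pools = first_word(find(sec, "ip local pool"))
    lists = {"client authentication list": first_word(find(sec, "aaa authentication login")),
             "isakmp authorization list": first_word(find(sec, "aaa authorization network"))}
    vtemplates = {m.group(1): subs for name, subs in find(sec, "interface").items()
                  if (m := re.match(r"Virtual-Template(\d+)", name))}
    if not ike_profiles:
        out.append("no 'crypto isakmp profile': clients cannot be tied to a virtual-template")
    for pname, subs in ike_profiles.items():
        for g in (s.split()[-1] for s in subs if s.startswith("match identity group ")):
            if g not in groups:
                out.append(f"isakmp profile {pname} matches group {g}, which has no client configuration group")
        for kw, known in lists.items():
            name = sub_arg(subs, kw)
            if name and name not in known:
                out.append(f"isakmp profile {pname}: '{kw} {name}' names an AAA list that does not exist")
        vt = sub_arg(subs, "virtual-template")
        if vt not in vtemplates:
            out.append(f"isakmp profile {pname}: virtual-template {vt or '(none)'} is missing (and no crypto map applies)")
            continue
        ipp = sub_arg(vtemplates[vt], "tunnel protection ipsec profile")
        if ipp not in ipsec_profiles:
            out.append(f"Virtual-Template{vt}: ipsec profile {ipp} missing or undefined")
            continue
        ts = sub_arg(ipsec_profiles[ipp], "set transform-set")
        if ts is None or ts.split()[0] not in transform_sets:
            out.append(f"ipsec profile {ipp}: transform-set {ts} is not defined")
        if sub_arg(ipsec_profiles[ipp], "set isakmp-profile") != pname:
            out.append(f"ipsec profile {ipp} does not point back at isakmp profile {pname}")
    for gname, subs in groups.items():
        pool = sub_arg(subs, "pool")
        if pool not in pools:
            out.append(f"client group {gname}: pool {pool} has no matching 'ip local pool'")
    return out


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("broken variant", BROKEN_CONFIG)):
        print(label, "->", check_easyvpn_server(cfg) or ["OK: Easy VPN server chain is complete"])
```

Run against the excerpt the chain resolves, which is why Rich's "no crypto map" observation is not the problem here. Run against the full posted config it would also report that the profile's "match identity group" lines for WGP-1, WGP-2, ACCTG and CSVC name groups that have no "crypto isakmp client configuration group" block; only TGCSVPN does. The checker tests wiring, not strength: 3DES, DH group 2 and a shared group key are what CCP emitted in 2011 and are not what one would configure today.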
12-29-2011 11:58 AM
Hi
I don't see the crypto map, and also not one attached to an interface.
Rich
12-29-2011 12:12 PM
Rich
MyRouter#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
MyRouter#show crypto ips sa
MyRouter#
I did these two commands, but the second one does not show anything. Is that what you mean?
If so, what do I need to do?
Am I missing code? If so, what do I need to add?
If you need more info, let me know.
Thanks
Tom
12-29-2011 12:20 PM
Hi
You need:
crypto map MYVPN 1 ipsec-isakmp
 set peer 10.1.1.1 (the IP address of the other end of the tunnel)
 set transform-set ESP-3DES-SHA (your transform set)
 match address 101 (create an access list for interesting traffic for the VPN)
Remember your settings will need to match your transform set at the other end.
Then apply your crypto map to an interface, i.e.:
interface atm0.1
 crypto map MYVPN
Try that.
Rich
12-29-2011 12:56 PM
Richard
This is a little over my head; I am new to VPN on a Cisco.
But maybe if I tell you a little more you might know what I need.
I have some laptop and desktop users at their homes that need to VPN to my network.
I used CCP to install EASYVPN
The crypto commands in my config have some of the info you asked for.
Not sure where to go from here.
Thanks
Tom
12-29-2011 01:20 PM
Hi
Look at this doc; it explains everything:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080af314a.shtml
Rich
12-29-2011 01:28 PM
Richard
I am using a Cisco 851; AnyConnect is not supported on this router.
I am using Easy VPN.
Is this the same info?
Tom
12-29-2011 01:30 PM
Tom,
I believe Rich was thinking about a site-to-site VPN. In that case, you would need the bits he mentioned.
You have user-based VPN setup. Unless and until a user actually connects via VPN, you will not see any ISAKMP Security Associations (SAs).
Here is typical output from a VPN device (an ASA in this case):
asa-1/pri/act# sh cry isakmp sa
Active SA: 10
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10
1 IKE Peer: x.x.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: x.x.x.x
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Notice two types: L2L (LAN to LAN) and user.
In your case, you would only expect to see a user type of SA with State AM_ACTIVE for each user successfully connected via VPN. If no users are connected, the command will not return any output.
So to answer your initial question - you need to first fire up a client VPN session and then check your device.
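Added example, not from the thread: a Python parser that turns "show crypto isakmp sa" output into per-peer phase-1 state, covering both the IOS table Rose and Rich asked Tom to read (QM_IDLE means phase 1 completed) and the ASA per-peer format Marvin showed (MM_ACTIVE for L2L, AM_ACTIVE for user sessions). It also handles the case Marvin describes: an empty table on a remote-access server simply means no client has tried IKE yet. The sample outputs are constructed; peer addresses are RFC 5737 documentation addresses and the local address is the 851's WAN address from the thread. Function names (parse_isakmp_sa, triage) are mine.

```python
"""Parse 'show crypto isakmp sa' output from IOS or ASA and report the
phase-1 state of every peer.  Example code for this thread, not a Cisco
tool.  'established' means IKE phase 1 completed: QM_IDLE on IOS,
MM_ACTIVE (main mode, L2L) or AM_ACTIVE (aggressive mode, user) on ASA."""
import re

IOS_ESTABLISHED = {"QM_IDLE"}
ASA_ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}

# IOS table row: dst src state conn-id slot status
IOS_ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn>\d+)\s+(?P<slot>\S+)\s*(?P<status>.*)$")
# ASA per-peer block: "1   IKE Peer: a.b.c.d" followed by Type/Role and Rekey/State lines
ASA_PEER = re.compile(r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)")
ASA_TYPE = re.compile(r"Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)")
ASA_STATE = re.compile(r"State\s*:\s*(?P<state>\S+)")

# Constructed samples.  IOS_EMPTY is exactly what the 851 printed in the thread.
IOS_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA
"""
IOS_WITH_PEERS = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
72.88.223.20    203.0.113.5     QM_IDLE           1001    0 ACTIVE
72.88.223.20    198.51.100.7    MM_NO_STATE       1002    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""
ASA_SAMPLE = """\
   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.5
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""


def parse_isakmp_sa(text):
    """One dict per IKE SA: peer, local (IOS only), type, role, state, established."""
    sas, current = [], None
    for line in text.splitlines():
        m = IOS_ROW.match(line.strip())
        if m:
            sas.append({"peer": m["src"], "local": m["dst"], "type": "ios", "role": None,
                        "state": m["state"], "established": m["state"] in IOS_ESTABLISHED})
            continue
        m = ASA_PEER.match(line)
        if m:
            current = {"peer": m["peer"], "local": None, "type": None, "role": None,
                       "state": None, "established": False}
            sas.append(current)
            continue
        if current is None:
            continue
        m = ASA_TYPE.search(line)
        if m:
            current["type"], current["role"] = m["type"], m["role"]
        m = ASA_STATE.search(line)
        if m:
            current["state"] = m["state"]
            current["established"] = m["state"] in ASA_ESTABLISHED
    return sas


def triage(text):
    """Console-style verdict: who has phase 1 up, who is stuck, or nobody at all."""
    sas = parse_isakmp_sa(text)
    if not sas:
        return ("no ISAKMP SA at all: no peer has started IKE with this box "
                "(normal for a remote-access server until a client connects)")
    up = [s for s in sas if s["established"]]
    stuck = [s for s in sas if not s["established"]]
    parts = [f"{len(up)} peer(s) with phase 1 up: " + ", ".join(s["peer"] for s in up)] if up else []
    if stuck:
        parts.append("phase 1 not complete for: " +
                     ", ".join(f"{s['peer']} ({s['state']})" for s in stuck))
    return "; ".join(parts)


if __name__ == "__main__":
    for name, sample in (("IOS empty", IOS_EMPTY), ("IOS peers", IOS_WITH_PEERS), ("ASA", ASA_SAMPLE)):
        print(f"{name}: {triage(sample)}")
```

A peer that shows up only as MM_NO_STATE or a short-lived state on IOS has started IKE but never finished phase 1; that is the point at which "debug crypto isakmp" becomes useful, and "undebug all" turns the debugging back off.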
12-29-2011 02:45 PM
Marvin
Thanks
Now I need to find a test machine. Can you connect to a VPN site if you are already logged onto a Windows domain server?
Tom
12-29-2011 03:37 PM
You're welcome.
Generally speaking one can launch a VPN when logged in on a PC that is a member of a Windows domain. You might want to check if Windows firewall is on, especially if the client is running Windows 7. It can sometimes cause issues.
However, it is always possible that the domain has imposed policies to prevent just about anything. By default that generally wouldn't be the case though.
Either way, just give it a try and go from there. It can't hurt.
12-29-2011 04:11 PM
Marvin
Thanks
I just read Richard's last post above; he pointed me to a link, and I think I might have configured this incorrectly.
Looking into how to correct this.
I use Kaspersky Internet Security; Windows Firewall is disabled, but Kaspersky has a firewall.
Would be nice to have someone knowledgeable to test with.
I was trying to take my laptop off the domain but am having an issue logging on locally.
Reading through this now:
http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b34d1f.shtml
On the Authentication Method page: "Specify the authentication method used for authenticating the VPN clients. Here, Pre-shared Keys is the authentication method used. Click Next."
I selected a pre-existing interface; I should have done what is on that page.
Now I need to figure out how to back this out.
Is there any way to remove the existing Easy VPN config so I can redo the setup? Looks like the doc shows a few things that I did incorrectly.
Tom