cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
357
Views
0
Helpful
6
Replies
qasimkhans
Beginner

Site to Site and Site to Client VPN

HI all,

         i setup Site to Site VPN which is working fine. then i setup Site to Client VPN which also worked fine but Site to Site VPN get disconnected. if i remove following 3 lines on Site to Client VPN then Site to Site VPN start working.

crypto map vpn client authentication list vpnuser

crypto map vpn isakmp authorization list groupauthor

crypto map vpn client configuration address respond

here is my full Config. kindly suggest.

crypto isakmp policy 9

encr 3des

authentication pre-share

group 2

crypto isakmp key Cisco address 203.13.x.x

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 192.168.10.15

domain ic.com

pool ippool

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set CISCOSET

!

!

!

crypto map vpn client authentication list vpnuser

crypto map vpn isakmp authorization list groupauthor

crypto map vpn client configuration address respond

crypto map vpn 1 ipsec-isakmp

set peer 203.13.x.x

set transform-set CISCOSET

match address acl_ncsvpn

crypto map vpn 10 ipsec-isakmp dynamic dynmap

ip local pool ippool 10.10.10.1 10.10.10.10

ip access-list extended acl_internet

deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255

deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 any

ip access-list extended acl_natisp1

deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 any

ip access-list extended acl_natisp2

deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 any

ip access-list extended acl_ncsvpn

permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255

ip access-list extended acl_vpn

permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255



1 ACCEPTED SOLUTION

Accepted Solutions
Amita Tiwari
Beginner

Please try the follwoing command

crypto isakmp key Cisco address 203.13.x.x no-xauth

and then give it a try

View solution in original post

6 REPLIES 6
Amita Tiwari
Beginner

Please try the follwoing command

crypto isakmp key Cisco address 203.13.x.x no-xauth

and then give it a try

View solution in original post

Thanks, I worked . here i have question, i setup local user "test" to connect vpn. how i can setup router to authencate Users from Active Directory for VPN connectivity. thanks in advance.

Set up a radius server on the Windows box...what version server are you running? I have some good walkthroughs.

I am using Windows Standard 2008 R2

http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

I've used that to configure the Windows side before with success.

What Cisco device did you want to configure this on?

I have Router 3845. i setup Radius following by link you gave me. when i try to login on router it does not login and i get following message on my Radius server's Event log.

"A RADIUS message was received from the invalid RADIUS client IP address 50.200.x.x"

50.200.x.x is my router public IP and 192.168.10.1 is private IP. i provided my router private IP in Raduis Config. please see the attched file of radius config. when i try to enter my AC user name and password in Client VPN it also does not authenticate my user.

here is my router config.

aaa new-model

!

!

aaa group server radius ITCDC001

server-private 192.168.10.15 key 7 142713181F132539207A636D754A

!

aaa authentication login default group ITCDC001 local

aaa authentication login vpnuser local

aaa authorization network groupauthor local

crypto isakmp policy 9

encr 3des

authentication pre-share

group 2

crypto isakmp key NetGearCisco address 203.13.x.x no-xauth

!

crypto isakmp client configuration group vpnclient

key cisco123

dns 192.168.10.15

domain itc.com

pool ippool

acl acl_vpn

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set CISCOSET

!

!

!

crypto map vpn client authentication list vpnuser

crypto map vpn isakmp authorization list groupauthor

crypto map vpn client configuration address respond

crypto map vpn 1 ipsec-isakmp

set peer 203.13.x.x

set transform-set CISCOSET

match address acl_ncsvpn

crypto map vpn 10 ipsec-isakmp dynamic dynmap

Content for Community-Ad