Site to Site and Site to Client VPN

qasimkhans
Level 1

Hi all,

I set up a Site to Site VPN, which is working fine. Then I set up a Site to Client VPN, which also worked fine, but the Site to Site VPN gets disconnected. If I remove the following 3 lines for the Site to Client VPN, then the Site to Site VPN starts working.

crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond

Here is my full config. Kindly suggest.

crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco address 203.13.x.x
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.10.15
 domain ic.com
 pool ippool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set CISCOSET
!
!
!
crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp
 set peer 203.13.x.x
 set transform-set CISCOSET
 match address acl_ncsvpn
crypto map vpn 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.10.10.1 10.10.10.10
ip access-list extended acl_internet
 deny   ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp1
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_natisp2
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended acl_ncsvpn
 permit ip 192.168.0.0 0.0.255.255 192.168.4.0 0.0.0.255
ip access-list extended acl_vpn
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255



Accepted Solutions

Amita Tiwari
Level 1

Please try the following command

crypto isakmp key Cisco address 203.13.x.x no-xauth

and then give it a try
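
An added example, not part of the original thread: when a crypto map carries `client authentication list`, the router requests Xauth from IKE peers on that map, and `no-xauth` on a peer's pre-shared key line exempts that peer. The Python check below flags static `set peer` addresses that lack the keyword; the function name and the sample config (with placeholder peer 203.0.113.10) are constructed for illustration.

```python
import re

# Constructed sample modelled on the question's config; 203.0.113.10 is a
# placeholder peer address, not a value from the thread.
SAMPLE_CONFIG = """\
crypto isakmp key Cisco address 203.0.113.10
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set CISCOSET
 match address acl_ncsvpn
crypto map vpn 10 ipsec-isakmp dynamic dynmap
"""

def peers_missing_no_xauth(config):
    """Return sorted (crypto map, peer) pairs that will be challenged for Xauth."""
    xauth_maps = set()   # crypto maps with 'client authentication list'
    map_peers = {}       # crypto map name -> static peers from 'set peer'
    exempt = set()       # peers whose pre-shared key line carries no-xauth
    current = None       # static crypto map entry currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or line.startswith("crypto "):
            current = None  # a new top-level command ends the previous entry
        if m := re.match(r"crypto map (\S+) client authentication list \S+", line):
            xauth_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            current = m.group(1)
        elif (m := re.match(r"set peer (\S+)", line)) and current:
            map_peers.setdefault(current, []).append(m.group(1))
        elif m := re.match(r"crypto isakmp key .+? address (\S+)(.*)", line):
            if "no-xauth" in m.group(2).split():
                exempt.add(m.group(1))
    return sorted((name, peer)
                  for name in xauth_maps
                  for peer in map_peers.get(name, [])
                  if peer not in exempt)

if __name__ == "__main__":
    for name, peer in peers_missing_no_xauth(SAMPLE_CONFIG):
        print(f"crypto map {name}: peer {peer} has no 'no-xauth' on its key")
```
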

Thanks, it worked. I have a question here: I set up a local user "test" to connect to the VPN. How can I set up the router to authenticate users from Active Directory for VPN connectivity? Thanks in advance.

Set up a radius server on the Windows box...what version server are you running? I have some good walkthroughs.

I am using Windows Standard 2008 R2

http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

I've used that to configure the Windows side before with success.

What Cisco device did you want to configure this on?

I have a Router 3845. I set up RADIUS by following the link you gave me. When I try to log in on the router, it does not log in and I get the following message in my RADIUS server's Event log.

"A RADIUS message was received from the invalid RADIUS client IP address 50.200.x.x"

50.200.x.x is my router's public IP and 192.168.10.1 is its private IP. I provided my router's private IP in the RADIUS config. Please see the attached file of the RADIUS config. When I try to enter my AC user name and password in the Client VPN, it also does not authenticate my user.

Here is my router config.

aaa new-model
!
!
aaa group server radius ITCDC001
 server-private 192.168.10.15 key 7 142713181F132539207A636D754A
!
aaa authentication login default group ITCDC001 local
aaa authentication login vpnuser local
aaa authorization network groupauthor local
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key NetGearCisco address 203.13.x.x no-xauth
!
crypto isakmp client configuration group vpnclient
 key cisco123
 dns 192.168.10.15
 domain itc.com
 pool ippool
 acl acl_vpn
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set CISCOSET esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set CISCOSET
!
!
!
crypto map vpn client authentication list vpnuser
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 1 ipsec-isakmp
 set peer 203.13.x.x
 set transform-set CISCOSET
 match address acl_ncsvpn
crypto map vpn 10 ipsec-isakmp dynamic dynmap