Hello,

First thanks for your answer. I would like to know if you have a sample because i am working with the one of MOVIAN and it didn't work. I already changed the parameter in the configuration but it's still the same.

Thanks,

Nicolas

I can't at the moment as I am out of the country, but the Movian example worked for me. It's a very simple example, but it's a good place to start. Which part in particualar is not working. Is the client prompting you for a password?

For now if you could post your config I might be able to see a problem. Next week when I'm back at the office I can get you my example, but I don't think you want to wait that long.

Good luck.

Hello,

Really thanks for your help. I have anyway time to wait since this is a project.

Here is my configuration:

Regards,

Nicolas

pix# sh conf

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password xxxxx encrypted

passwd xxxxx encrypted

hostname pix

domain-name vpn.vtx.ch

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 80 permit ip 10.5.1.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 100 permit tcp 10.5.1.0 255.255.255.0 10.5.0.0 255.255.0.0 eq telnet

access-list 100 permit tcp 10.5.1.0 255.255.255.0 10.5.0.0 255.255.0.0 eq www

pager lines 24

logging console debugging

logging buffered debugging

logging trap debugging

logging history debugging

logging host outside 212.147.1.1

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit 10.5.1.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 212.147.0.220 255.255.255.0

ip address inside 10.5.1.254 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool movianpool 10.5.1.118-10.5.1.121

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 80

nat (inside) 0 10.5.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 212.147.0.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server partnerauth protocol radius

aaa-server partnerauth (outside) host xxxxx yyyyy timeout 5

no snmp-server location

no snmp-server contact

snmp-server community xxxxx

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp inside

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication partnerauth

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local movianpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 8000

vpngroup Certicom address-pool movianpool

vpngroup Certicom dns-server 10.5.1.12

vpngroup Certicom wins-server 10.5.1.12

vpngroup Certicom default-domain vpn.vtx.ch

vpngroup Certicom split-tunnel 80

vpngroup Certicom idle-time 1800

vpngroup Certicom password xxxxx

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxx

pix#

Ok I see something that could be the problem. It might be your local ip pool. I have yet to get a pool to work inside my existing inside subnet. I usually set it to something like 192.168.xx.1-192.168.xx.100. Then change your access-list 80 to reflect that change. It would look like "access-list 80 permit 10.5.1.0 255.255.255.0 192.168.xx.0 255.255.255.0".

Also get rid of "nat (inside) 0 10.5.1.0 255.255.255.0 0 0" It is conflicting with the nat above it which you need.

Have you been prompted for your password when you try to connect? This is very important to know.

The other thing I noticed is your RADIUS server is on the outside. I would not do that as RADIUS I believe is sent in clear text. Also you may want increase the timeout on RADIUS as well.

Hopefully this helps.

Pete

Hello,

I'm gonna try with an internal Radius, and modificate the configuration. I will let you know if anything is alright.

Thanks,

Nicolas

I forgot to tell you that i didn't have the prompt for password. So i'm going to look for that too.

Regards,

Nicolas