Thank you for that Karsten.

I have another problem now though as although I can use my mobile phone to connect to the VPN using the 3G network, when I go to work and use their Wifi or use my work desktop and configure a VPN adapter connection in Windows, I cannot connect to my VPN.

My work must be blocking certain required ports on their firewall.

However, I do use a VPN connection from my work desktop for other services by using the Shrewsoft VPN client software.

In the details of the connection I can see that my client PC is being auto configured using ike config pull.

Also, the authentication method is Mutual PSK + XAuth

So, can I create a VPN configuration on my Cisco router that uses these protocols?

EZVPN seems to use some of these protocols so do you think this may be my best way forward?

Thanks again.

Thank you for your help.

I'll give that a try.

Cheers.

When I use your example 3 configuration from the link, I then use my Android mobile using VpnCilla client which is known to work, but I cannot connect.

I get these debug messages:

ISAKMP:(0):Proposed key length does not match policy

ISAKMP:(0):atts are not acceptable. Next payload is 3

ISAKMP:(0):Hash algorithm offered does not match policy!

ISAKMP:(0):atts are not acceptable. Next payload is 3

In the client I have tried entering the clear text key of cisco, the crypto keyring preshared key, and also the isakmp client configuration key, but no luck.

Any ideas?

I just realized that that was not the example I wanted to post ... But doesn't matter. First, from example 3 you dont need the keyring commands, just delete them.

crypto isakmp profile ISAKMP-PROFILE

  no keyring EZVPN-KEYRING

no crypto keyring EZVPN-KEYRING

Then, I don't know VPNcilla, but can you control the Phase1-parameters in the client? Then set them to the following:

• AES 128
• SHA-1
• DH-Group2
• Pre-Shared-Key
• Lifetime 86400s

If you can also specify the Phase2-parameters, use

• AES 128
• SHA-1

The error message points to parameters that are different on both ends.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten

I'm now using the Shrew Soft VPN client on my Windows PC at work. I've configured the client as recommended and the VPN connects but I cannot ping the router on its private address and I cannot connect to the console using SSH.

When I go to command line and run ipconfig, the VPN adapter has got the IP address I defined in the settings below, but it has no gateway settings assigned.

I have not configured DHCP for the VPN, but can I set the gateway details manually like I set the IP address?

Also, a while after connection, Shrew Soft VPN client reports failed security associations as shown below:

One other thing, I did not use the split tunnel access list from your config as I did not understand why it should be used and it does not appear in Cisco's documentation for configuring EZVPN.

Below is the complete Shrew Soft VPN client configuration.

Thanks for all your help so far.

General

hostname:

Port: 500

Local Host

Address Method: Use a virtual adapter and assigned address

MTU: 1380

Address:

Client

NAT Traversal: enabled

NAT Traversal Port: 4500

Keep-alive packet rate: 15 secs

IKE Fragmentation: enable

Maximum packet size: 540 Bytes

Other Options

Dead Peer Detection: enabled

ISAKMP Failure Notifications: enabled

Name Resolution

All disabled

Authetication

Method: Mutual PSK

Local Identity

Identification Type: IP Address

Use a discovered local host address: enabled

Remote Identity

Identification Type: IP Address

Use a discovered remote host address: enabled

Credentials

Pre Shared Key: cisco

Phase 1

Exchange Type: aggressive

DH Exchange: group 2

Cipher Algorithm: auto

Hash Algorithm: auto

Key Life Time limt: 86400 Secs

Phase 2

Transform Algorithm: auto

HMAC Algorithm: auto

PFS Exchange: auto

Compress Algorithm: disabled

Key Life Time limit: 3600 secs

Policy

Policy Generation Level: auto

Obtain Topology Automatically or Tunnel All: enabled

Just an update, I figured out how to get my VPN working a few weeks back....and here is the relevant config in case anyone else wants to set this up.

aaa authentication login default local
aaa authentication login authen local
aaa authorization network default none
aaa authorization network author local
aaa session-id common
!
username vpnconnect secret your_password
!
! VPN client connects using one of these policies where compatible in order of encryption strength
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN-CONNECT
 key 6 your_key
 dns 8.8.8.8
 pool VPNPOOL
 max-users 1
crypto isakmp profile ISAKMP-PROFILE
   match identity group VPN-CONNECT
   client authentication list authen
   isakmp authorization list author
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TSET
interface Virtual-Template1 type tunnel
 ip unnumbered your_internet_gateway_interface
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
ip local pool VPNPOOL 192.168.1.54
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface your_internet_gateway_interface overload
!
access-list 10 remark Stop VPN traffic from being NATed
access-list 10 deny   192.168.1.54

And you set up your VPN client software as per the following sceen grab.

The only issue I have now is how to get split tunnelling working, as when I connect my PC to the VPN, I can no longer get on the Internet from that PC.

Any ideas?