I have configured an IPSEC VPN server on a Cisco 7200 and both Windows and Linux clients (with Cisco VPN client) are able to connect and everything works perfectly.
But when I configure the "group-lock" feature under "crypto isakmp client configuration group", only Windows clients are still able to connect and Linux connections are refused. Of course I tried using the same account on Windows and Linux.
Has anyone encountered such a problem?
Or is there maybe a known issue or bug when the group-lock feature is used with the Linux client?
You're using the same group and accounts to log in I'm assuming. The only difference being the OS, correct?
What do the router debugs show when you do this?
debug cry isa
debug cry ips
Yes that is correct. I'm using the same accounts and the only difference is OS.
group_name: TEST_VPN, key: test
Debugs for both Windows and Linux are in the attachment. For Linux there is the message: User Authentication in this group failed.
Also I have to point out that the Linux client is able to connect if I just remove "group-lock" from the configuration (so the Linux clients are definitely using good parameters).
According to the Cisco IOS command reference:
The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.
To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode.
I think you can resolve your problem after reading the above words.
I'm not having a problem with configuring the group lock feature. My problem is that using the same accounts Windows clients are able to connect and Linux clients are not. And it has been tested on 20 different clients (Windows / Linux).