
vpn ipsec and linux client

Antonio_1_2
Level 1

Hi,

I have configured an IPSEC VPN server on a Cisco 7200, and both Windows and Linux clients (with Cisco VPN client) are able to connect and everything works perfectly.

But when I configure the feature "group-lock" under "crypto isakmp client configuration group", then only Windows clients are still able to connect and Linux connections are refused. Of course I tried using the same account on Windows and Linux.

Has anyone encountered such a problem?

Or is there maybe a known issue or bug when the group-lock feature is used with the Linux client?

regards,

A

5 Replies

auraza
Cisco Employee

You're using the same group and accounts to log in I'm assuming. The only difference being the OS, correct?

What do the router debugs show when you do this?

debug cry isa

debug cry ips

Hi,

Yes that is correct. I'm using the same accounts and the only difference is OS.

group_name: TEST_VPN, key: test

xauth:

username: test@TEST_VPN

password: test

Debugs for both Windows and Linux are in the attachment. For LINUX there is the message: User Authentication in this group failed.

Also I have to point out that the Linux client is able to connect if I just remove "group-lock" from the configuration (so the Linux clients are definitely using good parameters).

Regards,

A

Nobody has experience with this issue?

A.

jiaowenbin
Level 1

According to the Cisco IOS command reference:

The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.

To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode.

I think you can resolve your problem after reading the above words.
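The rule quoted above, as an added example that is not part of the thread or Cisco's code: a small Python model of the group-lock comparison that can be fed the IKE group ID and Xauth username read from each client's debug output to see where they diverge. Assumptions: only the `user@group` form shown in this thread is modelled, the comparison is treated as exact and case-sensitive, and the function names and the sample "client-B" values are hypothetical.

```python
from dataclasses import dataclass

DELIM = "@"  # assumption: only the user@group form used in this thread is modelled


@dataclass
class Verdict:
    accepted: bool
    reason: str


def group_lock_check(ike_group_id: str, xauth_username: str) -> Verdict:
    """Model of the documented rule: the group carried in the Xauth username
    must match the VPN group name (ID_KEY_ID) passed during IKE."""
    user, sep, group = xauth_username.rpartition(DELIM)
    if not sep or not user or not group:
        return Verdict(False, "Xauth username carries no group (expected user@group)")
    if group == ike_group_id:  # assumption: exact, case-sensitive match
        return Verdict(True, "group in username matches IKE group ID")
    # Hints for the person reading the debugs; they do not change the verdict.
    if group.strip() == ike_group_id.strip():
        return Verdict(False, "mismatch: stray whitespace in one value")
    if group.casefold() == ike_group_id.casefold():
        return Verdict(False, "mismatch: values differ only in letter case")
    return Verdict(False, f"mismatch: username group {group!r} != IKE group {ike_group_id!r}")


def compare_clients(sessions: dict) -> dict:
    """sessions maps a client label to (ike_group_id, xauth_username) as
    transcribed from that client's ISAKMP debug output."""
    return {name: group_lock_check(gid, user) for name, (gid, user) in sessions.items()}


if __name__ == "__main__":
    # Constructed sample values: client-A uses the account posted in the thread,
    # client-B is a hypothetical session where the bare username reached the router.
    observed = {
        "client-A": ("TEST_VPN", "test@TEST_VPN"),
        "client-B": ("TEST_VPN", "test"),
    }
    for name, verdict in compare_clients(observed).items():
        print(f"{name}: {'ACCEPT' if verdict.accepted else 'REJECT'} - {verdict.reason}")
```

Fill `observed` with the two values as the router actually received them for a working and a failing client; any difference between the pairs is the place to look.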

Hi,

I'm not having a problem with configuring the group lock feature. My problem is that, using the same accounts, Windows clients are able to connect and Linux clients are not. And it has been tested on 20 different clients (Windows / Linux).

regards,

A