06-01-2003 02:45 PM - edited 02-21-2020 12:34 PM
Hi,
I've tried to configure a VPN service for both an IOS-to-IOS link and an IOS-to-VPN-client link. After binding the dynamic map for the VPN clients, the IOS devices can't (re)connect to the server (they can't establish an SA; established SAs from the IOS devices are lost after timeout). Debugging the SA shows that the policy (56/group1/presh-auth) which should match is denied by the server.
After deleting the dynamic-map entry for the soft clients from the crypto map, the IOS clients work fine again.
I'm using rel. 12.2.8(T8). Is this a misconfiguration (below) or a problem with the release??
Regards
Stefan
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname runner
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn-user local
aaa authentication ppp default local
aaa authorization network default local
aaa authorization network vpn-group local
aaa session-id common
enable password ENABLE
!
username USER password PASSWORD
!
ip subnet-zero
ip tcp path-mtu-discovery
ip domain-name mydom.com
ip name-server 145.253.2.11
!
vpdn enable
!
isdn switch-type basic-net3
!
crypto isakmp policy 3
hash md5
authentication pre-share
lifetime 360
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
!
crypto isakmp key PRESH-KEY-FOR-IOS address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 11
!
crypto isakmp client configuration group vpn-user
key PRESH-KEY-FOR-VPN-CLIENT
pool CLIENT-VPN
!
!
crypto ipsec transform-set IOS-SET esp-des esp-md5-hmac
crypto ipsec transform-set CLIENT-SET esp-des esp-md5-hmac
!
crypto dynamic-map vpn-dyn-map 10
set security-association lifetime kilobytes 6000
set transform-set CLIENT-SET
!
crypto dynamic-map iosmap 10
set security-association lifetime seconds 420
set transform-set IOS-SET
!
!
crypto map vpn-map client authentication list vpn-user
crypto map vpn-map isakmp authorization list vpn-group
crypto map vpn-map client configuration address respond
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn-map
crypto map vpn-map 20 ipsec-isakmp dynamic iosmap
!
# I've also changed the position of the dynamic maps,
# ...the IOS connection still failed
!
!
interface Ethernet0
ip address 200.100.10.1 255.255.255.252
no cdp enable
crypto map vpn-map
!
interface Ethernet1
ip address 10.100.0.1 255.255.0.0
ip directed-broadcast
ip mtu 1492
!
interface BRI0
no ip address
shutdown
isdn switch-type basic-net3
!
ip local pool CLIENT-VPN 192.168.2.249 192.168.2.250
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.2.0 255.255.255.0 Ethernet0
no ip http server
ip pim bidir-enable
!
!
access-list 135 permit ip any 192.168.2.0 0.0.0.255
access-list 136 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
line con 0
line vty 0 4
line vty 5 15
!
end
06-01-2003 08:31 PM
Hi Stefan,
Sorry, I couldn't make out if the above is the configuration on the client side or the IOS side. If you don't mind can you mention the devices, the IOS releases used on both sides and the VPN related configs on both sides for which the case fails. This will help in debugging your cases faster.
Keep us posted.
Naveen
06-01-2003 11:58 PM
The previously posted configuration is the VPN server; 16 Cisco 1751s connect via DSL to the server in a hub-and-spoke configuration (below is the IOS client config).
server:
cisco 2621 (60416K/5120K)
c2600-ik8s-mz.122-8.T8.bin
client:
cisco 1751 (39322K/9830K)
c1700-k8o3sv3y7-mz.122-4.XM3.bin
soft-client:
vpn-client v4.0
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn-ios-client
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
!
username callback-dialstring "" password
username privilege 5 password
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip tcp path-mtu-discovery
ip telnet source-interface FastEthernet0/0
ip tftp source-interface FastEthernet0/0
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
isdn switch-type basic-net3
!
!
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key PRESH-KEY-FOR-IOS address 200.100.10.1
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
set peer 200.100.10.1
set security-association lifetime seconds 150
set transform-set vpnset
match address 115
!
!
!
!
interface Ethernet0/0
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/0
ip address 10.1.201.254 255.255.255.0
ip helper-address 10.101.104.255
ip helper-address 10.100.255.255
ip directed-broadcast
ip nat inside
speed auto
!
!
interface Dialer1
bandwidth 768
ip address negotiated
ip directed-broadcast
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1300
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username password 7
ppp ipcp dns request
crypto map vpn
!
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 0.0.0.0 0.0.0.0 Dialer10 20
no ip http server
ip pim bidir-enable
!
!
!
logging trap debugging
logging source-interface FastEthernet0/0
logging 10.100.0.1
access-list 10 permit 10.1.201.0 0.0.0.255
access-list 11 permit 10.100.0.0 0.1.255.255
access-list 115 permit ip 10.1.201.0 0.0.0.255 10.100.0.0 0.1.255.255
access-list 115 deny ip 10.1.201.0 0.0.0.255 any
access-list 120 deny ip 10.1.201.0 0.0.0.255 10.100.0.0 0.1.255.255
access-list 120 permit ip 10.1.201.0 0.0.0.255 any
dialer-list 1 protocol ip list
!
route-map nonat permit 10
match ip address 120
!
call rsvp-sync
!
dial-peer cor custom
!
!
!
banner motd ^C
^C
privilege exec level 5 show
privilege exec level 5 ping
!
line con 0
line aux 0
line vty 0 4
access-class 5 in
line vty 5 15
!
no scheduler allocate
ntp clock-period 17179934
ntp source FastEthernet0/0
ntp server 10.100.0.1
end
06-02-2003 02:58 AM
In the meantime I've added the statement "no-xauth" to the following line:
crypto isakmp key PRESH-KEY-FOR-IOS address 0.0.0.0 0.0.0.0 no-xauth
... now my IOS clients work properly, ... but "Processing of Aggressive mode failed" for my soft clients (XAUTH is skipped for them too) :(
All my clients get negotiated provider pool addresses ... ???
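As an added example (not from the thread or from Cisco), a small Python check of the hub's crypto configuration for exactly the interaction this thread runs into: once `crypto map ... client authentication list` is present, the router demands XAUTH from every ISAKMP peer whose preshared key lacks `no-xauth`, and putting `no-xauth` on the wildcard `0.0.0.0 0.0.0.0` key exempts the software clients as well (which is what the last post observes). The regexes and the `audit_xauth` function are mine; the embedded config is a constructed excerpt of the posted hub config.

```python
import re

# Constructed excerpt of the hub ("runner") config posted in the thread; only
# the preshared key, client group and crypto map lines relevant to XAUTH are kept.
HUB_CONFIG = """\
crypto isakmp key PRESH-KEY-FOR-IOS address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group vpn-user
 key PRESH-KEY-FOR-VPN-CLIENT
crypto map vpn-map client authentication list vpn-user
crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn-map
crypto map vpn-map 20 ipsec-isakmp dynamic iosmap
"""

# "crypto isakmp key <key> address <addr> [mask] [no-xauth]"
KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?(?: (no-xauth))?$")
# "crypto map <name> client authentication list <aaa-list>" turns XAUTH on for that map
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+$")


def audit_xauth(config: str) -> list:
    """Flag preshared keys whose peers will be sent XAUTH prompts, or will be
    exempted from XAUTH too broadly, once a crypto map enables client authentication."""
    xauth_maps, keys = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := XAUTH_RE.match(line):
            xauth_maps.append(m.group(1))
        elif m := KEY_RE.match(line):
            addr, mask, flag = m.group(1), m.group(2) or "255.255.255.255", m.group(3)
            keys.append((addr, mask, flag == "no-xauth"))
    if not xauth_maps:
        return []  # no XAUTH configured anywhere: router peers are unaffected
    findings = []
    for addr, mask, no_xauth in keys:
        wildcard = addr == "0.0.0.0" and mask == "0.0.0.0"
        if not no_xauth:
            findings.append(f"{addr} {mask}: XAUTH will be demanded from this peer by crypto map "
                            f"{','.join(xauth_maps)}; an IOS router peer needs no-xauth on this key")
        elif wildcard:
            findings.append(f"{addr} {mask}: no-xauth on a wildcard key exempts every peer it matches, "
                            "software clients included, so XAUTH no longer protects them")
    return findings


if __name__ == "__main__":
    for finding in audit_xauth(HUB_CONFIG):
        print(finding)
```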