easy vpn server configuration

Unanswered Question
May 14th, 2007

Dear All,

I want to configure an Easy VPN server on a Cisco 3845 router. I am using Cisco VPN Client 4.8; I get the username and password prompt, but the connection is not established.

Here is the configuration:

ip local pool vpntest 10.11.12.12 10.11.12.25
aaa authorization network VpN_CLIENTS local
aaa authentication login xath local
crypto isakmp policy 100
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group localgroups
 key cisco
 dns 12.12.12.12
 pool vpntest
 save-password
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 100
 set transform-set vpnclient
 reverse-route
crypto map vpn client configuration address respond
crypto map vpn isakmp authorization list VpN_CLIENTS
crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
crypto map vpn client authentication list xath
username demo password cisco
int multilink 1
 description internet interface
 crypto map vpn

oabduo983 Mon, 05/14/2007 - 10:38

Hi there,

The word "vpnclient" in the following command:

crypto dynamic-map vpnclient 100

has to be the same as the word "mystaticmap" in the following command:

crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap

Please fix this and rate this post :)

mostafaammar Mon, 05/14/2007 - 12:44

Hi,

I changed my configuration to the following and it is still not working:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group localgroups
 key vpn
 dns 17.18.19.20
 pool vpntest
 save-password
 include-local-lan
!
crypto ipsec transform-set clienthost esp-3des esp-sha-hmac
!
crypto dynamic-map mystaticmap 1
 set security-association lifetime seconds 86400
 set transform-set clienthost
 reverse-route
!
crypto map mystaticmap client authentication list xath
crypto map mystaticmap isakmp authorization list VpN_CLIENTS
crypto map mystaticmap client configuration address respond
crypto map mystaticmap 65535 ipsec-isakmp dynamic mystaticmap
!
aaa authentication login xath local
aaa authorization network VpN_CLIENTS local
!
interface Multilink1
 description INTERNET
 ip address 12.13.14.15 255.255.255.252
 crypto map mystaticmap
!
ip local pool vpntest 172.20.11.12 172.20.11.50
username test password 0 test

oabduo983 Mon, 05/14/2007 - 17:48

Dear Mustafa,

I'm sorry about the confusion, but you should call your dynamic map something different from your static map, i.e. change the word (mystaticmap) to something else, as it conflicts with your static map...

crypto dynamic-map (mystaticmap) 1

crypto map mystaticmap 65535 ipsec-isakmp dynamic (mystaticmap)

In case this does not work, send me the logs on both the router and the client and i will analyze them for you...

Regards,

mostafaammar Mon, 05/14/2007 - 21:54

Hi,

I changed the configuration to the following, but it is still not working:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group localgroups
 key vpn
 dns 17.18.19.20
 pool vpntest
 save-password
!
crypto ipsec transform-set clienthost esp-3des esp-sha-hmac
!
crypto dynamic-map mymap 10
 set security-association lifetime seconds 86400
 set transform-set clienthost
 reverse-route
!
crypto map mystaticmap client authentication list xath
crypto map mystaticmap isakmp authorization list VpN_CLIENTS
crypto map mystaticmap client configuration address respond
crypto map mystaticmap 65535 ipsec-isakmp dynamic mymap
!
aaa authentication login xath local
aaa authorization network VpN_CLIENTS local
!
interface Multilink1
 description INTERNET
 ip address 12.13.14.15 255.255.255.252
 crypto map mystaticmap
!
ip local pool vpntest 172.20.11.12 172.20.11.50
username test password 0 test

The logs from the client are attached. As for the router logs, this router is part of a production network; I turned terminal monitor on, but no messages were received.

Best regards,

oabduo983 Tue, 05/15/2007 - 10:44

It looks like you have an access-list blocking the connection, and this access-list is applied either on the interface or on another router on the outside... your ISAKMP as well as ESP traffic looks to be blocked...

Could you also make sure you are not running ip inspect commands? If you are, you will need to allow VPN traffic explicitly...

Please rate this post if it is helpful!

Regards,
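As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script applies to a pasted IOS configuration the two checks the replies above made by eye: that every "crypto map ... ipsec-isakmp dynamic X" line names a dynamic map that is actually defined with "crypto dynamic-map X" (and, as the second reply advises, that the dynamic map does not reuse the static map's name), and that an inbound access-list on the crypto interface admits IKE on UDP 500, NAT-T on UDP 4500 and ESP, the three flows the last reply suspects are being dropped. Both embedded configurations are constructed: the first condenses the original post, the second uses the renamed maps of the third attempt plus an inbound ACL that the thread never shows. The script assumes running-config ordering (interface sub-commands follow their "interface" line), reads only numbered "access-list" entries, and does not model ip inspect rules.

```python
import re
from collections import defaultdict

# Constructed sample 1: the thread's first configuration, condensed. The static
# map "vpn" points at a dynamic map called "mystaticmap" that is never defined.
FIRST_POST_CONFIG = """
crypto dynamic-map vpnclient 100
 set transform-set vpnclient
crypto map vpn isakmp authorization list VpN_CLIENTS
crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap
crypto map vpn client authentication list xath
interface Multilink1
 crypto map vpn
"""

# Constructed sample 2: the renamed maps of the third attempt, plus an inbound
# ACL on the Internet interface (assumed; the thread shows none) that admits
# IKE on UDP 500 but neither NAT-T on UDP 4500 nor ESP.
FILTERED_CONFIG = """
crypto dynamic-map mymap 10
 set transform-set clienthost
crypto map mystaticmap client authentication list xath
crypto map mystaticmap 65535 ipsec-isakmp dynamic mymap
interface Multilink1
 ip access-group 101 in
 crypto map mystaticmap
access-list 101 permit udp any host 12.13.14.15 eq isakmp
access-list 101 permit tcp any host 12.13.14.15 eq 22
access-list 101 deny ip any any
"""

# Flows an Easy VPN server interface must accept, and the ACL entry that admits each.
REQUIRED = {
    "IKE (udp/500)": r"permit udp .*\beq (isakmp|500)\b",
    "NAT-T (udp/4500)": r"permit udp .*\beq (non500-isakmp|4500)\b",
    "ESP (ip protocol 50)": r"permit (esp|50) ",
}


def check_easy_vpn(text):
    """Return a list of finding strings; an empty list means every check passed."""
    findings, dyn_maps, static_maps = [], set(), set()
    dyn_refs = {}                   # static map name -> dynamic map it references
    iface_map, iface_acl = {}, {}   # interface -> applied crypto map / inbound ACL
    acls, iface = defaultdict(list), None   # iface: interface block being read
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s == "!":
            continue
        if m := re.match(r"interface (\S+)$", s):
            iface = m[1]; continue
        if m := re.match(r"access-list (\S+) (.+)$", s):
            acls[m[1]].append(m[2]); continue
        if m := re.match(r"crypto dynamic-map (\S+) \d+$", s):
            dyn_maps.add(m[1]); iface = None; continue
        if m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", s):
            static_maps.add(m[1]); dyn_refs[m[1]] = m[2]; iface = None; continue
        if m := re.match(r"crypto map (\S+) (?:client|isakmp) ", s):
            static_maps.add(m[1]); iface = None; continue
        if iface and (m := re.match(r"crypto map (\S+)$", s)):
            iface_map[iface] = m[1]                 # map applied to the interface
        elif iface and (m := re.match(r"ip access-group (\S+) in$", s)):
            iface_acl[iface] = m[1]                 # inbound ACL on the interface
    for smap, dmap in dyn_refs.items():
        if dmap not in dyn_maps:
            findings.append(f"crypto map {smap} references undefined dynamic-map {dmap}")
        elif dmap == smap:
            findings.append(f"dynamic-map {dmap} shares the static map's name; the thread advises using distinct names")
    for ifname, cmap in iface_map.items():
        if cmap not in static_maps:
            findings.append(f"{ifname} applies undefined crypto map {cmap}")
        if ifname not in iface_acl:
            continue
        acl, live = iface_acl[ifname], []           # entries evaluated before a blanket deny
        for entry in acls.get(acl, []):
            if re.match(r"deny ip any any", entry):
                break
            live.append(entry)
        for label, pattern in REQUIRED.items():
            if not any(re.search(pattern, e) for e in live):
                findings.append(f"ACL {acl} inbound on {ifname} does not permit {label}")
    return findings


if __name__ == "__main__":
    for title, cfg in (("first post", FIRST_POST_CONFIG), ("with inbound ACL", FILTERED_CONFIG)):
        print(title, check_easy_vpn(cfg) or ["no findings"])
```

Run with python3: the first sample reports the dynamic map that the static map references but never defines, and the second reports that the inbound ACL lacks permits for NAT-T and ESP even though IKE gets through, which matches the symptom of an XAUTH prompt followed by a tunnel that never comes up. A first-match ACL is approximated by discarding entries after a "deny ip any any"; a real review would also walk any ip inspect and NAT rules on the path.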
