05-14-2007 03:55 AM
Dear All,
I want to configure Easy VPN Server on a Cisco 3845 router. I am using Cisco VPN Client 4.8. I have the username and password prompt, but the connection is not established.
Here is the configuration:
ip local pool vpntest 10.11.12.12 10.11.12.25
aaa autorization network VpN_CLIENTS local
aaa authentication login xath local
crypto isakmp policy 100
encryption 3des
authentication preshare
group 2
crypto isakmp client configuration group localgroups
key cisco
dns 12.12.12.12
pool vpntest
save-password
crypto ipsec transform-set vpnclient esp-3des esp-sha
crypto dynamic-map vpnclient 100
set transform-set vpnclient
reverse-route
crypto map vpn client configuration address respond
crypto map vpn isakmp authorization list VpN_CLIENTS
crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
crypto map vpn client authentication list xath
username demo password cisco
int multilink 1
description internet interface
crypto map vpn
05-14-2007 10:38 AM
Hi there,
The word "vpnclient" in the following command:
crypto dynamic-map vpnclient 100
has to be the same as the word "mystaticmap" in the following command:
crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap
Please fix this and rate this post :)
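The name mismatch pointed out in the reply above can be checked mechanically. The following Python script is an added example, not part of the original thread: it scans IOS configuration text for crypto names that are referenced but never defined, using a constructed excerpt of the first post's configuration as input. The function name `check_crypto_refs` and the finding strings are hypothetical.

```python
import re

# Constructed excerpt of the configuration in the first post of this thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpnclient esp-3des esp-sha
crypto dynamic-map vpnclient 100
set transform-set vpnclient
reverse-route
crypto map vpn client configuration address respond
crypto map vpn 65535 ipsec-isakmp dynamic mystaticmap
int multilink 1
crypto map vpn
"""

def check_crypto_refs(config):
    """Return findings for crypto names that are used but never defined (or the reverse)."""
    transform_sets, dynamic_maps, static_maps = set(), set(), set()
    used_ts, used_dyn, applied = [], [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            dynamic_maps.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line):
            static_maps.add(m.group(1))
            if m.group(2):
                used_dyn.append((m.group(1), m.group(2)))
        elif m := re.match(r"set transform-set (.+)", line):
            used_ts.extend(m.group(1).split())
        elif m := re.fullmatch(r"crypto map (\S+)", line):
            applied.append(m.group(1))  # interface-level application of a map
    findings = []
    for smap, dyn in used_dyn:
        if dyn not in dynamic_maps:
            findings.append(f"crypto map {smap} references undefined dynamic-map {dyn}")
    for ts in used_ts:
        if ts not in transform_sets:
            findings.append(f"undefined transform-set {ts}")
    for name in applied:
        if name not in static_maps:
            findings.append(f"interface applies undefined crypto map {name}")
    for dyn in sorted(dynamic_maps - {d for _, d in used_dyn}):
        findings.append(f"dynamic-map {dyn} is never referenced by a crypto map")
    return findings

if __name__ == "__main__":
    for finding in check_crypto_refs(SAMPLE_CONFIG):
        print(finding)
```
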
05-14-2007 12:44 PM
Hi,
I changed my configuration to the following and it is still not working:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group localgroups
key vpn
dns 17.18.19.20
pool vpntest
save-password
include-local-lan
!
!
crypto ipsec transform-set clienthost esp-3des esp-sha-hmac
!
!
crypto dynamic-map mystaticmap 1
set security-association lifetime seconds 86400
set transform-set clienthost
reverse-route
!
!
crypto map mystaticmap client authentication list xath
crypto map mystaticmap isakmp authorization list VpN_CLIENTS
crypto map mystaticmap client configuration address respond
crypto map mystaticmap 65535 ipsec-isakmp dynamic mystaticmap
aaa authentication login xath local
aaa authorization network VpN_CLIENTS local
interface Multilink1
description INTERNET
ip address 12.13.14.15 255.255.255.252
crypto map mystaticmap
ip local pool vpntest 172.20.11.12 172.20.11.50
username test password 0 test
05-14-2007 05:48 PM
Dear Mustafa,
I'm sorry about the confusion, but you should call your dynamic map something different than your static map, i.e. change the word (mystaticmap) to something else, as it conflicts with your static map...
crypto dynamic-map (mystaticmap) 1
crypto map mystaticmap 65535 ipsec-isakmp dynamic (mystaticmap)
In case this does not work, send me the logs on both the router and the client and I will analyze them for you...
Regards,
05-14-2007 09:54 PM
Hi,
I changed the configuration to the following, but it is not working:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 5
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group localgroups
key vpn
dns 17.18.19.20
pool vpntest
save-password
!
!
crypto ipsec transform-set clienthost esp-3des esp-sha-hmac
!
!
crypto dynamic-map mymap 10
set security-association lifetime seconds 86400
set transform-set clienthost
reverse-route
!
!
crypto map mystaticmap client authentication list xath
crypto map mystaticmap isakmp authorization list VpN_CLIENTS
crypto map mystaticmap client configuration address respond
crypto map mystaticmap 65535 ipsec-isakmp dynamic mymap
aaa authentication login xath local
aaa authorization network VpN_CLIENTS local
interface Multilink1
description INTERNET
ip address 12.13.14.15 255.255.255.252
crypto map mystaticmap
ip local pool vpntest 172.20.11.12 172.20.11.50
username test password 0 test
The logs from the client are attached. As for the router logs, this router is part of a production network; I am turning terminal monitor on it but no messages are received.
Best regards,
05-15-2007 10:44 AM
It looks like you have an access-list blocking the connection and this access-list is applied either on the interface or on another router on the outside... your ISAKMP as well as ESP traffic looks to be blocked...
Could you also make sure you are not running ip inspect commands, and if yes, you will need to allow VPN traffic explicitly...
Please rate this post if it is helpful!
Regards,