07-26-2007 01:09 PM
I've got a Cisco 870 (non-wireless) set up with a typical home config: broadband cable (DHCP client), DHCP server, NAT, FW, etc. I also currently have a site-to-site tunnel set up.
I use the Cisco VPN client 4.6.03.0021 on some computers on my internal network to VPN into my work. The VPN client is set up to use IPSec over UDP. I can hit our VPN endpoint at work and authenticate, but IKE SA negotiation fails (phase 1). This used to work before configuring the tunnel. Additionally, if I swap out the 870 for my old Linksys WRT54G, the VPN client works just fine.
I also removed all ACLs from the WAN interface, as well as turned off the FW, but still have the problem. Everything else I use through the 870 works fine, i.e. games, IM, inet, P2P, etc. Another VPN client I have that uses VPN over SSL even works fine.
What needs to be configured on the 870 to allow IKE SA to complete?
Thanks a ton to whoever can help!
07-26-2007 01:38 PM
Hi,
The following config is for Cisco VPN client access with dynamic address allocation and split tunnel.
Hope this helps; please rate the post if it does!
! AAA: a local user list for Xauth (per-user client authentication) and a
! local network authorization list for handing out the group attributes
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
username vpnc password 0 userpass
!
! Phase 1 (ISAKMP) policy. The Cisco VPN client negotiates a pre-shared-key
! policy with DH group 2; without a matching policy phase 1 never completes.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! Group attributes pushed to the client: group pre-shared key, DNS/WINS,
! default domain, address pool and the split-tunnel ACL (only destinations
! matched by ACL 108 go through the tunnel; everything else leaves the
! client in the clear)
crypto isakmp client configuration group vpncg
 key grouppass
 dns 4.2.2.1
 wins 10.59.2.10
 domain domain.com
 pool ip-pool
 acl 108
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
! Dynamic map: the client's public address is not known ahead of time, so
! the peer is learned when it connects
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! Apply the map to the outside (WAN) interface. On an 870 the WAN port is
! normally FastEthernet4 and the LAN switch ports are members of Vlan1.
interface FastEthernet0/0
 ip nat outside
 crypto map clientmap
interface Vlan1
 ip address 10.59.2.1 255.255.255.0
 ip nat inside
!
ip local pool ip-pool 10.0.230.1 10.0.230.20
!
! Split-tunnel ACL: source is the LAN behind the router, destination the
! client pool. Traffic between these two ranges must also be exempted from
! NAT, otherwise return packets are translated instead of encrypted.
access-list 108 remark VPN client split tunnel
access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255
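As an added example (not part of this thread, and not a Cisco tool), the following Python decodes the ISAKMP header and payload chain of a UDP/500 or UDP/4500 packet taken from a capture. It is the check to run against the symptom in the first post (phase 1 fails behind the router) and against a client config like the one above: it shows the exchange type (the Cisco VPN client uses Aggressive Mode with a group pre-shared key), whether the responder cookie is still zero (the responder has not answered yet), and whether NAT-T vendor IDs were offered. The sample packet, its cookie value and the placeholder payload bodies are constructed for illustration; the NAT-T vendor IDs are derived as the specs define them (MD5 of the spec name) and the Cisco Unity vendor ID is the well-known constant.

```python
"""Decode IKEv1/ISAKMP headers (RFC 2408) and walk the payload chain.

Constructed example for diagnosing phase 1 failures from a capture; the
sample message below is synthetic, not from a real client.
"""
import hashlib
import struct
from dataclasses import dataclass, field

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # cookies, next, ver, exch, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")          # next payload, reserved, payload length

EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive", 5: "Informational",
                  32: "Quick Mode", 33: "New Group"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N",
                 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA",
                 130: "NAT-D(draft)", 131: "NAT-OA(draft)"}
# Vendor IDs: NAT-T ones are MD5 of the spec name; Unity is Cisco's constant.
VENDOR_IDS = {
    hashlib.md5(b"RFC 3947").digest(): "NAT-T RFC 3947",
    hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(): "NAT-T draft-02",
    bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"): "Cisco Unity",
}


@dataclass
class IsakmpMessage:
    initiator_cookie: bytes
    responder_cookie: bytes
    exchange: str
    encrypted: bool
    message_id: int
    length: int
    payloads: list = field(default_factory=list)    # [(type name, body bytes)]
    vendor_ids: list = field(default_factory=list)

    @property
    def is_first_message(self) -> bool:
        # Responder cookie stays all-zero until the responder has replied.
        return self.responder_cookie == bytes(8)

    @property
    def nat_t_offered(self) -> bool:
        return any(v.startswith("NAT-T") for v in self.vendor_ids)


def parse_isakmp(udp_payload: bytes, dst_port: int = 500) -> IsakmpMessage:
    data = udp_payload
    if dst_port == 4500:
        # IKE on UDP/4500 is prefixed by a 4-byte zero non-ESP marker (RFC 3948 2.2).
        if data[:4] != bytes(4):
            raise ValueError("UDP/4500 packet without non-ESP marker (ESP-in-UDP?)")
        data = data[4:]
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if ver >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {ver >> 4})")
    if length != len(data):
        raise ValueError(f"header length {length} != captured {len(data)} bytes")
    msg = IsakmpMessage(icookie, rcookie, EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
                        bool(flags & 0x01), msgid, length)
    if msg.encrypted:
        return msg                      # payload chain is ciphertext; stop here
    off = ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(data):
            raise ValueError("payload chain runs past end of message")
        pnext, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + PAYLOAD_HDR.size: off + plen]
        msg.payloads.append((PAYLOAD_TYPES.get(nxt, f"type{nxt}"), body))
        if nxt == 13:
            msg.vendor_ids.append(VENDOR_IDS.get(body, "unknown:" + body.hex()))
        nxt, off = pnext, off + plen
    return msg


def build_isakmp(icookie, rcookie, exch, payloads, flags=0, msgid=0) -> bytes:
    """Assemble a message from [(payload_type, body)] pairs (test data only)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        pnext = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += PAYLOAD_HDR.pack(pnext, 0, PAYLOAD_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return ISAKMP_HDR.pack(icookie, rcookie, first, 0x10, exch, flags, msgid,
                           ISAKMP_HDR.size + len(chain)) + chain


# Constructed sample: shape of an Aggressive Mode first packet from a NAT-T
# capable Unity client (SA/KE/nonce/ID bodies are zero placeholders).
SAMPLE_AGGRESSIVE_MSG1 = build_isakmp(
    bytes.fromhex("0123456789abcdef"), bytes(8), 4,
    [(1, struct.pack("!II", 1, 1)), (4, bytes(128)), (10, bytes(20)), (5, bytes(12)),
     (13, hashlib.md5(b"RFC 3947").digest()),
     (13, bytes.fromhex("12f5f28c457168a9702d9fe274cc0100"))])

if __name__ == "__main__":
    m = parse_isakmp(SAMPLE_AGGRESSIVE_MSG1)
    print(m.exchange, "first message:", m.is_first_message,
          "NAT-T offered:", m.nat_t_offered, [name for name, _ in m.payloads])
```

Feed it the UDP payload of each IKE packet seen on the router's WAN side (for example from a tcpdump capture read with a pcap library). If every outbound message carries a zero responder cookie and nothing comes back, the problem is on the path or in the router, not in the client's proposal; if the decoder raises on a UDP/4500 packet without the marker, the packet is ESP-in-UDP rather than IKE and belongs to phase 2.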
07-30-2007 05:46 PM
Thanks for the reply. I'm a noob (working on my CCNA), so sorry for the next few questions...
Is there a way to implement split tunnel with a static crypto map? Also, can split tunnel be implemented without AAA?
I've read a bunch about split tunnel, but haven't seen a config like what I'm running. Since the tunnel is already set up, is there a split-tunnel command I can use to enable the feature for the existing tunnel? Thanks again for the help; I'll be sure to rate if I can get this working.
07-31-2007 05:48 AM
Just to be clear, the site-to-site tunnel is not set up between my home and my work; it's to a completely different network. I can post the config later if that would help. Checking routes, only traffic destined for the network on the other side of the tunnel should be going there. If someone could suggest a book or has a link to some info about every way a split tunnel can be implemented, that would be helpful.
08-01-2007 05:54 AM