Help with Cisco 870 VPN setup and Cisco easy VPN client

travis.wolfe
Level 1

I've got a Cisco 870 (non-wireless) set up with a typical home config: broadband cable (DHCP client), DHCP server, NAT, FW, etc. I also currently have a site-to-site tunnel set up.

I use the Cisco VPN client 4.6.03.0021 on some computers on my internal network to VPN into my work. The VPN client is set up to use IPSec over UDP. I can hit our VPN end point at work and authenticate, but IKE SA negotiation fails (phase 1). This used to work before configuring the tunnel. Additionally, if I swap out the 870 for my old Linksys WRT54G, the VPN client works just fine.

I also removed all ACLs from the WAN int, as well as turned off the FW, but still have the problem. Everything else I use through the 870 works fine, i.e. games, IM, inet, p2p, etc... another VPN client I have that uses VPN over SSL even works fine.

What needs to be configured on the 870 to allow IKE SA to complete?

Thanks a ton to whoever can help!
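When Phase 1 fails behind a NAT router, the useful first step is a capture on the WAN side to see whether the IKE messages actually leave and whether any reply comes back. The script below is an added example (not from this thread, not a Cisco tool) that decodes the fixed ISAKMP header from RFC 2408 on UDP/500 and the NAT-T framing from RFC 3948 on UDP/4500 (non-ESP marker, keepalive, UDP-encapsulated ESP). It does not decode the Cisco client's proprietary UDP encapsulation of ESP, only the standard framing. The packets at the bottom are constructed samples, not captured traffic.

```python
"""Classify UDP payloads seen on ports 500/4500 during IKEv1 Phase 1.

Added example, not part of the thread. Decodes the 28-byte ISAKMP header
(RFC 2408) and NAT-T framing on UDP/4500 (RFC 3948). Sample packets are
constructed inline.
"""
import struct

# ISAKMP exchange types relevant to IKEv1 (RFC 2408 section 3.1, RFC 2409)
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01  # set once Phase 1 messages are encrypted


def parse_isakmp_header(data):
    """Return a dict describing the ISAKMP header, or raise ValueError."""
    if len(data) < 28:
        raise ValueError("too short for an ISAKMP header")
    icookie, rcookie, _next, version, exch, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"length field {length} != payload size {len(data)}")
    return {
        "initiator_spi": icookie.hex(),
        "responder_spi": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        # Only the very first Phase 1 message carries an all-zero responder SPI
        "first_message": rcookie == b"\x00" * 8,
    }


def classify_udp_payload(port, data):
    """Classify a UDP payload on port 500 (raw ISAKMP) or 4500 (NAT-T)."""
    if port == 4500:
        if data == b"\xff":
            return {"kind": "nat-keepalive"}
        if data[:4] != b"\x00\x00\x00\x00":
            # Non-zero first word is an ESP SPI: UDP-encapsulated ESP (Phase 2 data)
            return {"kind": "udp-esp", "spi": data[:4].hex()}
        data = data[4:]  # strip the non-ESP marker; ISAKMP follows
        kind = "isakmp-natt"
    elif port == 500:
        kind = "isakmp"
    else:
        return {"kind": "not-ike"}
    info = parse_isakmp_header(data)
    info["kind"] = kind
    return info


def build_isakmp(icookie, rcookie, exch, flags=0, msg_id=0, body=b""):
    """Build a minimal ISAKMP message; used here only to construct samples."""
    length = 28 + len(body)
    return struct.pack("!8s8sBBBBII", icookie, rcookie, 1, 0x10,
                       exch, flags, msg_id, length) + body


if __name__ == "__main__":
    # Constructed: Main Mode message 1 on UDP/500, then an encrypted
    # NAT-T message on UDP/4500, a keepalive and a UDP-encapsulated ESP packet.
    samples = [
        (500, build_isakmp(b"\x11" * 8, b"\x00" * 8, 2, body=b"\x00" * 8)),
        (4500, b"\x00" * 4 + build_isakmp(b"\x11" * 8, b"\x22" * 8, 2, flags=1)),
        (4500, b"\xff"),
        (4500, b"\x12\x34\x56\x78" + b"\x00" * 20),
    ]
    for port, payload in samples:
        print(port, classify_udp_payload(port, payload))
```

Reading a real capture with this: if message 1 (zero responder SPI, Main Mode, unencrypted) leaves the WAN interface but no unencrypted reply with a non-zero responder SPI ever arrives, the failure is in the path or the NAT handling rather than in authentication; if replies arrive and the exchange then stalls at the encrypted messages, look at proposal or identity mismatches instead.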

4 Replies

paolo bevilacqua
Hall of Fame

Hi,

The following config is for Cisco VPN client access with dynamic allocation and split-tunnel.

Hope this helps, please rate post if it does!

aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
username vpnc password 0 userpass
!
crypto isakmp client configuration group vpncg
 key grouppass
 dns 4.2.2.1
 wins 10.59.2.10
 domain domain.com
 pool ip-pool
 acl 108
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip nat outside
 crypto map clientmap
!
interface vlan1
 ip address 10.59.2.1 255.255.255.0
 ip nat inside
!
ip local pool ip-pool 10.0.230.1 10.0.230.20
!
access-list 108 remark VPN client split tunnel
access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255
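The config above hangs together through names: the group points at a pool and an ACL, the dynamic map at a transform set, the static crypto map at the dynamic map and the AAA lists, and an interface at the crypto map. A typo in any one of them produces a Phase 1 or Phase 2 failure that is hard to spot by eye. The script below is an added example (not from this thread, not a Cisco tool) that walks an IOS config in this style and reports dangling references, and also flags the absence of a `crypto isakmp policy`, which the posted snippet does not include and which Phase 1 needs in order to have a proposal to negotiate. The embedded config is a copy of the one posted above; the checks and the names of the object kinds are my own.

```python
"""Referential-integrity check for a Cisco IOS Easy VPN server config.

Added example, not a Cisco tool. Parses the config text posted in the reply
above and verifies that every referenced object (pool, ACL, transform set,
dynamic map, crypto map, AAA list) is defined, and that an ISAKMP policy
exists for Phase 1.
"""

# Copy of the configuration posted in the reply above (sub-commands indented).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnc password 0 userpass
crypto isakmp client configuration group vpncg
 key grouppass
 dns 4.2.2.1
 wins 10.59.2.10
 domain domain.com
 pool ip-pool
 acl 108
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip nat outside
 crypto map clientmap
interface vlan1
 ip address 10.59.2.1 255.255.255.0
 ip nat inside
ip local pool ip-pool 10.0.230.1 10.0.230.20
access-list 108 remark VPN client split tunnel
access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255
"""

KINDS = ("pool", "acl", "transform-set", "dynamic-map", "crypto-map",
         "aaa-login", "aaa-network", "isakmp-policy")


def parse_config(text):
    """Return (defined, referenced): sets of defined names per kind, and
    lists of (name, context) pairs per kind for every reference found."""
    defined = {k: set() for k in KINDS}
    referenced = {k: [] for k in KINDS}
    section = None  # enclosing top-level command for indented sub-commands
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        t = line.split()
        if not line.startswith(" "):
            section = line
            if t[:3] == ["ip", "local", "pool"]:
                defined["pool"].add(t[3])
            elif t[0] == "access-list":
                defined["acl"].add(t[1])
            elif t[:3] == ["crypto", "ipsec", "transform-set"]:
                defined["transform-set"].add(t[3])
            elif t[:2] == ["crypto", "dynamic-map"]:
                defined["dynamic-map"].add(t[2])
            elif t[:3] == ["crypto", "isakmp", "policy"]:
                defined["isakmp-policy"].add(t[3])
            elif t[:3] == ["aaa", "authentication", "login"]:
                defined["aaa-login"].add(t[3])
            elif t[:3] == ["aaa", "authorization", "network"]:
                defined["aaa-network"].add(t[3])
            elif t[:2] == ["crypto", "map"]:
                defined["crypto-map"].add(t[2])
                if "authentication" in t and "list" in t:
                    referenced["aaa-login"].append((t[t.index("list") + 1], line))
                elif "authorization" in t and "list" in t:
                    referenced["aaa-network"].append((t[t.index("list") + 1], line))
                elif "dynamic" in t:
                    referenced["dynamic-map"].append((t[t.index("dynamic") + 1], line))
            continue
        if section is None:
            continue
        # Indented sub-command: its meaning depends on the enclosing block
        if section.startswith("crypto isakmp client configuration group"):
            if t[0] == "pool":
                referenced["pool"].append((t[1], section))
            elif t[0] == "acl":
                referenced["acl"].append((t[1], section))
        elif section.startswith("crypto dynamic-map") and t[:2] == ["set", "transform-set"]:
            referenced["transform-set"].append((t[2], section))
        elif section.startswith("interface") and t[:2] == ["crypto", "map"]:
            referenced["crypto-map"].append((t[2], section))
    return defined, referenced


def check_config(text):
    """Return a list of problems; an empty list means the references are consistent."""
    defined, referenced = parse_config(text)
    problems = []
    for kind, refs in referenced.items():
        for name, ctx in refs:
            if name not in defined[kind]:
                problems.append(f"{kind} '{name}' referenced in '{ctx}' is not defined")
    if not defined["isakmp-policy"]:
        problems.append("no 'crypto isakmp policy' defined: IKE Phase 1 has nothing to negotiate")
    if not referenced["crypto-map"]:
        problems.append("no interface applies a crypto map")
    return problems


if __name__ == "__main__":
    for p in check_config(SAMPLE_CONFIG) or ["config references are consistent"]:
        print(p)
```

Run against the posted snippet it reports only the missing ISAKMP policy; prepend a `crypto isakmp policy` block with `authentication pre-share` and it comes back clean, and misspelling the pool name under the group produces a dangling-reference line naming the offending block.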

Thanks for the reply. I'm a noob (working on ccna), so sorry for the next few questions...

Is there a way to implement split tunnel with a static crypto map? Also, can split tunnel be implemented without AAA?

I've read a bunch about split tunnel, but haven't seen a config like what I'm running. Since the tunnel is already set up, is there a split tunnel command I can use to enable the feature for the existing tunnel? Thanks again for the help, I'll be sure to rate if I can get this working.

travis.wolfe
Level 1

Just to be clear, the site-to-site tunnel is not set up between my home and my work; it's to a completely different network. I can post the config later if that would help. Checking routes, only traffic destined for the network on the other side of the tunnel should be going there. If someone could suggest a book or has a link to some info about every way a split tunnel can be implemented, that would be helpful.

To help clarify, I've attached a simple diagram of configuration. I really need to get this working and appreciate any help you guys can provide.
