07-27-2007 07:48 AM - edited 03-11-2019 03:50 AM
I have an 1841 that has a working site-to-site VPN tunnel. I added the config for a VPN client and nothing happens.
I debugged crypto isakmp and don't even see the client trying to connect.
Anyone see what's wrong?
version 12.4
aaa new-model
!
aaa session-id common
!
!
ip inspect name test http urlfilter
username xxxxxx privilege 15 password 7 xxxxxxxx
!
!
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ciscociscoAZ address x.x.x.x no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group Remote_User
 key cisco
 pool VPNpool
 acl 150
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set remotesite
 match address vpn
!
!
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip inspect test in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
ip local pool VPNpool 192.168.50.50 192.168.50.160
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip nat inside source list NoNat interface FastEthernet0/1 overload
!
ip access-list extended NoNat
 deny ip 192.168.12.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended vpn
 permit ip 192.168.12.0 0.0.0.255 host 10.155.102.252
!
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
!
Thanks
07-28-2007 12:17 AM
Try adding "reverse-route" under the dynamic crypto map.
Everything else looks OK; verify that the crypto map is applied with "sh crypto dynamic-map".
A debug crypto isakmp should show when it tries to connect; either you have not configured logging properly, or the client cannot reach the router.
07-30-2007 05:57 AM
Mattias,
The reverse route didn't work.
When I debug crypto isakmp I don't even see it trying... but I can ping the outside interface from where I'm trying the client.
router#sh cry dynamic-map
Crypto Map Template "dynmap" 10
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                myset,
        }
Does this tell you anything?
Thanks
Colum
07-30-2007 06:09 AM
Also, you are referring to the AAA lists userauthen and groupauthor, but they are not defined anywhere:
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
You need something like this, if you want to use XAUTH with local authentication:
aaa authentication login userauthen local
aaa authorization network groupauthor local
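Pulling the two replies above together (the reverse-route suggestion and the missing AAA method lists), here is a complete remote-access (EzVPN server) fragment as an added example. It is not from the original post or from Cisco documentation; it reuses the thread's own names (userauthen, groupauthor, Remote_User, VPNpool, myset, dynmap, mymap, ACL 150) and the placeholders vpnuser, <user-password>, <outside-ip> and access-list 199 are assumptions for illustration. The exec-mode commands at the end are the check a practitioner wants when "debug crypto isakmp" stays silent: whether UDP/500 from the client reaches the outside interface at all.

```cisco
! --- Added example, not the poster's config. Names from the thread; user,
! --- password and <outside-ip> are placeholders.
aaa new-model
! Method lists the crypto map refers to. Without these two lines the
! "client authentication list" / "isakmp authorization list" entries
! point at nothing, so XAUTH and the group lookup never happen.
aaa authentication login userauthen local
aaa authorization network groupauthor local
! XAUTH user in the local database (placeholder credentials).
username vpnuser secret <user-password>
!
! The Cisco VPN client requires a pre-share IKE policy with DH group 2.
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Site-to-site peer keeps its own key; no-xauth keeps the LAN-to-LAN
! peer from being prompted for a username once XAUTH is enabled on the map.
crypto isakmp key ciscociscoAZ address x.x.x.x no-xauth
!
! Remote-access group: the client's Group Name is Remote_User and the
! Group Password is "key". "cisco" is a guessable group key; use a long
! random string outside the lab.
crypto isakmp client configuration group Remote_User
 key cisco
 pool VPNpool
 acl 150
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 crypto map mymap
!
ip local pool VPNpool 192.168.50.50 192.168.50.160
! Split-tunnel ACL pushed to the client; pool traffic must also be
! excluded from NAT, as the NoNat list in the thread already does.
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! --- Exec-mode checks (run from privileged exec, not config mode) ---
! Is the map bound to the outside interface, and does any IKE SA form?
! show crypto map
! show crypto isakmp sa
! debug crypto isakmp
! If the debug stays silent, prove whether IKE even arrives: packets
! addressed to the router are process-switched, so debug ip packet sees them.
access-list 199 permit udp any host <outside-ip> eq isakmp
access-list 199 permit udp any host <outside-ip> eq 4500
! debug ip packet detail 199
! undebug all
```

If access-list 199 never matches while the client reports the peer not responding, the problem is upstream of the router (a filter or NAT device in the path, or the client pointed at the wrong address); if it matches but "debug crypto isakmp" shows nothing, check that the crypto map is actually applied and that logging sends debug output to the session you are watching (terminal monitor, or logging console).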
07-30-2007 07:29 AM
You are right, that was missing, but it still doesn't work...
It's weird...
Client log:
813 11:11:24.307 07/30/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
814 11:11:24.828 07/30/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
It's like it can't get to the outside IP.
Could it be the inspect/Websense?
07-30-2007 07:32 AM
Hi,
Please refer to the document below.
It will guide you step by step through configuring client VPN.
It also covers troubleshooting.
It is much easier.
Regards,
Dharmesh Purohit