concentrator site to site vpn problem

Unanswered Question
Aug 14th, 2007

I have recently downloaded a document from the Cisco website that states that you can configure a 3000 VPN concentrator to set up a LAN-to-LAN VPN from a PIX firewall that gets its outside address from DHCP.


Apparently, to get this to work you have to configure the concentrator's Base Group like this:

On the General tab:
Tunneling Protocols = IPSec

On the IPSec tab:
Tunnel Type = Remote Access
Authentication = None

and set the Default Preshared Key (in this case it's cisco123).


I've set the Base Group to use IPsec SA ESP-3DES-MD5, which in turn uses the IKE-3DES-MD5 IKE Proposal, which match the phase 1 and phase 2 in the configuration of the PIX firewall.


PIX CONFIG

interface ethernet0 100full
ip address outside 192.168.2.1 255.255.255.0

interface ethernet1 100full
ip address inside 192.168.1.1 255.255.255.0

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 101

route outside 0.0.0.0 0.0.0.0 192.168.2.2

crypto ipsec transform-set REMOTE_VPN esp-3des esp-md5-hmac
sysopt connection permit-ipsec

crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 102
crypto map vpn 10 set peer 192.168.2.2
crypto map vpn 10 set transform-set REMOTE_VPN
crypto map vpn interface outside

isakmp enable outside
isakmp identity address
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


After all this I am unable to get a tunnel to come up.

From the Live Event Log on the concentrator I get this output when attempting to connect:

24 08/14/2007 16:43:50.350 SEV=4 AUTH/9 RPT=4 192.168.2.1
Authentication failed: Reason = No active server found
handle = 3, server = (none), user = VPNC_Base_Group


I've included the output from debug crypto isakmp on the firewall as an attachment, as it's a bit long.

Any ideas on why I am unable to establish a tunnel will be appreciated.

Regards

Melvyn Brown

PS: I know the config states that the PIX has a static address, but I used this config when setting up a similar thing into a PIX 515 and it worked perfectly.
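As an added example (not from the post and not Cisco's code), here is a small Python check that parses the crypto lines of the PIX configuration above and compares the phase 1 ISAKMP policy, the phase 2 transform set and the per-peer preshared key with what the concentrator's base group offers. The attribute values given for the IKE-3DES-MD5 proposal and the ESP-3DES-MD5 SA are this example's assumptions, not taken from the post.

```python
# Constructed excerpt: the crypto lines quoted in the post.
PIX_CONFIG = """\
crypto ipsec transform-set REMOTE_VPN esp-3des esp-md5-hmac
crypto map vpn 10 set peer 192.168.2.2
crypto map vpn 10 set transform-set REMOTE_VPN
isakmp key cisco123 address 192.168.2.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

# Assumed parameters of the concentrator's IKE-3DES-MD5 proposal and
# ESP-3DES-MD5 SA, plus the base-group default preshared key from the post.
CONCENTRATOR = {
    "ike": {"authentication": "pre-share", "encryption": "3des",
            "hash": "md5", "group": "2"},
    "esp": {"esp-3des", "esp-md5-hmac"},
    "psk": "cisco123",
}

def parse_pix(config):
    """Extract ISAKMP policies, transform sets, crypto-map bindings and per-peer keys."""
    out = {"policies": {}, "transform_sets": {}, "map_ts": {}, "keys": {}}
    for w in (line.split() for line in config.splitlines()):
        if w[:2] == ["isakmp", "policy"]:
            out["policies"].setdefault(w[2], {})[w[3]] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform_sets"][w[3]] = set(w[4:])
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "transform-set"]:
            out["map_ts"][(w[2], w[3])] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            out["keys"][w[4]] = w[2]
    return out

def mismatches(config, peer_ip):
    """Reasons the PIX would not agree with the concentrator; empty means all line up."""
    c, want = parse_pix(config), CONCENTRATOR["ike"]
    problems = []
    # Phase 1: some ISAKMP policy must match every attribute of the IKE proposal.
    if not any(all(p.get(k) == v for k, v in want.items()) for p in c["policies"].values()):
        problems.append("no isakmp policy matches the IKE-3DES-MD5 proposal")
    # Phase 2: each transform set bound to a crypto map must match the ESP SA.
    for entry, ts in c["map_ts"].items():
        if c["transform_sets"].get(ts) != CONCENTRATOR["esp"]:
            problems.append(f"crypto map {entry} transform-set {ts} differs from ESP-3DES-MD5")
    # The key configured for this peer must equal the concentrator's default preshared key.
    if c["keys"].get(peer_ip) != CONCENTRATOR["psk"]:
        problems.append(f"isakmp key for {peer_ip} differs from the base-group key")
    return problems
```

For the configuration in the post the check returns no mismatches, so the proposal parameters themselves are not the disagreement, leaving the concentrator's group authentication (the AUTH/9 event) as the place to look.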


