Problem to configure VPN

Dec 17th, 2007

Hi All,

I am having a problem configuring a dynamic VPN on my PIX, which has the 7.2 version of IOS, but I am able to work with the same configuration on the PIX which has the 6.3 version. I just want a user from outside my network using the VPN client to access the resources inside my network. Below is my configuration. Is it OK, or do I need to do anything more? Please advise me.

ip local pool vpnpool1

crypto dynamic-map map2 20 set transform-set guatemala1

crypto map map1 20 ipsec-isakmp dynamic map2

crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password xxxxxxx

access-list outside_acl permit tcp

route outside

access-list inside_nat0_outbound extended permit ip any

access-list inside_nat0_outbound extended permit ip

access-list 102 permit ip

nat (inside) 0 access-list inside_nat0_outbound

husycisco Tue, 12/18/2007 - 01:00

Hi Uday

6.3 and 7.2 are slightly different. First issue the following command.

isakmp enable outside


group-policy Guatemalavpn internal

group-policy Guatemalavpn attributes

vpn-idle-timeout 36000

vpn-session-timeout 10080

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 102

tunnel-group Guatemalavpn type ipsec-ra

tunnel-group Guatemalavpn general-attributes

address-pool vpnpool1

authentication-server-group LOCAL

default-group-policy Guatemalavpn

tunnel-group Guatemalavpn ipsec-attributes

pre-shared-key typeyourpresharedkeyhere


udayashankarsg Tue, 12/18/2007 - 01:22

Should I use your command after my command?

If I enter the following command, I will get some error message:

vpngroup Guatemalavpn address-pool vpnpool1

vpngroup Guatemalavpn split-tunnel inside_nat0_outbound

vpngroup Guatemalavpn idle-time 36000

vpngroup Guatemalavpn password cisco123

udayashankarsg Tue, 12/18/2007 - 01:23

This is the error message:

WARNING: the 'vpngroup' command has been deprecated, and will be converted to the corresponding tunnel-group and group-policy syntax

ERROR: ip pool vpnpool1 is not defined.
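The warning and error quoted above can be caught offline before pasting a config into a 7.x device. The following is an added example, not part of the original thread and not a Cisco tool: it flags deprecated `vpngroup` lines and references to pools, transform sets and ACLs that are never defined. The `lint` function, its rules and the sample config (including the addresses and the names `guatemala2` and `103`) are constructed assumptions.

```python
import re

# Constructed sample in the style of the thread's config. Addresses are
# documentation values; the pool line deliberately has no address range.
SAMPLE = """\
ip local pool vpnpool1
crypto ipsec transform-set guatemala1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 20 set transform-set guatemala2
crypto map map1 20 ipsec-isakmp dynamic map2
access-list 102 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
vpngroup Guatemalavpn idle-time 36000
group-policy Guatemalavpn attributes
 split-tunnel-network-list value 103
tunnel-group Guatemalavpn general-attributes
 address-pool vpnpool1
"""

# (object kind, pattern that defines it, pattern that references it).
# Assumption: a pool only counts as defined when a range follows its name.
# Only the first transform set named on a line is checked.
RULES = [
    ("ip pool", r"^ip local pool (\S+) \S+", r"\baddress-pool (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+) ",
     r"set transform-set (\S+)"),
    ("access-list", r"^access-list (\S+) ",
     r"split-tunnel-network-list value (\S+)"),
]


def lint(config):
    """Return sorted (line number, finding, name) tuples for a config."""
    lines = [(n, l.strip()) for n, l in enumerate(config.splitlines(), 1)]
    # 7.x warns that vpngroup is deprecated, so report every use of it.
    findings = [(n, "deprecated in 7.x", "vpngroup")
                for n, l in lines if l.startswith("vpngroup ")]
    for kind, define, refer in RULES:
        defined = {m.group(1) for _, l in lines if (m := re.search(define, l))}
        for n, l in lines:
            m = re.search(refer, l)
            if m and m.group(1) not in defined:
                findings.append((n, f"undefined {kind}", m.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```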

udayashankarsg Tue, 12/18/2007 - 01:50

If I try to connect after the configuration, the Cisco VPN client asks for authentication. After providing the local username and password of the PIX, and also when I tried with the username as Guatemalavpn and the password as my preshared key, I am getting an error saying:

secured vpn connection terminated locally by the client reason 403 unable to connect security gateway

husycisco Tue, 12/18/2007 - 01:51

vpngroup is changed to tunnel-group in 7.x IOS. So don't use vpngroup, and use my config instead. The rest of the config is OK.

When it asks you for a username and password, submit a username and password that you created on the PIX. For example, the following command creates a user:

username uday password 1234 priv 1


udayashankarsg Tue, 12/18/2007 - 02:21

I am still having the same error and the below command is not working.

tunnel-group Guatemalavpn type ipsec-ra

husycisco Tue, 12/18/2007 - 02:27


What error do you encounter when you type

tunnel-group Guatemalavpn type ipsec-ra

Posting your running config would be helpful

husycisco Tue, 12/18/2007 - 03:41

Type the following in their respective order in configure terminal mode

tunnel-group Guatemalavpn general-attributes

authentication-server-group LOCAL

udayashankarsg Wed, 12/19/2007 - 20:20

Do I have any problem with my crypto map command? Because when I type it, I get the following error.

crypto map map1 20 ipsec-isakmp dynamic map2

WARNING: dynamic map has incomplete entries

