Easy VPN Server

Unanswered Question
Aug 9th, 2008

I have configured an IOS-based Easy VPN on a 2811 router and am having a problem connecting to my office network using the VPN clients. It does not connect. I used SDM to configure the Easy VPN server and I configured everything necessary.


Please, if anyone has a working Easy VPN server config, kindly send it to [email protected] so that I can compare it with what I have and see where my mistake lies.

Please reply, thanks.

Marwan ALshawi Sat, 08/09/2008 - 20:51

if you can just post your config here to find out what is misconfigured or missing



Marwan ALshawi Sun, 08/10/2008 - 02:55


you need to add the following commands

but before that read the link included below


crypto isakmp policy 1

authentication pre-share

hash sha

encryption 3des


no crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2


crypto ipsec transform-set myset esp-3des esp-sha-hmac


crypto dynamic-map SDM_DYNMAP_1 1

set transform-set myset




crypto map SDM_CMAP_1 client authentication list test

crypto map SDM_CMAP_1 isakmp authorization list test

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1


no ip nat inside source list 1 pool TRAVANT overload


access-list 100 deny ip 172.x.x.x 255.255.255.x [put here your VPN pool range with mask]

access-list 100 permit ip 172.x.x.x 0.0.0.255 any


ip nat inside source list 100 pool TRAVANT overload


interface FastEthernet0/1


no crypto map smap

crypto map SDM_CMAP_1


and create at least one username and password


username vpnuser password cisco123


and the following link will guide you step by step


http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml



good luck


please, if helpful Rate

sameoj1881 Wed, 08/13/2008 - 04:22

Hi,

I have downloaded the guide and configured the VPN using SDM as stated, but it still did not work. Can you please take a look at my configs and let me know where the mistake lies? Please reply, thanks.



Marwan ALshawi Wed, 08/13/2008 - 04:50

oluwaseyi


I have fixed the configuration errors that you have made

and it seems you didn't follow the changes that I posted above

anyway

just look at the attached file

anything not in that file

you have to remove it from your router with "no" then the command

and your VPN and NAT config should look like what is in the attached file

and let me know if it didn't work

but make it as the attached file


please, if helpful rate




sameoj1881 Mon, 08/18/2008 - 05:33

I have made the changes like you said and removed all the configs that are not in the attachment you sent to me.


I loaded my router with your attached configs and did a test to the VPN server via a remote Cisco VPN client, yet it did not work, here is what I have on the router now, please see below.


Someone should please simulate it and let me know where I got it wrong.


The issue I have is that whenever I use my VPN client to connect, it doesn't connect. Below is the output from my VPN server router, 2811; someone should please tell me where I got it wrong. If you can simulate, please go ahead and let me know where I got it wrong.


Thanks in advance.




Cheers.



Using 2619 out of 245752 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xxxxxxxxxxxx

!

boot-start-marker

boot-end-marker

!

no logging buffered

!

aaa new-model

!

!

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip subnet-zero

!

!

ip cef

!

!

ip ips po max-events 100

no ftp-server write-enable

!

!

!

username xxxxx password 0 xxxxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 20

no crypto isakmp ccm

!

crypto isakmp client configuration group default

key 6 XXXXXX

dns X.X.X.X X.X.X.X

domain xxxxxxxxxxxx.com

pool SDM_POOL_1

acl 100

max-users 10

max-logins 10

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

crypto dynamic-map dmap 10

reverse-route

!

crypto dynamic-map xxxxvpn-dymap 1

reverse-route

!

!

!

crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address initiate

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

crypto map smap 5 ipsec-isakmp dynamic dmap

!

!

!

interface FastEthernet0/0

description connection to LAN

ip address X.X.X.X 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex full

speed auto

!

interface FastEthernet0/1

description connection to internet$ETH-LAN$

ip address X.X.X.X 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex full

speed auto

crypto map SDM_CMAP_1

!

ip local pool vpnpool 192.168.3.50 192.168.3.70

ip classless

ip route 0.0.0.0 0.0.0.0 X.X.X.X

ip http server

ip http secure-server

ip nat pool TRAVANT X.X.X.X netmask 255.255.255.0

ip nat inside source list 1 pool xxxxx overload

ip nat inside source static X.X.X.X X.X.X.X

ip nat inside source static tcp X.X.X.X 25 X.X.X.X 25 extendable

ip nat inside source static tcp X.X.X.X 80 X.X.X.X 80 extendable

ip nat inside source static tcp X.X.X.X 110 X.X.X.X 110 extendable

!

access-list 1 permit any

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip X.X.X.X 0.0.0.255 any

!

!

control-plane

!

!

!

line con 0

password trv

line aux 0

line vty 0 4

password tre

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

xxxxxxx#



Marwan ALshawi Mon, 08/18/2008 - 05:44

remove the following line

crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap


with

no crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap



and add the following line instead:

crypto map MYCMAP 65535 ipsec-isakmp dynamic SDM_DYNMAP_1


also check the NATing config I have sent you previously

especially the deny statement in the ACL with

do it as I have done


and good luck


please, if helpful Rate

sameoj1881 Mon, 08/18/2008 - 06:01

Will removing this line in the config and replacing it with the other one make the VPN work? Please kindly simulate and let me know if it will work this time, thanks.

Marwan ALshawi Mon, 08/18/2008 - 06:10

sorry, the one I sent you doesn't relate because you are already not using that map

keep your config as above and do the NATing as below


no ip nat pool xxxxxxx 217.14.90.8 217.14.90.8 netmask 255.255.255.0


no ip nat inside source list 1 pool xxxxxxx overload



ip nat inside source list 110 interface fastethernet 0/1 overload




ip nat inside source static 172.16.3.2 217.14.90.8

ip nat inside source static tcp 172.16.3.2 25 217.14.90.9 25 extendable

ip nat inside source static tcp 172.16.3.2 80 217.14.90.9 80 extendable

ip nat inside source static tcp 172.16.3.2 110 217.14.90.9 110 extendable

!

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 172.16.3.0 0.0.0.255 any


access-list 110 deny ip 172.16.3.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 110 permit ip 172.16.3.0 0.0.0.255 any


and in the VPN client put the group name as default

and the password as the key you have put to that group


good luck


before you make the VPN connection make sure you can ping the outside interface of the router from the client computer
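
Added example, not part of the thread or of Cisco's documentation: a small Python check for the cross-references the configs in this thread rely on (the client group's pool naming a defined ip local pool, the crypto map's dynamic-map existing, and the NAT overload ACL denying traffic to the VPN pool before any permit). The function names lint_easy_vpn and nat_exempts and the trimmed SAMPLE config are constructed for illustration, and the parser only covers the command forms shown here.

```python
import ipaddress
import re

# Constructed sample, modelled on the router config posted in this thread.
SAMPLE = """\
crypto isakmp client configuration group default
 pool SDM_POOL_1
crypto dynamic-map SDM_DYNMAP_1 1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0/1
 crypto map SDM_CMAP_1
ip local pool vpnpool 192.168.3.50 192.168.3.70
ip nat inside source list 1 pool TRAVANT overload
access-list 1 permit any
"""

def nat_exempts(lines, acl, addr):
    """True if the first extended-ACL entry whose destination covers addr is a deny."""
    pat = rf"access-list {re.escape(acl)} (permit|deny) ip (?:any|\S+ \S+) (any|\d\S+ \d\S+)$"
    for m in filter(None, (re.match(pat, l) for l in lines)):
        action, dst = m.groups()
        if dst == "any" or addr in ipaddress.ip_network(dst.replace(" ", "/"), strict=False):
            return action == "deny"
    return False  # a standard ACL cannot match on destination, so nothing is exempted

def lint_easy_vpn(config):
    """Return cross-reference problems found in an IOS Easy VPN server config."""
    lines = [l.strip() for l in config.splitlines() if l.strip(" !")]
    find = lambda pat: [m.groups() for l in lines if (m := re.match(pat, l))]
    pools = dict(find(r"ip local pool (\S+) (\S+)"))      # name -> first address
    dynmaps = {n for (n,) in find(r"crypto dynamic-map (\S+) \d+")}
    cmaps = dict(find(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"))
    problems = []
    for (pool,) in find(r"pool (\S+)$"):                  # group sub-command
        if pool not in pools:
            problems.append(f"client group pool '{pool}' has no 'ip local pool'")
    for cmap, dyn in cmaps.items():
        if dyn not in dynmaps:
            problems.append(f"crypto map '{cmap}' uses undefined dynamic-map '{dyn}'")
    for (cmap,) in find(r"crypto map (\S+)$"):            # interface sub-command
        if cmap not in cmaps:
            problems.append(f"interface applies undefined crypto map '{cmap}'")
    for (acl,) in find(r"ip nat inside source list (\S+) .*overload$"):
        for name, start in pools.items():
            if not nat_exempts(lines, acl, ipaddress.ip_address(start)):
                problems.append(f"NAT list {acl} does not exempt VPN pool '{name}'")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_easy_vpn(SAMPLE)))
```

Run against the full output of show running-config; an empty result means only that these references resolve, not that the tunnel will come up.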

sameoj1881 Mon, 08/18/2008 - 06:22

My question is that will this new config work?


Will I be able to connect to the VPN server via the VPN client?


Did you test it before sending me these configs?


Please confirm cos once it works, I promise to rate it very high.


Am going to test today, thanks in advance, cheers.

sameoj1881 Wed, 08/20/2008 - 03:54

I have configured as you said but it did not work.
