cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1018
Views
0
Helpful
12
Replies

Easy VPN Server

sameoj1881
Level 1
Level 1

I have configured an IOS based easy VPN on a 2811 router am having problem connecting to my office network using the VPN clients. It does not connect, I use SDM to configure the easy vpn server and I configured every thing necessary.

Please if any one has a working easy vpn server configs please kindly send it to sameoj@gmail.com so that I can compare it with what I have and see where my mistake lies.

Please reply thanks.

12 Replies 12

Marwan ALshawi
VIP Alumni
VIP Alumni

if u can just post ur config here to find out what is misconfigured or missing

Hi

I have attached my config, please kindly let me know where and what I configured wrong,thanks.

u need to add the folowing command

but befor that read the link included bellow

crypto isakmp policy 1

authentication pre-share

hash sha

encryption 3des

no crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set myset

crypto map SDM_CMAP_1 client authentication list test

crypto map SDM_CMAP_1 isakmp authorization list test

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

no ip nat inside source list 1 pool TRAVANT overload

access-list 100 deny ip 172.x.x.x 255.255.255.x [put here ur vpn pool range with mask]

access-list 100 permit ip 172.x.x.x 0.0.0.255 any

ip nat inside source list 100 pool TRAVANT overload

interface FastEthernet0/1

no crypto map smap

crypto map SDM_CMAP_1

and creat atleast one username and password

username vpnuser password cisco123

and the folowing link will guid u step - by step

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml

good luck

please, if helpful Rate

Hi,

I have downloaded the guide and configured the VPN using SDM as stated but it still did not work can you please take a look at my configs and let me know where the mistake lies,please reply thanks.

oluwaseyi

i have fixed the configurations errors that u have made

and u seem u didnt follow the changes that i posted above

any way

just look at the attached file

any thing not in that file

u have do remove it from ur router with no the the command

and ur vpn and NAT config should look like what is in the attached file

and let me know if didnt work

but make it as the attached file

please, if helpful rate

I have made the changes like you said and removed all the configs that are not in the attachment you sent to me.

I loaded my router with your attached configs and did a test to the VPN server via a remote Cisco VPN client, yet it did not work, here is what I have on the router now, please see below.

Someone should please simulate it and let me know where I got it wrong.

The issue I have is that whenever I use my VPN client to connect, it doesn`t

connect, below is the output from my VPN server router, 2811; someone should

please tell me where I got it wrong, if you can simulate, please go ahead and

let me know where I got it wrong.

Thanks in advance.

Cheers.

Using 2619 out of 245752 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname xxxxxxxxxxxx

!

boot-start-marker

boot-end-marker

!

no logging buffered

!

aaa new-model

!

!

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip subnet-zero

!

!

--More-- ip cef

!

!

ip ips po max-events 100

no ftp-server write-enable

!

!

!

username xxxxx password 0 xxxxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 20

no crypto isakmp ccm

!

crypto isakmp client configuration group default

key 6 XXXXXX

dns X.X.X.X X.X.X.X

domain xxxxxxxxxxxx.com

--More-- pool SDM_POOL_1

acl 100

max-users 10

max-logins 10

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

crypto dynamic-map dmap 10

reverse-route

!

crypto dynamic-map xxxxvpn-dymap 1

reverse-route

!

!

!

crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

--More-- crypto map SDM_CMAP_1 isakmp authorization

list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address initiate

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

crypto map smap 5 ipsec-isakmp dynamic dmap

!

!

!

interface FastEthernet0/0

description connection to LAN

ip address X.X.X.X 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex full

speed auto

!

interface FastEthernet0/1

description connection to internet$ETH-LAN$

ip address X.X.X.X 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex full

--More-- speed auto

crypto map SDM_CMAP_1

!

ip local pool vpnpool 192.168.3.50 192.168.3.70

ip classless

ip route 0.0.0.0 0.0.0.0 X.X.X.X

ip http server

ip http secure-server

ip nat pool TRAVANT X.X.X.X netmask 255.255.255.0

ip nat inside source list 1 pool xxxxx overload

ip nat inside source static X.X.X.X X.X.X.X

ip nat inside source static tcp X.X.X.X 25 X.X.X.X 25 extendable

ip nat inside source static tcp X.X.X.X 80 X.X.X.X 80 extendable

ip nat inside source static tcp X.X.X.X 110 X.X.X.X 110 extendable

!

access-list 1 permit any

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip X.X.X.X 0.0.0.255 any

!

!

control-plane

!

--More-- !

!

line con 0

password trv

line aux 0

line vty 0 4

password tre

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

xxxxxxx#

remove the following line

crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap

with

no crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap

and add the following line instead:

crypto map MYCMAP 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

also check the NATing config i have sent you prevously

especiially the deny statement in the ACL with

do it as i have done

and good luck

please, if helpful Rate

Are removing this line in the config and replacing it with the other one will make the VPN work? Please kindly simulate and let me know if it will work this time,thanks.

sorry the one i sent u dosnt relate because u already not using that map

keep ur config as above and do the nating as bellow

no ip nat pool xxxxxxx 217.14.90.8 217.14.90.8 netmask 255.255.255.0

no ip nat inside source list 1 pool xxxxxxx overload

ip nat inside source list 110 interface fastethernet 0/1 overload

ip nat inside source static 172.16.3.2 217.14.90.8

ip nat inside source static tcp 172.16.3.2 25 217.14.90.9 25 extendable

ip nat inside source static tcp 172.16.3.2 80 217.14.90.9 80 extendable

ip nat inside source static tcp 172.16.3.2 100 217.14.90.9 110 extendable

!

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 172.16.3.0 0.0.0.255 any

access-list 110 deny ip 172.16.3.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 110 permit ip 172.16.3.0 0.0.0.255 any

and in the vpn client put the group name as default

and the password as the key u have put to that group

good luck

before u make the vpn connection make sure u can ping the outside interface of the router from the client computer

My question is that will this new config work?

Will I be able to connect to the VPN server via the VPN client?

Did you test it before sending my these configs?

Please confirm cos once it works, I promise to rate it very high.

Am going to test today,thanks in advance cheers.

first i am not dong this to get rated

secondly it should work

if u do it and try to have allok at the following link a s a refrence

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

good luck

I have configured has you said but it did not work.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: