08-09-2008 12:54 PM
I have configured an IOS-based Easy VPN on a 2811 router and am having a problem connecting to my office network using the VPN clients. It does not connect. I used SDM to configure the Easy VPN server and I configured everything necessary.
Please, if anyone has a working Easy VPN server config, kindly send it to sameoj@gmail.com so that I can compare it with what I have and see where my mistake lies.
Please reply thanks.
08-09-2008 08:51 PM
If you can, just post your config here to find out what is misconfigured or missing.
08-10-2008 02:33 AM
08-10-2008 02:55 AM
You need to add the following commands,
but before that read the link included below:
crypto isakmp policy 1
authentication pre-share
hash sha
encryption 3des
no crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set myset
crypto map SDM_CMAP_1 client authentication list test
crypto map SDM_CMAP_1 isakmp authorization list test
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
no ip nat inside source list 1 pool TRAVANT overload
access-list 100 deny ip 172.x.x.x 255.255.255.x [put here your VPN pool range with mask]
access-list 100 permit ip 172.x.x.x 0.0.0.255 any
ip nat inside source list 100 pool TRAVANT overload
interface FastEthernet0/1
no crypto map smap
crypto map SDM_CMAP_1
and create at least one username and password:
username vpnuser password cisco123
and the following link will guide you step by step
good luck
please, if helpful Rate
08-13-2008 04:22 AM
08-13-2008 04:50 AM
oluwaseyi
I have fixed the configuration errors that you have made,
and it seems you didn't follow the changes that I posted above.
Anyway,
just look at the attached file.
Anything not in that file
you have to remove from your router with "no" then the command,
and your VPN and NAT config should look like what is in the attached file.
And let me know if it didn't work,
but make it as the attached file.
please, if helpful rate
08-18-2008 05:33 AM
I have made the changes like you said and removed all the configs that are not in the attachment you sent to me.
I loaded my router with your attached configs and did a test to the VPN server via a remote Cisco VPN client, yet it did not work, here is what I have on the router now, please see below.
Someone should please simulate it and let me know where I got it wrong.
The issue I have is that whenever I use my VPN client to connect, it doesn't
connect, below is the output from my VPN server router, 2811; someone should
please tell me where I got it wrong, if you can simulate, please go ahead and
let me know where I got it wrong.
Thanks in advance.
Cheers.
Using 2619 out of 245752 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip cef
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
username xxxxx password 0 xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 20
no crypto isakmp ccm
!
crypto isakmp client configuration group default
key 6 XXXXXX
dns X.X.X.X X.X.X.X
domain xxxxxxxxxxxx.com
pool SDM_POOL_1
acl 100
max-users 10
max-logins 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto dynamic-map dmap 10
reverse-route
!
crypto dynamic-map xxxxvpn-dymap 1
reverse-route
!
!
!
crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address initiate
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map smap 5 ipsec-isakmp dynamic dmap
!
!
!
interface FastEthernet0/0
description connection to LAN
ip address X.X.X.X 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed auto
!
interface FastEthernet0/1
description connection to internet$ETH-LAN$
ip address X.X.X.X 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex full
speed auto
crypto map SDM_CMAP_1
!
ip local pool vpnpool 192.168.3.50 192.168.3.70
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip http server
ip http secure-server
ip nat pool TRAVANT X.X.X.X netmask 255.255.255.0
ip nat inside source list 1 pool xxxxx overload
ip nat inside source static X.X.X.X X.X.X.X
ip nat inside source static tcp X.X.X.X 25 X.X.X.X 25 extendable
ip nat inside source static tcp X.X.X.X 80 X.X.X.X 80 extendable
ip nat inside source static tcp X.X.X.X 110 X.X.X.X 110 extendable
!
access-list 1 permit any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip X.X.X.X 0.0.0.255 any
!
!
control-plane
!
!
!
line con 0
password trv
line aux 0
line vty 0 4
password tre
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
xxxxxxx#
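An added example, not part of any post in this thread: a small Python check that reports names an IOS running-config references but never defines (address pools, dynamic-maps, transform-sets, AAA lists, ACLs, crypto maps). The sample is constructed from names that appear in the config posted above and assumes sub-commands keep the leading indentation that `show running-config` normally prints; `dangling_references` is a hypothetical helper name.

```python
import re

# Constructed sample, modelled on names from the running-config posted above.
# Sub-commands are indented as IOS prints them (an assumption of this example).
SAMPLE = """\
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp client configuration group default
 pool SDM_POOL_1
 acl 100
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
crypto dynamic-map dmap 10
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
crypto map smap 5 ipsec-isakmp dynamic dmap
interface FastEthernet0/1
 crypto map SDM_CMAP_1
ip local pool vpnpool 192.168.3.50 192.168.3.70
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
"""

# (kind, regex whose group is a defined name, regex whose group is a referenced name)
RULES = [
    ("address pool", r"^ip local pool (\S+)", r"^[ \t]+pool (\S+)"),
    ("dynamic-map", r"^crypto dynamic-map (\S+) \d+", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("transform-set", r"^crypto ipsec transform-set (\S+)", r"^[ \t]+set transform-set (\S+)"),
    ("AAA login list", r"^aaa authentication login (\S+)", r"^crypto map \S+ client authentication list (\S+)"),
    ("AAA network list", r"^aaa authorization network (\S+)", r"^crypto map \S+ isakmp authorization list (\S+)"),
    ("access-list", r"^(?:ip )?access-list (?:extended |standard )?(\S+)", r"^[ \t]+acl (\S+)"),
    ("crypto map", r"^crypto map (\S+) ", r"^[ \t]+crypto map (\S+)$"),
]

def dangling_references(config):
    """Return (kind, name) for every referenced name that has no definition."""
    findings = []
    for kind, define_re, ref_re in RULES:
        defined = set(re.findall(define_re, config, re.M))
        for name in re.findall(ref_re, config, re.M):
            if name not in defined:
                findings.append((kind, name))
    return findings

if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE):
        print(f"{kind} '{name}' is referenced but not defined")
```
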
08-18-2008 05:44 AM
remove the following line
crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap
with
no crypto map MYCMAP 65535 ipsec-isakmp dynamic xxxvpn-dymap
and add the following line instead:
crypto map MYCMAP 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
also check the NATing config I have sent you previously
especially the deny statement in the ACL with
do it as I have done
and good luck
please, if helpful Rate
08-18-2008 06:01 AM
Will removing this line in the config and replacing it with the other one make the VPN work? Please kindly simulate and let me know if it will work this time, thanks.
08-18-2008 06:10 AM
Sorry, the one I sent you doesn't relate because you are already not using that map.
Keep your config as above and do the NATing as below:
no ip nat pool xxxxxxx 217.14.90.8 217.14.90.8 netmask 255.255.255.0
no ip nat inside source list 1 pool xxxxxxx overload
ip nat inside source list 110 interface fastethernet 0/1 overload
ip nat inside source static 172.16.3.2 217.14.90.8
ip nat inside source static tcp 172.16.3.2 25 217.14.90.9 25 extendable
ip nat inside source static tcp 172.16.3.2 80 217.14.90.9 80 extendable
ip nat inside source static tcp 172.16.3.2 110 217.14.90.9 110 extendable
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 110 deny ip 172.16.3.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 permit ip 172.16.3.0 0.0.0.255 any
and in the VPN client put the group name as default
and the password as the key you have put to that group
good luck
Before you make the VPN connection, make sure you can ping the outside interface of the router from the client computer.
08-18-2008 06:22 AM
My question is that will this new config work?
Will I be able to connect to the VPN server via the VPN client?
Did you test it before sending me these configs?
Please confirm cos once it works, I promise to rate it very high.
I am going to test today, thanks in advance, cheers.
08-18-2008 06:28 AM
First, I am not doing this to get rated.
Secondly, it should work
if you do it, and try to have a look at the following link as a reference
good luck
08-20-2008 03:54 AM
I have configured as you said but it did not work.