VPN Client config

Answered Question
Aug 19th, 2008

Hi,

How do I configure a VPN client on a Cisco router? Please let me know a sample configuration.

Regards,


ntmanjunath Tue, 08/19/2008 - 23:08

Hi,


Can you please give a simple configuration for the VPN client? This would be more complicated.

Just for two to three users to access.


Regards


Marwan ALshawi Wed, 08/20/2008 - 00:01

RTRA(config)# aaa new-model
RTRA(config)# aaa authentication login vpnclient local
RTRA(config)# aaa authorization network localgroups local
RTRA(config)# username user1 secret user1
RTRA(config)# username user2 secret user2
RTRA(config)# username vpnuser secret 12345
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp keepalive 20 3
RTRA(config)# ip local pool pool1 192.168.0.200 192.168.0.219

RTRA(config)# ip access-list extended splitremote
RTRA(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any
RTRA(config-ext-nacl)# exit

RTRA(config)# crypto isakmp client configuration group admin
RTRA(config-isakmp-group)# key admin123
RTRA(config-isakmp-group)# pool pool1
RTRA(config-isakmp-group)# domain cisco.com
RTRA(config-isakmp-group)# acl splitremote
RTRA(config-isakmp-group)# exit

RTRA(config)# crypto ipsec transform-set clienttransform esp-aes esp-sha-hmac
RTRA(cfg-crypto-tran)# exit
RTRA(config)# crypto dynamic-map dynmap 10
RTRA(config-crypto-m)# set transform-set clienttransform
RTRA(config-crypto-m)# exit
RTRA(config)# crypto map mymap client authentication list vpnclient
RTRA(config)# crypto map mymap isakmp authorization list localgroups
RTRA(config)# crypto map mymap client configuration address respond
RTRA(config)# crypto map mymap 1000 ipsec-isakmp dynamic dynmap
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# description Local LAN
RTRA(config-if)# ip address 192.168.0.1 255.255.255.0


Just change the IP addresses to your IPs.

If you need any more details, post it here.

If helpful, rate.



ntmanjunath Wed, 08/20/2008 - 01:49

Hi,

When I try to connect the VPN client, it shows the reason below.

Reason 414 failed to establish a TCP Connection

Username admin
password admin123


MY ROUTER CONFIGURATION


sh run
Building configuration...

Current configuration : 1405 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login vpnclient local
!
!
aaa session-id common
ip cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
username manju secret 5 $1$mMhL$NYG27PsAEJ3vUB6CwoqGs.
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 203
!
crypto isakmp client configuration group admin
 key admin123
 domain cisco.com
 pool pool1
 acl splitremote
!
!
crypto ipsec transform-set client esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set client
!
!
crypto map mymap client authentication list vpnclient
crypto map mymap isakmp authorization list localgroup
crypto map mymap client configuration address respond
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
!
ip local pool pool1 10.97.37.0 10.97.37.210
!
!
no ip http server
no ip http secure-server
!
ip access-list extended splitremote
 permit ip 10.97.0.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
line vty 4
 password cisco


ntmanjunath Wed, 08/20/2008 - 03:11

The error while connecting to the router is

"remote peer is no longer responding"

Please check the above-said configuration and confirm the problem.

Marwan ALshawi Wed, 08/20/2008 - 04:09

Change the following: the address pool.

Do:

no ip local pool pool1 10.97.37.0 10.97.37.210

then

ip local pool pool1 192.168.1.1 192.168.1.110

Now do the following:

username vpnuser password vpn123

Now, when you configure the Cisco VPN client, there is an option to put the host IP, which is the outside router IP,
and there is a place to put the group name and password.
That is where you put group name admin, password admin123.

Then when you connect you will get a popup window asking you for a username and password.
Put the one we have just created: vpnuser and pass vpn123.
You can create more users.

You need to add the following in order to make the authentication and authorization:

aaa new-model
aaa authentication login vpnclient local
aaa authorization network localgroups local

And the FINAL IMPORTANT thing is to APPLY the crypto VPN map to the interface you are going to connect to; I will assume you use the serial interface:

interface Serial0
 crypto map mymap

Check it, make sure all the comments are done properly, then let me know.

Good luck

And if helpful, rate.






ntmanjunath Wed, 08/20/2008 - 05:49

It's not connecting, and it shows this on the router:

*Mar 3 05:31:27.633: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.97.37.83

Regards,

Marwan ALshawi Wed, 08/20/2008 - 16:31

Can you post your router config after the last change and tell me what you put on the VPN client?

ntmanjunath Wed, 08/20/2008 - 19:37

Hi,


I am using this setup only for testing the VPN connection in my test lab. My local LAN IP network is 10.97.37.0/24; in the same LAN I connected one PC (IP 10.97.37.83) and installed the VPN client software.

For the VPN client I am using user name admin and password admin123.

I used pool1 10.97.37.1 10.97.37.210 since I am using the same network.

Please go through my configuration after the last change.


AIRTEL-DELHI#sh run
Building configuration...

Current configuration : 1514 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AIRTEL-DELHI
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret xxx
enable password xxx
!
aaa new-model
!
!
aaa authentication login vpnclient local
aaa authorization network localgroups local
!
aaa session-id common
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
username manju password 0 cisco
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 203

crypto isakmp client configuration group admin
 key admin123
 domain cisco.com
 pool pool1
 acl splitremote
!
!
crypto ipsec transform-set client esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set client
!
!
crypto map mymap client authentication list vpnclient
crypto map mymap isakmp authorization list localgroup
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
 speed auto
 crypto map mymap
!
interface Serial0
 description AIRTEL-BANG [192.168.10.2]
 ip address 192.168.10.1 255.255.255.252
!
ip local pool pool1 10.97.37.1 10.97.37.210
!
!
no ip http server
no ip http secure-server
!
ip access-list extended splitremote
 permit ip 10.97.37.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 3
line vty 4
 password cisco
!
end
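
An added example, not part of the original thread and not Cisco tooling: a small Python check over a running-config of the shape posted above. It flags an AAA list named by the crypto map but never defined, a crypto map not applied to any interface, a client pool overlapping a connected subnet, and `username ... password` entries stored in cleartext. The sample config is constructed from names seen in this thread, and the function name `lint` is hypothetical.

```python
import ipaddress
import re

# Constructed sample combining lines of the kind seen in the configs posted in this thread.
SAMPLE = """\
aaa new-model
aaa authentication login vpnclient local
aaa authorization network localgroups local
username manju password 0 cisco
crypto map mymap client authentication list vpnclient
crypto map mymap isakmp authorization list localgroup
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 10.97.37.212 255.255.255.0
interface Serial0
 ip address 192.168.10.1 255.255.255.252
ip local pool pool1 10.97.37.1 10.97.37.210
"""

def lint(config):
    """Return sorted findings for an IOS VPN-client (Easy VPN server) config."""
    text = "\n".join(l.strip() for l in config.splitlines())
    findings = []
    # AAA method lists that exist, as (type, name) pairs.
    defined = set(re.findall(r"^aaa (authentication login|authorization network) (\S+)", text, re.M))
    # A list named by the crypto map must exist under the matching AAA type.
    for kind, aaa in (("client authentication", "authentication login"),
                      ("isakmp authorization", "authorization network")):
        for cmap, name in re.findall(rf"^crypto map (\S+) {kind} list (\S+)", text, re.M):
            if (aaa, name) not in defined:
                findings.append(f"crypto map {cmap}: aaa {aaa} list '{name}' is not defined")
    # A bare "crypto map NAME" line only occurs under an interface.
    applied = set(re.findall(r"^crypto map (\S+)$", text, re.M))
    for cmap in set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", text, re.M)) - applied:
        findings.append(f"crypto map {cmap} is not applied to any interface")
    # A pool endpoint inside a directly connected subnet means the pool overlaps it.
    nets = [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^ip address (\S+) (\S+)$", text, re.M)]
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", text, re.M):
        for net in nets:
            if ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net:
                findings.append(f"pool {pool} overlaps connected subnet {net}")
    # 'username ... password' keeps the credential recoverable; 'secret' stores a hash.
    for user in re.findall(r"^username (\S+) password ", text, re.M):
        findings.append(f"username {user} uses 'password' (cleartext), not 'secret'")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```
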



Correct Answer
Marwan ALshawi Wed, 08/20/2008 - 20:04

The config looks OK now.

But as I told you,

on the client VPN software there is a group name and password.

Put the group name as admin and password as admin 123.

Once phase one of the VPN setup is done, you will be prompted to enter a username and password. At this stage, use one of the usernames and passwords you created, such as

manju and pass cisco

Good luck

Please, if helpful, rate,

and let me know if it worked or not.

ntmanjunath Wed, 08/20/2008 - 21:52

Hi,


Thanks for your support... There was a command in my router, "multilink bundle-name authenticated"; due to that it was not working. After removing it, it's working fine now....


Bye

Marwan ALshawi Wed, 08/20/2008 - 22:13

Cool, I'm glad it's working now :)
