vpn client address assignment with certificate authentication

Unanswered Question
Sep 23rd, 2008

I have the following config and I cannot get the client to pull an IP address:

crypto pki trustpoint dc-ho1
 enrollment mode ra
 enrollment url
 serial-number none
 fqdn HOEDTVPN.edt.net
 ip-address none
 password 7 0350792F532D761F1B5B4F564E30525921
 subject-name O=EDT, OU=VPN, C=US, ST=Tx
 revocation-check crl
 rsakeypair HOEDTVPN.edt.net
!
crypto pki certificate map cert_map 10
 subject-name co ou = vpn
!
crypto isakmp policy 1
 encr 3des
!
crypto isakmp client configuration group VPN
 domain edg.net
 pool hoedtvpn
 acl 101
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 client configuration address respond
 client configuration group VPN
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpnclient 20
 set transform-set ESP-3DES-SHA
!
crypto map vpnmap1 local-address GigabitEthernet0/1
crypto map vpnmap1 client configuration address respond
crypto map vpnmap1 20 ipsec-isakmp dynamic vpnclient
!
interface GigabitEthernet0/1
 description External Interface
 ip address 64.XX.XX.XXX
 ip access-group 111 in
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnmap1
!
ip local pool hoedtvpn
!
access-list 101 permit ip
access-list 111 remark SDM_ACL Category=17
access-list 111 remark Auto generated by SDM for NTP (123)
access-list 111 permit udp host eq ntp host 64.XX.xx.XXX eq ntp
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq telnet
access-list 111 permit gre any any
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 10000

If I assign the pool directly under isakmp it will work, but it does not provide the other needed attributes (DNS, WINS, etc.).

When debugging I get:

Sep 23 14:48:24.090: ISAKMP:(7177):attributes sent in message:
Sep 23 14:48:24.090: Address:
Sep 23 14:48:24.090: ISAKMP:(7177):No IP address pool defined for ISAKMP!
Sep 23 14:48:24.090: ISAKMP:(7177):peer does not do paranoid keepalives.
Sep 23 14:48:24.090: ISAKMP:(7177):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 24.XXX.XX.XX)

Any ideas?


The config lacks the authorization part.

Use either the ISAKMP Profile command:

 isakmp authorization list list-name

or the crypto map command:

 crypto map map-name isakmp authorization list list-name

In general, I don't like your config as it uses both crypto map EasyVPN features and ISAKMP Profile EasyVPN features. If you are able to classify all of your EasyVPN users with Profiles, then don't use commands like "crypto map vpnmap1 client configuration address respond". Use the ISAKMP Profile command to configure it. Or better, use ISAKMP Profiles and VTI interfaces.

Also, verify that your users are classified into the correct Profile with "show cry isa sa det" or "show cry isa peers det".
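Putting the two suggestions in the reply together, here is one way the profile side of the poster's configuration could look with a network authorization list added and the crypto map replaced by a dynamic VTI. This is an added example, not the reply author's configuration and not taken from the original post. The AAA list name VPN_AUTHOR, the IPsec profile name VPN_PROF, the Virtual-Template number, the pool range and the DNS/WINS addresses (taken from the RFC 5737 documentation range) are placeholders chosen for the example; the trustpoint, certificate map, group and transform-set names are the ones from the question.

```cisco
! Added example, not from the original post. Names marked PLACEHOLDER are assumptions.
!
! 1. The missing piece: a network authorization list. Without it the
!    attributes under "crypto isakmp client configuration group" are never
!    looked up, which is what "No IP address pool defined for ISAKMP!" reports.
aaa new-model
! PLACEHOLDER list name, local lookup of the group
aaa authorization network VPN_AUTHOR local
!
! 2. The pool and the group attributes pushed to the client after authorization.
! PLACEHOLDER range (RFC 5737 documentation addresses)
ip local pool hoedtvpn 192.0.2.10 192.0.2.100
!
crypto isakmp client configuration group VPN
 domain edg.net
 pool hoedtvpn
 acl 101
 dns 192.0.2.53
 wins 192.0.2.54
!
! 3. The profile classifies the peer by certificate and names the list.
!    "virtual-template 1" ties matching peers to the DVTI below.
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 isakmp authorization list VPN_AUTHOR
 client configuration address respond
 client configuration group VPN
 virtual-template 1
!
! 4. Dynamic VTI replaces "crypto map vpnmap1" on GigabitEthernet0/1,
!    so the crypto map and dynamic-map lines from the question are removed.
! PLACEHOLDER profile name
crypto ipsec profile VPN_PROF
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN_client
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROF
```

If the crypto map is kept instead of the VTI, the equivalent fix is the reply's second form, "crypto map vpnmap1 isakmp authorization list VPN_AUTHOR", in place of the "isakmp authorization list" line in the profile. After a client connects, "show crypto isakmp sa detail" should show the peer bound to profile VPN_client; if it lands in no profile, the certificate map (OU = VPN in the subject) is what to check first.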
