09-23-2008 07:57 AM - edited 02-21-2020 10:22 AM
I have the following config and I cannot get the client to pull an IP address:
crypto pki trustpoint dc-ho1
 enrollment mode ra
 enrollment url http://10.10.20.2:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn HOEDTVPN.edt.net
 ip-address none
 password 7 0350792F532D761F1B5B4F564E30525921
 subject-name O=EDT, OU=VPN, C=US, ST=Tx
 revocation-check crl
 rsakeypair HOEDTVPN.edt.net
 auto-enroll
!
!
!
crypto pki certificate map cert_map 10
 subject-name co ou = vpn
!
crypto isakmp policy 1
 encr 3des
crypto isakmp client configuration group VPN
 dns 10.10.20.2
 wins 10.10.20.2
 domain edg.net
 pool hoedtvpn
 acl 101
 netmask 255.255.255.128
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 client configuration address respond
 client configuration group VPN
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 20
 set transform-set ESP-3DES-SHA
crypto map vpnmap1 local-address GigabitEthernet0/1
crypto map vpnmap1 client configuration address respond
crypto map vpnmap1 20 ipsec-isakmp dynamic vpnclient
interface GigabitEthernet0/1
 description External Interface
 ip address 64.XX.XX.XXX 255.255.255.248
 ip access-group 111 in
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnmap1
ip local pool hoedtvpn 10.20.90.1 10.20.90.126
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.20.90.0 0.0.0.127
access-list 111 remark SDM_ACL Category=17
access-list 111 remark Auto generated by SDM for NTP (123) 10.10.20.2
access-list 111 permit udp host 10.10.20.2 eq ntp host 64.XX.xx.XXX eq ntp
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq telnet
access-list 111 permit gre any any
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 10000
If I assign the pool directly under ISAKMP it will work, but it does not provide the other needed attributes (DNS, WINS, etc.).
When I debug, I get:
Sep 23 14:48:24.090: ISAKMP:(7177):attributes sent in message:
Sep 23 14:48:24.090: Address: 0.2.0.0
Sep 23 14:48:24.090: ISAKMP:(7177):No IP address pool defined for ISAKMP!
Sep 23 14:48:24.090: ISAKMP:(7177):peer does not do paranoid keepalives.
Sep 23 14:48:24.090: ISAKMP:(7177):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 24.XXX.XX.XX)
Any ideas?
09-27-2008 02:38 AM
The config lacks the authorization part.
Use either the ISAKMP Profile:
isakmp authorization list list-name
Or:
crypto map map-name isakmp authorization list list-name
In general, I don't like your config as it uses both crypto map EasyVPN features and ISAKMP Profile EasyVPN features. If you are able to classify all of your EasyVPN users with Profiles, then don't use commands like "crypto map vpnmap1 client configuration address respond". Use the ISAKMP Profile command to configure it. Or, better, use ISAKMP Profiles and VTI interfaces.
Also, verify that your users are classified into the correct Profile with "show cry isa sa det" or "show cry isa peers det".
HTH
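The following is an added example, not part of either post and not a verified configuration from Cisco. It shows the ISAKMP-profile form of the authorization list the reply says is missing, wired to a local AAA network authorization list so that the group attributes (pool, dns, wins, acl) are handed to ISAKMP during mode-config, and the dynamic VTI alternative the reply recommends instead of the crypto map. The profile, trustpoint, certificate map, group and pool names are the ones from the original post; the list name "vpn-authz", the IPsec profile name "VTI-PROF" and the Virtual-Template number are assumptions.

```cisco
! Added example (not from the original post). "vpn-authz", "VTI-PROF" and
! Virtual-Template1 are assumed names; everything else reuses the post's names.
aaa new-model
! Network authorization is what returns the group attributes to ISAKMP;
! "local" means the group "VPN" defined on the router is used as the source.
aaa authorization network vpn-authz local
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 ! The missing piece: without this, ISAKMP never asks AAA for the group,
 ! hence "No IP address pool defined for ISAKMP!" in the debug.
 isakmp authorization list vpn-authz
 client configuration address respond
 client configuration group VPN
 ! Dynamic VTI: each authenticated client gets its own cloned tunnel interface
 virtual-template 1
!
crypto ipsec profile VTI-PROF
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN_client
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
```

With the VTI variant, the crypto map lines ("crypto map vpnmap1 ..." and "crypto map vpnmap1" under GigabitEthernet0/1) are removed, so the client configuration is driven only by the profile, which is the single-mechanism setup the reply asks for. After a client connects, "show crypto isakmp sa detail" should list the peer against the VPN_client profile, "show crypto isakmp peers detail" shows the attributes it received, and "show ip local pool hoedtvpn" should show one address from 10.20.90.1-126 in use; if the peer is not matched to the profile, check the certificate map "subject-name co ou = vpn" against the actual subject in the client's certificate.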