vpn client address assignment with certificate authentication

jdedon
Level 1

I have the following config and I cannot get the client to pull an IP address:

crypto pki trustpoint dc-ho1
 enrollment mode ra
 enrollment url http://10.10.20.2:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn HOEDTVPN.edt.net
 ip-address none
 password 7 0350792F532D761F1B5B4F564E30525921
 subject-name O=EDT, OU=VPN, C=US, ST=Tx
 revocation-check crl
 rsakeypair HOEDTVPN.edt.net
 auto-enroll
!
crypto pki certificate map cert_map 10
 subject-name co ou = vpn
!
crypto isakmp policy 1
 encr 3des
!
crypto isakmp client configuration group VPN
 dns 10.10.20.2
 wins 10.10.20.2
 domain edg.net
 pool hoedtvpn
 acl 101
 netmask 255.255.255.128
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 client configuration address respond
 client configuration group VPN
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpnclient 20
 set transform-set ESP-3DES-SHA
!
crypto map vpnmap1 local-address GigabitEthernet0/1
crypto map vpnmap1 client configuration address respond
crypto map vpnmap1 20 ipsec-isakmp dynamic vpnclient
!
interface GigabitEthernet0/1
 description External Interface
 ip address 64.XX.XX.XXX 255.255.255.248
 ip access-group 111 in
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnmap1
!
ip local pool hoedtvpn 10.20.90.1 10.20.90.126
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.20.90.0 0.0.0.127
access-list 111 remark SDM_ACL Category=17
access-list 111 remark Auto generated by SDM for NTP (123) 10.10.20.2
access-list 111 permit udp host 10.10.20.2 eq ntp host 64.XX.xx.XXX eq ntp
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq telnet
access-list 111 permit gre any any
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 10000

If I assign the pool directly under isakmp it will work, but it does not provide the other needed attributes (DNS, WINS, etc.).

When debugging I get:

Sep 23 14:48:24.090: ISAKMP:(7177):attributes sent in message:
Sep 23 14:48:24.090: Address: 0.2.0.0
Sep 23 14:48:24.090: ISAKMP:(7177):No IP address pool defined for ISAKMP!
Sep 23 14:48:24.090: ISAKMP:(7177):peer does not do paranoid keepalives.
Sep 23 14:48:24.090: ISAKMP:(7177):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 24.XXX.XX.XX)

Any ideas?


ovt
Level 4

The config lacks the authorization part:

Use either ISAKMP Profile:

isakmp authorization list list-name

Or:

crypto map map-name isakmp authorization list list-name

In general, I don't like your config as it uses both crypto map EasyVPN features and ISAKMP Profile EasyVPN features. If you are able to classify all of your EasyVPN users with Profiles then don't use commands like "crypto map vpnmap1 client configuration address respond". Use the ISAKMP Profile command to configure it. Or better, use ISAKMP Profiles and VTI interfaces.

Also, verify that your users are classified into the correct Profile with "show cry isa sa det" or "show cry isa peers det".

HTH
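The authorization piece the reply describes, written out as an added configuration example (this is not the poster's config nor the reply author's). It keeps the poster's group, pool, trustpoint and certificate-map names and assumes three new names: a local AAA authorization list VPN_AUTHOR, an IPsec profile VPN_IPSEC and Virtual-Template1 for the VTI variant the reply recommends.

```cisco
! Added example, not from the original post. Gives the ISAKMP profile an
! authorization list so Mode Config can hand out the pool, DNS, WINS and
! split-tunnel ACL defined under group VPN, and moves the clients from the
! crypto map onto a dynamic VTI.
! Assumed names: VPN_AUTHOR, VPN_IPSEC, Virtual-Template1.
aaa new-model
! Group attributes are looked up in the router's local "crypto isakmp client
! configuration group" definitions rather than on a RADIUS server.
aaa authorization network VPN_AUTHOR local
!
! Existing group, unchanged: these are the attributes pushed to the client
crypto isakmp client configuration group VPN
 dns 10.10.20.2
 wins 10.10.20.2
 domain edg.net
 pool hoedtvpn
 acl 101
 netmask 255.255.255.128
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 ! The line the original profile was missing: without it the router has no
 ! way to resolve group VPN, hence "No IP address pool defined for ISAKMP!"
 isakmp authorization list VPN_AUTHOR
 client configuration address respond
 client configuration group VPN
 ! Bind peers matched by this profile to the VTI instead of a crypto map
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_IPSEC
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN_client
!
! Dynamic VTI: one Virtual-Access interface is cloned per connected client.
! With this in place "crypto map vpnmap1" is no longer needed on Gi0/1.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_IPSEC
!
ip local pool hoedtvpn 10.20.90.1 10.20.90.126
```

After a client connects, "show crypto session" lists the cloned Virtual-Access interface for that peer and "show ip local pool hoedtvpn" shows the address that was handed out.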
