IOS IPSEC VPN client configuration Issue

Answered Question
Apr 14th, 2009

Hello all, I cannot get my IOS firewall to accept a client-based IPsec VPN connection. The Cisco client times out and I'm never challenged for a username and password. I've verified my group and pre-shared key on the client and router. I have put my relevant config below. Any help would be greatly appreciated.


version 12.4
boot system flash:uc500-advipservicesk9-mz.124-24.T.bin

aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius

ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound icmp

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key xxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108

crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list default
 isakmp authorization list default
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outbound out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap

ip local pool vpnpool 192.168.109.1 192.168.109.254

ip nat inside source list 1 interface FastEthernet0/0 overload

ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
 permit esp any host 74.143.215.138
 permit udp any host 74.143.215.138 eq isakmp
 permit udp any host 74.143.215.138 eq non500-isakmp
 permit ahp any host 74.143.215.138
 permit gre any host 74.143.215.138

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255

access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

Correct Answer by Ivan Martinon (Cisco Employee), Tue, 04/14/2009 - 13:07

Here are some suggestions:

change this:

aaa authorization network groupauthor group radius

to this

aaa authorization network groupauthor local

(unless you are doing the group authorization on your RADIUS server, you need it local)

Choose whether or not to use ISAKMP profiles, and if you choose to go with them, get rid of these lines:

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond

AND change the following on your isakmp profile:

crypto isakmp profile VPNclient
 isakmp authorization list groupauthor

Also, if you are going to use a list for user authentication, I would advise avoiding the default list, so go ahead and change this too under the isakmp profile:

 client authentication list userauthen

If you go for not using isakmp profiles, change the following:

no crypto isakmp profile VPNclient

crypto dynamic-map dynmap 10
 no set isakmp-profile VPNclient

joneschw1 Tue, 04/14/2009 - 13:32

Thanks for responding. OK, I am going to be using RADIUS, so based on your comments I need to leave the aaa authorization network groupauthor group radius in. This is what I have now, but still no dice.

aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key abc123
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
!
crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outbound out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap

ip access-list extended outside_in
 permit esp any host 11.11.11.10
 permit udp any host 11.11.11.10 eq isakmp
 permit udp any host 11.11.11.10 eq non500-isakmp
 permit ahp any host 11.11.11.10
 permit gre any host 11.11.11.10

access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

radius-server host 192.168.10.2 auth-port 1645 acct-port 1646 key 7 014655



Ivan Martinon Tue, 04/14/2009 - 13:42
User Badges: Cisco Employee

Answer this for me please: is your RADIUS server configured to validate user accounts as well as VPN group settings, or will your router do the VPN group authentication?

joneschw1 Tue, 04/14/2009 - 13:49

I just want the RADIUS server to authenticate users. I am not even getting challenged for authentication, though. I don't think it is getting past phase 1.

Ivan Martinon Tue, 04/14/2009 - 13:53
User Badges: Cisco Employee

It does not, because the router is forwarding the group authentication request to the RADIUS server; that is why I asked you to change from:

aaa authorization network groupauthor group radius

to

aaa authorization network groupauthor local

joneschw1 Tue, 04/14/2009 - 13:57

You are exactly right. That got me to the username and password challenge. That part isn't working yet, but I need to investigate that a bit. Thanks for your help.
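The root cause confirmed above (the `aaa authorization network` list that the isakmp profile points at sends the group lookup to RADIUS while the group SMOVPN is defined on the router, so phase 1 never completes and the client times out before any XAUTH prompt) is easy to miss by eye, because the AAA list names, the isakmp profile, the crypto map and the interface ACL are wired together across different parts of the config. The Python lint below is an added example, not code from the thread or from Cisco. It splits a config as it appears in a forum post (indentation stripped; the list of top-level keywords it uses to find section boundaries is an assumption of this example), then checks four things: every `isakmp authorization list` that a profile or crypto map references exists; such a list contains `local` whenever `crypto isakmp client configuration group` entries are defined on the router; AAA commands are not set on both the crypto map and an isakmp profile (the overlap the answer says to remove); and the inbound ACL on the crypto-map interface permits ISAKMP (udp/500), NAT-T (udp/4500) and ESP to the interface's own address. That last check would also fire on the first post's ACL, where the permits name 74.143.215.138 while the interface holds 11.11.11.10; whether that is a redaction slip or a real mismatch, a real one produces exactly the same client timeout. SAMPLE is a condensed copy of the second posted config with the keys removed, used here as constructed input.

```python
"""Lint a flattened IOS remote-access VPN config for the AAA and ACL wiring problems in
this thread. Added example, not code from the thread or from Cisco. Forum posts lose IOS
indentation, so the top-level keyword list below (an assumption) is used to split sections."""
import re

TOP = re.compile(r"^(aaa |crypto (isakmp|ipsec|dynamic-map|map) |interface |ip access-list |"
                 r"ip local pool |ip nat inside |ip inspect name |access-list |radius-server |version |boot )")

def sections(text):
    header, body = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "!":
            continue
        # a bare 'crypto map NAME' under an interface binds the map; it is not a global command
        top = TOP.match(line) and not (header and header.startswith("interface ")
                                       and re.fullmatch(r"crypto map \S+", line))
        if top:
            if header:
                yield header, body
            header, body = line, []
        else:
            body.append(line)
    if header:
        yield header, body

def lint(text):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings, login, network, groups, profiles, maps, ifaces, acls = [], {}, {}, set(), {}, {}, {}, {}
    for header, body in sections(text):
        t = header.split()
        if header.startswith("aaa authentication login "):
            login[t[3]] = t[4:]                                  # list name -> method keywords
        elif header.startswith("aaa authorization network "):
            network[t[3]] = t[4:]
        elif header.startswith("crypto isakmp client configuration group "):
            groups.add(t[5])                                     # VPN groups defined on the router
        elif header.startswith("crypto isakmp profile "):
            profiles[t[3]] = body
        elif re.match(r"crypto map \S+ (client|isakmp) ", header):
            maps.setdefault(t[2], []).append(" ".join(t[3:]))   # AAA commands placed on the map
        elif header.startswith("interface "):
            ifaces[t[1]] = body
        elif header.startswith("ip access-list extended "):
            acls[t[3]] = body

    def check_authz(owner, cmds):
        for cmd in cmds:
            m = re.match(r"isakmp authorization list (\S+)", cmd)
            if not m:
                continue
            methods = network.get(m.group(1))
            if methods is None:
                findings.append(f"{owner}: network authorization list {m.group(1)} is not defined")
            elif groups and "local" not in methods:
                # the thread's bug: the group lives on the router, but its lookup is sent to RADIUS
                findings.append(f"{owner}: groups {sorted(groups)} are defined locally but list "
                                f"{m.group(1)} uses {' '.join(methods)}, so phase 1 cannot finish")

    for name, body in profiles.items():
        check_authz(f"isakmp profile {name}", body)
    for name, cmds in maps.items():
        check_authz(f"crypto map {name}", cmds)
        if profiles:
            findings.append(f"crypto map {name}: AAA commands set on both the map and an isakmp profile")
    for name, body in ifaces.items():
        addr = next((ln.split()[2] for ln in body if ln.startswith("ip address ")), None)
        acl = next((ln.split()[2] for ln in body if re.fullmatch(r"ip access-group \S+ in", ln)), None)
        if not (addr and acl and any(re.fullmatch(r"crypto map \S+", ln) for ln in body)):
            continue
        for what, pat in (("ISAKMP udp/500", r"permit udp any host {ip} eq isakmp"),
                          ("NAT-T udp/4500", r"permit udp any host {ip} eq non500-isakmp"),
                          ("ESP", r"permit esp any host {ip}")):
            if not any(re.fullmatch(pat.format(ip=re.escape(addr)), r) for r in acls.get(acl, [])):
                findings.append(f"interface {name}: ACL {acl} does not permit {what} to {addr}")
    return findings

# Condensed copy of the second config posted in the thread (keys removed), used as constructed input.
SAMPLE = """\
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto isakmp client configuration group SMOVPN
crypto isakmp profile VPNclient
client authentication list userauthen
isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip address 11.11.11.10 255.255.255.252
ip access-group outside_in in
crypto map clientmap
ip access-list extended outside_in
permit esp any host 11.11.11.10
permit udp any host 11.11.11.10 eq isakmp
permit udp any host 11.11.11.10 eq non500-isakmp
"""
FIXED = SAMPLE.replace("groupauthor group radius", "groupauthor local")

if __name__ == "__main__":
    print("as posted:", lint(SAMPLE), "\nafter fix:", lint(FIXED))
```

Run as a script it prints one finding for the posted config (the groupauthor list uses `group radius` while SMOVPN is local) and none after the one-line change Ivan suggested; because every line is stripped before matching, the same lint accepts an indented running-config as well as the flattened form above. It only covers the wiring discussed in this thread; a clean result says nothing about the RADIUS side of XAUTH, which the last post notes was still unresolved.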
