04-14-2009 11:57 AM - edited 02-21-2020 04:12 PM
Hello all, I cannot get my IOS firewall to accept a client-based IPSEC VPN connection. The Cisco client times out and I'm never challenged for a username and password. I've verified my group and pre-shared key on the client and router. I have put my relevant config below. Any help would be greatly appreciated.
version 12.4
boot system flash:uc500-advipservicesk9-mz.124-24.T.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound icmp
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group SMOVPN
key xxxxx
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
crypto isakmp profile VPNclient
match identity group SMOVPN
client authentication list default
isakmp authorization list default
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip address 11.11.11.10 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
ip local pool vpnpool 192.168.109.1 192.168.109.254
ip nat inside source list 1 interface FastEthernet0/0 overload
ip access-list extended outside_in
permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
permit esp any host 74.143.215.138
permit udp any host 74.143.215.138 eq isakmp
permit udp any host 74.143.215.138 eq non500-isakmp
permit ahp any host 74.143.215.138
permit gre any host 74.143.215.138
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
04-14-2009 01:07 PM
Here are some suggestions:
change this:
aaa authorization network groupauthor group radius
to this
aaa authorization network groupauthor local
(unless you are doing the group authorization on your RADIUS server, you need it local)
Choose whether or not to use ISAKMP profiles. If you choose to use them, get rid of these lines:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
AND change the following on your isakmp profile:
crypto isakmp profile VPNclient
isakmp authorization list groupauthor
Also, if you are going to use a list for user authentication, I would advise against using the default list, so go ahead and change this too under the isakmp profile:
client authentication list userauthen
If you go for not using isakmp profiles change the following:
no crypto isakmp profile VPNclient
crypto dynamic-map dynmap 10
no set isakmp-profile VPNclient
04-14-2009 01:32 PM
Thanks for responding. OK, I am going to be using RADIUS, so based on your comments I need to leave the aaa authorization network groupauthor group radius in. This is what I have now, but still no dice.
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group SMOVPN
key abc123
dns 192.168.10.2
domain business.local
pool vpnpool
acl 108
!
crypto isakmp profile VPNclient
match identity group SMOVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile VPNclient
reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip address 11.11.11.10 255.255.255.252
ip access-group outside_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect outbound out
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
ip access-list extended outside_in
permit esp any host 11.11.11.10
permit udp any host 11.11.11.10 eq isakmp
permit udp any host 11.11.11.10 eq non500-isakmp
permit ahp any host 11.11.11.10
permit gre any host 11.11.11.10
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
radius-server host 192.168.10.2 auth-port 1645 acct-port 1646 key 7 014655
04-14-2009 01:42 PM
Please answer this for me: is your RADIUS server configured to validate user accounts as well as VPN GROUP settings, or will your router do the VPN group authentication?
04-14-2009 01:49 PM
I just want the radius server to authenticate users. I am not even getting challenged for authentication though. I don't think it is getting past phase 1
04-14-2009 01:53 PM
It does not, because the router is forwarding the group authentication request to the RADIUS server; that is why I asked you to change:
aaa authorization network groupauthor group radius
to
aaa authorization network groupauthor local
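The root cause in this thread is easy to miss by eye: the ISAKMP profile matches a group that is defined locally (crypto isakmp client configuration group), but the profile's isakmp authorization list points at a method list that only says group radius, so the router asks RADIUS for the group attributes and Phase 1 stalls before Xauth ever prompts. The following is an added example, not part of the original thread or any Cisco tool: a small Python linter that parses the relevant IOS commands (tolerating the lost indentation of a pasted config), flags that mismatch, flags the two other points raised in the answer (Xauth on the default login list, and client settings duplicated at crypto-map level when a profile is also bound), and prints the fix. The three sample configs are constructed here, condensed from the two configs in the thread plus the final fix; the function and variable names are the example's own.

```python
# Added example (not from the original post): lint a Cisco IOS Easy VPN config
# for the group-authorization mistake diagnosed in this thread.
import re
from dataclasses import dataclass, field

# Sub-mode commands treated as children of the open block even when the pasted
# config has lost its indentation, as forum configs usually have.
_CHILDREN = {
    "group": ("key", "dns", "wins", "domain", "pool", "acl", "save-password"),
    "profile": ("match identity", "client authentication list",
                "isakmp authorization list", "client configuration address"),
    "dynmap": ("set ", "reverse-route", "match address"),
}

@dataclass
class IosCrypto:
    authz_lists: dict = field(default_factory=dict)  # 'aaa authorization network' list -> methods
    local_groups: set = field(default_factory=set)   # crypto isakmp client configuration group
    profiles: dict = field(default_factory=dict)     # ISAKMP profile -> {groups, authn, authz}
    dynmaps: dict = field(default_factory=dict)      # dynamic-map -> bound ISAKMP profile
    map_global: dict = field(default_factory=dict)   # crypto map -> map-level client settings

def parse_ios(text: str) -> IosCrypto:
    cfg, block = IosCrypto(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"aaa authorization network (\S+) (.+)", line):
            cfg.authz_lists[m[1]] = m[2].split(); block = None
        elif m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            cfg.local_groups.add(m[1]); block = ("group", m[1])
        elif m := re.match(r"crypto isakmp profile (\S+)", line):
            cfg.profiles[m[1]] = {"groups": set(), "authn": None, "authz": None}
            block = ("profile", m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            cfg.dynmaps.setdefault(m[1], None); block = ("dynmap", m[1])
        elif m := re.match(r"crypto map (\S+) ((?:client|isakmp) \S+ (?:list|address)) \S+", line):
            cfg.map_global.setdefault(m[1], set()).add(m[2]); block = None
        elif block and (raw[:1].isspace() or line.startswith(_CHILDREN[block[0]])):
            kind, name = block
            if kind == "profile":
                p = cfg.profiles[name]
                if m := re.match(r"match identity group (\S+)", line): p["groups"].add(m[1])
                elif m := re.match(r"client authentication list (\S+)", line): p["authn"] = m[1]
                elif m := re.match(r"isakmp authorization list (\S+)", line): p["authz"] = m[1]
            elif kind == "dynmap" and (m := re.match(r"set isakmp-profile (\S+)", line)):
                cfg.dynmaps[name] = m[1]
        else:
            block = None  # any other top-level command closes the open block
    return cfg

def lint(text: str) -> list[str]:
    cfg, out = parse_ios(text), []  # empty result means the config passes these checks
    for name, p in cfg.profiles.items():
        local = sorted(p["groups"] & cfg.local_groups)
        methods = cfg.authz_lists.get(p["authz"], [])
        if local and "local" not in methods:
            lst, how = p["authz"] or "<list>", (f"is '{' '.join(methods)}'" if methods else "is not defined")
            out.append(f"ERROR profile {name}: group(s) {local} are defined on the router but "
                       f"authorization list '{lst}' {how}, so the group attributes are never "
                       f"looked up locally and Xauth never starts. "
                       f"Fix: aaa authorization network {lst} local")
        if p["authn"] == "default":
            out.append(f"WARN profile {name}: Xauth uses the 'default' login list; give it a "
                       "dedicated list (aaa authentication login <name> group radius)")
    if any(cfg.dynmaps.values()):  # an ISAKMP profile is bound through a dynamic map
        for mapname, keys in cfg.map_global.items():
            out.append(f"WARN crypto map {mapname}: {', '.join(sorted(keys))} also set at "
                       "crypto-map level; configure these in the profile or the map, not both")
    return out

# Constructed sample, condensed from the first config posted in the thread.
ORIGINAL = """\
aaa authorization network groupauthor group radius
crypto isakmp client configuration group SMOVPN
key xxxxx
crypto isakmp profile VPNclient
match identity group SMOVPN
client authentication list default
isakmp authorization list default
client configuration address respond
crypto dynamic-map dynmap 10
set isakmp-profile VPNclient
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""
# The poster's second attempt: named lists in the profile, map-level settings removed.
REVISED = re.sub(r"crypto map \S+ (?:client|isakmp) .*\n", "", ORIGINAL).replace(
    "list default\nisakmp authorization list default",
    "list userauthen\nisakmp authorization list groupauthor")
# The change that finally produced the Xauth prompt: group authorization done locally.
FIXED = REVISED.replace("groupauthor group radius", "groupauthor local")

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("revised", REVISED), ("fixed", FIXED)):
        print(f"--- {label}:", *lint(text), sep="\n")
```

Run it against a `show running-config` paste and it reports the same three-stage story as the thread: the first config gets an ERROR (the profile's list default is never defined for network authorization) plus two warnings about the default Xauth list and the duplicated crypto-map settings; the second attempt is down to the single ERROR that groupauthor is group radius while SMOVPN lives on the router; the fixed config is clean. User authentication (Xauth) can still go to RADIUS through a separate aaa authentication login list, which is exactly the split the poster wanted.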
04-14-2009 01:57 PM
You are exactly right. That got me to the username and password challenge. That part isn't working yet, but I need to investigate that a bit. Thanks for your help.