IOS IPSEC VPN client configuration Issue

joneschw1 (Level 1)

Hello all, I cannot get my IOS firewall to accept a client-based IPSEC VPN connection. The Cisco client times out and I'm never challenged for a username and password. I've verified my group and pre-shared key on the client and router. I have put my relevant config below. Any help would be greatly appreciated.

version 12.4
boot system flash:uc500-advipservicesk9-mz.124-24.T.bin
!
aaa new-model
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
!
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound icmp
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key xxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list default
 isakmp authorization list default
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outbound out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
ip local pool vpnpool 192.168.109.1 192.168.109.254
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
 permit esp any host 74.143.215.138
 permit udp any host 74.143.215.138 eq isakmp
 permit udp any host 74.143.215.138 eq non500-isakmp
 permit ahp any host 74.143.215.138
 permit gre any host 74.143.215.138
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255

Accepted Solution

Ivan Martinon (Level 7)

Here are some suggestions:

change this:

aaa authorization network groupauthor group radius

to this

aaa authorization network groupauthor local

(unless you are using group authorization on your RADIUS server, you need it local)

Choose whether you are using ISAKMP profiles. If you choose to go with them, get rid of these lines:

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

AND change the following on your isakmp profile:

crypto isakmp profile VPNclient

isakmp authorization list groupauthor

Also, if you are going to use a list for user authentication, I would advise avoiding the default list, so go ahead and change this too under the isakmp profile:

client authentication list userauthen

If you go for not using isakmp profiles, change the following:

no crypto isakmp profile VPNclient

crypto dynamic-map dynmap 10
 no set isakmp-profile VPNclient

Thanks for responding. OK, I am going to be using RADIUS, so based on your comments I need to leave the aaa authorization network groupauthor group radius in. This is what I have now, but still no dice.

aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key abc123
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
!
crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outbound out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
ip access-list extended outside_in
 permit esp any host 11.11.11.10
 permit udp any host 11.11.11.10 eq isakmp
 permit udp any host 11.11.11.10 eq non500-isakmp
 permit ahp any host 11.11.11.10
 permit gre any host 11.11.11.10
!
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
!
radius-server host 192.168.10.2 auth-port 1645 acct-port 1646 key 7 014655

Answer this for me please: is your RADIUS server configured to validate user accounts as well as VPN group settings, or will your router do the VPN group authentication?

I just want the RADIUS server to authenticate users. I am not even getting challenged for authentication, though. I don't think it is getting past phase 1.

It does not, because the router is forwarding the group authentication request to the RADIUS server. That is why I asked you to change from:

aaa authorization network groupauthor group radius

to

aaa authorization network groupauthor local

You are exactly right. That got me to the username and password challenge. That part isn't working yet, but I need to investigate that a bit. Thanks for your help.
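The root cause in this thread is an AAA list mismatch: the VPN group SMOVPN is defined on the router, but the authorization list that the ISAKMP profile and crypto map name for group lookup sends the request to RADIUS. The following is an added checker, not code from the thread or from Cisco, that parses an IOS config text and flags exactly that mismatch; the SAMPLE_CONFIG is a constructed excerpt modelled on the original post.

```python
import re

# Constructed sample modelled on the thread's first config: the VPN group
# SMOVPN lives on the router, but group authorization is sent to RADIUS.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor group radius
crypto isakmp client configuration group SMOVPN
 key xxxxx
 pool vpnpool
crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list default
 isakmp authorization list default
crypto map clientmap isakmp authorization list groupauthor
"""

def parse_config(text):
    """Collect AAA network-authorization lists, locally defined VPN groups,
    and the list names that ISAKMP profiles / crypto maps use for group authz."""
    authz_lists = {}      # list name -> method string ('group radius', 'local', ...)
    local_groups = set()  # groups from 'crypto isakmp client configuration group'
    authz_refs = set()    # list names named in 'isakmp authorization list'
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"aaa authorization network (\S+) (.+)$", s):
            authz_lists[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", s):
            local_groups.add(m.group(1))
        elif m := re.match(r"(?:crypto map \S+ )?isakmp authorization list (\S+)$", s):
            authz_refs.add(m.group(1))
    return authz_lists, local_groups, authz_refs

def check_group_authz(text):
    """Return one finding per group-authorization list that cannot resolve
    the router's own VPN groups (an empty list means the config is consistent)."""
    authz_lists, local_groups, authz_refs = parse_config(text)
    findings = []
    for name in sorted(authz_refs):
        method = authz_lists.get(name)
        if method is None:
            findings.append(f"list '{name}' is referenced but never defined with "
                            f"'aaa authorization network {name} ...'")
        elif local_groups and "local" not in method.split():
            findings.append(f"list '{name}' uses '{method}', so the group lookup "
                            f"for {sorted(local_groups)} goes to RADIUS, not the router")
    return findings
```

Running check_group_authz over the sample reports both the undefined default list and the RADIUS-bound groupauthor list; after applying the accepted fix (groupauthor set to local and referenced from the profile) it reports nothing.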
