Site to Site IPSEC VTI + VPN Client on a stick

Sep 2nd, 2010

Hi,


I currently have a working site-to-site IPsec VTI with a zone-based firewall.


Now I would like to configure the router to allow a remote VPN client (on a stick) to access the network behind the router (see attached diagram).


Can the experts take a look at my configuration and advise me on the problem?


Thank you

praprama Mon, 09/13/2010 - 06:25
Cisco Employee

Hi Kim,


The config for the VPN part seems alright. But, there seems to be no zone-pair for Inside-Ezclient and vice versa and also for Outside-Ezclient and vice versa.


Please create zone-pairs for those as well and allow/deny necessary traffic. For Outside-Ezclient and vice versa, you will need to allow ESP and UDP 4500 as well. For Inside-Ezclient and vice versa, if you want the VPN clients to be able to access anything, a "permit ip any any" would do.


Let me know if it works.


Regards,

Prapanch
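The zone-pairs the reply asks for, written out as an added example (this is not configuration from the original thread or from Cisco). Only the zone names Inside, Outside and Ezclient come from the thread; the interface, ACL, class-map, policy-map and zone-pair names are placeholders, and the UDP 500 (ISAKMP) entry is an addition beyond the ESP and UDP 4500 the reply names, since IKE phase 1 runs on UDP 500 when NAT-T is not in use.

```ios
! Added example: ZBFW zone-pairs for an Easy VPN client zone.
! Names other than the zones Inside / Outside / Ezclient are placeholders.

! Decrypted client traffic enters on virtual-access interfaces cloned
! from the virtual template, so the template carries the zone membership.
zone security Ezclient
interface Virtual-Template1 type tunnel
 zone-member security Ezclient

! --- Outside <-> Ezclient: only IPsec control and data traffic ---
ip access-list extended ACL-IPSEC-TRAFFIC
 remark ESP (IP protocol 50)
 permit esp any any
 remark UDP 4500, NAT-T (the non500-isakmp keyword is port 4500)
 permit udp any any eq non500-isakmp
 remark UDP 500, IKE - assumption, not named in the reply
 permit udp any any eq isakmp

class-map type inspect match-all CM-IPSEC
 match access-group name ACL-IPSEC-TRAFFIC

! ESP is not an inspectable protocol, so "pass" (stateless) is used;
! stateless passes need the reverse zone-pair below for return traffic.
policy-map type inspect PM-OUT-EZ
 class type inspect CM-IPSEC
  pass
 class class-default
  drop log

zone-pair security Outside-Ezclient source Outside destination Ezclient
 service-policy type inspect PM-OUT-EZ
zone-pair security Ezclient-Outside source Ezclient destination Outside
 service-policy type inspect PM-OUT-EZ

! --- Inside <-> Ezclient: the reply's "permit ip any any" ---
! TCP/UDP/ICMP are inspected statefully; anything else is passed
! via the catch-all ACL so the result is still "any IP".
class-map type inspect match-any CM-INSPECTABLE
 match protocol tcp
 match protocol udp
 match protocol icmp

ip access-list extended ACL-ANY
 permit ip any any
class-map type inspect match-all CM-ANY
 match access-group name ACL-ANY

policy-map type inspect PM-IN-EZ
 class type inspect CM-INSPECTABLE
  inspect
 class type inspect CM-ANY
  pass
 class class-default
  drop log

zone-pair security Inside-Ezclient source Inside destination Ezclient
 service-policy type inspect PM-IN-EZ
zone-pair security Ezclient-Inside source Ezclient destination Inside
 service-policy type inspect PM-IN-EZ
```

Two practitioner notes. First, the IKE and ESP packets from the client terminate on the router itself, so in ZBFW terms they belong to the self zone, not to Ezclient; if an Outside-to-self zone-pair exists, it also has to pass UDP 500/4500 and ESP, otherwise IKE never completes regardless of the Ezclient pairs. Second, `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm that the pairs are attached and show what the firewall is actually passing or dropping, while `show crypto isakmp sa` and `debug crypto isakmp` on the router show whether the client's IKE negotiation reaches the point where the zone-pairs matter at all.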

jazzlim2004 Mon, 09/13/2010 - 19:20

Hi,


I amended it as you advised but still have the same error below. What may be the problem?


Cisco Systems VPN Client Version 5.0.00.0340
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3


11     10:14:53.187  09/14/10  Sev=Warning/2    IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)


12     10:14:53.187  09/14/10  Sev=Warning/3    IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)



Thank you
