08-22-2002 04:37 AM - edited 02-21-2020 12:01 PM
I have the above configuration and followed to the tee the tech note:
http://www.cisco.com/warp/customer/471/ios-unity.html
I can now connect, am prompted for username/password, get assigned an address, and my client says it's encrypting the correct packets, but none are returning.
Any ideas? I am wondering if I have to do anything with NAT here, as I have before, but nothing I see in the tech notes says anything about this. Great notes for PIXes, not so great for IOS.
The IOS version is 12.2.11T1
Here is part of the config; keys are there but removed for security.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ******
pool vpnpool
acl 150
crypto ipsec transform-set remotes esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-remotes 1
set transform-set remotes
!
!
crypto map remotes client authentication list vpnauth
crypto map remotes isakmp authorization list groupauthor
crypto map remotes client configuration address initiate
crypto map remotes client configuration address respond
crypto map remotes 1 ipsec-isakmp dynamic dyn-remotes
Thanks in advance for the help
Aaron
08-23-2002 11:38 AM
I have been playing around with the 3.6 client and 12.2(8)T5 and 12.2(11)T on a 2611 and have similar problems. I have followed examples on CCO and found that, despite having the encrypt/decrypt counters going up on the client, the router refuses to send back any encrypted traffic. Despite seeing SPI info for both inbound and outbound connections AND these counters incrementing, my sniffer doesn't see any ESP coming back from the router. In fact the client in my case is sending 2 pings: 1 is ESP and encrypted and 1 is clear ICMP. This points to a major bug. I wonder if anyone at Cisco has actually put a sniffer on these connections, because they'd realise that despite everything looking correct, it doesn't work. Even doing a sh cryp engine conn active shows everything working hunky-dory with counters increasing but... the sniffer never lies and it definitely ain't working! Best of luck with your endeavours, but I don't think any amount of tinkering with your config will change matters.
Andy
08-28-2002 03:30 AM
Thanks for your help
08-28-2002 02:44 PM
Hi there - I posted my question on the newsgroup comp.dcom.sys.cisco a couple of days ago and came back with an answer that solved my problem - try putting the new command "reverse route injection" under your dynamic crypto map. This may not solve your problem, but I was sure I had configured everything correctly, and I hadn't!
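As an added illustration of the fix described in the reply above (this is not the original poster's config and not Cisco's own example), here is how the dynamic crypto map from the first post looks with reverse route injection turned on, together with the NAT exemption the first poster wondered about. On IOS the command is "reverse-route" under the dynamic map; it installs a host route for each connected client's pool address so the router has a path back to the client through the crypto-mapped interface. The pool range (10.10.10.0/24), the LAN (192.168.1.0/24), the interface names and the NAT access list 110 are all assumed values for the example; the names remotes, dyn-remotes, vpnpool and acl 150 are taken from the original config.

```cisco
! Added example, not the original poster's config.
! Dynamic map with reverse route injection: a /32 route for each connected
! client's assigned address is installed while the tunnel is up.
crypto dynamic-map dyn-remotes 1
 set transform-set remotes
 reverse-route
!
! Assumed pool backing the "pool vpnpool" line of the client group.
ip local pool vpnpool 10.10.10.1 10.10.10.254
!
! Assumed split-tunnel list referenced by "acl 150" in the client group:
! only LAN-to-client traffic is sent through the tunnel.
access-list 150 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Assumed NAT exemption: inside-to-outside NAT runs before encryption on IOS,
! so traffic from the LAN to the client pool is excluded from translation,
! otherwise the return packets leave with a translated source and never match
! the client's SA.
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
!
! Assumed interface names; the crypto map is applied on the outside interface.
interface FastEthernet0/0
 ip nat outside
 crypto map remotes
!
interface FastEthernet0/1
 ip nat inside
```

To confirm the change is doing its job once a client connects, "show ip route" should list a static host route for the client's pool address pointing out of the crypto-mapped interface, and "show crypto ipsec sa" should show both the pkts encaps and pkts decaps counters rising on the router side rather than only the decaps counter.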