07-01-2013 12:38 PM - edited 03-10-2019 08:36 PM
We're provisioning a 2821 with IOS 15.1(4)M5 ADVSECURITYK9 for Easy VPN/classic client access. Everything works fine with local authentication.
When we switch to radius authentication, the router sends the group name to the radius server instead of prompting the client for a username/password. I can see the transaction complete in both Windows event logs and IOS debug. How do I force the client to prompt for user credentials as it does when local authentication is specified instead of using group information in the radius transaction?
I'm a firewall guy and have done this hundreds of times with PIX/ASA configs and never seen a similar issue switching to radius for authentication.
radius debug:
*Jul 1 19:20:57.509: RADIUS/ENCODE(0000007E):Orig. component type = VPN IPSEC
*Jul 1 19:20:57.509: RADIUS: AAA Unsupported Attr: interface [210] 13
*Jul 1 19:20:57.509: RADIUS: 31 39 32 2E 31 36 38 2E 31 36 38 [ 192.168.168]
*Jul 1 19:20:57.509: RADIUS(0000007E): Config NAS IP: 0.0.0.0
*Jul 1 19:20:57.509: RADIUS(0000007E): Config NAS IPv6:
*Jul 1 19:20:57.509: RADIUS/ENCODE(0000007E): acct_session_id: 93
*Jul 1 19:20:57.509: RADIUS(0000007E): sending
*Jul 1 19:20:57.509: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50
*Jul 1 19:20:57.509: RADIUS(0000007E): Send Access-Request to 192.168.1.50:1645 id 1645/22, len 110
*Jul 1 19:20:57.509: RADIUS: authenticator 72 23 FE 6B 78 D0 90 B9 - B2 A2 8C A9 32 E8 95 7E
*Jul 1 19:20:57.509: RADIUS: User-Name [1] 13 "vpn_admin"
*Jul 1 19:20:57.509: RADIUS: User-Password [2] 18 *
*Jul 1 19:20:57.509: RADIUS: Calling-Station-Id [31] 14 "x.x.x.x"
*Jul 1 19:20:57.509: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 1 19:20:57.509: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 1 19:20:57.509: RADIUS: NAS-Port [5] 6 1
*Jul 1 19:20:57.509: RADIUS: NAS-Port-Id [87] 15 "192.168.168.1"
*Jul 1 19:20:57.509: RADIUS: Service-Type [6] 6 Outbound [5]
*Jul 1 19:20:57.513: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
*Jul 1 19:20:57.513: RADIUS(0000007E): Sending a IPv4 Radius Packet
*Jul 1 19:20:57.513: RADIUS(0000007E): Started 5 sec timeout
*Jul 1 19:20:57.529: RADIUS: Received from id 1645/22 192.168.1.50:1645, Access-Reject, len 20
*Jul 1 19:20:57.529: RADIUS: authenticator C0 F7 22 93 F4 D2 61 12 - 4F 9D E8 2B A8 24 48 31
*Jul 1 19:20:57.529: RADIUS(0000007E): Received from id 1645/22
*Jul 1 19:20:57.585: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from x.x.x.x was not encrypted and it should've been.
Windows Event Log:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: vpn_admin
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\vpn_admin
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: x.x.x.x
NAS:
NAS IPv4 Address: 192.168.1.1
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: 1
RADIUS Client:
Client Friendly Name: admin_router
Client IP Address: 192.168.1.1
Authentication Details:
Connection Request Policy Name: Client VPN
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: admin-server.HTMUA.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
relevant router config:
aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login aaa-authent-vpn local
aaa authentication login aaa-authent-radius-vpn group radius
aaa authorization network aaa-author-vpn local
aaa authorization network aaa-author-radius-vpn group radius
crypto isakmp client configuration group vpn_admin
key ****
domain domain.local
pool adminvpn
acl operations_network
crypto isakmp profile vpn_admin_profile
match identity group vpn_admin
client authentication list aaa-authent-radius-vpn
isakmp authorization list aaa-author-radius-vpn
client configuration address respond
client configuration group vpn_admin
virtual-template 2
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto ipsec profile vpn-client-profile-admin
set transform-set vpnclient
set isakmp-profile vpn_admin_profile
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn-client-profile-admin
ip local pool adminvpn 192.168.101.1 192.168.101.250
ip access-list extended operations_network
permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
radius-server host 192.168.1.50 key ****
07-01-2013 01:25 PM
One addition:
RADIUS authentication works perfectly for command line login.
*Jul 1 20:25:39.833: RADIUS/ENCODE(00000080): ask "Password: "
*Jul 1 20:25:39.833: RADIUS/ENCODE(00000080): send packet; GET_PASSWORD
*Jul 1 20:25:43.093: RADIUS/ENCODE(00000080):Orig. component type = Exec
*Jul 1 20:25:43.093: RADIUS: AAA Unsupported Attr: interface [210] 6
*Jul 1 20:25:43.093: RADIUS: 74 74 79 35 [ tty5]
*Jul 1 20:25:43.093: RADIUS/ENCODE(00000080): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jul 1 20:25:43.093: RADIUS(00000080): Config NAS IP: 0.0.0.0
*Jul 1 20:25:43.093: RADIUS(00000080): Config NAS IPv6:
*Jul 1 20:25:43.093: RADIUS/ENCODE(00000080): acct_session_id: 95
*Jul 1 20:25:43.093: RADIUS(00000080): sending
*Jul 1 20:25:43.093: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50
*Jul 1 20:25:43.093: RADIUS(00000080): Send Access-Request to 192.168.1.50:1645 id 1645/26, len 70
*Jul 1 20:25:43.093: RADIUS: authenticator D5 50 F6 21 F4 31 22 E1 - 51 53 62 9B 78 3E 5D 60
*Jul 1 20:25:43.093: RADIUS: User-Name [1] 6 "ray"
*Jul 1 20:25:43.097: RADIUS: User-Password [2] 18 *
*Jul 1 20:25:43.097: RADIUS: NAS-Port [5] 6 515
*Jul 1 20:25:43.097: RADIUS: NAS-Port-Id [87] 8 "tty515"
*Jul 1 20:25:43.097: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 1 20:25:43.097: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
*Jul 1 20:25:43.097: RADIUS(00000080): Sending a IPv4 Radius Packet
*Jul 1 20:25:43.097: RADIUS(00000080): Started 5 sec timeout
*Jul 1 20:25:43.105: RADIUS: Received from id 1645/26 192.168.1.50:1645, Access-Accept, len 102
*Jul 1 20:25:43.105: RADIUS: authenticator 39 2F 0C 7E D1 5A F3 A0 - B1 42 6F BE 66 24 B6 F2
*Jul 1 20:25:43.105: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Jul 1 20:25:43.105: RADIUS: Service-Type [6] 6 Framed [2]
*Jul 1 20:25:43.105: RADIUS: Class [25] 46
*Jul 1 20:25:43.105: RADIUS: 6B 35 05 EE 00 00 01 37 00 01 02 00 C0 A8 01 32 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 76 75 CE 16 DB 84 00 00 00 00 00 00 00 1A [ k572vu]
*Jul 1 20:25:43.105: RADIUS: Vendor, Microsoft [26] 12
*Jul 1 20:25:43.105: RADIUS: MS-Link-Util-Thresh[14] 6
*Jul 1 20:25:43.105: RADIUS: 00 00 00 32 [ 2]
*Jul 1 20:25:43.105: RADIUS: Vendor, Microsoft [26] 12
*Jul 1 20:25:43.105: RADIUS: MS-Link-Drop-Time-L[15] 6
*Jul 1 20:25:43.105: RADIUS: 00 00 00 78 [ x]
*Jul 1 20:25:43.105: RADIUS(00000080): Received from id 1645/26
*Jul 1 20:25:43.105: RADIUS: Constructed " ppp negotiate"
07-02-2013 12:23 AM
Hello,
Use the aaa authentication login command with the group group-name method to specify a subset of RADIUS or TACACS+ servers to use as the login authentication method. To specify and define the group name and the members of the group, use the aaa group server command. For example, use the aaa group server command to first define the members of group loginrad:
aaa group server radius loginrad
server 172.16.2.3
server 172.16.2.17
server 172.16.2.32
This command specifies RADIUS servers 172.16.2.3, 172.16.2.17, and 172.16.2.32 as members of the group loginrad.
To specify group loginrad as the method of user authentication at login when no other method list has been defined, enter the following command:
aaa authentication login default group loginrad
Before you can use a group name as the login authentication method, you need to enable communication with the RADIUS or TACACS+ security server.
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html
07-02-2013 08:24 AM
I updated the configuration with the following and the behavior does not change. The VPN client still does not prompt for user credentials:
aaa group server radius radius-group
server 192.168.1.50
!
aaa authentication login default group radius-group
aaa authentication login aaa-authent-vpn local
aaa authentication login aaa-authent-radius-vpn group radius-group
aaa authorization network aaa-author-vpn local
aaa authorization network aaa-author-radius-vpn group radius-group
Debug shows the router is still sending the group name
*Jul 2 15:14:52.096: RADIUS/ENCODE(00000092):Orig. component type = VPN IPSEC
*Jul 2 15:14:52.096: RADIUS: AAA Unsupported Attr: interface [210] 13
*Jul 2 15:14:52.096: RADIUS: 31 39 32 2E 31 36 38 2E 31 36 38 [ 192.168.168]
*Jul 2 15:14:52.096: RADIUS(00000092): Config NAS IP: 0.0.0.0
*Jul 2 15:14:52.096: RADIUS(00000092): Config NAS IPv6:
*Jul 2 15:14:52.096: RADIUS/ENCODE(00000092): acct_session_id: 113
*Jul 2 15:14:52.096: RADIUS(00000092): sending
*Jul 2 15:14:52.096: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50
*Jul 2 15:14:52.096: RADIUS(00000092): Send Access-Request to 192.168.1.50:1645 id 1645/36, len 110
*Jul 2 15:14:52.096: RADIUS: authenticator 33 44 75 64 5F 29 68 3B - FD 9C 45 07 EB DF BD D1
*Jul 2 15:14:52.096: RADIUS: User-Name [1] 13 "vpn_admin"
*Jul 2 15:14:52.096: RADIUS: User-Password [2] 18 *
*Jul 2 15:14:52.096: RADIUS: Calling-Station-Id [31] 14 "x.x.x.x"
*Jul 2 15:14:52.100: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 2 15:14:52.100: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jul 2 15:14:52.100: RADIUS: NAS-Port [5] 6 1
*Jul 2 15:14:52.100: RADIUS: NAS-Port-Id [87] 15 "192.168.168.1"
*Jul 2 15:14:52.100: RADIUS: Service-Type [6] 6 Outbound [5]
*Jul 2 15:14:52.100: RADIUS: NAS-IP-Address [4] 6 192.168.1.1
*Jul 2 15:14:52.100: RADIUS(00000092): Sending a IPv4 Radius Packet
*Jul 2 15:14:52.100: RADIUS(00000092): Started 5 sec timeout
*Jul 2 15:14:52.124: RADIUS: Received from id 1645/36 192.168.1.50:1645, Access-Reject, len 20
*Jul 2 15:14:52.124: RADIUS: authenticator D5 FF 76 4A 66 79 C5 EB - 16 9B 1B 32 57 88 50 AE
07-02-2013 09:30 AM
Ray,
Is it possible for you to remove "client configuration group vpn_admin" from the vpn_admin_profile and test again?
~BR
Jatin Katyal
**Do rate helpful posts**
07-02-2013 11:48 AM
Removing the "client configuration group" line causes phase 1 negotiation to fail.
The group information is correct as the VPN client can connect when the authentication and authorization lines are changed back to reference local.
The abbreviated router debug follows:
*Jul 2 18:02:46.024: ISAKMP (0): received packet from x.x.x.x dport 500 sport 54555 Global (N) NEW SA
*Jul 2 18:02:46.024: ISAKMP: Created a peer struct for x.x.x.x, peer port 54555
*Jul 2 18:02:46.024: ISAKMP: New peer created peer = 0x48EBBDB8 peer_handle = 0x8000004C
*Jul 2 18:02:46.024: ISAKMP: Locking peer struct 0x48EBBDB8, refcount 1 for crypto_isakmp_process_block
*Jul 2 18:02:46.028: ISAKMP: local port 500, remote port 54555
*Jul 2 18:02:46.028: ISAKMP:(0):insert sa successfully sa = 49086238
*Jul 2 18:02:46.028: ISAKMP:(0): processing SA payload. message ID = 0
*Jul 2 18:02:46.028: ISAKMP:(0): processing ID payload. message ID = 0
*Jul 2 18:02:46.028: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : vpn_admin
protocol : 17
port : 500
length : 19
*Jul 2 18:02:46.028: ISAKMP:(0):: peer matches vpn_admin_profile profile
*Jul 2 18:02:46.028: ISAKMP:(0):Setting client config settings 48B63CC4
*Jul 2 18:02:46.028: ISAKMP:(0):(Re)Setting client xauth list and state
*Jul 2 18:02:46.028: ISAKMP/xauth: initializing AAA request
*Jul 2 18:02:46.028: ISAKMP AAA: NAS Port Id is set to 192.168.168.1
*Jul 2 18:02:46.028: ISAKMP:(0):AAA: Nas Port ID set to 192.168.168.1.
*Jul 2 18:02:46.028: ISAKMP/aaa: unique id = 153
*Jul 2 18:02:46.028: ISAKMP:(0): processing vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID is XAUTH
*Jul 2 18:02:46.028: ISAKMP:(0): processing vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID is DPD
*Jul 2 18:02:46.028: ISAKMP:(0): processing vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0): processing IKE frag vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Jul 2 18:02:46.028: ISAKMP:(0): processing vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID is NAT-T v2
*Jul 2 18:02:46.028: ISAKMP:(0): processing vendor id payload
*Jul 2 18:02:46.028: ISAKMP:(0): vendor ID is Unity
*Jul 2 18:02:46.028: ISAKMP:(0): Authentication by xauth preshared
...
*Jul 2 18:02:46.032: ISAKMP:(0):Checking ISAKMP transform 9 against priority 30 policy
*Jul 2 18:02:46.032: ISAKMP: encryption 3DES-CBC
*Jul 2 18:02:46.032: ISAKMP: hash SHA
*Jul 2 18:02:46.032: ISAKMP: default group 2
*Jul 2 18:02:46.032: ISAKMP: auth XAUTHInitPreShared
*Jul 2 18:02:46.032: ISAKMP: life type in seconds
*Jul 2 18:02:46.032: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jul 2 18:02:46.032: ISAKMP:(0):atts are acceptable. Next payload is 3
...
*Jul 2 18:02:46.068: ISAKMP:(0):ISAKMP/tunnel: setting up tunnel vpn_admin pw request
*Jul 2 18:02:46.068: ISAKMP:(0):ISAKMP/tunnel: Tunnel vpn_admin PW Request successfully sent to AAA
*Jul 2 18:02:46.068: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jul 2 18:02:46.068: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
*Jul 2 18:02:46.068: RADIUS/ENCODE(00000099):Orig. component type = VPN IPSEC
*Jul 2 18:02:46.068: RADIUS: AAA Unsupported Attr: interface [210] 13
*Jul 2 18:02:46.068: RADIUS: 31 39 32 2E 31 36 38 2E 31 36 38 [ 192.168.168]
*Jul 2 18:02:46.068: RADIUS(00000099): Config NAS IP: 0.0.0.0
*Jul 2 18:02:46.068: RADIUS(00000099): Config NAS IPv6:
*Jul 2 18:02:46.068: RADIUS/ENCODE(00000099): acct_session_id: 120
*Jul 2 18:02:46.068: RADIUS(00000099): sending
*Jul 2 18:02:46.068: RADIUS/ENCODE: Best Local IP-Address 192.168.1.1 for Radius-Server 192.168.1.50
*Jul 2 18:02:46.068: RADIUS(00000099): Send Access-Request to 192.168.1.50:1645 id 1645/41, len 110
*Jul 2 18:02:46.068: RADIUS: authenticator 7B 4D 82 F7 17 B8 DD 21 - 3A EA AB C0 3C EC CC F3
*Jul 2 18:02:46.068: RADIUS: User-Name [1] 13 "vpn_admin"
*Jul 2 18:02:46.068: RADIUS: User-Password [2] 18 *
...
The client debug follows:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
4662 13:50:49.368 07/02/13 Sev=Info/4 CM/0x63100002
Begin connection process
4663 13:50:49.415 07/02/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4664 13:50:49.415 07/02/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"
4665 13:50:49.425 07/02/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.
4666 13:50:49.443 07/02/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
4667 13:50:49.456 07/02/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
4668 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x
4669 13:50:49.608 07/02/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
4670 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
4671 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
4672 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
4673 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
4674 13:50:49.608 07/02/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
4675 13:50:49.622 07/02/13 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
4676 13:50:49.622 07/02/13 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
4677 13:50:49.622 07/02/13 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:915)
4678 13:50:49.622 07/02/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x
4679 13:50:49.622 07/02/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x
4680 13:50:49.622 07/02/13 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)
4681 13:50:49.622 07/02/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E59FE4870EACCEA2 R_Cookie=FF0E635DD9F7AFC2) reason = DEL_REASON_IKE_NEG_FAILED
4682 13:50:49.622 07/02/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
4683 13:50:49.622 07/02/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
4684 13:50:50.519 07/02/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E59FE4870EACCEA2 R_Cookie=FF0E635DD9F7AFC2) reason = DEL_REASON_IKE_NEG_FAILED
4685 13:50:50.519 07/02/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
4686 13:50:50.519 07/02/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
4687 13:50:50.533 07/02/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
4688 13:50:50.534 07/02/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
4689 13:50:50.543 07/02/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
4690 13:50:50.543 07/02/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
4691 13:50:50.543 07/02/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
4692 13:50:50.543 07/02/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
07-09-2013 09:52 AM
Solved by TAC.
Since Microsoft NPS RADIUS does not support storage of shared secret, changed the isakmp authorization line to use local authentication
crypto isakmp profile vpn_admin_profile
match identity group vpn_admin
client authentication list aaa-authent-radius-vpn
isakmp authorization list aaa-author-vpn
My original configuration also had to be modified as the VPN client does not accept a transform set using 3des and sha
crypto ipsec transform-set vpnclient esp-aes esp-sha-hmac
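An added example, not part of the original thread: Python that rebuilds RADIUS transactions from debug output in the format posted above and flags VPN requests whose User-Name is an Easy VPN group name, which is the group lookup driven by `isakmp authorization list` rather than a user's XAUTH login. The sample config and debug lines are constructed in the formats seen in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample input, modeled on the config and debug formats in this thread.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group vpn_admin
crypto isakmp profile vpn_admin_profile
 isakmp authorization list aaa-author-radius-vpn
"""
SAMPLE_DEBUG = """\
*Jul 1 19:20:57.509: RADIUS/ENCODE(0000007E):Orig. component type = VPN IPSEC
*Jul 1 19:20:57.509: RADIUS(0000007E): Send Access-Request to 192.168.1.50:1645 id 1645/22, len 110
*Jul 1 19:20:57.509: RADIUS: User-Name [1] 13 "vpn_admin"
*Jul 1 19:20:57.529: RADIUS: Received from id 1645/22 192.168.1.50:1645, Access-Reject, len 20
*Jul 1 20:25:43.093: RADIUS/ENCODE(00000080):Orig. component type = Exec
*Jul 1 20:25:43.093: RADIUS(00000080): Send Access-Request to 192.168.1.50:1645 id 1645/26, len 70
*Jul 1 20:25:43.093: RADIUS: User-Name [1] 6 "ray"
*Jul 1 20:25:43.105: RADIUS: Received from id 1645/26 192.168.1.50:1645, Access-Accept, len 102
"""

ORIG = re.compile(r"RADIUS/ENCODE\((\w+)\):\s*Orig\. component type = (.+?)\s*$")
SEND = re.compile(r"Send Access-Request to (\S+):\d+ id (\S+),")
USER = re.compile(r'RADIUS:\s+User-Name\s+\[1\]\s+\d+\s+"([^"]*)"')
RECV = re.compile(r"Received from id (\S+) \S+, (Access-\w+),")
GROUP = re.compile(r"^crypto isakmp client configuration group (\S+)", re.M)

def parse_transactions(debug_text):
    """Rebuild one record per Access-Request from interleaved debug lines."""
    txns, by_id, cur = [], {}, None
    for line in debug_text.splitlines():
        if m := ORIG.search(line):
            # A new request starts; attribute lines that follow belong to it.
            cur = {"handle": m[1], "component": m[2], "user": None,
                   "server": None, "id": None, "result": "no-reply"}
            txns.append(cur)
        elif (m := SEND.search(line)) and cur:
            cur["server"], cur["id"] = m[1], m[2]
            by_id[m[2]] = cur
        elif (m := USER.search(line)) and cur and cur["user"] is None:
            cur["user"] = m[1]
        elif (m := RECV.search(line)) and m[1] in by_id:
            # Replies are matched to requests by the RADIUS id (e.g. 1645/22).
            by_id[m[1]]["result"] = m[2]
    return txns

def group_lookups(debug_text, config_text):
    """Return VPN transactions whose User-Name is an Easy VPN group name."""
    groups = set(GROUP.findall(config_text))
    return [t for t in parse_transactions(debug_text)
            if t["component"] == "VPN IPSEC" and t["user"] in groups]

if __name__ == "__main__":
    for t in group_lookups(SAMPLE_DEBUG, SAMPLE_CONFIG):
        print(f"{t['handle']}: group '{t['user']}' looked up on {t['server']} "
              f"-> {t['result']} (check 'isakmp authorization list')")
```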
07-09-2013 10:16 AM
I see...authorization from local database. Thanks for sharing.
~BR
Jatin Katyal
**Do rate helpful posts**
07-11-2013 01:38 PM
Good neighbor policy: always update every forum post you made with the answer so the next guy looking can find it.
07-11-2013 01:42 PM
Completely agree. I'm sure this will help a lot of community members in the future.
~BR
Jatin Katyal
**Do rate helpful posts**
06-24-2014 12:51 PM
If only this lonely post were easier to find!
Many thanks for posting the solution.