Community Member

1841 vpn client

I have an 1841 that has a working site-to-site VPN tunnel... I added the config for a VPN client and nothing happens.

I debugged crypto isakmp and don't even see the client trying to connect.

Anyone see what's wrong?

version 12.4
aaa new-model
!
aaa session-id common
!
!
ip inspect name test http urlfilter
username xxxxxx privilege 15 password 7 xxxxxxxx
!
!
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ciscociscoAZ address x.x.x.x no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group Remote_User
 key cisco
 pool VPNpool
 acl 150
!
!
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 11 ipsec-isakmp
 set peer x.x.x.x
 set transform-set remotesite
 match address vpn
!
!
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 ip inspect test in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
ip local pool VPNpool 192.168.50.50 192.168.50.160
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip nat inside source list NoNat interface FastEthernet0/1 overload
!
ip access-list extended NoNat
 deny ip 192.168.12.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny ip 192.168.12.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended vpn
 permit ip 192.168.12.0 0.0.0.255 host 10.155.102.252
!
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
!

thanks


5 REPLIES

Re: 1841 vpn client

Try to add "reverse-route" under the dynamic crypto map.

But everything else looks ok, verify that the crypto map is applied with "sh crypto dynamic-map".

A debug crypto isakmp should show when it tries to connect; either you have not configured logging properly, or the client cannot reach the router.

Community Member

Re: 1841 vpn client

Mattias

The reverse route didn't work.

When I debug crypto isakmp I don't even see it trying... but I can ping the outside interface from where I'm trying the client.

router#sh cry dynamic-map
Crypto Map Template"dynmap" 10
    No matching address list set.
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
        myset,
    }

Does this tell you anything?

thanks

Colum

Re: 1841 vpn client

Also, you are referring to the aaa groups userauthen and groupauthor but they are not defined anywhere?

crypto map mymap client authentication list userauthen

crypto map mymap isakmp authorization list groupauthor

You need something like this:

aaa authentication login userauthen local

aaa authorization network groupauthor local

If you want to use xauth with local authentication.
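
The check suggested in the reply above, generalized into a small lint for dangling references in an IOS crypto configuration. This is an added example, not part of the original thread; the rule table and the name `find_dangling` are assumptions made here and cover only the command forms that appear in the posted config.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa new-model
crypto isakmp client configuration group Remote_User
 key cisco
 pool VPNpool
 acl 150
crypto ipsec transform-set remotesite esp-3des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 11 ipsec-isakmp
 set transform-set remotesite
 match address vpn
ip local pool VPNpool 192.168.50.50 192.168.50.160
ip access-list extended vpn
access-list 150 permit ip 192.168.12.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

# (what is referenced, regex for the referencing line, regex for the defining line)
RULES = [
    ("aaa authentication login list", r"client authentication list (\S+)", r"aaa authentication login (\S+)"),
    ("aaa authorization network list", r"isakmp authorization list (\S+)", r"aaa authorization network (\S+)"),
    ("transform-set", r"^set transform-set (\S+)", r"crypto ipsec transform-set (\S+)"),
    ("dynamic-map", r"ipsec-isakmp dynamic (\S+)", r"crypto dynamic-map (\S+)"),
    ("address pool", r"^pool (\S+)", r"ip local pool (\S+)"),
    ("access list", r"^(?:acl|match address) (\S+)", r"(?:ip access-list \S+|access-list) (\S+)"),
]

def find_dangling(config):
    """Return (kind, name) for every name that is referenced but never defined."""
    lines = [line.strip() for line in config.splitlines()]
    missing = []
    for kind, ref_re, def_re in RULES:
        # Definitions are matched at the start of the (stripped) line.
        defined = {m.group(1) for line in lines if (m := re.match(def_re, line))}
        for line in lines:
            m = re.search(ref_re, line)
            if m and m.group(1) not in defined:
                missing.append((kind, m.group(1)))
    return missing

if __name__ == "__main__":
    for kind, name in find_dangling(SAMPLE_CONFIG):
        print(f"referenced but not defined: {kind} '{name}'")
```
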

Community Member

Re: 1841 vpn client

You are right... that was missing, but it still doesn't work...

It's weird...

Client log:

813 11:11:24.307 07/30/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

814 11:11:24.828 07/30/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CFDA79CF5F04F509 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

It's like it can't get to the outside IP.

Could it be the inspect/websense?

Silver

Re: 1841 vpn client

Hi,

Please refer to the document below, which will guide you step by step through the procedure to configure the client VPN.

It also shows troubleshooting.

It is much easier.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards,

Dharmesh Purohit
