01-14-2003 11:49 AM - edited 02-21-2020 12:16 PM
Hello, I would like to know if anyone can give me a quick and dirty explanation of a dynamic VPN config using a pre-shared key. The way I see it I must: 1) set an ISAKMP policy, 2) set the ISAKMP key and address, 3) set the ISAKMP client config, 4) set a transform set, 5) specify a dynamic crypto map template, 6) apply the config changes to the outside interface.
Can someone correct the errors in my methodology?
Many thanks
RJ
01-15-2003 12:36 PM
Hi RJ,
Your approach is the same. But the actual implementation really depends on the VPN platform that you are using. The configuration will be different if you are configuring an IOS router or a PIX Firewall for the client VPN tunnels.
http://www.cisco.com/warp/public/471/ios-unity.html
http://www.cisco.com/warp/public//110/pix3000.html
Jazib
01-15-2003 02:47 PM
Thanks for the prompt reply. I am attempting this config on a 1720 - so an IOS router. I am assuming that as the first link you provided states, I do not "absolutely" need to name the group as stated in the link - or specify the same password?? Ditto for the user "cisco" with password "cisco"??
Also, my router's running config does not contain the directive "aaa authorization network groupauthor local" to use the local database to allow users to access network services. Is this absolutely required?
I can supply my run config for a more detailed analysis.
RJ
01-15-2003 05:15 PM
RJ,
You are right. You don't have to use the same groupname, group password or even the same username, user password.
As far as aaa authorization is concerned, you have to have that. Make sure that you add "aaa new-model" first before you add the aaa authorization command.
Hope that helps
Jazib
01-20-2003 01:29 PM
Thank you for the help. Results of my foray follow.
I added the VPN directives outlined in the first link you sent me, but the dynamic VPN did not function and the static VPN we have went down. It seems that we can only apply one crypto map to an interface.
I am including the cmds I input and debug results.
---------------------------------------------------------------------------------------------------------
These are the cmds (in order) that I entered:
aaa authorization network groupauthor local
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpn
key xxxxxxxxxxxxxxx
dns 172.16.1.10
wins 172.16.1.20
domain xxxxxxxxx
pool ippool
crypto ipsec transform-set destset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set destset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
(config-if)# crypto map clientmap
---------------------------------------------------------------------------------------------------------
These I used to determine what was happening after the config was modified:
debug isakmp
debug engine
debug ipsec
---------------------------------------------------------------------------------------------------------
After modifications my run config looked like this:
Cisco1720#
*Feb 28 19:18:30.331 EST: %SYS-5-CONFIG_I: Configured from console by sh run
Building configuration...
Current configuration : 4808 bytes
!
version 12.2
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco1720
!
boot system flash c1700-k9o3sy7-mz.122-8.T1.bin
boot system flash
logging buffered 16384 notifications
no logging monitor
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5
enable password 7
username mickey password xxxxxxxxxxxxxxxxxx
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server xxxxxxxxxxxxxx
ip dhcp excluded-address xxxxxxxxxxxxxxxxxxxxxx
ip dhcp excluded-address xxxxxxxxxxxxxxxxxxxx
!
ip dhcp pool 1
network xxxxxxxxxxxxxxxx
domain-name bellnexxia.net
default-router xxxxxxxxxxxxxxxx
dns-server xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 1000
ip inspect one-minute high 600
ip inspect udp idle-time 7200
ip inspect dns-timeout 7
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 1
ip inspect name rcmd timeout 15
ip inspect name cuseeme timeout 20
ip inspect name smtp timeout 120
ip inspect name tftp timeout 60
ip inspect name realaudio timeout 120
ip inspect name streamworks timeout 120
ip inspect name tcp timeout 7200
ip inspect name udp timeout 7200
ip audit notify log
ip audit po max-events 100
vpdn-group pppoe
!
!
crypto isakmp policy 1
authentication pre-share
lifetime 300
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxxxx address xxxxxxxxxxxxx
!
crypto xxxxxxxxxxxxxxxxxx
dns 172.16.1.10
wins 172.16.1.20
domain xxxxxxxxxxx
pool ippool
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set destset esp-3des esp-sha-hmac
!
crypto dynamic-map cm-cryptomap 10
set transform-set cm-transformset-1
!
crypto dynamic-map dynmap 10
set transform-set destset
!
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer xxxxxxxxxxxxxxxxxxxx
set transform-set cm-transformset-1
match address 115
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description connected to Internet
ip address xxxxxxxxxxxxxxxxxxxxxxxxxx
ip access-group 125 in
ip mtu 1492
ip nat outside
ip inspect destina out
no ip route-cache
no ip mroute-cache
no keepalive
half-duplex
crypto map clientmap
!
interface FastEthernet0
description connected to EthernetLAN
ip address xxxxxxxxxxxxxxxxxxxxxx0
ip nat inside
ip tcp adjust-mss 1452
speed auto
!
router rip
version 2
network xxxxxxxxxxxx
no auto-summary
!
ip local pool ippool xxxxxxxxxxxxxxxxxxxxx
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxxx
ip route xxxxxxxxxxxxxxxxxxxxxx
ip route xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no ip http server
ip pim bidir-enable
!
!
logging .5
access-list 1 permit.0.0.255
access-list 101 deny ip
access-list 101 deny ip
access-list 101 permit ip \
access-list 101 permit ip
access-list 101 deny ip 0.0.0.31
access-list 101 deny ip.0 0.0.0.255 209. 0.0.0.31
access-list 101 permit ip 100.0 0.0.0.255 any
access-list 115 permit ip.100.0 0.0.0.255 0.0.0.31
access-list 115 permit ip.100.0 0.0.0.255 0.0.0.63
access-list 115 deny ip.100.0 0.0.0.255 host.107
access-list 115 deny ip.0 0.0.0.255 host.47
access-list 115 permit ip.0 0.0.0.255 2090.0.0.31
access-list 115 permit ip 192.168.100.0 0.0.0.2550.31
access-list 115 deny ip 192.1.100.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 101
!
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxA
!
no scheduler allocate
end
--------------------------------------------------------------------------------------------------------
Debug results follow:
*Feb 28 19:13:25.479 EST: ISAKMP: local port 500, remote port 500
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing SA payload. message ID = 0
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing ID payload. message ID = 0
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID is XAUTH
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID is DPD
*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload
*Feb 28 19:13:25.487 EST: ISAKMP (0:1): vendor ID is Unity
*Feb 28 19:13:25.487 EST: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
*Feb 28 19:13:25.487 EST: ISAKMP: encryption 3DES-CBC
*Feb 28 19:13:25.487 EST: ISAKMP: hash SHA
*Feb 28 19:13:25.487 EST: ISAKMP: default group 2
*Feb 28 19:13:25.487 EST: ISAKMP: auth XAUTHInitPreShared
*Feb 28 19:13:25.487 EST: ISAKMP: life type in seconds
*Feb 28 19:13:25.487 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Feb 28 19:13:25.491 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Feb 28 19:13:25.491 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Feb 28 19:13:25.491 EST: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
*Feb 28 19:13:25.491 EST: ISAKMP: encryption 3DES-CBC
*Feb 28 19:13:25.491 EST: ISAKMP: hash MD5
*Feb 28 19:13:25.491 EST: ISAKMP: default group 2
*Feb 28 19:13:25.491 EST: ISAKMP: auth XAUTHInitPreShared
*Feb 28 19:13:25.491 EST: ISAKMP: life type in seconds
*Feb 28 19:13:25.491 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Feb 28 19:13:25.495 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Feb 28 19:13:25.495 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Feb 28 19:13:25.495 EST: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
*Feb 28 19:13:25.495 EST: ISAKMP: encryption 3DES-CBC
*Feb 28 19:13:25.495 EST: ISAKMP: hash SHA
*Feb 28 19:13:25.495 EST: ISAKMP: default group 2
*Feb 28 19:13:25.495 EST: ISAKMP: auth pre-share
*Feb 28 19:13:25.495 EST: ISAKMP: life type in seconds
*Feb 28 19:13:25.495 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Feb 28 19:13:25.499 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Feb 28 19:13:25.499 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Feb 28 19:13:25.499 EST: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy
*Feb 28 19:13:25.499 EST: ISAKMP: encryption 3DES-CBC
*Feb 28 19:13:25.499 EST: ISAKMP: hash MD5
*Feb 28 19:13:25.499 EST: ISAKMP: default group 2
*Feb 28 19:13:25.499 EST: ISAKMP: auth pre-share
*Feb 28 19:13:25.499 EST: ISAKMP: life type in seconds
*Feb 28 19:13:25.499 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Feb 28 19:13:25.503 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!
*Feb 28 19:13:25.503 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3
*Feb 28 19:13:25.503 EST: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 1 policy
--------------------------------------------------------------------------------------------------------
Once I applied the changes to the interface my static vpn fell and the configured dynamic vpn did not work.
Is there a limit to the number of crypto maps I can apply to an interface?
The term "atts" - does it apply to client attributes?
Thanks again for the help.
RJ
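IOS binds exactly one crypto map to an interface, so `crypto map clientmap` on Ethernet0 replaced `cm-cryptomap` rather than adding to it, which is why the site-to-site tunnel dropped the moment the change was applied. The usual arrangement is a single crypto map that carries both the static site-to-site entry and the remote-access dynamic template, with the dynamic entry at the highest sequence number so the static peer is matched first. The block below is an added example, not part of the thread or of Cisco's own documentation; it reuses the names from the posted config (`cm-cryptomap`, `cm-transformset-1`, access-list 115, `dynmap`, `destset`, `userauthen`, `groupauthor`, Ethernet0), and `PEER_IP`, `SITE_PSK_PLACEHOLDER`, `GROUP_PSK_PLACEHOLDER` and `DOMAIN_PLACEHOLDER` are placeholders for the values redacted in the post.

```cisco
! Added example (not from the thread): one crypto map on Ethernet0 carrying
! both the existing site-to-site entry and the remote-access dynamic template.
! Placeholders: PEER_IP, SITE_PSK_PLACEHOLDER, GROUP_PSK_PLACEHOLDER, DOMAIN_PLACEHOLDER.
!
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! Phase 1: policy 3 already matches what the Unity client proposes (3DES/SHA/pre-share/group 2).
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Static peer key (unchanged) and the remote-access group; the group's key is its pre-shared key.
crypto isakmp key SITE_PSK_PLACEHOLDER address PEER_IP
crypto isakmp client configuration group vpn
 key GROUP_PSK_PLACEHOLDER
 dns 172.16.1.10
 wins 172.16.1.20
 domain DOMAIN_PLACEHOLDER
 pool ippool
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set destset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set destset
!
! XAUTH, group authorization and mode-config now hang off cm-cryptomap,
! the single map that stays on the interface.
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
!
! Sequence 1: the static site-to-site entry, evaluated first.
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer PEER_IP
 set transform-set cm-transformset-1
 match address 115
!
! Highest sequence number: the dynamic template, evaluated last so the static
! peer never falls into it.
crypto map cm-cryptomap 65535 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 no crypto map clientmap
 crypto map cm-cryptomap
!
! Verification from exec mode:
! show crypto map interface Ethernet0
! show crypto isakmp sa
! show crypto ipsec sa
```

Two points of reading the posted debug, stated here as general IOS behaviour rather than as the thread's conclusion: the `Checking ISAKMP transform N against priority 1 policy ... Encryption algorithm offered does not match policy!` lines are the router walking its ISAKMP policies in priority order, and policy 1 in the posted config has no `encr` line, so it carries the IOS default of DES and rejects every 3DES proposal before the router moves on to policy 3; and `atts` in those lines is short for the attributes of the proposed ISAKMP transform (encryption, hash, group, authentication method, lifetime), not the mode-config attributes pushed to the client. From a defender's stance, the group key is a single secret shared by every client in the group, so keeping XAUTH (`userauthen`) on the map matters: a leaked group key alone then does not complete a tunnel, and the ISAKMP and IPsec SA tables above show which peers actually did.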