Dynamic VPN config

johnrobo123
Level 1

Hello, I would like to know if anyone can give me a quick and dirty explanation of a dynamic vpn config using a pre-shared key. The way I see it I must: 1) set an isakmp policy, 2) set isakmp key and address, 3) set isakmp client config 4) set transfer set, 5) specify dynamic crypto map template, 6) apply config changes to outside interface........

Can someone correct the errors in my methodology?

Many thanks

RJ

4 Replies

jfrahim
Level 5

Hi RJ,

Your approach is the same, but the actual implementation really depends on the VPN platform that you are using. The configuration will be different if you are configuring an IOS router or a PIX Firewall for the client VPN tunnels.

http://www.cisco.com/warp/public/471/ios-unity.html

http://www.cisco.com/warp/public//110/pix3000.html

Jazib

Thanks for the prompt reply. I am attempting this config on a 1720, so an IOS router. I am assuming that, as the first link you provided states, I do not "absolutely" need to name the group as stated in the link, or specify the same password? Ditto for the user "cisco" with password "cisco"?

Also, my router's running config does not contain the directive "aaa authorization network groupauthor local" to use the local database to allow users to access network services. Is this absolutely required?

I can supply my run config for a more detailed analysis.

RJ

RJ,

You are right. You don't have to use the same groupname, group password or even the same username, user password.

As far as aaa authorization is concerned, you have to have that. Make sure that you add "aaa new-model" first, before you add the aaa authorization command.

Hope that helps

Jazib

Thank you for the help. Results of my foray follow.

I added the vpn directives outlined in the first link you sent me but the dynamic vpn did not function and the static vpn we have went down. It seems that we can only apply one cryptomap to an interface.

I am including the cmds I input and debug results.

---------------------------------------------------------------------------------------------------------

These are the cmds (in order) that I entered:

aaa authorization network groupauthor local

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpn

key xxxxxxxxxxxxxxx

dns 172.16.1.10

wins 172.16.1.20

domain xxxxxxxxx

pool ippool

crypto ipsec transform-set destset esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10

set transform-set destset

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

(config-if)# crypto map clientmap

---------------------------------------------------------------------------------------------------------

These I used to determine what was happening after the config was modified:

debug isakmp

debug engine

debug ipsec

---------------------------------------------------------------------------------------------------------

After modifications my run config looked like this:

Cisco1720#

*Feb 28 19:18:30.331 EST: %SYS-5-CONFIG_I: Configured from console by sh run

Building configuration...

Current configuration : 4808 bytes

!

version 12.2

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname Cisco1720

!

boot system flash c1700-k9o3sy7-mz.122-8.T1.bin

boot system flash

logging buffered 16384 notifications

no logging monitor

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

enable secret 5

enable password 7

username mickey password xxxxxxxxxxxxxxxxxx

memory-size iomem 20

clock timezone EST -5

clock summer-time EDT recurring

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

ip name-server xxxxxxxxxxxxxx

ip dhcp excluded-address xxxxxxxxxxxxxxxxxxxxxx

ip dhcp excluded-address xxxxxxxxxxxxxxxxxxxx

!

ip dhcp pool 1

network xxxxxxxxxxxxxxxx

domain-name bellnexxia.net

default-router xxxxxxxxxxxxxxxx

dns-server xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

!

ip inspect audit-trail

ip inspect max-incomplete low 300

ip inspect max-incomplete high 1000

ip inspect one-minute high 600

ip inspect udp idle-time 7200

ip inspect dns-timeout 7

ip inspect tcp idle-time 7200

ip inspect tcp finwait-time 10

ip inspect tcp synwait-time 35

ip inspect tcp max-incomplete host 50 block-time 1

ip inspect name rcmd timeout 15

ip inspect name cuseeme timeout 20

ip inspect name smtp timeout 120

ip inspect name tftp timeout 60

ip inspect name realaudio timeout 120

ip inspect name streamworks timeout 120

ip inspect name tcp timeout 7200

ip inspect name udp timeout 7200

ip audit notify log

ip audit po max-events 100

vpdn-group pppoe

!

!

crypto isakmp policy 1

authentication pre-share

lifetime 300

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxx address xxxxxxxxxxxxx

!

crypto xxxxxxxxxxxxxxxxxx

dns 172.16.1.10

wins 172.16.1.20

domain xxxxxxxxxxx

pool ippool

!

!

crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac

crypto ipsec transform-set destset esp-3des esp-sha-hmac

!

crypto dynamic-map cm-cryptomap 10

set transform-set cm-transformset-1

!

crypto dynamic-map dynmap 10

set transform-set destset

!

!

crypto map cm-cryptomap 1 ipsec-isakmp

set peer xxxxxxxxxxxxxxxxxxxx

set transform-set cm-transformset-1

match address 115

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface Ethernet0

description connected to Internet

ip address xxxxxxxxxxxxxxxxxxxxxxxxxx

ip access-group 125 in

ip mtu 1492

ip nat outside

ip inspect destina out

no ip route-cache

no ip mroute-cache

no keepalive

half-duplex

crypto map clientmap

!

interface FastEthernet0

description connected to EthernetLAN

ip address xxxxxxxxxxxxxxxxxxxxxx0

ip nat inside

ip tcp adjust-mss 1452

speed auto

!

router rip

version 2

network xxxxxxxxxxxx

no auto-summary

!

ip local pool ippool xxxxxxxxxxxxxxxxxxxxx

ip nat inside source route-map nonat interface Ethernet0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxxx

ip route xxxxxxxxxxxxxxxxxxxxxx

ip route xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

no ip http server

ip pim bidir-enable

!

!

logging .5

access-list 1 permit.0.0.255

access-list 101 deny ip

access-list 101 deny ip

access-list 101 permit ip \

access-list 101 permit ip

access-list 101 deny ip 0.0.0.31

access-list 101 deny ip.0 0.0.0.255 209. 0.0.0.31

access-list 101 permit ip 100.0 0.0.0.255 any

access-list 115 permit ip.100.0 0.0.0.255 0.0.0.31

access-list 115 permit ip.100.0 0.0.0.255 0.0.0.63

access-list 115 deny ip.100.0 0.0.0.255 host.107

access-list 115 deny ip.0 0.0.0.255 host.47

access-list 115 permit ip.0 0.0.0.255 2090.0.0.31

access-list 115 permit ip 192.168.100.0 0.0.0.2550.31

access-list 115 deny ip 192.1.100.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 101

!

snmp-server community public RO

!

line con 0

exec-timeout 0 0

password 7

line aux 0

line vty 0 4

exec-timeout 30 0

password 7 xxxxxxxxxxxxxxA

!

no scheduler allocate

end

--------------------------------------------------------------------------------------------------------

Debug results follow:

*Feb 28 19:13:25.479 EST: ISAKMP: local port 500, remote port 500

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing SA payload. message ID = 0

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing ID payload. message ID = 0

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID seems Unity/DPD but bad major

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID is XAUTH

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): vendor ID is DPD

*Feb 28 19:13:25.483 EST: ISAKMP (0:1): processing vendor id payload

*Feb 28 19:13:25.487 EST: ISAKMP (0:1): vendor ID is Unity

*Feb 28 19:13:25.487 EST: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy

*Feb 28 19:13:25.487 EST: ISAKMP: encryption 3DES-CBC

*Feb 28 19:13:25.487 EST: ISAKMP: hash SHA

*Feb 28 19:13:25.487 EST: ISAKMP: default group 2

*Feb 28 19:13:25.487 EST: ISAKMP: auth XAUTHInitPreShared

*Feb 28 19:13:25.487 EST: ISAKMP: life type in seconds

*Feb 28 19:13:25.487 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Feb 28 19:13:25.491 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!

*Feb 28 19:13:25.491 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3

*Feb 28 19:13:25.491 EST: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy

*Feb 28 19:13:25.491 EST: ISAKMP: encryption 3DES-CBC

*Feb 28 19:13:25.491 EST: ISAKMP: hash MD5

*Feb 28 19:13:25.491 EST: ISAKMP: default group 2

*Feb 28 19:13:25.491 EST: ISAKMP: auth XAUTHInitPreShared

*Feb 28 19:13:25.491 EST: ISAKMP: life type in seconds

*Feb 28 19:13:25.491 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Feb 28 19:13:25.495 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!

*Feb 28 19:13:25.495 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3

*Feb 28 19:13:25.495 EST: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy

*Feb 28 19:13:25.495 EST: ISAKMP: encryption 3DES-CBC

*Feb 28 19:13:25.495 EST: ISAKMP: hash SHA

*Feb 28 19:13:25.495 EST: ISAKMP: default group 2

*Feb 28 19:13:25.495 EST: ISAKMP: auth pre-share

*Feb 28 19:13:25.495 EST: ISAKMP: life type in seconds

*Feb 28 19:13:25.495 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Feb 28 19:13:25.499 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!

*Feb 28 19:13:25.499 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3

*Feb 28 19:13:25.499 EST: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 1 policy

*Feb 28 19:13:25.499 EST: ISAKMP: encryption 3DES-CBC

*Feb 28 19:13:25.499 EST: ISAKMP: hash MD5

*Feb 28 19:13:25.499 EST: ISAKMP: default group 2

*Feb 28 19:13:25.499 EST: ISAKMP: auth pre-share

*Feb 28 19:13:25.499 EST: ISAKMP: life type in seconds

*Feb 28 19:13:25.499 EST: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Feb 28 19:13:25.503 EST: ISAKMP (0:1): Encryption algorithm offered does not match policy!

*Feb 28 19:13:25.503 EST: ISAKMP (0:1): atts are not acceptable. Next payload is 3

*Feb 28 19:13:25.503 EST: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 1 policy

--------------------------------------------------------------------------------------------------------

Once I applied the changes to the interface my static vpn fell and the configured dynamic vpn did not work.

Is there a limit to the number of crypto maps I can apply to an interface?

The term "atts" - does it apply to client attributes?

Thanks again for the help.

RJ
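Two points in the post above can be checked offline rather than read off the router. First, "atts" in the debug output are the ISAKMP attributes of each transform the client proposes (encryption, hash, DH group, authentication, lifetime); IOS tests every proposed transform against each configured "crypto isakmp policy" in ascending priority order, filling in IOS defaults for attributes a policy does not set (encr des, hash sha, authentication rsa-sig, group 1). Policy 1 in the posted config sets no encryption, so it is DES by default and every 3DES proposal fails there; the excerpt ends while priority 1 is still being tested, before policy 3 (3des, sha, group 2, pre-share) gets its turn. Second, an interface carries one crypto map set, which is why applying "clientmap" displaced "cm-cryptomap" and took the static tunnel down. The following script is an added example, not code from the thread or from Cisco: it parses constructed config and debug text modelled on the thread, reproduces the policy comparison, and lists crypto map names that are defined but applied to no interface. It assumes the IOS defaults above and treats a proposal's XAUTHInitPreShared authentication as satisfying "authentication pre-share".

```python
"""Added example (not from the original thread or from Cisco): an offline
checker for RJ's ISAKMP mismatch and for crypto maps that are never applied.
Assumptions: IOS default policy attributes are encr des, hash sha,
authentication rsa-sig, group 1; XAUTHInitPreShared in a proposal counts as
pre-share.  CONFIG and DEBUG are constructed to mirror the thread."""
import re

IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}
# Debug-output vocabulary -> config vocabulary (our own mapping, an assumption).
DEBUG_ENCR = {"DES-CBC": "des", "3DES-CBC": "3des"}
DEBUG_AUTH = {"pre-share": "pre-share", "XAUTHInitPreShared": "pre-share"}

CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 lifetime 300
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set transform-set cm-transformset-1
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 crypto map clientmap
"""

DEBUG = """\
ISAKMP (0:1): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth XAUTHInitPreShared
ISAKMP (0:1): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
"""

def parse_policies(config):
    """{priority: attributes} for each 'crypto isakmp policy', defaults applied."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
        elif not raw.startswith(" "):   # '!' or any other top-level line ends the block
            current = None
        elif current is not None:
            m = re.match(r"(encr|hash|authentication|group) (\S+)$", line)
            if m:                        # lifetime is negotiated, not matched, so skipped
                key = "auth" if m.group(1) == "authentication" else m.group(1)
                policies[current][key] = m.group(2)
    return policies

def parse_transforms(debug):
    """One dict per 'Checking ISAKMP transform N' block in the debug output."""
    transforms = []
    for line in debug.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+)", line)
        if m:
            transforms.append({"num": int(m.group(1))})
        elif transforms:
            m = re.match(r"ISAKMP: (?:default )?(encryption|hash|group|auth) (.+)$", line)
            if m:
                attr, value = m.group(1), m.group(2).strip()
                table = {"encryption": DEBUG_ENCR, "auth": DEBUG_AUTH}.get(attr, {})
                key = "encr" if attr == "encryption" else attr
                transforms[-1][key] = table.get(value, value.lower())
    return transforms

def mismatches(policy, transform):
    """Attributes on which a policy rejects a transform (empty list means a match)."""
    return [k for k in ("encr", "hash", "group", "auth") if policy[k] != transform.get(k)]

def match_proposals(policies, transforms):
    """Lowest-numbered policy accepting each transform, or None if none does."""
    return {t["num"]: next((p for p in sorted(policies) if not mismatches(policies[p], t)), None)
            for t in transforms}

def unapplied_crypto_maps(config):
    """Crypto map names defined but applied to no interface: an interface holds
    one crypto map set, so static and dynamic entries must share one name."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", config, re.M))
    applied = set(re.findall(r"^ +crypto map (\S+)$", config, re.M))
    return sorted(defined - applied)

if __name__ == "__main__":
    pols = parse_policies(CONFIG)
    for t in parse_transforms(DEBUG):
        print(f"transform {t['num']}: policy 1 rejects on {mismatches(pols[1], t)}, "
              f"first accepting policy: {match_proposals(pols, [t])[t['num']]}")
    print("defined but never applied:", unapplied_crypto_maps(CONFIG))
```

Run it with python3 and it reports that policy 1 rejects both transforms on encryption and DH group (the two attributes it inherits from the defaults), that transform 3 is accepted by policy 3, and that cm-cryptomap is defined but no longer applied anywhere. On the router, "show crypto isakmp policy" prints every policy with the defaults filled in, which is the quickest way to see what the debug message is comparing against.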