
IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

Robert_Berger
Level 1

Hello, I have the following problem:

I need different tunnels on one router and different VPN Clients.

Working with one crypto map does not work. With 2 crypto maps I can use one or the other, not both at the same time. Interface Serial0 takes only one crypto map.

I also tried to make a dummy loopback interface for the second map, but no connection in any tests. I also tried disabling all firewalls while testing.

Existing: Cisco 1750 IPSec 3DES + VPN-Module

Connection to Internet Serial 0 NAT

New IOS Release 12.2.8(T) 3DES

Existing 7 Tunnels to other IOSes 17xx + 26xx +

NAT/PAT My whole net to one IP to customer side

Existing VPN Clients 1.1 with Windows NT works also on same Cryptomap

NEW:

But now in addition I need VPN Client 3.5.x and Windows 2000.

But here I have a different way to define it.

crypto map cm-cryptomap client authentication list my-useraut

crypto map cm-cryptomap isakmp authorization list my-groupaut

crypto isakmp client configuration group xxxx

and so on ..... (like the example in the Cisco samples)

Do I have a way to combine all those?

Thanks Robert


brad
Level 1

Hi Robert

The details are a little vague, so if possible maybe you could post some excerpts from your config.

What I will say is that in even the most unusual VPN configurations, including using both VPN clients, different policies, and different transform-sets, one crypto map is sufficient. I have never seen an instance of two crypto maps that could not be combined into one.

Of course I haven't seen everything, so post your crypto maps and we can take a look.

Thanks, here are the dependent statements of my config:

I removed the VPN dynamic map for VPN Client 1.1 because I can install the 3.5 client there anyway.

*******here the running config *****

!

crypto isakmp enable

crypto isakmp identity address

!

crypto isakmp policy 5

encryption des

hash md5

authentication pre-share

group 1

!

crypto isakmp key *************** address x.x.x.x

crypto isakmp key *************** address y.y.y.y

!->>> and 5 more

!

crypto ipsec transform-set cm-transformset ah-md5-hmac esp-des esp-md5-hmac

!

crypto map cm-cryptomap local-address Serial0

!

crypto map cm-cryptomap 5 ipsec-isakmp

match address 105

set peer x.y.z.z.

set transform-set cm-transformset

set security-association lifetime seconds 3600

set security-association lifetime kilobytes 4608000

!

crypto map cm-cryptomap 6 ipsec-isakmp

!->>> and 5 more

!

interface FastEthernet0

no shutdown

ip address 192.168.123.254 255.255.255.0

......

!

interface Serial0

ip address 212.x.y.z 255.255.255.252

ip nat outside

crypto map cm-cryptomap

......

!

********************************

In addition, for VPN 3.5.x I tried

********************************

aaa new-model

aaa authentication login my-useraut local

aaa authorization network my-groupaut local

!

username **** password 0 ****

!

crypto isakmp policy 2

encr 3des

hash sha

authentication pre-share

group 2

!

ip local pool vpn-dial-pool 192.168.124.1 192.168.124.254

!

crypto isakmp client configuration group *****

key ****

pool vpn-dial-pool

!

crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac

!

crypto dynamic-map vpn-dynamic 15

set transform-set vpn-transform

!

crypto map cm-cryptomap client authentication list my-useraut

crypto map cm-cryptomap isakmp authorization list my-groupaut

crypto map cm-cryptomap client configuration address respond

crypto map cm-cryptomap 15 ipsec-isakmp dynamic vpn-dynamic

!

*****************

When I add "crypto map cm-cryptomap isakmp authorization list my-groupaut" and the client keywords to my "cm-cryptomap", the other tunnels do not work anymore. Only the Client 3.5 works.

So if you see any choice, please let me know. Robert

Robert_Berger
Level 1

At the moment, I have no solution. So I am trying to renew my question.

Thanks for any help

Robert

I just got over the same issue. Search Cisco.com for a doc entitled "Ability to Disable Extended Authentication for Static IPSec Peers".

Thanks

"crypto isakmp key MyKey address x.y.x.y no-xauth"

works.

Robert
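
The fix the thread arrives at can be checked mechanically. The following is an added example, not part of the original posts and not Cisco code: it scans a running config for static peers on a crypto map that has a `client authentication list` and reports those whose `crypto isakmp key` line lacks `no-xauth`. The function name, the documentation-range addresses and the placeholder keys are assumptions, and the config is expected in `show running-config` layout with sub-mode lines indented.

```python
import re

# Constructed sample config (documentation addresses, placeholder keys).
SAMPLE_CONFIG = """\
crypto isakmp key PLACEHOLDER1 address 192.0.2.10 no-xauth
crypto isakmp key PLACEHOLDER2 address 198.51.100.20
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto map cm-cryptomap 5 ipsec-isakmp
 set peer 192.0.2.10
 match address 105
crypto map cm-cryptomap 6 ipsec-isakmp
 set peer 198.51.100.20
 match address 106
crypto map cm-cryptomap 15 ipsec-isakmp dynamic vpn-dynamic
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\s*$")
PEER_RE = re.compile(r"^\s+set peer (\S+)")

def peers_missing_no_xauth(config):
    """Return sorted (map, peer) pairs: static peers of an Xauth-enabled
    crypto map whose pre-shared key line lacks the no-xauth keyword."""
    xauth_maps, exempt, static_peers = set(), set(), []
    current = None  # crypto map whose static entry we are inside
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line ends the entry sub-mode
        if m := KEY_RE.match(line):
            if "no-xauth" in m.group(2).split():
                exempt.add(m.group(1))
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
        elif m := ENTRY_RE.match(line):
            current = m.group(1)
        elif (m := PEER_RE.match(line)) and current:
            static_peers.append((current, m.group(1)))
    return sorted((name, peer) for name, peer in static_peers
                  if name in xauth_maps and peer not in exempt)

if __name__ == "__main__":
    for name, peer in peers_missing_no_xauth(SAMPLE_CONFIG):
        print(f"{name}: peer {peer} has no no-xauth on its isakmp key")
```

Dynamic-map entries are skipped on purpose, since the VPN Client 3.5 users are the ones who should still be asked for Xauth credentials.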
