IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

Hello, I have the following problem:

I need different tunnels on one router and different VPN Clients.

Working with one cryptomap does not work. With 2 cryptomaps I can use one or the other, not both at the same time. Interface Serial0 takes only one cryptomap.

I also tried to make a dummy loopback interface for the second map, but no connection in any tests. I also tried disabling all firewalls while testing.

Existing: Cisco 1750 IPSec 3DES + VPN-Module

Connection to Internet Serial 0 NAT

New IOS Release 12.2.8(T) 3DES

Existing 7 Tunnels to other IOSes 17xx + 26xx +

NAT/PAT My whole net to one IP to customer side

Existing VPN Clients 1.1 with Windows NT works also on same Cryptomap

NEW:

But now in addition I need VPN Client 3.5.x and Windows 2000.

But here I have a different way to define it.

crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto isakmp client configuration group xxxx

and so on ..... (like the example in the Cisco samples)

Do I have a way to combine all those?

Thanks Robert

5 REPLIES

Re: IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

Hi Robert

The details are a little vague, so if possible maybe you could post some excerpts from your config.

What I will say is that in even the most unusual VPN configurations, including using both different VPN clients, different policies, and different transform-sets, one crypto map is sufficient. I have never seen an instance of two crypto maps that could not be combined into one.

Of course I haven't seen everything, so post your crypto maps and we can take a look.

Re: IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

Thanks, here are the dependent statements of my config:

I removed the VPN dynamic map for VPN Client 1.1 because I can install the 3.5 client there anyway.

*******here the running config *****

!
crypto isakmp enable
crypto isakmp identity address
!
crypto isakmp policy 5
 encryption des
 hash md5
 authentication pre-share
 group 1
!
crypto isakmp key *************** address x.x.x.x
crypto isakmp key *************** address y.y.y.y
!->>> and 5 more
!
crypto ipsec transform-set cm-transformset ah-md5-hmac esp-des esp-md5-hmac
!
crypto map cm-cryptomap local-address Serial0
!
crypto map cm-cryptomap 5 ipsec-isakmp
 match address 105
 set peer x.y.z.z.
 set transform-set cm-transformset
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 4608000
!
crypto map cm-cryptomap 6 ipsec-isakmp
!->>> and 5 more
!
interface FastEthernet0
 no shutdown
 ip address 192.168.123.254 255.255.255.0
 ......
!
interface Serial0
 ip address 212.x.y.z 255.255.255.252
 ip nat outside
 crypto map cm-cryptomap
 ......
!

********************************

In addition, for the VPN 3.5.x I tried:

********************************

aaa new-model
aaa authentication login my-useraut local
aaa authorization network my-groupaut local
!
username **** password 0 ****
!
crypto isakmp policy 2
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
ip local pool vpn-dial-pool 192.168.124.1 192.168.124.254
!
crypto isakmp client configuration group *****
 key ****
 pool vpn-dial-pool
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
!
crypto dynamic-map vpn-dynamic 15
 set transform-set vpn-transform
!
crypto map cm-cryptomap client authentication list my-useraut
crypto map cm-cryptomap isakmp authorization list my-groupaut
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 15 ipsec-isakmp dynamic vpn-dynamic
!

*****************

When I add "crypto map cm-cryptomap isakmp authorization list my-groupaut" and the client keywords to my "cm-cryptomap", the other tunnels do not work anymore. Only the Client 3.5 works.

So if you see any choice, please let me know. Robert

Re: IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

At the moment, I have no solution, so I am trying to renew my question.

Thanks for any help

Robert

Re: IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

I just got over the same issue. Search Cisco.com for a doc entitled "Ability to Disable Extended Authentication for Static IPSec Peers".

Re: IOS to IOS and VPN Client 3.5.1C and 1.1 + NAT/PAT/Firewall

Thanks

"crypto isakmp key MyKey address x.y.x.y no-xauth"

works.

Robert
