Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

IPSEC Tunnel Prob

Hello VPN Gurus!

ich have configured a VPN client 1.1 to PIX 6.1 Gateway to Authenticate with Xauth.

wenn I start the connection the IKE Pase one is done but no Ike phase 2

wenn i test this with the 3000 Client with adding on the Pix the Group config all works!

But my customer do not need to use the 3000 Client

cann you help mee to solve this Prob?

the config looks like this

access-list nonatraz permit ip host

ip local pool mypool

nat (raz) 0 access-list nonatraz

aaa-server TACACS+ protocol tacacs+

aaa-server SCGACS protocol tacacs+

aaa-server SCGACS (raz) host hallo timeout 5

crypto ipsec transform-set dvag_set esp-3des esp-md5-hmac

crypto dynamic-map mydynmap 10 set transform-set dvag_set

crypto map vpnpeer 20 ipsec-isakmp dynamic mydynmap

crypto map vpnpeer client configuration address initiate

crypto map vpnpeer client authentication SCGACS

crypto map vpnpeer interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local mypool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 3600

best regards !

Cisco Employee

Re: IPSEC Tunnel Prob

Config looks ok. Check the key

isakmp key cisco123 address netmask

sometimes by mistake, if you press ENTER after the address, the netmask defaults to which causes the problem.

Furthermore, see following sample config to check futher;

Turn on the debugs, where does it exactly fail, what are the error messages.



New Member

Re: IPSEC Tunnel Prob

thanks Yu,

all works now, the next prob is to make ACS Server Assigning Client IP Address. wich command on the Pix remplace the "ip local pool mypool " and "isakmp client configuration address-pool local mypool outside " in this case ?

I see on the ACS bokk how to configure the Pool. but what is about the pix ? wich command could i use on the pix to forward the client ip adress request on the ACS server.

thanks for any help


CreatePlease to create content