07-31-2002 04:24 AM - edited 02-21-2020 11:58 AM
Hello VPN Gurus!
I have configured a VPN client 1.1 to a PIX 6.1 gateway to authenticate with Xauth.
When I start the connection, IKE phase one is done but not IKE phase 2.
When I test this with the 3000 Client, adding the group config on the PIX, all works!
But my customer does not need to use the 3000 Client.
Can you help me to solve this problem?
The config looks like this:
access-list nonatraz permit ip host 193.96.2.114 10.70.254.0 255.255.255.0
ip local pool mypool 10.62.0.1-10.62.63.254
nat (raz) 0 access-list nonatraz
aaa-server TACACS+ protocol tacacs+
aaa-server SCGACS protocol tacacs+
aaa-server SCGACS (raz) host 10.70.254.2 hallo timeout 5
crypto ipsec transform-set dvag_set esp-3des esp-md5-hmac
crypto dynamic-map mydynmap 10 set transform-set dvag_set
crypto map vpnpeer 20 ipsec-isakmp dynamic mydynmap
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer client authentication SCGACS
crypto map vpnpeer interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local mypool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 3600
Best regards!
07-31-2002 10:56 PM
Config looks ok. Check the key:
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
Sometimes by mistake, if you press ENTER after the address 0.0.0.0, the netmask defaults to 255.255.255.255, which causes the problem.
Furthermore, see the following sample config to check further:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/config/basclnt.htm#xtocid20
Turn on the debugs: where exactly does it fail, and what are the error messages?
HTH
R/Yusuf
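The netmask pitfall described in the reply above, as an added example that is not part of the original thread: a Python check that scans a PIX config for `isakmp key` lines whose wildcard address ends up with a host netmask. It assumes the line format quoted in the reply and the 255.255.255.255 default stated there; `check_isakmp_keys` and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Matches the pre-shared key line in the form quoted in the reply above;
# the netmask clause is optional.
KEY_RE = re.compile(
    r"^isakmp\s+key\s+(?P<key>\S+)\s+address\s+(?P<addr>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?\s*$"
)
DEFAULT_MASK = "255.255.255.255"  # assumed default when netmask is omitted, per the reply


def check_isakmp_keys(config_text):
    """Return (line_no, peer_network, problem) per isakmp key line; problem is None if ok."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        m = KEY_RE.match(raw.strip())
        if not m:
            continue
        mask = m.group("mask") or DEFAULT_MASK
        try:
            net = ipaddress.ip_network(f"{m.group('addr')}/{mask}", strict=False)
        except ValueError:
            findings.append((line_no, None, "unparseable address or netmask"))
            continue
        problem = None
        if m.group("addr") == "0.0.0.0" and net.prefixlen != 0:
            # Wildcard address with a non-zero mask: the key no longer
            # applies to arbitrary client addresses.
            problem = "wildcard address with non-zero netmask"
        findings.append((line_no, str(net), problem))
    return findings


# Constructed sample config: the first key line has the omitted netmask.
SAMPLE = """\
isakmp enable outside
isakmp key cisco123 address 0.0.0.0
isakmp key cisco123 address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
"""

if __name__ == "__main__":
    for line_no, net, problem in check_isakmp_keys(SAMPLE):
        print(line_no, net, problem or "ok")
```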
07-31-2002 11:25 PM
Thanks Yu,
All works now. The next problem is to make the ACS server assign the client IP address. Which command on the PIX replaces the "ip local pool mypool 10.62.0.1-10.62.63.254" and "isakmp client configuration address-pool local mypool outside" in this case?
I see in the ACS book how to configure the pool, but what about the PIX? Which command could I use on the PIX to forward the client IP address request to the ACS server?
Thanks for any help
Alain