Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Problems with IPSec termination on Cisco836

Hello I built a VPN with a Cisco836 router as concentrator for two direct IPSec connection with fixed addresse, one IPSec connection from a dynamic address and one IPSec connection from a Cisco VPN Client. All connection should work over a PKI infrastrucure with x509 certificates.

With the configuration below all IPSec connections work fine only the VPNClient connection does not work. If I configure the access-list 101 with permit ip any any then all IPSec connection work but only over the VPNClient profile and not over their own profile and access-list????!!!!

If I configure additional XAUTH for VPNClient connection then the also the other IPSec connection want to authenticate by XAUTH???!!!

Is anybody there who can say me the mistake of these configuration below?

Configuration of Cisco836 as VPN concentrator:

!C836-K9O3S8Y6-M, Version 12.3(2)XA

!

username xxxxxxx password xxxxxxxx

aaa new-model

aaa authentication login ClientAuth local

aaa authorization network ClientAuth local

aaa session-id common

!

crypto isakmp policy 10

encr 3des

hash md5

group 2

!

crypto isakmp policy 40

encr 3des

group 2

crypto isakmp identity dn

crypto isakmp keepalive 10 3

!

crypto isakmp client configuration group xxxxxxxx

pool vpnpool

!

!

crypto ipsec transform-set 3desMD5 esp-3des esp-md5-hmac

!

crypto dynamic-map ISPpeers 30

set transform-set 3desMD5

match address 122

!

crypto dynamic-map VPNClients 40

set transform-set 3desMD5

match address 101

!

!crypto map zentrale client authentication list ClientAuth

crypto map zentrale isakmp authorization list ClientAuth

crypto map zentrale client configuration address respond

!

crypto map zentrale 10 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set 3desMD5

match address 120

!

crypto map zentrale 20 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set 3desMD5

match address 121

!

crypto map zentrale 30 ipsec-isakmp dynamic ISPpeers

crypto map zentrale 40 ipsec-isakmp dynamic VPNClients

!

interface Dialer1

ip address negotiated

ip mtu 1300

ip nat outside

encapsulation ppp

no ip route-cache

no ip mroute-cache

dialer pool 1

dialer remote-name dsl

dialer-group 1

ppp authentication chap callin

ppp chap hostname xxxxxxx

ppp chap password xxxxxxxx

crypto map zentrale

!

ip local pool vpnpool 172.31.1.1 172.31.1.10

!

access-list 101 permit ip 10.110.10.0 0.0.0.255 172.31.1.0 0.0.0.255

!

access-list 120 permit ip host 172.25.128.3 host 172.25.1.1

!

access-list 121 permit ip host 172.29.128.3 host 172.29.1.1

!

access-list 122 permit ip 10.110.10.0 0.0.0.255 10.120.10.0 0.0.0.255

1 REPLY
Cisco Employee

Re: Problems with IPSec termination on Cisco836

If you have both dynamic and fixed tunnels terminating on a hub router, with both VPn clients and L2L tunnels terminating, you need to use ISAKMP Profiles to separate the two.

There's a sample config here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml

in which there is a IOS hub router (your 836), a PIX w spoke with a L2L config, a PIX set up as an EzVPN client (dynamic IP address), and a VPN client configuration, similar to what you have set up.

Create an ISAKMP Profile for each tunnel type, and use the "match identity" command under these to map the specific remote tunnel attributes.

For example, you can do a "match identity address x.x.x.x" for your LAN-to-LAN tunnel because you know the address it will be coming from.

Use a "match identity group " for your VPN clients, where is the group name configured in the VPN client profile. Under that profile you can then add your "isakmp client authen/author" type commands.

Define a similar ISAKMP Profile with another "match identity group " where is the group name configured on the remote IPSec device with a dynamic IP address.

Then you just define a crypto map as normal, and map it to two instances of a dynamic crypto map, both pointing to your two "match identity group ..." ISAKMP Profiles. The router will pick the best match, assign it to teh most specific ISAKMP Profile and take all the tunnel's attributes from that.

199
Views
0
Helpful
1
Replies
CreatePlease login to create content