297
Views
0
Helpful
1
Replies

VPN Client 3.x and IOS what is going on?

adushey
Level 1

Is it just me or is it a nightmare configuring this with any type of standard configuration? Cisco, you have samples on your web site but those aren't real world configs! Most VPN customers use NAT + FW + site-to-site VPN + client VPN. Yet try to configure this with the 3.x client and I have had nothing but problems. Has anyone got this running with an explanation of how/why it works? I'm getting different answers from even the TAC. Some say with NAT you need a policy route, one for dynamic and one for statics, then on the firewall side you have to punch a hole for the pool of IPs you assign the VPN clients. I've tried this all but am having very buggy results. I tried IOS 12.2.11T and couldn't ping. I then downgraded to 12.2.8T and I could ping but things were real flaky. That was with the FW and site-to-site VPN removed. Since you have authentication on that web ios-unity web link, how does that work with site-to-site VPN? I have 3 customers waiting on this who aren't very happy at this point. Or if you could tell me it's not mature at this point and to downgrade then fine, I'd rather eat it now than later. Thanks in advance for any help....

1 Reply

adushey
Level 1

Ok, I haven't tried this yet but it is looking more promising. For your future reference, this is what I've gotten from the TAC. I still haven't heard about the 12.2.11T issue so I'm sticking with 12.2.8T5. Let me know if you all get any more information.

> This side will accept connections from another router (having a static address) and 3.x clients. It performs PAT for Internet traffic and static NAT for one server. It bypasses PAT and NAT for tunnel traffic. CBAC (IOS Firewall) provides security.
>
> aaa new-model
> !
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
> !
> username cisco password 0 cisco
> !
> ip inspect name user_traffic tcp
> ip inspect name user_traffic udp
> ip inspect name user_traffic ftp
> ip inspect name user_traffic h323
> ip inspect name user_traffic realaudio
> !
> crypto isakmp policy 1
>  authentication pre-share
>  hash md5
> !
> crypto isakmp policy 2
>  authentication pre-share
>  hash md5
>  group 2
> !
> crypto isakmp key cisco123 address 99.99.99.2
> !
> crypto isakmp client configuration group mygroup
>  key cisc0cisc0
>  pool client-pool
>  acl 120
> !
> crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> !
> crypto dynamic-map unity_clients 1
>  set transform-set rtpset
> !
> crypto map rtp client authentication list userauthen
> crypto map rtp isakmp authorization list groupauthor
> crypto map rtp client configuration address respond
> !
> crypto map rtp 10 ipsec-isakmp
>  set peer 99.99.99.2
>  set transform-set rtpset
>  match address 115
> crypto map rtp 999 ipsec-isakmp dynamic unity_clients
> !
> interface Loopback1
>  ip address 172.16.1.1 255.255.255.0
> !
> interface Ethernet0
>  ip address 10.103.1.75 255.255.255.0
>  no ip directed-broadcast
>  ip nat inside
>  ! The next line is not in the TAC text as posted and is added here as the assumed missing
>  ! piece: route-map nostat is defined below but never applied, and without it the
>  ! static-NAT host's tunnel-bound traffic is still translated.
>  ip policy route-map nostat
> !
> interface Serial0
>  ip address 95.95.95.2 255.255.255.0
>  no ip directed-broadcast
>  ip inspect user_traffic out
>  ip access-group 150 in
>  ip nat outside
>  no ip route-cache
>  no ip mroute-cache
>  crypto map rtp
> !
> ip local pool client-pool 192.168.254.1 192.168.254.123
> ip nat inside source route-map nopat interface Serial0 overload
> ! 'tcp' keyword added: port-based static NAT requires a protocol (SMTP, tcp/25)
> ip nat inside source static tcp 10.103.1.15 25 95.95.95.48 25 extendable
> ip classless
> ip route 0.0.0.0 0.0.0.0 95.95.95.1
> no ip http server
> !
> ! ACL 110: what route-map nopat may PAT; tunnel destinations are denied so they keep their source address
> access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
> access-list 110 deny ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
> access-list 110 permit ip 10.103.1.0 0.0.0.255 any
> ! ACL 115: site-to-site crypto ACL
> access-list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
> ! ACL 120: split-tunnel ACL for the VPN client group
> access-list 120 permit ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
> ! ACL 125: tunnel traffic that must bypass the static NAT (used by route-map nostat)
> access-list 125 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
> access-list 125 permit ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
> !
> ! ACL 150: inbound on the outside interface; CBAC opens return holes for outbound sessions
> access-list 150 permit udp any host 95.95.95.2 eq 500
> access-list 150 permit esp any host 95.95.95.2
> access-list 150 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
> access-list 150 permit ip 192.168.254.0 0.0.0.255 10.103.1.0 0.0.0.255
> access-list 150 permit tcp any host 95.95.95.48 eq 25
> !
> route-map nopat permit 10
>  match ip address 110
> !
> route-map nostat permit 10
>  match ip address 125
>  set ip next-hop 172.16.1.2
>
> ----------------------------------------------------
> This side will only connect with the router above.
>
> ip inspect name user_traffic tcp
> ip inspect name user_traffic udp
> ip inspect name user_traffic ftp
> ip inspect name user_traffic h323
> ip inspect name user_traffic realaudio
> !
> crypto isakmp policy 1
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco123 address 95.95.95.2
> !
> crypto ipsec transform-set rtpset esp-des esp-md5-hmac
> !
> crypto map rtp 1 ipsec-isakmp
>  set peer 95.95.95.2
>  set transform-set rtpset
>  match address 115
> !
> interface Ethernet0
>  ip address 10.50.50.50 255.255.255.0
>  no ip directed-broadcast
>  ip nat inside
>  no mop enabled
> !
> interface Ethernet1
>  ip address 99.99.99.2 255.255.255.0
>  no ip directed-broadcast
>  ip inspect user_traffic out
>  ip access-group 150 in
>  ip nat outside
>  no ip route-cache
>  no ip mroute-cache
>  crypto map rtp
> !
> ip nat inside source route-map nonat interface Ethernet1 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 99.99.99.1
> no ip http server
> !
> access-list 110 deny ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
> access-list 110 permit ip 10.50.50.0 0.0.0.255 any
> access-list 115 permit ip 10.50.50.0 0.0.0.255 10.103.1.0 0.0.0.255
> access-list 150 permit udp host 95.95.95.2 host 99.99.99.2 eq 500
> access-list 150 permit esp host 95.95.95.2 host 99.99.99.2
> ! keyword order fixed: 'ip' comes before the source network
> access-list 150 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
> !
> route-map nonat permit 10
>  match ip address 110
> !
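The reason the TAC config works at all is the interaction between ACL 110 (what route-map nopat is allowed to PAT), the crypto and split-tunnel ACLs 115 and 120, and the nostat policy route with ACL 125 for the port-static host: if a packet is translated before the crypto map sees it, it no longer matches the crypto ACL and goes out in the clear. The script below is an added example, not part of the original post or the TAC configuration, that lints exactly that: it parses the hub router's ACLs (copied from the post), checks that every crypto ACL permit is fully covered by an earlier deny in ACL 110 using IOS first-match semantics, and models the NAT order of operations (policy route first, then static NAT, then the dynamic route-map) for a few constructed flows. The static NAT entry and the assumption that policy-routed packets reach the loopback untranslated are taken from the quoted config; BROKEN_ACL_TEXT and the sample flows are constructed.

```python
"""Lint the NAT-exemption logic of the hub router config quoted above.

Added example, not from the original post or the TAC configuration. It
models two IOS behaviours the thread hinges on: access lists are evaluated
first match wins, and a packet translated by NAT before the crypto map sees
it will not match the crypto ACL. ACL_TEXT is copied from the hub config in
the post; BROKEN_ACL_TEXT and the flows below are constructed.
"""
import ipaddress
import re

ACL_TEXT = """
access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access-list 110 deny ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 110 permit ip 10.103.1.0 0.0.0.255 any
access-list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access-list 120 permit ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 125 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
access-list 125 permit ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255
"""
# Constructed misconfiguration: the deny for the client pool is missing from ACL 110.
BROKEN_ACL_TEXT = ACL_TEXT.replace(
    "access-list 110 deny ip 10.103.1.0 0.0.0.255 192.168.254.0 0.0.0.255\n", "")

ANY = ipaddress.ip_network("0.0.0.0/0")
# Port-based static NAT from the post: 10.103.1.15 tcp/25 -> 95.95.95.48 tcp/25
STATIC_NAT = {("10.103.1.15", "tcp", 25)}


def _net(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 means /24.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in text.strip().splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) ip (.+)", line.strip())
        if not m:  # only plain 'ip' entries matter for NAT exemption and crypto ACLs
            continue
        src, rest = _net(m.group(3).split())
        dst, _ = _net(rest)
        acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def first_match(entries, src, dst):
    """IOS ACL semantics: the first entry containing both src and dst wins; implicit deny."""
    for action, esrc, edst in entries:
        if src.subnet_of(esrc) and dst.subnet_of(edst):
            return action
    return "deny"


def uncovered_crypto_entries(acls, crypto_acl, nat_acl):
    """Crypto ACL permits that the NAT route-map ACL would PAT instead of denying first.

    Traffic PAT'd to the outside address no longer matches the crypto ACL, so
    every crypto permit must be fully covered by an earlier deny in nat_acl.
    """
    return [(str(src), str(dst)) for action, src, dst in acls[crypto_acl]
            if action == "permit" and first_match(acls[nat_acl], src, dst) == "permit"]


def nat_action(acls, src_ip, dst_ip, proto, dport, policy_acl=None):
    """Decide the fate of one inside->outside flow on the hub.

    Order modelled: a policy route (route-map nostat, ACL 125) diverts the packet
    to the loopback next-hop so it is not translated; otherwise static (port) NAT
    takes precedence over the dynamic route-map; otherwise route-map nopat
    (ACL 110) decides between PAT and bypass.
    """
    src = ipaddress.ip_network(src_ip + "/32")
    dst = ipaddress.ip_network(dst_ip + "/32")
    if policy_acl and first_match(acls[policy_acl], src, dst) == "permit":
        return "bypass"
    if (src_ip, proto, dport) in STATIC_NAT:
        return "static-nat"  # becomes 95.95.95.48:25 and misses crypto ACL 115
    return "pat" if first_match(acls["110"], src, dst) == "permit" else "bypass"


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for crypto in ("115", "120"):
        print(f"ACL {crypto} not exempted from PAT:", uncovered_crypto_entries(acls, crypto, "110"))
    print("broken ACL 110, crypto 120:", uncovered_crypto_entries(parse_acls(BROKEN_ACL_TEXT), "120", "110"))
    print("SMTP host to branch, no policy route:", nat_action(acls, "10.103.1.15", "10.50.50.10", "tcp", 25))
    print("SMTP host to branch, with nostat:", nat_action(acls, "10.103.1.15", "10.50.50.10", "tcp", 25, "125"))
    print("other host to Internet:", nat_action(acls, "10.103.1.20", "203.0.113.5", "tcp", 80))
```

Running it shows ACLs 115 and 120 fully exempted by ACL 110 as posted, the constructed ACL 110 without the pool deny flagged for crypto ACL 120, and the SMTP host's tunnel traffic hitting the static translation unless the nostat policy route is applied on the inside interface. The same check is worth repeating on the branch router (ACL 110 against 115), where the posted config has the single deny it needs.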