Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Client - 3660 IOS 12.2

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

I'm trying to set up VPN Client access for traveling users into our network through a 3660 router running IOS 12.2 (16a). This is the specific image: c3660-jk9o3s-mz.122-16a

I've tried more setups than I care to think of and nothing is working. I get this error every time: "Secure VPN Connection terminated locally by the client. Reason: The remote peer is no longer responding."

I've never setup VPN Client before and about the only thing I can find on the site are a few hundred docs showing how to set up the Client with a RADIUS or TACACS server and VPN Concentrator 3000 series. I haven't found anything useful in the VPN Client setup documentation either (HTML stuff on the site), so I figured I'd turn here.

Anyway here is my current config on the router...if you see anything wrong please let me know.

logging queue-limit 100

logging rate-limit 1000

aaa new-model

aaa authentication login userauthen enable

aaa authentication login userauthen local

aaa authorization network userauthor local

enable password 7 xxxxxxxxxxxxxxxxxxxxx

!

username all

username ** privilege 15 password 7 xxxxxxxxxxx

username ** privilege 0 password 7 xxxxxxxxxxx

ip subnet-zero

no ip source-route

ip icmp rate-limit unreachable 5000

!

ip domain-list xxxxxxxxxxxxxx.com

ip domain-name xxxxxxxxxxxxxx.com

ip name-server 12.127.16.68

ip name-server 172.0.0.10

!

ip inspect audit-trail

ip inspect max-incomplete low 300

ip inspect max-incomplete high 400

ip inspect one-minute high 2000

ip inspect one-minute low 1800

ip inspect udp idle-time 600

ip inspect dns-timeout 10

ip inspect tcp idle-time 600

ip inspect name inbound udp alert on timeout 600

ip inspect name inbound realaudio timeout 600

ip inspect name inbound tcp alert on timeout 600

ip inspect name inbound ftp timeout 600

ip inspect name inbound http timeout 600

ip inspect name inbound rcmd timeout 600

ip inspect name inbound rtsp timeout 600

ip inspect name inbound tftp timeout 600

ip inspect name inbound netshow timeout 600

ip inspect name inbound streamworks timeout 600

ip inspect name inbound vdolive timeout 600

ip inspect name inbound cuseeme timeout 600

ip inspect name inbound h323 timeout 600

ip audit notify log

ip audit po max-events 100

ip dhcp-server 172.0.0.10

!

crypto isakmp policy 1

encr 3des

authentication pre-share

!

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key * address xxx.xx.xxx.231

crypto isakmp key * address xxx.xx.xxx.130

crypto isakmp key * address xxx.xx.xxx.76

crypto isakmp key * address xxx.xx.xxx.89

crypto isakmp key * address xxx.xx.xxx.26

crypto isakmp key * address xxx.xx.xxx.24

crypto isakmp key * address xxx.xx.xxx.43

crypto isakmp key * address xxx.xx.xxx.217

crypto isakmp key * address xxx.xx.xxx.109

crypto isakmp key * address xxx.xx.xxx.106

crypto isakmp key * address xxx.xx.xxx.193

crypto isakmp key * address xxx.xx.xxx5.187

crypto isakmp key * address xxx.xx.xxx.4

crypto isakmp client configuration address-pool local testpool

!

!

crypto ipsec transform-set cm-transformset-1 esp-3des esp-sha-hmac

crypto ipsec transform-set cm-transformset-2 esp-3des esp-sha-hmac

!

!

crypto dynamic-map testdynamicmap 1

set security-association lifetime seconds 68000

set transform-set cm-transformset-1

!

!

crypto map cm-cryptomap client authentication list userauthen

crypto map cm-cryptomap isakmp authorization list userauthor

crypto map cm-cryptomap client configuration address respond

crypto map cm-cryptomap 98 ipsec-isakmp dynamic testdynamicmap

!

!

call rsvp-sync

!

!

!

!

!

fax interface-type fax-mail

mta receive maximum-recipients 0

!

!

!

interface FastEthernet0/0

description connected to Outside_LAN

ip address xxx.xx.xxx.1 255.255.255.128

ip nat inside

duplex auto

speed auto

!

interface FastEthernet0/1

description connected to Inside_LAN

ip address 172.0.0.1 255.255.255.128

ip nat inside

duplex auto

speed auto

!

interface FastEthernet1/0

description connected to xxxxxxxxxxxxxxx

ip address 192.168.250.1 255.255.0.0

ip nat inside

no ip route-cache

no ip mroute-cache

duplex auto

speed auto

!

interface Serial1/0

description connected to Internet

ip address xxx.xx.xxx.* 255.255.255.*

ip access-group 2000 in

ip access-group 2001 out

ip nat outside

ip inspect inbound out

encapsulation ppp

no ip route-cache

no ip mroute-cache

no fair-queue

service-module t1 timeslots 1-24

service-module t1 remote-alarm-enable

crypto map cm-cryptomap

!

router rip

version 2

network 10.0.0.0

network xx.0.0.0

network 172.0.0.0

network 192.0.0.0

!

ip local pool testpool 172.0.0.230 172.0.0.245

ip nat inside source route-map nonat interface Serial1/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Serial1/0

ip http server

!

logging facility syslog

logging 172.0.0.70

***Cut out most of ACL 2000 to save space***

access-list 2000 permit icmp any any echo

access-list 2000 permit icmp any any echo-reply

access-list 2000 permit icmp any any host-redirect

access-list 2000 permit icmp any any host-unknown

access-list 2000 permit icmp any any host-unreachable

access-list 2000 permit icmp any any packet-too-big

access-list 2000 permit icmp any any redirect

access-list 2000 permit icmp any any traceroute

access-list 2000 permit icmp any any unreachable

access-list 2000 permit icmp any any time-exceeded

access-list 2000 permit icmp any any administratively-prohibited

access-list 2000 permit esp any any

access-list 2000 permit udp any any eq isakmp

access-list 2000 deny ip 172.0.0.0 0.0.0.127 172.0.0.0 0.0.0.127

access-list 2000 deny ip host 255.255.255.255 any

access-list 2000 deny tcp any 172.0.0.0 0.0.0.127

access-list 2000 deny udp any 172.0.0.0 0.0.0.127

access-list 2000 deny ip any 172.0.0.0 0.0.0.127

access-list 2001 permit ip any any

access-list 2001 permit tcp any any

access-list 2001 permit udp any any

dialer-list 1 protocol ip permit

route-map nonat permit 10

match ip address 199

!

!

snmp-server community xxxxxxxxxxxxxx

snmp-server enable traps tty

!

dial-peer cor custom

!

!

!

!

banner incoming ^C On^C

!

line con 0

exec-timeout 0 0

password 7 xxxxxxxxxxxxxxxxxx

line aux 0

password 7 xxxxxxxxxxxxxxxxxx

line vty 0 4

password 7 xxxxxxxxxxxxxxxxxx

!

end

1 REPLY
Silver

Re: VPN Client - 3660 IOS 12.2

On which platform are you running the VPN client? Some issues like this one have been seen over Windows ME and old Client versions. Please ensure that you are using the latest version of the VPN client. Also check the key and make sure that you are using the right key. This should resolve the issue.

104
Views
0
Helpful
1
Replies