Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

vpn-service with preshared auth. and preshared Xauth.

hi,

i've tried to configure a vpn-service for both ios-ios-link and ios-vpn~client-link after binding the dynamic-map for the vpn-clients, the ios-devices can't (re)-connect to the server (they can't establish a sa - established sa's from ios-devices are lost after timeout [debugging the sa shows that the policy (56/group1/presh-auth) which should match is denied from the server).

after deleting the dynamic-map-entry for the soft-clients from the crypto-map, the ios-clients works fine again.

i'm using rel. 12.2.8(T8). is this a misconfiguration (below) or a problem with the release ??

regards

stefan

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname runner

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login vpn-user local

aaa authentication ppp default local

aaa authorization network default local

aaa authorization network vpn-group local

aaa session-id common

enable password ENABLE

!

username USER password PASSWORD

!

ip subnet-zero

ip tcp path-mtu-discovery

ip domain-name mydom.com

ip name-server 145.253.2.11

!

vpdn enable

!

isdn switch-type basic-net3

!

crypto isakmp policy 3

hash md5

authentication pre-share

lifetime 360

!

crypto isakmp policy 5

hash md5

authentication pre-share

group 2

!

crypto isakmp key PRESH-KEY-FOR-IOS address 0.0.0.0 0.0.0.0

crypto isakmp keepalive 11

!

crypto isakmp client configuration group vpn-user

key PRESH-KEY-FOR-VPN-CLIENT

pool CLIENT-VPN

!

!

crypto ipsec transform-set IOS-SET esp-des esp-md5-hmac

crypto ipsec transform-set CLIENT-SET esp-des esp-md5-hmac

!

crypto dynamic-map vpn-dyn-map 10

set security-association lifetime kilobytes 6000

set transform-set CLIENT-SET

!

crypto dynamic-map iosmap 10

set security-association lifetime seconds 420

set transform-set IOS-SET

!

!

crypto map vpn-map client authentication list vpn-user

crypto map vpn-map isakmp authorization list vpn-group

crypto map vpn-map client configuration address respond

crypto map vpn-map 10 ipsec-isakmp dynamic vpn-dyn-map

crypto map vpn-map 20 ipsec-isakmp dynamic iosmap

!

# i've also changed the position of the dynamic-maps,

# ...the ios-connection failed

!

!

interface Ethernet0

ip address 200.100.10.1 255.255.255.252

no cdp enable

crypto map vpn-map

!

interface Ethernet1

ip address 10.100.0.1 255.255.0.0

ip directed-broadcast

ip mtu 1492

!

interface BRI0

no ip address

shutdown

isdn switch-type basic-net3

!

ip local pool CLIENT-VPN 192.168.2.249 192.168.2.250

ip classless

ip route 0.0.0.0 0.0.0.0 Ethernet0

ip route 192.168.2.0 255.255.255.0 Ethernet0

no ip http server

ip pim bidir-enable

!

!

access-list 135 permit ip any 192.168.2.0 0.0.0.255

access-list 136 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

dialer-list 1 protocol ip permit

!

!

line con 0

line vty 0 4

line vty 5 15

!

end

3 REPLIES
New Member

Re: vpn-service with preshared auth. and preshared Xauth.

Hi Stefan,

Sorry, I couldn't make out if the above is the configuration on the client side or the IOS side. If you don't mind can you mention the devices, the IOS releases used on both sides and the VPN related configs on both sides for which the case fails. This will help in debugging your cases faster.

Keep us posted.

Naveen

mnaveen@cisco.com

New Member

Re: vpn-service with preshared auth. and preshared Xauth.

the previous posted configuration is the vpn-server, 16 cisco1751 connect via dsl to the server in a hub-and-spoke configuration (below is the ios-client config)

server:

cisco 2621 (60416K/5120K)

c2600-ik8s-mz.122-8.T8.bin

client:

cisco 1751 (39322K/9830K)

c1700-k8o3sv3y7-mz.122-4.XM3.bin

soft-client:

vpn-client v4.0

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname vpn-ios-client

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication ppp default local

aaa authorization exec default local

aaa authorization network default local

aaa session-id common

!

username callback-dialstring "" password

username privilege 5 password

memory-size iomem 20

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

ip tcp path-mtu-discovery

ip telnet source-interface FastEthernet0/0

ip tftp source-interface FastEthernet0/0

!

ip audit notify log

ip audit po max-events 100

ip ssh time-out 120

ip ssh authentication-retries 3

vpdn enable

!

vpdn-group pppoe

request-dialin

protocol pppoe

!

isdn switch-type basic-net3

!

!

!

!

!

!

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key PRESH-KEY-FOR-IOS address 200.100.10.1

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set vpnset esp-des esp-md5-hmac

!

crypto map vpn 1 ipsec-isakmp

set peer 200.100.10.1

set security-association lifetime seconds 150

set transform-set vpnset

match address 115

!

!

!

!

interface Ethernet0/0

half-duplex

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet0/0

ip address 10.1.201.254 255.255.255.0

ip helper-address 10.101.104.255

ip helper-address 10.100.255.255

ip directed-broadcast

ip nat inside

speed auto

!

!

interface Dialer1

bandwidth 768

ip address negotiated

ip directed-broadcast

ip mtu 1492

ip nat outside

encapsulation ppp

ip tcp adjust-mss 1300

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap callin

ppp pap sent-username password 7

ppp ipcp dns request

crypto map vpn

!

!

ip nat inside source route-map nonat interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1 10

ip route 0.0.0.0 0.0.0.0 Dialer10 20

no ip http server

ip pim bidir-enable

!

!

!

logging trap debugging

logging source-interface FastEthernet0/0

logging 10.100.0.1

access-list 10 permit 10.1.201.0 0.0.0.255

access-list 11 permit 10.100.0.0 0.1.255.255

access-list 115 permit ip 10.1.201.0 0.0.0.255 10.100.0.0 0.1.255.255

access-list 115 deny ip 10.1.201.0 0.0.0.255 any

access-list 120 deny ip 10.1.201.0 0.0.0.255 10.100.0.0 0.1.255.255

access-list 120 permit ip 10.1.201.0 0.0.0.255 any

dialer-list 1 protocol ip list

!

route-map nonat permit 10

match ip address 120

!

call rsvp-sync

!

dial-peer cor custom

!

!

!

banner motd ^C

^C

privilege exec level 5 show

privilege exec level 5 ping

!

line con 0

line aux 0

line vty 0 4

access-class 5 in

line vty 5 15

!

no scheduler allocate

ntp clock-period 17179934

ntp source FastEthernet0/0

ntp server 10.100.0.1

end

New Member

Re: vpn-service with preshared auth. and preshared Xauth.

in the meantime i've added the statement "no-xauth" in the following line

crypto isakmp key PRESH-KEY-FOR-IOS address 0.0.0.0 0.0.0.0 no-xauth

... now my ios-clients works proper, ... but the "Processing of Aggressive mode failed" for my soft-clients (x-auth is skipped for them too) : (

all my clients get negotiated provider pool-addresses ... ???

117
Views
0
Helpful
3
Replies
CreatePlease login to create content