vpnclient3.x to IOS with NAT

Is there a sample config for configuring VPN on a router with NAT, to support client 3.x?

I have the following config, and debug shows 'Hash algorithm offered does not match policy!'

Thanks

Cisco1605#
version 12.2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup1
 key MYKEY
 pool vpnpool
 acl 150
!
crypto ipsec transform-set clientset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 15
 set transform-set clientset
!
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 15 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 description to LAN
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0 in
!
interface Ethernet1
 ip address public_ip 255.255.255.252
 ip access-group 101 in
 ip nat outside
 crypto map clientmap
!
ip local pool vpnpool 192.168.100.1 192.168.100.20
ip nat inside source route-map nonat-route-map interface Ethernet1 overload
ip nat inside source static tcp 192.168.200.2 3389 public_ip 3389 extendable
ip nat inside source static tcp 192.168.200.2 5005 public_ip 5005 extendable
ip nat inside source static tcp 192.168.200.2 80 public_ip 80 extendable
ip nat inside source static tcp 192.168.200.2 5631 public_ip 5631 extendable
ip nat inside source static udp 192.168.200.2 5632 public_ip 5632 extendable
ip pim bidir-enable
!
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any host 65.184.189.197 eq ftp
access-list 101 permit tcp any host 65.184.189.197 eq 3389
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any host public_ip eq 5005
access-list 101 permit tcp any host public_ip eq ftp-data
access-list 101 permit tcp any host public_ip eq www
access-list 101 permit tcp any host public_ip eq 5631
access-list 101 permit udp any host public_ip eq 5632
access-list 105 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 permit ip 192.168.200.0 0.0.0.255 any
access-list 150 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
route-map nonat-route-map permit 15
 match ip address 105

1 REPLY

Re: vpnclient3.x to IOS with NAT

The ISAKMP and crypto IPSEC policy settings are all right.

You did not attach your full router config; you need the following commands as well:

"crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor"

If you are using local authentication, I assume that you have put in the following:

"aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password cisco"

Best Regards,

Paul Qiu
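The following is an added example, not a config from either poster: the asker's crypto and NAT-exemption lines merged with the AAA and crypto map lines from the reply, in the order they belong in a running config. It assumes local authentication (as the reply does), keeps the asker's names (clientmap, dynmap, vpngroup1, vpnpool, ACL 105/150, Ethernet1), and uses an obviously fake username/password placeholder that must be replaced before use.

```cisco
! Added example (not from the thread): posted config plus the reply's missing lines.
!
! AAA lists the crypto map refers to. userauthen answers the client's Xauth
! user login, groupauthor looks up the group (pool, key, split ACL). Both local.
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
! Placeholder credential for the Xauth login; replace with a real account.
username REPLACE_ME_USER password REPLACE_ME_PASSWORD
!
! Phase 1 policy from the posted config (the reply confirms it is fine).
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
! Group the 3.x client connects to: pre-shared key, address pool, split-tunnel ACL.
crypto isakmp client configuration group vpngroup1
 key MYKEY
 pool vpnpool
 acl 150
!
crypto ipsec transform-set clientset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 15
 set transform-set clientset
!
! The two lines the reply says are missing: bind the AAA lists to the crypto map
! so the router asks the client for a user login and pushes the group attributes.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 15 ipsec-isakmp dynamic dynmap
!
ip local pool vpnpool 192.168.100.1 192.168.100.20
!
! NAT exemption: LAN-to-pool traffic must be denied from the overload NAT,
! otherwise it is translated to public_ip before it reaches the crypto map.
access-list 105 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 permit ip 192.168.200.0 0.0.0.255 any
route-map nonat-route-map permit 15
 match ip address 105
ip nat inside source route-map nonat-route-map interface Ethernet1 overload
!
! Split-tunnel ACL pushed to the client: only LAN <-> pool traffic goes in the tunnel.
access-list 150 permit ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
!
interface Ethernet1
 ip nat outside
 crypto map clientmap
```

After applying this, a connected client shows up in `show crypto isakmp sa` (state QM_IDLE) and `show crypto ipsec sa` shows the encaps/decaps counters incrementing for the pool address; `debug crypto isakmp` is the debug that produced the quoted hash message.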
