420 Views, 0 Helpful, 3 Replies

Why can only one user build a connection with IPsec?

xt
Level 1

Only one user can build a connection with IPsec; the second user kicks out the online user. What's the problem? Misconfig? Bug?

SZ-Sig# wr term
Building configuration...
: Saved
:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx encrypted
passwd xxxxx encrypted
hostname SZ-Sig
domain-name sig.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name x.x.x.x exchange
name x.x.x.x proxy
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host x.x.x.x
access-list acl_in permit ip x.x.x.x 255.255.255.0 any
access-list acl_in permit icmp any any
access-list vpn_client permit ip x.x.x.x 255.255.255.248 x.x.x.x 255.2
access-list vpn_client permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.2
access-list vpn_clients permit ip x.x.x.x 255.255.255.0 x.x.x.x 255.255.
pager lines 24
logging console debugging
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x 255.255.255.252
ip address inside x.x.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool sigpool 192.168.1.1-192.168.1.254
pdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 0 access-list vpn_clients
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.x exchange netmask 255.255.255.255 0 0
access-group acl_out in interface outside
access-group acl_in in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 172.19.0.0 255.255.0.0 172.19.1.4 1
route inside 172.29.19.96 255.255.255.252 172.19.1.4 1
route inside 172.29.19.100 255.255.255.252 172.19.1.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.19.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map VPN_LIN 10 ipsec-isakmp
crypto map VPN_LIN 10 match address vpn_client
crypto map VPN_LIN 10 set peer x.x.x.x
crypto map VPN_LIN 10 set transform-set myset
crypto map VPN_LIN 20 ipsec-isakmp dynamic dynmap
crypto map VPN_LIN client configuration address initiate
crypto map VPN_LIN interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp client configuration address-pool local sigpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Cisco idle-time 1800
vpngroup cbcn05 address-pool sigpool
vpngroup cbcn05 dns-server exchange
vpngroup cbcn05 wins-server exchange
vpngroup cbcn05 default-domain sig.com
vpngroup cbcn05 idle-time 1800
vpngroup cbcn05 password ********
vpngroup cbcn01 address-pool sigpool
vpngroup cbcn01 dns-server exchange
vpngroup cbcn01 wins-server exchange
vpngroup cbcn01 default-domain sig.com
vpngroup cbcn01 idle-time 1800
vpngroup cbcn01 password ********
vpngroup cbcn02 address-pool sigpool
vpngroup cbcn02 dns-server exchange
vpngroup cbcn02 wins-server exchange
vpngroup cbcn02 default-domain sig.com
vpngroup cbcn02 idle-time 1800
vpngroup cbcn02 password ********
vpngroup cbcn03 address-pool sigpool
vpngroup cbcn03 dns-server exchange
vpngroup cbcn03 wins-server exchange
vpngroup cbcn03 default-domain sig.com
vpngroup cbcn03 idle-time 1800
vpngroup cbcn03 password ********
vpngroup cbcn04 address-pool sigpool
vpngroup cbcn04 dns-server exchange
vpngroup cbcn04 wins-server exchange
vpngroup cbcn04 default-domain sig.com
vpngroup cbcn04 idle-time 1800
vpngroup cbcn04 password ********
vpngroup cisco idle-time 1800
telnet 172.19.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:xxxxxxx
: end
[OK]

3 Replies

cody.rowland
Level 1

It sounds like the clients might be connecting through a proxy server.

l.mourits
Level 5

What client are you using? The CiscoSecure client or the VPN 3000 client? Or are you using a combination of site-to-site VPNs and client-to-site VPNs? Otherwise your config seems a bit odd to me; it seems that there are a few too many items in the config for using only client-to-site VPNs with VPN 3000 clients (the recommended client).

Here's part of my configuration for our users connecting via the VPN 3000 client over client-to-site VPNs to our internal network:

sysopt connection permit-ipsec
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host Cerberus ******** timeout 20
ip local pool Telewerken start_ip-end_ip
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client token authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPNclients address-pool Telewerken
vpngroup VPNclients dns-server primary_dns secondary_dns
vpngroup VPNclients wins-server primary_wins secondary_wins
vpngroup VPNclients default-domain foobar.com
vpngroup VPNclients idle-time 1800
vpngroup VPNclients password ********

Hope this helps
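The reply above points out that the posted config carries more than a client-to-site setup needs. As an added example (not code from the thread or from Cisco), the script below pulls the IKE/IPsec statements out of a PIX 6.x running-config and reports what a reviewer would look at first: which crypto map entries are fixed-peer (LAN-to-LAN) and which are dynamic (remote-access clients), which vpngroups share an address pool or have no group password, and which IKE policies, transform sets and SNMP community strings use values that are weak by today's standards. SAMPLE_CONFIG is a constructed excerpt of the config posted in the question, with its x.x.x.x placeholders kept as posted; the WEAK_* sets and the finding categories are the editor's own labels, not anything the PIX reports.

```python
from collections import defaultdict

# Constructed excerpt of the config posted in the question, not the full
# running-config; the x.x.x.x placeholders are kept exactly as posted.
SAMPLE_CONFIG = """\
PIX Version 6.1(4)
snmp-server community public
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map VPN_LIN 10 ipsec-isakmp
crypto map VPN_LIN 10 match address vpn_client
crypto map VPN_LIN 10 set peer x.x.x.x
crypto map VPN_LIN 10 set transform-set myset
crypto map VPN_LIN 20 ipsec-isakmp dynamic dynmap
crypto map VPN_LIN interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
vpngroup Cisco idle-time 1800
vpngroup cbcn05 address-pool sigpool
vpngroup cbcn05 password ********
vpngroup cbcn01 address-pool sigpool
vpngroup cbcn01 password ********
vpngroup cisco idle-time 1800
"""

# Editor's criteria (assumption, not a PIX check): single DES, MD5 and
# DH group 1 are long deprecated for IKE/IPsec.
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_ESP = {"esp-des", "esp-null"}


def parse_pix(text):
    """Collect the IKE/IPsec-relevant statements of a PIX 6.x config."""
    cfg = {
        "isakmp_policies": defaultdict(dict),   # seq -> {attribute: value}
        "transform_sets": {},                    # name -> [transforms]
        "crypto_maps": defaultdict(dict),        # (map, seq) -> {attribute: value}
        "vpngroups": defaultdict(dict),          # group -> {attribute: value}
        "snmp_communities": [],
    }
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            cfg["isakmp_policies"][t[2]][t[3]] = " ".join(t[4:])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and len(t) >= 5 and t[3].isdigit():
            entry = cfg["crypto_maps"][(t[2], int(t[3]))]
            if t[4] == "ipsec-isakmp":          # "dynamic <name>" marks a dynamic entry
                entry["type"] = "dynamic" if "dynamic" in t[5:] else "static"
            elif t[4] == "set" and len(t) >= 7:  # set peer / set transform-set ...
                entry[t[5]] = " ".join(t[6:])
            elif t[4] == "match":
                entry["match_address"] = t[-1]
        elif t[0] == "vpngroup":
            cfg["vpngroups"][t[1]][t[2]] = " ".join(t[3:])
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp_communities"].append(t[2])
    return cfg


def audit(cfg):
    """Return (category, message) findings a reviewer would raise on this config."""
    findings = []
    for seq, attrs in sorted(cfg["isakmp_policies"].items(), key=lambda kv: int(kv[0])):
        weak = [f"{k} {attrs[k]}" for k, bad in WEAK_IKE.items() if attrs.get(k) in bad]
        if weak:
            findings.append(("weak-crypto", f"isakmp policy {seq}: {', '.join(weak)}"))
    for name, transforms in cfg["transform_sets"].items():
        for x in transforms:
            if x in WEAK_ESP:
                findings.append(("weak-crypto", f"transform-set {name}: {x}"))
    by_map = defaultdict(lambda: {"static": [], "dynamic": []})
    for (name, seq), entry in cfg["crypto_maps"].items():
        by_map[name][entry.get("type", "static")].append(seq)
    for name, kinds in by_map.items():
        if kinds["static"] and kinds["dynamic"]:
            findings.append(("info", f"crypto map {name}: fixed-peer entries {sorted(kinds['static'])} "
                             f"and dynamic entries {sorted(kinds['dynamic'])} share one map; "
                             "entries are tried in sequence order"))
    pools = defaultdict(list)
    for group, attrs in cfg["vpngroups"].items():
        if "address-pool" in attrs:
            pools[attrs["address-pool"]].append(group)
        if "password" not in attrs:
            findings.append(("config", f"vpngroup {group}: no password (group pre-shared key) configured"))
    for pool, groups in pools.items():
        if len(groups) > 1:
            findings.append(("info", f"address pool {pool} shared by vpngroups {sorted(groups)}"))
    for community in cfg["snmp_communities"]:
        if community in {"public", "private"}:
            findings.append(("weak-auth", f"snmp-server community {community}: default community string"))
    return findings


if __name__ == "__main__":
    for category, message in audit(parse_pix(SAMPLE_CONFIG)):
        print(f"[{category}] {message}")
```

Run it against a full `write terminal` capture instead of SAMPLE_CONFIG to get the same report for a real box; the parser ignores everything it does not recognise, so the truncated access-list lines in the post do no harm.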

I have seen this problem on the 3030 concentrator using the Cisco VPN client. If the connections are coming from the same address, the UDP port will be the same (port 500) and IPsec will drop the connection. The workaround was to enable TCP connections on the client for accessing the network through a firewall/NAT/PAT. I also had them move the keepalive off the default time of 90 to 200. Good luck

John B
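The same-address case John B describes, as a small model added here (not code from the thread, and not a description of what the PIX or the 3030 actually does internally): a PAT device can only hand return traffic to one inside host per outside-visible tuple. IKE on UDP/500 and IPsec over UDP or TCP carry port numbers the PAT device can rewrite per host, but raw ESP (IP protocol 50) has no port field, and some NAT devices deliberately leave IKE's port 500 untranslated, so two clients behind one public address collapse onto one tuple and the second mapping displaces the first. The addresses, the `ike_port_fixed` behaviour and the "newer mapping wins" rule are modelling assumptions; real devices differ (some track ESP by SPI).

```python
from dataclasses import dataclass
from typing import Optional

ESP, TCP, UDP = 50, 6, 17     # IP protocol numbers
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    """Outer header fields a NAT device or gateway can key on."""
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for ESP, which carries no port field
    dport: Optional[int] = None


class PatDevice:
    """Overload NAT: many inside hosts share one public address.

    Return traffic is matched on the outside-visible tuple, so two inside
    hosts that map to the same outside tuple cannot both be reached; the
    newer mapping replaces the older one (modelling assumption: no ESP SPI
    tracking).  ike_port_fixed models devices that leave UDP/500
    untranslated so IKE still arrives on the well-known port.
    """

    def __init__(self, public_ip, ike_port_fixed=False):
        self.public_ip = public_ip
        self.ike_port_fixed = ike_port_fixed
        self.flows = {}      # (inside_ip, inner packet) -> outer packet
        self.inbound = {}    # outer packet (what the gateway sees) -> inside_ip
        self.evicted = []    # inside hosts whose mapping was overwritten
        self.next_port = 40000

    def translate(self, inside_ip, pkt):
        """Rewrite the source of an outbound packet and record the inbound mapping."""
        flow = (inside_ip, pkt)
        if flow not in self.flows:
            if pkt.sport is None:                                 # ESP: only the address changes
                outer = Packet(pkt.proto, self.public_ip, pkt.dst)
            elif self.ike_port_fixed and pkt.proto == UDP and pkt.sport == IKE_PORT:
                outer = Packet(UDP, self.public_ip, pkt.dst, IKE_PORT, pkt.dport)
            else:                                                 # fresh outside port per flow
                outer = Packet(pkt.proto, self.public_ip, pkt.dst, self.next_port, pkt.dport)
                self.next_port += 1
            self.flows[flow] = outer
        outer = self.flows[flow]
        old = self.inbound.get(outer)
        if old is not None and old != inside_ip:
            self.evicted.append(old)       # the old host's return traffic is now misdirected
        self.inbound[outer] = inside_ip
        return outer


def run(encap, ike_port_fixed=False):
    """Two clients behind one PAT device reach the same gateway.

    encap: "esp" (raw ESP), "ike" (IKE on UDP/500), "udp" (IPsec over UDP,
    e.g. NAT-T on 4500) or "tcp" (IPsec over TCP).
    Returns (number of distinct outside mappings, list of evicted inside hosts).
    Addresses are documentation ranges chosen for this example.
    """
    pat = PatDevice("203.0.113.10", ike_port_fixed)
    gw_ip = "198.51.100.1"
    for inside_ip in ("10.0.0.11", "10.0.0.12"):
        if encap == "esp":
            inner = Packet(ESP, inside_ip, gw_ip)
        elif encap == "ike":
            inner = Packet(UDP, inside_ip, gw_ip, IKE_PORT, IKE_PORT)
        elif encap == "udp":
            inner = Packet(UDP, inside_ip, gw_ip, 4500, 4500)
        elif encap == "tcp":
            inner = Packet(TCP, inside_ip, gw_ip, 10000, 10000)
        else:
            raise ValueError(encap)
        pat.translate(inside_ip, inner)
    return len(pat.inbound), pat.evicted


if __name__ == "__main__":
    for encap, fixed in (("esp", False), ("ike", True), ("ike", False), ("udp", False), ("tcp", False)):
        mappings, evicted = run(encap, fixed)
        print(f"{encap:<4} ike_port_fixed={str(fixed):<5} mappings={mappings} evicted={evicted}")
```

Only the two port-less or port-pinned cases lose the first client; every encapsulation that gives the PAT device a rewritable source port keeps both, which is the effect the TCP workaround in the reply above relies on.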