I am attempting to set up my UC520 to accept a VPN connection so I can use CCA remotely.
Attached is my screen shot of the configuration I made with CCA.
I am attempting to connect with VPN client 5.0.03.0560.
The connection fails, terminating locally with "Reason 414: Failed to establish a TCP connection".
The connection entry on the client has user and password set as the user I added in CCA, group authentication, transport set to IPSec over TCP port 1000, transparent tunnelling enabled.
Any help as to what I am missing is appreciated.
1) Paste the text below into Notepad.
2) Replace the highlighted parameters with your Site Description, FE0/0 IP address or name (If using DDNS) and the Group password.
3) Save to a file using a .pcf (dot pcf) extension.
4) Import from your Cisco VPN Client.
5) Try to connect from the WAN side.
Let me know,
It did not work but I don't know what the group password is. See log below from client
Where in CCA do I set the group password?
I see the group you mention in CCA but nowhere to set the password.
1 23:01:01.953 02/25/09 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
2 23:01:01.953 02/25/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
3 23:01:01.953 02/25/09 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
4 23:01:01.953 02/25/09 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)
I am no longer on site and cannot access the router via CCA but I can telnet to it.
How do I set this password via the CLI?
Replace where indicated:
crypto isakmp client configuration group EZVPN_GROUP_1
I was presented with dialog box for username and password by the client but failed to make connection.
Here is what the log had after that point:
Cisco Systems VPN Client Version 5.0.03.0560
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
11 14:54:03.843 02/26/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
12 14:54:03.843 02/26/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
Thanks for your help.
At this point you enter one of the usernames and password that you configured under the VPN screen in CCA.
Let me know,
Sorry that was not clear in my message, but I did put in the username and password that I configured with CCA
You may be able to leverage the CCA setup of the host UC500 VPN Server configuration from this document, since that would be the same for what you are doing. https://www.myciscocommunity.com/docs/DOC-1335
Thanks Steve, Looks like page 12 may be relevant.
How do I do this from the CLI since I don't have CCA access yet until I get this to work?
What do you think Marcos?
Well, page 12 is for the PC Client on the Remote Teleworker. So maybe not so relevant.
The thing is, you need to create the VPN Server on the Main UC500 before you connect the PC with Cisco VPN Client. For that, look at page 11, about half way down. Make sure you set a DHCP Pool on the Host for remote connecting clients.
Using CCA on the main site (prerequisite), go to Configure > Security > VPN Server and provision:
user ID : xxxxx
Secret Key: xxxxxxx
local IP Address pool: 192.168.10.101 …110
The VPN Client must match this information like this...
Your screen shot is not readable - can you post it as file?
Also there is a missing image in your post - this is a cut and paste - can you repost whatever this is?
I cannot access CCA for the "main" (and only site) I am 90 miles away. That is why I am trying to set this up.
How can I do what you suggest with the CLI?
This problem was fixed by doing an OOB configuration change for the access lists.
The access lists were previously deleted by CCA after it encountered an apparently non-compatible configuration.
So this problem was basically a hangover from the problem of CCA deleting access lists.
Here's a neat trick: If you click on the screenshot, it will expand out larger and will be easier to read. Most images in discussions and documents should do this.
Glad to hear the problem was solved.
Cisco Moderation Team
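
The client log excerpts posted in this thread can be triaged mechanically. The following is an added example, not part of the original thread and not Cisco code: it parses the log layout shown above and flags the two event ids the thread discusses. The `HINTS` table and the function names are assumptions made for illustration, and the sample lines are copied from the posts above.

```python
import re

# Entry header in the layout the posted logs use:
#   <seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<name>/<level> <module>/<event id>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<event>0x[0-9A-Fa-f]+)$"
)

# Assumption: follow-ups drawn only from this thread, not a Cisco reference table.
HINTS = {
    "0xE300007E": "client group password may not match the group key on the VPN server",
    "0xE3000023": "no address handed out: check the VPN server's local IP address pool",
}

# Sample input: log lines copied from the posts above.
SAMPLE = """\
Cisco Systems VPN Client Version 5.0.03.0560
2 23:01:01.953 02/25/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
3 23:01:01.953 02/25/09 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
11 14:54:03.843 02/26/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
"""

def parse(text):
    """Return one dict per log entry; lines before the first header (banner) are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), message="")
            current["event"] = "0x" + current["event"][2:].upper()
            entries.append(current)
        elif current is not None and line:
            # Message text follows its header and may span several lines.
            current["message"] = (current["message"] + " " + line).strip()
    return entries

def triage(entries):
    """Map each flagged event id to its hint, in order of first appearance."""
    return {e["event"]: HINTS[e["event"]] for e in entries if e["event"] in HINTS}

if __name__ == "__main__":
    for event, hint in triage(parse(SAMPLE)).items():
        print(event, "->", hint)
```

An event id that is not in `HINTS`, such as 0xE300009B in the sample, is parsed but not flagged.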