Cisco Support Community

New Member

how to set up ipsec tunnel between ASA5505 and vpnclient

I need a document to tell me how to set up an IPsec tunnel between ASA5505 (version 7.2) and the VPN client.

Thanks a lot.

9 REPLIES

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

I configured the ASA according to a document but it doesn't work. When connecting to the ASA with Cisco VPN Client 4.7.00.0533, the "username and password" window pops up. After completing these entries, "Not connected" shows in the left corner of the window. The attached file is the running-configuration of the ASA.

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

Hi,

3 things..

The 'nonat' ACL needs to be reversed, as the traffic goes from 192.168.0.0 (inside) to 192.168.1.0 (outside).

And for connectivity... you need to apply the group-policy 'vpngroup' to your tunnel-group.

tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpngroup

add this command as well...

same-security-traffic permit intra-interface

try both and let us know how it goes..

hth

MS

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

Thank you very much for your reply. But it still doesn't work after adding those commands. Maybe I need to collect debug information to try.

I also have a problem. I input the command "sysopt connection permit-vpn", but I can't see this command in "show running". Why? Is this command necessary?

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

Hi,

here is a template for the VPN Client on ASA5505:

Replace everything with $...

! Address pool handed to connecting VPN clients
ip local pool USER $VPN_POOL_START-$VPN_POOL_END
! NAT exemption and split-tunnel list, written inside subnet -> VPN pool
access-list NO-NAT-INSIDE extended permit ip $INSIDE-IP $INSIDE-MASK $VPN_POOL_IP $VPN_POOL_NETMASK
access-list SPLIT-TUNNEL-USER extended permit ip $INSIDE-IP $INSIDE-MASK $VPN_POOL_IP $VPN_POOL_NETMASK
nat (inside) 0 access-list NO-NAT-INSIDE
! Phase 2 (IPsec) transform set and the dynamic crypto map for remote-access peers
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set transform-set MYSET
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map MYMAP 1000 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside
! Phase 1 (ISAKMP) on the outside interface, with NAT-T for clients behind NAT
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
! Group policy: split tunnelling, only the listed networks go through the tunnel
group-policy USER internal
group-policy USER attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-USER
 default-domain value $DOMAIN
! Tunnel group ties the pool, the group policy and the group pre-shared key together
tunnel-group USER type ipsec-ra
tunnel-group USER general-attributes
 address-pool USER
 default-group-policy USER
tunnel-group USER ipsec-attributes
 pre-shared-key $GROUP_PASSWD
! Local user, locked to this tunnel group
username $USER1 password $USER1_PASSWD
username $USER1 attributes
 vpn-group-policy USER
 group-lock value USER

Regards, Celio
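The two replies above boil down to a short checklist for an ASA 7.x remote-access IPsec configuration: the NAT-exempt ACL must be written inside subnet to VPN pool, the ipsec-ra tunnel-group must carry an address-pool and a default-group-policy, ISAKMP needs `identity address`, `enable outside` and `nat-traversal`, and `same-security-traffic permit intra-interface` should be present. The following Python script is an added example, not code from Cisco or from anyone in this thread; it parses `show running-config` text by its one-space sub-command indentation and reports which of those points are missing. The `BROKEN_CFG` and `FIXED_CFG` strings are constructed samples that mimic the situation in the thread, and the function and variable names are this example's own.

```python
"""Lint an ASA 7.x remote-access IPsec (Cisco VPN Client) configuration.

Hypothetical helper: it checks the points raised in this thread against the
text of 'show running-config'. Not a Cisco tool and not exhaustive.
"""
import re
from collections import OrderedDict


def parse_config(text):
    """Group config text into {parent_command: [sub_commands]}.

    ASA prints sub-commands indented by one space under their parent
    (crypto isakmp policy, group-policy attributes, tunnel-group ...).
    Blank lines and '!' comment lines are ignored.
    """
    sections = OrderedDict()
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections


def lint_ra_vpn(text, inside_net, inside_mask, pool_net, pool_mask):
    """Return a list of findings; an empty list means every check passed.

    inside_net/inside_mask is the LAN behind the ASA, pool_net/pool_mask the
    network covering the 'ip local pool' handed to VPN clients.
    """
    sections = parse_config(text)
    cmds = list(sections)
    findings = []

    # 1. NAT exemption ACL must be written inside -> pool (source first).
    nat0 = next((c for c in cmds if c.startswith("nat (inside) 0 access-list ")), None)
    if nat0 is None:
        findings.append("no 'nat (inside) 0 access-list' NAT-exempt statement")
    else:
        acl = nat0.split()[-1]
        expected = f"access-list {acl} extended permit ip {inside_net} {inside_mask} {pool_net} {pool_mask}"
        reversed_ = f"access-list {acl} extended permit ip {pool_net} {pool_mask} {inside_net} {inside_mask}"
        if reversed_ in cmds and expected not in cmds:
            findings.append(f"NAT-exempt ACL {acl} is reversed: source must be the inside subnet, destination the VPN pool")
        elif expected not in cmds:
            findings.append(f"NAT-exempt ACL {acl} has no inside -> pool entry")

    # 2. Every ipsec-ra tunnel-group must hand out a pool, a group-policy and a key.
    for c in cmds:
        m = re.match(r"tunnel-group (\S+) type ipsec-ra$", c)
        if not m:
            continue
        name = m.group(1)
        general = sections.get(f"tunnel-group {name} general-attributes", [])
        ipsec = sections.get(f"tunnel-group {name} ipsec-attributes", [])
        if not any(s.startswith("address-pool ") for s in general):
            findings.append(f"tunnel-group {name}: no address-pool")
        if not any(s.startswith("default-group-policy ") for s in general):
            findings.append(f"tunnel-group {name}: no default-group-policy (DfltGrpPolicy applies)")
        if not any(s.startswith("pre-shared-key ") for s in ipsec):
            findings.append(f"tunnel-group {name}: no pre-shared-key")

    # 3. ISAKMP on the outside interface, address identity, NAT-T for clients behind NAT.
    if "crypto isakmp enable outside" not in cmds:
        findings.append("ISAKMP not enabled on outside")
    if "crypto isakmp identity address" not in cmds:
        findings.append("missing 'crypto isakmp identity address'")
    if not any(c.startswith("crypto isakmp nat-traversal") for c in cmds):
        findings.append("missing 'crypto isakmp nat-traversal' (clients behind NAT)")

    # 4. Traffic entering and leaving the same interface needs this.
    if "same-security-traffic permit intra-interface" not in cmds:
        findings.append("missing 'same-security-traffic permit intra-interface'")
    return findings


# Constructed sample: reversed NAT-exempt ACL, no default-group-policy, no identity/NAT-T.
BROKEN_CFG = """\
ip local pool vpnpool 192.168.1.10-192.168.1.50
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp enable outside
group-policy vpngroup internal
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
"""

# Constructed sample: the same config with the thread's corrections applied.
FIXED_CFG = """\
same-security-traffic permit intra-interface
ip local pool vpnpool 192.168.1.10-192.168.1.50
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-policy vpngroup internal
tunnel-group vpngroup type ipsec-ra
tunnel-group vpngroup general-attributes
 address-pool vpnpool
 default-group-policy vpngroup
tunnel-group vpngroup ipsec-attributes
 pre-shared-key *
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, lint_ra_vpn(cfg, "192.168.0.0", "255.255.255.0", "192.168.1.0", "255.255.255.0") or ["ok"])
```

Run against a pasted `show running-config`; the broken sample yields five findings and the fixed one none. The script deliberately does not look for `sysopt connection permit-vpn`: on the ASA it is a default setting, so it never appears in `show running-config` and is only listed by `show running-config all`.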

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

debug information:

Feb 04 19:56:04 [IKEv1]: Group = vpngroup, Username = cisco, IP = x.x.177.227, Removing peer from peer table failed, no match!
Feb 04 19:56:04 [IKEv1]: Group = vpngroup, Username = cisco, IP = xx.xx.177.227, Error: Unable to remove PeerTblEntry

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

Please post the current config. That helps in further t-shoot.

thanks

MS

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

The attachment is the current config.

New Member

Re: how to set up ipsec tunnel between ASA5505 and vpnclient

Hi,

this command is missing:

crypto isakmp identity address

and this command is needed for clients behind NAT devices:

crypto isakmp nat-traversal 20

Regards, Celio
