10-03-2006 08:16 AM
Hi,
I have built two different VPN client configurations on a PIX 515E 7.0 and although the config seems exactly the same, one is working fine while the other is failing to make a connection.
I have pasted the config below; the working VPN profile is wccuser and the non-working one is switchengineer.
Can anyone see what the problem is? I have also attached the error I get on the logs.
access-list wccuservpn extended permit ip 192.168.0.0 255.255.252.0 172.28.251.0 255.255.255.0
access-list wccuser-splitlist standard permit 192.168.0.0 255.255.252.0
access-list switchengineervpn extended permit ip 172.18.50.0 255.255.255.0 172.28.252.64 255.255.255.192
access-list switchengineer-splitlist standard permit 172.18.50.0 255.255.255.0
ip local pool wccuserpool 172.28.251.1-172.28.251.254 mask 255.255.255.0
ip local pool switchengineerpool 172.28.252.65-172.28.252.126 mask 255.255.255.192
group-policy switchengineerpolicy internal
group-policy switchengineerpolicy attributes
 banner value Welcome to Wavecrest SwitchEngineer IPSec VPN
 wins-server value 192.168.0.30
 dns-server value 192.168.0.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value switchengineer-splitlist
 default-domain value wavecrestcom.co.uk
group-policy wccuserpolicy internal
group-policy wccuserpolicy attributes
 banner value Welcome to Wavecrest VPNUSER IPSec VPN
 wins-server value 192.168.0.30
 dns-server value 192.168.0.30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wccuser-splitlist
 default-domain value wavecrestcom.co.uk
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map wccmap 101 match address wccuservpn
crypto dynamic-map wccmap 101 set transform-set 3des
crypto dynamic-map wccmap 102 match address switchengineervpn
crypto dynamic-map wccmap 102 set transform-set 3des
crypto map Empire 300 ipsec-isakmp dynamic wccmap
crypto map Empire interface VoIP_PI
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp enable VoIP_PI
tunnel-group switchengineer type ipsec-ra
tunnel-group switchengineer general-attributes
 address-pool switchengineerpool
 authentication-server-group TACACS
 default-group-policy switchengineerpolicy
tunnel-group switchengineer ipsec-attributes
 pre-shared-key *
tunnel-group wccuser type ipsec-ra
tunnel-group wccuser general-attributes
 address-pool wccuserpool
 authentication-server-group TACACS
 default-group-policy wccuserpolicy
tunnel-group wccuser ipsec-attributes
 pre-shared-key *
Attached is the log file. Note the line:
Can't find a valid tunnel group, aborting...
10-09-2006 08:48 AM
This URL should help you:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/prod_troubleshooting_guides_list.html