Community Member

Remote access using Cisco Client

Hi,

This is part of my site-to-site config, which is working fine:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 20

But when I add the client config below to the above, remote client access does not work:
crypto isakmp client configuration group Client-Group
key cisco123
dns 165.21.83.88
pool POOL_1
acl 101

But if I remove 'no-xauth' from my site-to-site ISAKMP key, then my client works but my site-to-site VPN does not. Please advise: what is wrong, or how can I resolve this?

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

Thank you

17 REPLIES
Cisco Employee

Re: Remote access using Cisco Client

For site-to-site VPN, I am assuming that you have a static peer IP address.

Hence you would need to configure the following:

crypto isakmp key cisco address no-xauth

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

Hope that helps.
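The two-entry layout this reply describes, written out as an added example (not configuration from the thread). It assumes the site-to-site peer really does have a static public address; 203.0.113.10 and both key strings are placeholders:

```cisco
! Added example, not configuration from the thread: the two-entry layout the reply
! above describes, for a site-to-site peer whose public address is STATIC.
! 203.0.113.10 and both key strings are placeholders.
!
! Entry 1: the static site-to-site peer. The no-xauth keyword exempts only the
! peer matched by this entry from XAUTH, so the router-to-router tunnel is not
! held up waiting for a username/password the remote router can never supply.
! Keep this specific entry before the wildcard so the static peer matches it
! and not the wildcard.
crypto isakmp key S1te-PSK-change-me address 203.0.113.10 255.255.255.255 no-xauth
!
! Entry 2: the wildcard entry kept for the remote-access clients, without
! no-xauth, so XAUTH still applies to them.
crypto isakmp key Cl1ent-PSK-change-me address 0.0.0.0 0.0.0.0
!
! The single line from the original post cannot serve both roles: with no-xauth
! it exempts every peer (the clients included), and without it the site-to-site
! peer is challenged for XAUTH and the tunnel fails.
!   crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
```

Two practitioner notes: use a long random key for each entry rather than one shared "cisco"-style string for both, because a wildcard entry means any host on the Internet that knows that key can start IKE with the router; and after the change confirm with `show crypto isakmp sa` that the static peer's SA comes up without an XAUTH prompt while a VPN Client still gets one.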

Community Member

Re: Remote access using Cisco Client

I think I know what to do. Let me try it out first.

Thank you

Cisco Employee

Re: Remote access using Cisco Client

You mean it's dynamic to static site-to-site VPN tunnel?

Can you please share your crypto map configuration?

Community Member

Re: Remote access using Cisco Client

Hi,

It's a dynamic-to-dynamic site-to-site VPN.

Anyway, I got an idea after your advice above. I will try it out first.


Thank you so much.

Community Member

Re: Remote access using Cisco Client

Hi halijenn,

I tried using a hostname for my crypto key, but it seems the hostname is not working for my site-to-site.

crypto isakmp key cisco hostname example.dyn.com no-xauth

Am I using the hostname method above correctly?

Will using a hostname solve my problem?

Thank you

Cisco Employee

Re: Remote access using Cisco Client

No, you can't use hostname unfortunately.

Community Member

Re: Remote access using Cisco Client

Hi halijenn

Any way to overcome the problem?

Cisco Employee

Re: Remote access using Cisco Client

You can use the "crypto keyring" option instead of "crypto isakmp key" to configure the pre-shared key.

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Hope that helps.

Community Member

Re: Remote access using Cisco Client

Cool!

Will try it out and let you know again. Thank you.

Cheers!

Community Member

Re: Remote access using Cisco Client

Hi Halijenn,

After using the keyring command, the client is working but the site-to-site router is not. When I run 'show crypto isakmp sa', I can see the connection, but when I run 'show crypto ipsec sa', there is nothing.

From the config below, can you see any problem?

SITE A configuration:

crypto keyring ToSite
  pre-shared-key address 0.0.0.0 0.0.0.0 key Cisco123
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 20
!
crypto isakmp client configuration group Client-Group
key Cisco
dns 165.21.83.88
pool POOL_1
acl 101


crypto isakmp profile Vi
   match identity group Client-Group
   isakmp authorization list default
   client configuration address respond
   virtual-template 1


crypto isakmp profile Site-Crypto
   keyring ToSite
   match identity address 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac

!
crypto ipsec profile Crypto
set transform-set AES256
set isakmp-profile Site-Crypto
!
crypto ipsec profile Vi
set transform-set AES256
set isakmp-profile Vi

interface Tunnel100
ip address 10.10.10.1 255.255.255.0
ip virtual-reassembly
zone-member security VPN
ip tcp adjust-mss 1400
tunnel source Dialer0
tunnel destination 110.XX.XX.XXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile Crypto

For your information, Site B has 2 VTI tunnels configured. The tunnel from Site B to C is working but the tunnel from Site B to A is not. Could Site B having 2 VTI tunnels be causing the problem?

Thank you

Cisco Employee

Re: Remote access using Cisco Client

Sorry, but why are you configuring GRE over IPsec?

Dynamic site-to-site IPsec is not GRE over IPsec, and by configuring a tunnel interface you are creating a GRE tunnel.

Please kindly use a dynamic map to set the ISAKMP profile, a crypto map to reference the dynamic map, and finally assign the crypto map to the outside interface, as per the sample configuration.
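The layout this reply asks for, as an added example (not the thread's own configuration and not the linked Cisco document): keyring plus ISAKMP profile for the dynamic site-to-site peer, a second profile for the VPN Client, one dynamic crypto map per profile, and a crypto map on the Internet-facing interface instead of a Tunnel interface. It reuses the names already seen in this thread (ToSite, Client-Group, POOL_1, acl 101, AES256, Dialer0); key strings, AAA list names, map names, the username, the pool range and the split-tunnel subnet are placeholders:

```cisco
! Added example, not the thread's configuration and not the linked Cisco
! document. Key strings, AAA list names, map names, the username, the pool
! range and the split-tunnel subnet are placeholders.
!
aaa new-model
! login list used for XAUTH (user/password) and network list used to hand the
! group attributes (pool, dns, acl) to the client
aaa authentication login CLIENT-AUTH local
aaa authorization network CLIENT-GROUP-AUTHZ local
username vpnuser secret Change-Me-Now
ip local pool POOL_1 192.168.200.10 192.168.200.50
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 20
!
! The site-to-site PSK lives in a keyring so it can be tied to one ISAKMP
! profile; there is no global "crypto isakmp key ... 0.0.0.0 0.0.0.0" line at
! all, so the no-xauth question goes away. Wildcard address because the peer's
! address changes; note this also means any host that knows the key can start
! IKE with this router, so keep the key long and distinct from the group key.
crypto keyring ToSite
 pre-shared-key address 0.0.0.0 0.0.0.0 key S1te-PSK-change-me
!
crypto isakmp client configuration group Client-Group
 key Cl1ent-PSK-change-me
 dns 165.21.83.88
 pool POOL_1
 acl 101
!
! Profile 1: the dynamic site-to-site peer, selected by its IP identity.
! No XAUTH or mode-config lines here, so none are applied to that peer.
crypto isakmp profile Site-Crypto
 keyring ToSite
 match identity address 0.0.0.0
!
! Profile 2: the VPN Client, selected by the group-name identity it sends.
! XAUTH and mode-config are attached only to this profile.
crypto isakmp profile Vi
 match identity group Client-Group
 client authentication list CLIENT-AUTH
 isakmp authorization list CLIENT-GROUP-AUTHZ
 client configuration address respond
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
! One dynamic map per profile. A dynamic map can only RESPOND, so the remote
! site (and the client) must be the initiator.
crypto dynamic-map DYN-SITE 10
 set transform-set AES256
 set isakmp-profile Site-Crypto
crypto dynamic-map DYN-CLIENT 10
 set transform-set AES256
 set isakmp-profile Vi
 reverse-route
!
! Static crypto map that references both dynamic maps, applied to the
! Internet-facing interface (Dialer0 in this thread), not to a Tunnel interface.
crypto map CMAP 10 ipsec-isakmp dynamic DYN-SITE
crypto map CMAP 20 ipsec-isakmp dynamic DYN-CLIENT
!
interface Dialer0
 crypto map CMAP
```

Because both maps here are dynamic, this router never initiates: the remote site needs a static crypto map with `set peer` pointing at this router (by address, or, assuming the DDNS name from earlier in the thread, `set peer example.dyn.com dynamic` so IOS re-resolves the name), and it must be the one to bring the tunnel up. Verify with `show crypto isakmp sa` (phase 1, one SA per peer), `show crypto ipsec sa` (phase 2 SAs and encrypt/decrypt counters) and `show crypto session`. The ISAKMP policy keeps the thread's group 2 for continuity; a stronger DH group is preferable where both ends support it.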

Community Member

Re: Remote access using Cisco Client

Good day to you Halijenn,

Sorry, I only have less than 3 months of experience with Cisco, so I do not have a deep understanding of the difference between GRE and VTI over IPsec. But I was using the example below for my configuration, and it uses a tunnel, but it is called a Virtual Tunnel Interface (VTI) and not GRE.

https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629.html

I thought they are similar but VTI is easier to configure and does not need to use ACL.

Please correct me if my understanding is wrong.

Thank you

Cisco Employee

Re: Remote access using Cisco Client

From your configuration, your tunnel interface destination is a static IP address; however, you mentioned earlier that your remote peer has a dynamic IP address. So is 110.XX.XX.XXX a static IP address, or a dynamically assigned IP address on the remote end?

If it's static, then the easiest option is your first crypto isakmp key configuration with that 110.XX.XX.XXX static IP address (with the no-xauth keyword). Nothing else needs to be changed apart from that.

Can you share your crypto map configuration?

Community Member

Re: Remote access using Cisco Client

Hi,

110.XX.XX.XXX is a dynamic IP address. (In command mode, I entered the hostname and am also performing DDNS updating.)

Can you advise why my site-to-site does not work with the crypto keyring command?

I will attach the config by tomorrow at the latest.

Thank you

Cisco Employee (Accepted Solution)

Re: Remote access using Cisco Client

VTI will never work since you have a dynamic IP address.

Please follow the sample configuration provided earlier for dynamic to static IPSec VPN:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Community Member

Re: Remote access using Cisco Client

Hi Halim,

I had been trying out your recommendation and yes, using the crypto keyring with a dynamic map worked. Thank you for your help.

Cisco Employee

Re: Remote access using Cisco Client

Great to hear, and thanks for the update, Kim.
