
Remote access with Cisco VPN 4.8.01.03 client

Pix 501 running 6.2.1

Cisco VPN client 4.8.01.03 on WinXP.

I am trying to get remote access VPN up on the outside interface. I would like to allow for clients whose addresses may change. I would also like to avoid using an authentication server. Using a group name and password is the only option in my Cisco VPN client.

I receive the following in my client event log.

Unable to establish phase 1 sa with server because of "DEL_REASON_PEER_NOT_RESPONDING"

On the PIX, debug crypto isakmp shows:

crypto_isakmp_process_block: src 192.168.9.201, dest 192.168.9.51

VPN peer: ISAKMP: Peer ip:192.168.9.201 ref cnt incremented to :2 total vpn peers 1

debug crypto ipsec shows nothing.

Below is my config

access-list 103 permit ip host 192.168.9.51 host 192.168.9.201

ip address outside 192.168.9.51 255.255.255.0

ip address inside 192.168.11.50 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list 103

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

sysopt ipsec pl-compatible

no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map cisco 1 set transform-set myset

crypto map dyn-map 20 ipsec-isakmp dynamic cisco

crypto map dyn-map interface outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 1000

vpnclient vpngroup mygroup password ********


Re: Remote access with Cisco VPN 4.8.01.03 client

In the isakmp policy you have to have group 2:

isakmp policy 10 group 2

VPN client never works with DH group 1. Also remove the following command from the config:

sysopt ipsec pl-compatible

I don't see any ip local pool in the config and any pool assigned in the vpngroup mygroup.

Thirdly, you have to bypass NAT for the IP which will be assigned via the client pool and not the actual IP of the host.

Here is a config sample for VPN client to PIX.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801e71c0.shtml

Regards,

Puneet
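
The points raised in the reply can be checked mechanically against a saved PIX 6.x configuration. The following is an added example, not part of the original thread or Cisco's own tooling; the function names and finding codes are hypothetical, and it assumes the `ip local pool <name> <first>-<last>` and `vpngroup <group> address-pool <name>` command forms.

```python
import ipaddress
import re

# Constructed sample: the relevant PIX 6.x lines from the question above.
QUESTION_CONFIG = """\
access-list 103 permit ip host 192.168.9.51 host 192.168.9.201
nat (inside) 0 access-list 103
sysopt ipsec pl-compatible
isakmp policy 10 group 1
vpnclient vpngroup mygroup password ********
"""

def acl_destinations(lines, acl_id):
    """Destination networks of the 'permit ip' entries in one access list."""
    nets = []
    for line in lines:
        t = line.split()
        if t[:4] != ["access-list", acl_id, "permit", "ip"]:
            continue
        # Source is either "any" (1 token) or "host A" / "A MASK" (2 tokens).
        rest = t[5:] if t[4] == "any" else t[6:]
        dst = "0.0.0.0/0" if rest[0] == "any" else (
            rest[1] + "/32" if rest[0] == "host" else f"{rest[0]}/{rest[1]}")
        nets.append(ipaddress.ip_network(dst, strict=False))
    return nets

def audit(config):
    """Return finding codes for the issues named in the reply."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    found = []
    if re.search(r"^isakmp policy \d+ group 1$", text, re.M):
        found.append("dh-group-1")
    if "sysopt ipsec pl-compatible" in lines:   # exact match skips the "no" form
        found.append("pl-compatible")
    # Pool name -> first address of the pool range.
    pools = dict(re.findall(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)", text, re.M))
    if not pools:
        found.append("no-local-pool")
    assigned = re.findall(r"^vpngroup \S+ address-pool (\S+)$", text, re.M)
    if not any(p in pools for p in assigned):
        found.append("no-pool-on-vpngroup")
    # The NAT-bypass ACL must cover the pool addresses, not the client's real IP.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", text, re.M)
    dests = acl_destinations(lines, m.group(1)) if m else []
    for name, first in pools.items():
        if not any(ipaddress.ip_address(first) in n for n in dests):
            found.append(f"nat0-misses-pool:{name}")
    return found
```

Run against the lines from the question, `audit(QUESTION_CONFIG)` reports the DH group, the `pl-compatible` line, the missing pool and the missing pool assignment.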
