New Member

remote vpn doesn't work on Cisco 7206

Hi there,

I am doing a test to configure remote VPN access to Cisco 7206 (simulated by dynamips). The relevant configuration is as follows:

hostname Concentrator
aaa new-model
aaa authentication login xauth local
username ciscouser password 0 cisco1234
ip subnet-zero
crypto isakmp policy 10
 hash md5
 group 2
 authentication pre-share
crypto isakmp client configuration group test
 key cisco123
 pool mypool
crypto map REMOTEACCESS client authentication list xauth
crypto ipsec transform-set RTP-TRANSFORM esp-des esp-md5-hmac
crypto dynamic-map vpn 1
 set transform-set RTP-TRANSFORM
crypto map REMOTEACCESS client configuration address initiate
crypto map REMOTEACCESS client configuration address respond
crypto map REMOTEACCESS 1 ipsec-isakmp dynamic vpn
interface Ethernet0/0
 ip address 150.1.1.1 255.255.255.0
 crypto map REMOTEACCESS
interface Ethernet0/1
 ip address 11.10.1.1 255.255.255.0
 no ip directed-broadcast
ip local pool mypool 10.1.10.0 10.1.10.254
ip nat translation timeout never
ip nat translation tcp-timeout never
ip nat translation udp-timeout never
ip nat translation finrst-timeout never
ip nat translation syn-timeout never
ip nat translation dns-timeout never
ip nat translation icmp-timeout never
ip classless
ip route 0.0.0.0 0.0.0.0 10.103.1.1
no ip http server
end

However, when I try to connect to the router via Cisco client 4.6, the following error appears:

05:04:52: ISAKMP (0:1): Checking ISAKMP transform 13 against priority 10 policy
05:04:52: ISAKMP: encryption DES-CBC
05:04:52: ISAKMP: hash MD5
05:04:52: ISAKMP: default group 2
05:04:52: ISAKMP: auth XAUTHInitPreShared
05:04:52: ISAKMP: life type in seconds
05:04:52: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
05:04:52: ISAKMP (0:1): Xauth authentication by pre-shared key offered but does not match policy!
05:04:52: ISAKMP (0:1): atts are not acceptable. Next payload is 3
05:04:52: ISAKMP (0:1): Checking ISAKMP transform 14 against priority 10 policy
05:04:52: ISAKMP: encryption DES-CBC
05:04:52: ISAKMP: hash MD5
05:04:52: ISAKMP: default group 2
05:04:52: ISAKMP: auth pre-share
05:04:52: ISAKMP: life type in seconds
05:04:52: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
05:04:52: ISAKMP (0:1): Preshared authentication offered but does not match policy!
05:04:52: ISAKMP (0:1): atts are not acceptable. Next payload is 0

Does anybody have any idea? Thanks in advance.

3 REPLIES
Cisco Employee

Re: remote vpn doesn't work on Cisco 7206

Jun,

Add the below lines to the configuration and try bringing up the tunnel.

aaa authorization network groupauthor local

crypto map REMOTEACCESS isakmp authorization list groupauthor

Let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **

New Member

Re: remote vpn doesn't work on Cisco 7206

Arul,

It works. However, I am not clear why the authorization is a must. In fact, my network is very simple: the computer running the VPN client connects directly to the router.

Could you kindly tell me what the command is for?

Thanks and Regards,

Wang Jun

Cisco Employee

Re: remote vpn doesn't work on Cisco 7206

Wang,

Thanks for the update! Glad it's working.

The below commands are for group policy lookup.

aaa authorization network groupauthor local

crypto map REMOTEACCESS isakmp authorization list groupauthor

Since you have configured the group policy (name, pre-shared key, etc.) locally on the router, you need to tell the router where to look for ISAKMP policies when the VPN Client tries to connect.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
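
Added example, not part of the original thread and not a Cisco tool: a small Python check for the condition described in the reply above, where a client group is defined locally but the crypto map has no `isakmp authorization list` pointing at a local `aaa authorization network` list. The function names and the simplified line matching are assumptions, and the sample input is constructed from the relevant lines of the posted configuration.

```python
import re

# Constructed sample: the group-lookup-relevant lines of the configuration posted above.
BROKEN = """\
aaa new-model
aaa authentication login xauth local
crypto isakmp client configuration group test
 key cisco123
 pool mypool
crypto map REMOTEACCESS client authentication list xauth
crypto map REMOTEACCESS client configuration address respond
crypto map REMOTEACCESS 1 ipsec-isakmp dynamic vpn
"""
# The same configuration with the two commands from the reply appended.
FIXED = BROKEN + """\
aaa authorization network groupauthor local
crypto map REMOTEACCESS isakmp authorization list groupauthor
"""

def _grab(pattern, lines):
    """Return the regex groups of every line that fully matches pattern."""
    return [m.groups() for ln in lines if (m := re.fullmatch(pattern, ln))]

def check_group_lookup(config):
    """List reasons why locally defined client groups cannot be looked up."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    groups = [g for (g,) in _grab(r"crypto isakmp client configuration group (\S+)", lines)]
    if not groups:
        return []  # no local group policy, nothing to look up
    methods = {name: m.split() for name, m in
               _grab(r"aaa authorization network (\S+) (.+)", lines)}
    bound = dict(_grab(r"crypto map (\S+) isakmp authorization list (\S+)", lines))
    # Crypto maps that serve remote clients (Xauth or mode configuration).
    maps = sorted({name for (name,) in
                   _grab(r"crypto map (\S+) client (?:authentication|configuration) .+", lines)})
    findings = []
    for name in maps:
        lst = bound.get(name)
        if lst is None:
            findings.append(f"{name}: no 'isakmp authorization list', groups {groups} are never consulted")
        elif lst not in methods:
            findings.append(f"{name}: authorization list '{lst}' is not defined")
        elif "local" not in methods[lst]:
            findings.append(f"{name}: list '{lst}' does not use the local database")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", BROKEN), ("with reply applied", FIXED)):
        print(label, "->", check_group_lookup(cfg) or "ok")
```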
