Trouble with IP address assignment

I have the following config and I cannot get the client to pull an IP address:

crypto pki trustpoint dc-ho1
 enrollment mode ra
 enrollment url http://10.10.20.2:80/certsrv/mscep/mscep.dll
 serial-number none
 fqdn HOEDTVPN.edt.net
 ip-address none
 password xxx
 subject-name O=EDT, OU=VPN, C=US, ST=Tx
 revocation-check crl
 rsakeypair HOEDTVPN.edt.net
 auto-enroll
!
!
!
crypto pki certificate map cert_map 10
 subject-name co ou = vpn
!
crypto isakmp policy 1
 encr 3des
crypto isakmp client configuration group VPN
 dns 10.10.20.2
 wins 10.10.20.2
 domain edg.net
 pool hoedtvpn
 acl 101
 netmask 255.255.255.128
!
crypto isakmp profile VPN_client
 ca trust-point dc-ho1
 match certificate cert_map
 client configuration address respond
 client configuration group VPN
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 20
 set transform-set ESP-3DES-SHA
crypto map vpnmap1 local-address GigabitEthernet0/1
crypto map vpnmap1 client configuration address respond
crypto map vpnmap1 20 ipsec-isakmp dynamic vpnclient
interface GigabitEthernet0/1
 description External Interface
 ip address 64.XX.XX.XXX 255.255.255.248
 ip access-group 111 in
 duplex auto
 speed auto
 media-type rj45
 crypto map vpnmap1
ip local pool hoedtvpn 10.20.90.1 10.20.90.126
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.20.90.0 0.0.0.127
access-list 111 remark SDM_ACL Category=17
access-list 111 remark Auto generated by SDM for NTP (123) 10.10.20.2
access-list 111 permit udp host 10.10.20.2 eq ntp host 64.XX.xx.XXX eq ntp
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq telnet
access-list 111 permit gre any any
access-list 111 permit esp any any
access-list 111 permit tcp any any eq 10000

If I assign the pool directly under isakmp it will work, but it does not provide the other needed attributes: DNS, WINS, etc.

When I debug, I get:

Sep 23 14:48:24.090: ISAKMP:(7177):attributes sent in message:
Sep 23 14:48:24.090: Address: 0.2.0.0
Sep 23 14:48:24.090: ISAKMP:(7177):No IP address pool defined for ISAKMP!
Sep 23 14:48:24.090: ISAKMP:(7177):peer does not do paranoid keepalives.
Sep 23 14:48:24.090: ISAKMP:(7177):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR (peer 24.XXX.XX.XX)

Any ideas?
