Cisco Support Community

VPN issue please help???

Hi,

I am trying to connect a VPN client (Win XP) and it works just fine. It is also communicating with the RADIUS server and internal network, with no issues there. However, when using the VPN client on Win 7 it does not connect. I can see from the debug on the firewall that phase 2 is complete, but the client does not connect and I can see error 809 on the Win 7 (32-bit and 64-bit) clients. I would really appreciate it if anyone could guide me in the right direction. Please see below the code that is working fine for XP.

nat (inside,outside) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp route-lookup

aaa-server int-radius-group protocol radius
aaa-server int-radius-group (inside) host 172.16.5.100
 key ***
 radius-common-pw ***

crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes128sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes256md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-3dessha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-desmd5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192md5 mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aes192sha mode transport
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set RA-VPN-Set-aesmd5 mode transport

crypto dynamic-map dyn-ra-vpn 65000 set ikev1 transform-set RA-VPN-Set-3desmd5 RA-VPN-Set-aes128sha RA-VPN-Set-aes256s-dessha RA-VPN-Set-3dessha RA-VPN-Set-desmd5 RA-VPN-Set-aes192md5 RA-VPN-Set-aes192sha RA-VPN-Set-aesmd5
crypto dynamic-map dyn-ra-vpn 65000 set reverse-route

crypto map ASA-VPN-SITE 65000 ipsec-isakmp dynamic dyn-ra-vpn
crypto map ASA-VPN-SITE interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ikev1 policy 60
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 default-domain value mydomain.com
 intercept-dhcp enable
 client-firewall none

tunnel-group DefaultRAGroup general-attributes
 address-pool ra-vpn-ippool
 authentication-server-group int-radius-group
 default-group-policy RA-VPN-GP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

Thanks & Regards

Rohit
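
A consistency check for a configuration like the one posted above, as an added example that is not part of the original post: it verifies that every transform set named in a dynamic-map entry is actually defined, and reports defined sets that are never referenced or that lack the `mode transport` line the posted configuration applies to each set. The sample configuration and its names (SET-A, dyn-example) are constructed for illustration.

```python
import re

# Constructed sample in the style of the posted configuration (names are illustrative).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set SET-A esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set SET-A mode transport
crypto ipsec ikev1 transform-set SET-B esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set SET-B mode transport
crypto ipsec ikev1 transform-set SET-C esp-aes esp-sha-hmac
crypto dynamic-map dyn-example 65000 set ikev1 transform-set SET-A SET-C SET-X
crypto dynamic-map dyn-example 65000 set reverse-route
"""

DEFINE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
REFER = re.compile(r"^crypto dynamic-map (\S+) (\d+) set ikev1 transform-set (.+)$")


def audit_transform_sets(config):
    """Cross-check transform-set definitions against dynamic-map references."""
    defined = {}     # set name -> {"transforms": [...], "transport": bool}
    referenced = []  # (dynamic-map name, sequence number, set name)
    for raw in config.splitlines():
        line = raw.strip()
        m = DEFINE.match(line)
        if m:
            entry = defined.setdefault(m.group(1), {"transforms": [], "transport": False})
            words = m.group(2).split()
            if words == ["mode", "transport"]:
                entry["transport"] = True
            else:
                entry["transforms"] = words
            continue
        m = REFER.match(line)
        if m:
            referenced += [(m.group(1), int(m.group(2)), n) for n in m.group(3).split()]
    used = {name for _, _, name in referenced}
    return {
        # Names a dynamic-map entry lists but no transform-set line defines.
        "undefined": [r for r in referenced if r[2] not in defined],
        # Defined sets that no dynamic-map entry references.
        "unused": sorted(set(defined) - used),
        # Referenced sets without a "mode transport" line.
        "not_transport": sorted(n for n in used & set(defined) if not defined[n]["transport"]),
    }


if __name__ == "__main__":
    for finding, items in audit_transform_sets(SAMPLE_CONFIG).items():
        print(finding, items)
```
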

1 REPLY

We are using VPN client v5.0.05.0290 without a problem.  Here is a link that I found initially when testing with Windows 7 and the VPN client...maybe it will help you resolve your issue.

http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

I didn't have to use this procedure on Windows 7 Pro 32-bit.

On a different note, can you pass traffic to hosts on your internal LAN by IP address or hostname?  I found an issue using the AnyConnect client - I didn't configure the connection profile to tell the connecting client what our internal domain name was...so my clients weren't able to make connections inbound without manually appending the domain name to the end of the hostname...shot in the dark...

Good Luck!!

 

"please rate me if post helpful"
