RV220W IPsec VPN problem
Hello, I hope someone can help with my problem.
I have an RV220W in the office, which I set up for IPsec VPN connections. Behind the router there is a NAS for file storage.
My setup is as follows:
RV220W 192.168.1.1 with DynDNS, configured for IPsec VPN with the default client policies.
Remote location (my laptop) local IP: 192.168.3.2
Remote site VPN IP (assigned by ShrewVPN): 192.168.30.5
I managed to connect to the router at home with ShrewVPN and I can ping each client connected to the RV220W.
The problem is that I can't connect to the web interface of the router, or the NAS web interface, or any other intranet web page (the browser gives no error, but keeps loading without displaying the page), even though I can access web pages from my laptop.
In addition, in Windows Explorer, when I log in to the NAS, although I can browse the files, I can't copy files from my laptop to the NAS or vice versa; I get a timeout error (I checked the permissions on the NAS, and I did manage to copy a small 1 KB txt file, but no luck with large files).
I also tried the QuickVPN client, but got the same results.
When I connect with Windows PPTP, everything works like a charm.
My laptop runs Windows 7 64-bit.
If you need other configuration details, please advise.
Thank you
Hi Spyros, one of the differences between IPsec and PPTP is that IPsec requires the connecting client to use another LAN IP address when you connect. Unlike PPTP, it is assigned by the router.
Another difference is that the bandwidth requirement is much higher for IPsec connections.
I don't think it's an IP subnet problem, since you are at least able to see all the drives, which means the unit accepts connections from different subnets. But it may be a problem of download speed. QuickVPN needs about 5 Mbit of upload to have a reliable, quality connection.
Another problem may be a matter of delay with IPsec encryption. The RV220W has a non-routable WAN address. This suggests to me that you have another router upstream. Response time through the IPsec tunnel can be volatile because of the translation through multiple hops.
-Tom
Please mark answered for helpful posts
Similar Questions
-
Hello
I have a headquarters and a remote site and I want to get a VPN site-to site between the two. I have the following Setup on each router. 'Show encryption session' says that the VPN is in the IDLE-UP condition (and my somewhat limited understanding of virtual private networks, this means that the phase 1 of IKE is complete and waiting for phase 2) When you run a "debug crypto ipsec" on the remote site, I get "no ip crypto card is for addresses local 100.x.x.x" and the VPN remains to IDLE-UP. The ACL on the external interface allows the IP of the remote site. I have CBAC running on the external interface of both routers and ACL permits all traffic between the addresses 100.x.x.x and 200.x.x.x. Could someone help me with the config? I have to do something wrong somewhere.
Thank you!
Shaun
HQ router (LAN 10.2.0.0/16):
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ***** address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 100.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
 ip address 200.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255

Remote router (LAN 10.1.0.0/16):
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ***** address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 200.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
 ip address 100.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

Hi Shaun,
Some comments...
QM_IDLE means that phase 1 is established (sh cry isa sa).
You should see with "sh cry ips sa" that SAs are in place for the phase 2 IPsec encryption/decryption of traffic.
The VPN ACL (the crypto ACL) should be the mirror image of the other one (you have "any" on one side and the two networks stated on the other peer).
You are doing NAT, so there should be a NAT exemption rule for the VPN traffic (to exclude the IPsec traffic from NAT).
This should be it.
Federico.
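The two checks in Federico's reply (crypto ACLs that mirror each other, and a NAT rule that keeps tunnel traffic out of PAT) are easy to get wrong by hand when a site has more than one subnet. As an added worked example, not part of the original thread, the Python script below parses IOS extended ACLs, reports every entry the peer does not mirror, and derives the NAT ACL (for an IOS "ip nat inside source list" statement) that denies the tunnel flows before permitting the rest. The ACL names are the ones posted above; the sample ACL text is constructed here to match the two configs as posted, and the "fixed" HQ ACL is what a mirrored one would look like.

```python
"""Mirror-check two IOS crypto ACLs and derive the NAT ACL that keeps tunnel traffic out of PAT."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirrored(self) -> "Ace":
        # The peer's crypto ACL must select the same flow with src and dst swapped.
        return Ace(self.proto, self.dst, self.src)

    def render(self, action: str = "permit") -> str:
        return f"{action} {self.proto} {_ios(self.src)} {_ios(self.dst)}"


def _ios(net: ipaddress.IPv4Network) -> str:
    """Render a network the way IOS extended ACLs expect it (any | host A | A WILDCARD)."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def _wildcard_to_prefixlen(wildcard: str) -> int:
    # IOS wildcard bits are the inverse of a netmask: 0.0.255.255 -> /16, 0.0.0.0 -> /32.
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    return 32 - w.bit_length()


def _parse_addr(tokens: list[str]) -> ipaddress.IPv4Network:
    """Consume one address spec from the front of the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    prefixlen = _wildcard_to_prefixlen(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False)


def parse_acl(text: str) -> list[Ace]:
    """Parse the 'permit <proto> <src> <dst>' lines of an 'ip access-list extended' block."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            continue  # the header line and any deny entries are not crypto selectors
        rest = tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        aces.append(Ace(tokens[1], src, dst))
    return aces


def mirror_mismatch(local_acl: str, remote_acl: str) -> tuple[list[str], list[str]]:
    """Return (local ACEs the peer does not mirror, peer ACEs the local side does not mirror)."""
    local, remote = set(parse_acl(local_acl)), set(parse_acl(remote_acl))
    return (sorted(a.render() for a in local if a.mirrored() not in remote),
            sorted(a.render() for a in remote if a.mirrored() not in local))


def nat_exempt_acl(local_acl: str) -> list[str]:
    """NAT ACL for 'ip nat inside source list ...': deny the tunnel flows first, then permit the rest."""
    aces = parse_acl(local_acl)
    lines = [a.render("deny") for a in aces]
    for src in sorted({a.src for a in aces}, key=str):
        lines.append(f"permit ip {_ios(src)} any")
    return lines


# Constructed sample input, shaped like the two crypto ACLs posted in this thread.
HQ_AS_POSTED = """ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255
"""
REMOTE_AS_POSTED = """ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
HQ_MIRRORED = """ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
"""

if __name__ == "__main__":
    print("as posted:", mirror_mismatch(HQ_AS_POSTED, REMOTE_AS_POSTED))
    print("mirrored: ", mirror_mismatch(HQ_MIRRORED, REMOTE_AS_POSTED))
    print("\n".join(nat_exempt_acl(HQ_MIRRORED)))
```

Running it on the ACLs as posted lists one unmatched entry on each side; once the HQ entry names 10.2.0.0/16 as the source instead of "any", both lists come back empty. The NAT ACL it derives is the usual IOS pattern: a deny per tunnel flow ahead of the overload permit, so the PAT rule never rewrites packets the crypto map is about to select.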
-
ASA 5505 IPsec VPN client config problems
I configured the ASA with the VPN setup wizard, but it still does not work properly. The VPN connects without problem, but I can't access any of the resources on the 192.168.1.x subnet. I don't know what I'm missing here; here's a copy of my config.
ASA Version 8.0(3)
!
hostname
domain-name
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address "public ip" 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.28
 domain-name fmrs.org
access-list GroupVpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list vpngroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list inside_nat0_outbound extended permit ip any 192.168.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.99.0 255.255.255.0 any
access-list inside_access_in extended permit ip any 192.168.99.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GroupPool 192.168.99.2-192.168.99.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) tcp interface pptp 192.168.1.62 pptp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.76.199.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server fmrsdc protocol radius
aaa-server fmrsdc host 192.168.1.28
 timeout 5
 key fmrsasa
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy GroupVpn internal
group-policy GroupVpn attributes
 wins-server value 192.168.1.28
 dns-server value 192.168.1.28
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GroupVpn_splitTunnelAcl
 default-domain value fmrs.org
username cisco password
tunnel-group GroupVpn type remote-access
tunnel-group GroupVpn general-attributes
 address-pool GroupPool
 authentication-server-group fmrsdc
 default-group-policy GroupVpn
tunnel-group GroupVpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b5df903e690566360b38735b6d79e65e
: end

Please configure the following:
crypto isakmp nat-traversal
management-access inside
You should then be able to ping the ASA's inside IP, 192.168.1.3.
-
Block VLAN access to an IPsec VPN tunnel on a WRV200?
I have two identical WRV200 wireless routers connected by an IPsec VPN tunnel. It goes from my LAN to my parents' LAN. Everything works well.
But I also have my WRV200 configured for two VLANs: VLAN1 for my network and secure wireless access, VLAN2 for unsecured guest WiFi.
My problem is that my guests on VLAN2 slip through the VPN and access devices on my parents' LAN. I'm looking for a way to block this.
I'm using the same software version on both routers (v1.0.39).
For what it's worth, I know that my guests receive a DHCP address in the range 192.168.x.101 - 199. I could assign a different range if that helps. I thought I could block this range on the remote router's firewall, but I see it only blocks a single IP address at a time, with a maximum of 8. Am I missing something?
Or could I put something odd in the routing tables somewhere to send the guest IPs off into la-la land?
Any suggestions are appreciated. I can't be the only one in this boat.
Steve
Try checking the local and remote security group settings under VPN, to see if you can change the IP address range or subnet. Don't include the IP range of the guest wireless computers, so that it won't pass through the VPN tunnel. If there is no IP range option, you will have to subnet the network in order to control which IP addresses you allow on the VPN tunnel.
-
Need help with IPsec VPN on an RV042
https://supportforums.Cisco.com/docs/doc-30883
I would appreciate any help with setting up an IPsec VPN on the RV042, please.
Thanks in advance.
Hi Bay, if you use a Windows computer, you can use QuickVPN. The only thing to note is the router that you have as the gateway in front of the RV042. You must set up a port forward for all the IPsec services to be able to get past the problems with the NAT device.
The RV042 configuration is easy: create a user name and password and that's it. The problem/challenge will be getting your NAT connection to allow the VPN to pass through.
-Tom
Please mark answered for helpful posts -
Hi all
I have 3 sites; the main site has a Cisco router/firewall.
There is an existing IPsec VPN between the Cisco router and another Cisco router at the 2nd site, and it works well.
Now I've added another VPN between a 3rd site and the main site. The router at the 3rd site is a MikroTik firewall.
I got the VPN up between the main site and the 3rd site, where the MikroTik firewall is, and it worked well.
Then, for some reason, the VPN to the 3rd site failed and I could not get it working again.
Looking for answers, I see that the VPN for the 3rd site shows the following:
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
It seems that no traffic is coming back to the Cisco.
I also found the output below while diagnosing the problem.
It seems that there is communication, but if I read this right, it looks like the Cisco established a new node number but the other end does not have the new number:
set new node -1868419487
deleting node -1868419487 error FALSE reason "Informational (in) state 1"
Any help would be appreciated.
*Jul 22 02:49:51.911: ISAKMP:(2060):purging node -1140469772
*Jul 22 02:49:59.723: ISAKMP: received KMI message DPD.
*Jul 22 02:49:59.723: ISAKMP: set new node 1053074288 to QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 2273844328, message ID = 1053074288
*Jul 22 02:49:59.723: ISAKMP:(2060): seq. no 0x645EC368
*Jul 22 02:49:59.723: ISAKMP:(2060): sending packet to x.x.x.127 my_port 500 peer_port 500 (R) QM_IDLE
*Jul 22 02:49:59.723: ISAKMP:(2060):Sending an IKE IPv4 Packet.
*Jul 22 02:49:59.723: ISAKMP:(2060):purging node 1053074288
*Jul 22 02:49:59.767: ISAKMP (2060): received packet from x.x.x.127 dport 500 sport 500 Global (R) QM_IDLE
*Jul 22 02:49:59.767: ISAKMP: set new node -1868419487 to QM_IDLE
*Jul 22 02:49:59.771: ISAKMP:(2060): processing HASH payload. message ID = 2426547809
*Jul 22 02:49:59.771: ISAKMP:(2060): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
        spi 0, message ID = 2426547809, sa = 0x8705F854
*Jul 22 02:49:59.771: ISAKMP:(2060): DPD/R_U_THERE_ACK received from peer x.x.x.127, sequence 0x645EC368
*Jul 22 02:49:59.771: ISAKMP:(2060):deleting node -1868419487 error FALSE reason "Informational (in) state 1"
*Jul 22 02:49:59.771: ISAKMP:(2060):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jul 22 02:49:59.771: ISAKMP:(2060):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jul 22 02:50:01.111: ISAKMP:(2060):purging node -1201068805
Comparing the encrypt counter (46) with the decrypt counter (0), it seems that the router is encrypting the traffic, but we do not get any interesting traffic back from the remote side.
Most likely you will want to check on the remote site whether you see the encrypt and decrypt counters incrementing in parallel or not.
On the IOS router, if the encrypt counters are incrementing, also confirm that you don't have any existing tunnel with the same proxy IDs that is already negotiated with another peer.
Finally, please make sure that ESP (protocol 50) traffic is not blocked in transit.
I hope this helps.
Kind regards,
Dinesh Moudgil
PS: Please rate helpful posts.
-
GRE tunnels will not come up over an IPsec/GRE VPN
Hi all
We have 400+ remote sites that connect to our central location (and a backup site) using Cisco routers with IPsec/GRE VPN tunnels. We use a basic template for creating the tunnels, so there is very little chance of a misconfiguration on any one router. Remote sites use Cisco 831s, central sites use Cisco 2821s. There is one site where the tunnels just WILL NOT come up.
The routers are able to ping each other's public IP addresses, so it is not a routing problem, but the GRE endpoints cannot ping. There is no NATing involved; both routers access the Internet directly. The assorted show commands seem to indicate that the SAs are properly built, but from the logs it seems the last part just doesn't finish, and the GRE tunnels don't come up.
In the attached log file, it seems that both the IPsec and ISAKMP SAs are created @ 00:25:14, then QM_PHASE2 completes @ 00:25:15.
00:25:15: ISAKMP:(0:10:HW:2):deleting node 1891573546 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:10:HW:2):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:10:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: ISAKMP (0:268435467): received packet from 208.XX.YY.11 dport 500 sport 500 Global (I) QM_IDLE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 1572231461/50
00:25:15: ISAKMP:(0:11:HW:2):deleting node -1931380074 error FALSE reason "QM done (await)"
00:25:15: ISAKMP:(0:11:HW:2):Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:25:15: ISAKMP:(0:11:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
00:25:15: IPSEC(key_engine): got a queue event with 1 kei messages
00:25:15: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
00:25:15: IPSEC(key_engine_enable_outbound): enable SA with spi 310818168/50

I don't have the remote router's log file; this one is very long, so I attached it. Before I captured the log file, I enabled ipsec and isakmp debugging and immediately cleared the SAs.
Assorted useful details and the matching show command output:
Cisco IOS Software, C831 Software (C831-K9O3SY6-M), Version 12.4(25), RELEASE SOFTWARE (fc1)
There are 2 IPsec/GRE tunnel connections:
Tunnel101: KC (208.YY.ZZ.11) - remote (74.WW.XX.35)
Tunnel201: Dallas (208.XX.YY.11) - remote (74.WW.XX.35)

Site-382-831#sho ip int br
Interface        IP-Address      OK? Method Status                Protocol
FastEthernet1    unassigned      YES unset  down                  down
FastEthernet2    unassigned      YES unset  up                    up
FastEthernet3    unassigned      YES unset  up                    up
FastEthernet4    unassigned      YES unset  up                    up
Ethernet0        10.3.82.10      YES NVRAM  up                    up
Ethernet1        74.WW.XX.35     YES NVRAM  up                    up
Ethernet2        172.16.1.10     YES NVRAM  up                    up
Tunnel101        1.3.82.46       YES NVRAM  up                    down    <====
Tunnel201        1.3.82.62       YES NVRAM  up                    down    <====
NVI0             unassigned      NO  unset  up                    up
Site-382-831#
Site-382-831#sho run int tunnel101
Building configuration...

Current configuration : 277 bytes
!
interface Tunnel101
 description % connected to KC 2nd BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 keepalive 3 3
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
end
Site-382-831#
Site-382-831#show crypto isakmp sa
dst             src             state          conn-id slot status
208.XX.YY.11    74.WW.XX.35     QM_IDLE             11    0 ACTIVE
208.YY.ZZ.11    74.WW.XX.35     QM_IDLE             10    0 ACTIVE
Site-382-831#
Site-382-831#show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.
11    74.WW.XX.35     208.XX.YY.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  11:2(hardware)
10    74.WW.XX.35     208.YY.ZZ.11           ACTIVE 3des sha  psk  1  23:56:09
       Connection-id:Engine-id =  10:2(hardware)
Site-382-831#
Site-382-831#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
   current_peer 208.YY.ZZ.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.YY.ZZ.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0x45047D1D(1157922077)

     inbound esp sas:
      spi: 0x15B97AEA(364477162)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: C83X_MBRD:4, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486831/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x45047D1D(1157922077)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: C83X_MBRD:3, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4486744/1056)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
   current_peer 208.XX.YY.11 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2333, #pkts encrypt: 2333, #pkts digest: 2333
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 21, #recv errors 0

     local crypto endpt.: 74.WW.XX.35, remote crypto endpt.: 208.XX.YY.11
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet1
     current outbound spi: 0xE82A86BC(3895101116)

     inbound esp sas:
      spi: 0x539697CA(1402378186)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: C83X_MBRD:8, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432595/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE82A86BC(3895101116)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: C83X_MBRD:1, crypto map: IPVPN_MAP
        sa timing: remaining key lifetime (k/sec): (4432508/1039)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Site-382-831#
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Site-382-831#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Site-382-831#
Site-382-831#show crypto map
Crypto Map "IPVPN_MAP" 101 ipsec-isakmp
        Description: to KC 2nd BGP 2821 - PRI-B
        Peer = 208.YY.ZZ.11
        Extended IP access list PRI-B
            access-list PRI-B permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
        Current peer: 208.YY.ZZ.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
Crypto Map "IPVPN_MAP" 201 ipsec-isakmp
        Description: to Dallas 2nd BGP 2821 - SEC-B
        Peer = 208.XX.YY.11
        Extended IP access list SEC-B
            access-list SEC-B permit gre host 74.WW.XX.35 host 208.XX.YY.11
        Current peer: 208.XX.YY.11
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                IPVPN,
        }
        Interfaces using crypto map IPVPN_MAP:
                Ethernet1
Site-382-831#

The tunnel configuration between KC and the remote site is:
Remote c831 - KC
crypto isakmp policy 10
 encr 3des
 authentication pre-share
!
crypto isakmp key PRI-B-382 address 208.YY.ZZ.11
!
crypto ipsec transform-set IPVPN esp-3des esp-sha-hmac
 mode transport
!
crypto map IPVPN_MAP 101 ipsec-isakmp
 description to KC 2nd BGP 2821 - PRI-B
 set peer 208.YY.ZZ.11
 set transform-set IPVPN
 match address PRI-B
!
interface Tunnel101
 description % connected to KC 2nd BGP 2821 - PRI-B
 ip address 1.3.82.46 255.255.255.252
 ip mtu 1500
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 tunnel source Ethernet1
 tunnel destination 208.YY.ZZ.11
!
interface Ethernet0
 description private network
 ip address 10.3.82.10 255.255.255.0
 ip mtu 1500
 no shutdown
!
interface Ethernet1
 ip address 74.WW.XX.35 255.255.255.248
 ip mtu 1500
 duplex auto
 ip virtual-reassembly
 crypto map IPVPN_MAP
 no shutdown
!
ip access-list extended PRI-B
 permit gre host 74.WW.XX.35 host 208.YY.ZZ.11
!

KC-2821
crypto isakmp key PRI-B-382 address 74.WW.XX.35
!
ip access-list extended PRI-B-382
 permit gre host 208.YY.ZZ.11 host 74.WW.XX.35
!
crypto map IPVPN_MAP 382 ipsec-isakmp
 description % connected to KC 2nd BGP 2821
 set peer 74.WW.XX.35
 set transform-set IPVPN
 match address PRI-B-382
!
interface Tunnel382
 description %.
 ip address 1.3.82.45 255.255.255.252
 keepalive 3 3
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 ip mtu 1400
 delay 40000
 tunnel source 208.YY.ZZ.11
 tunnel destination 74.WW.XX.35
!
end

Any help would be much appreciated!
Mark
Hello,
In the logs on Site-382-831 I only see the encrypts but no decrypts. Could you check the corresponding entry on the peer and see if it has any trouble sending the return traffic?
Site-382-831#show crypto ipsec sa | inc pkts|life
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4486831/862)
        sa timing: remaining key lifetime (k/sec): (4486738/862)
    #pkts encaps: 2397, #pkts encrypt: 2397, #pkts digest: 2397
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
        sa timing: remaining key lifetime (k/sec): (4432595/846)
        sa timing: remaining key lifetime (k/sec): (4432501/846)
Site-382-831#
Kind regards,
Averroès.
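Dinesh's reply in the MikroTik thread above and Averroès's reply here read the same symptom off "show crypto ipsec sa": encaps climbing while decaps stays at zero means this router encrypts but never gets anything back, and the next step is the peer's counters, ESP in transit, and duplicate proxy IDs. As an added example, not part of the original thread, the Python script below parses that output, keys each SA by its local/remote proxy identities, and compares two snapshots (for instance one taken before and one after a ping through the tunnel) to classify every SA. The two snapshots are constructed here to match the shape and the masked addresses of the output posted above; nothing in it is real router output.

```python
"""Parse 'show crypto ipsec sa' and compare two snapshots to spot one-way tunnels."""
import re

IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((?P<sel>[^)]*)\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> dict[tuple[str, str], dict[str, int]]:
    """Map (local ident, remote ident) -> encaps/decaps/send_errors/recv_errors counters."""
    sas, local, cur = {}, None, None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                local = m.group("sel")  # the remote ident line always follows its local ident
            else:
                cur = sas.setdefault((local, m.group("sel")),
                                     dict(encaps=0, decaps=0, send_errors=0, recv_errors=0))
            continue
        if cur is None:
            continue  # header lines before the first SA block
        for kind, count in PKTS_RE.findall(line):
            cur[kind] = int(count)
        m = ERR_RE.search(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sas


def diagnose(before: dict, after: dict) -> dict[tuple[str, str], str]:
    """Classify each SA by how its counters moved between two snapshots (e.g. around a ping)."""
    verdicts = {}
    for key, a in after.items():
        b = before.get(key, dict.fromkeys(a, 0))
        sent, received = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
        if sent and not received:
            verdict = ("one-way: encrypting but nothing decrypted; check the peer's encrypt/decrypt "
                       "counters, that ESP (IP protocol 50) is not filtered in transit, and that no "
                       "other SA already claims these proxy IDs")
        elif received and not sent:
            verdict = "receive-only: peer traffic arrives but nothing here matches the crypto ACL"
        elif not sent and not received:
            verdict = "idle: no interesting traffic was selected during the interval"
        else:
            verdict = "bidirectional: traffic flows both ways"
        if a["send_errors"] > b["send_errors"]:
            verdict += f"; send errors rose by {a['send_errors'] - b['send_errors']}"
        if a["recv_errors"] > b["recv_errors"]:
            verdict += f"; recv errors rose by {a['recv_errors'] - b['recv_errors']}"
        verdicts[key] = verdict
    return verdicts


def _sample(encaps_kc: int, encaps_dal: int, send_err: int) -> str:
    """Constructed excerpt with the same shape as the output posted in this thread."""
    return f"""interface: Ethernet1
    Crypto map tag: IPVPN_MAP, local addr 74.WW.XX.35

   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.YY.ZZ.11/255.255.255.255/47/0)
    #pkts encaps: {encaps_kc}, #pkts encrypt: {encaps_kc}, #pkts digest: {encaps_kc}
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors {send_err}, #recv errors 0

   local  ident (addr/mask/prot/port): (74.WW.XX.35/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (208.XX.YY.11/255.255.255.255/47/0)
    #pkts encaps: {encaps_dal}, #pkts encrypt: {encaps_dal}, #pkts digest: {encaps_dal}
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors {send_err}, #recv errors 0
"""


# Two snapshots a minute apart, with the counter values the poster saw (2333, then 2397).
BEFORE = _sample(2333, 2333, 21)
AFTER = _sample(2397, 2397, 21)
KC = ("74.WW.XX.35/255.255.255.255/47/0", "208.YY.ZZ.11/255.255.255.255/47/0")

if __name__ == "__main__":
    for key, verdict in diagnose(parse_ipsec_sa(BEFORE), parse_ipsec_sa(AFTER)).items():
        print(f"{key[0]} -> {key[1]}: {verdict}")
```

The verdict cannot say which side is at fault: a one-way SA looks identical whether the peer never selects the return traffic, encrypts it with different proxy IDs, or sends ESP that something in between drops. That is why the one-way verdict lists the three checks from the replies above, in the order a practitioner would run them, starting with the peer's own counters.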
-
Hi all,
I have a small question. Is it possible to run an L2L IPsec VPN over a Metro-E connection? It's not supposed to be necessary with Metro-E, but this connection is with a partner, so there is a firewall in place at both ends. With port forwarding, NATing, etc., etc., I ran into problems providing additional services because of it. I hope that an L2L IPsec VPN at both ends will solve this problem once and for all. The only question is of course the fact that a Metro-E is just an Ethernet connection and not really different from setting up an L2L IPsec VPN over the Internet.
Thank you for your help.
Eric,
Yes, an L2L IPsec VPN tunnel over Metro-E should work perfectly. You might run into processing overhead and throughput issues on the VPN device, but it should be fine.
Kind regards,
Arul
* Please rate if it helps *
-
VPN/IPsec L2L - Question?
Hello!
Recently I was doing some troubleshooting on a LAN-to-LAN VPN/IPsec connection between a Cisco PIX 515E and a Linux firewall. My question concerns the configuration and not the problem itself.
The interesting traffic (the traffic to be encrypted) is defined and configured as the PIX LAN (inside) to the remote public IP? Which means that the IKE peer and the interesting remote LAN/IP are the same... and it works!
Any ideas?
Thank you
JP
As long as you source the packet from the PIX local network to the remote public IP, the tunnel will come up and work fine :-)
So, if you really look at the traffic flow, you're sourcing traffic from the PIX LAN destined to the remote public IP, which matches the defined access list. Thus the PIX knows it has to encrypt the traffic, now looks up the crypto endpoints (PIX outside IP to remote public IP) and sends the encrypted packets. So this configuration works perfectly.
In fact, the PIX will not allow Telnet to the PIX outside interface unless the traffic comes through an IPsec tunnel, and this was one of the setups that gave Telnet access to the PIX outside interface: its LAN to the PIX public IP through an IPsec tunnel.
Kind regards,
Arul
* Please rate all helpful posts *
-
Hello
I have 2 questions about IPsec VPN.
I have an ASA with an IPsec VPN (L2L) running to a remote site with the 192.168.0.0/24 network.
1> I can ping 192.168.0.1 but not 192.168.0.111. I observed "recv errors" whenever I ping 192.168.0.111.
I observed the recv errors in the "show crypto ipsec sa" output, but not after the tunnel reconnected (after timeout), without any changes made to the configuration.
What could be the cause, and how can I fix it in case the recv errors return? I can't find much info on "recv errors".
2> I understand there are 2 ACLs required for a typical IPsec VPN: 1 for no-NAT, 1 for the crypto map match address.
Can I implement an ACL to allow only tcp 3389 from the remote network into my local network on the ASA?
Thank you
Cash
Hi Cash,
There is not a lot we can do here regarding this issue.
You can talk to your service provider and see if they are modifying the packets somehow.
Also ask them to check for any problem on the circuit.
Cheers,
Nash.
-
ASA to ASA Site-to-Site IPsec VPN Tunnel
Any help would be greatly appreciated...
I have two Cisco ASA devices with a Site-to-Site IPsec VPN tunnel configured as follows:
Site #1 - Cisco ASA running version 8.2(1) with an internal range of 10.0.0.x/24
Site #2 - Cisco ASA running version 8.2(1) with an internal range of 10.1.1.x/24
Site #1 is simple and has a dynamic NAT rule which translates everything inside to the outside (public IP) of the ASA.
Internet access works very well on all workstations at this site. A static route is configured to redirect all traffic to a public router upstream.
Site #2 is slightly more complicated; the Cisco ASA is configured with 10.1.1.254/24 as its inside IP address and 10.1.2.254/24 as its outside IP address. A dynamic NAT rule is configured to translate everything inside to the 10.1.2.254 (outside) address of the ASA. A default static route is then configured to redirect all traffic to a Draytek device at 10.1.2.253. This device then performs its own private-to-public NAT. Again the Internet works fine for all hosts inside the Cisco ASA (10.1.1.x).
The IPsec tunnel is created with the local and remote endpoint networks as above (10.0.0.x/24 and 10.1.1.x/24). The Draytek device at Site #2 is configured with a form of DMZ that essentially forwards ALL traffic directly to the outside interface of the ASA (10.1.2.254). The Phase 1 and Phase 2 negotiation of the tunnel completes correctly, and the tunnel comes up without any problem. However, ICMP traffic passing between the networks does not arrive, and the syslog reports the following:
Site #1:
6 January 19, 2011 15:27:21 302020 ZEFF-SB-01_LAN 1 10.1.1.51 0 Built outbound ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
6 January 19, 2011 15:27:23 302021 10.1.1.51 0 ZEFF-SB-01_LAN 1 Teardown ICMP connection for faddr 10.1.1.51/0 gaddr ZEFF-SB-01_LAN/1 laddr ZEFF-SB-01_LAN/1
Site #2:
6 January 19, 2011 15:24:47 302020 10.1.1.51 0 10.0.0.30 1 Built outbound ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1
6 January 19, 2011 15:24:49 302021 10.0.0.30 1 10.1.1.51 0 Teardown ICMP connection for faddr gaddr laddr 10.1.1.51/0 10.1.1.51/0 10.0.0.30/1
It's the same for any form of traffic passing over the tunnel. The ACL is configured to allow the LAN segments out to any destination. At this point I'm left scratching my head, as my original theory was to blame the Draytek, but after reading the documentation for the DMZ host configuration, it appears that when this parameter is configured all traffic is simply forwarded to the IP address (in this case, the Cisco ASA outside interface).
Can anyone shed light on a possible cause of this problem?
Thank you
Nick
Did you exempt the VPN traffic between 10.0.0 and 10.1.1 from being NAT-ed on the two ASAs?
Please provide the following information:
-tunnel setup
-show crypto isakmp sa
-show crypto ipsec sa
-ping from site 1 to site 2 via the tunnel
-capture "show crypto ipsec sa" again
-ping from site 2 to site 1 via the tunnel
-capture "show crypto ipsec sa" again
-both ASA configurations.
-
Site-to-Site VPN IPSEC falls intermittently
I am currently having a problem with a Site-to-Site VPN where traffic intermittently stops passing. When the problem occurs, I can't ping from the remote site to the HQ site. But I can solve the problem by pinging from HQ to the remote site. My network is currently configured as follows
-------HQ------
PIX 515 version 7.0(4) with a 4-port Ethernet card.
Outside interface connected to the broadband DSL link.
Outside2 interface connected to the second broadband DSL link
-Remote-
I have 4 remote sites. 2 sites connect to each broadband connection at HQ to spread the load at HQ
PIX 501 version 6.3(5)
# The problem #
All VPNs establish successfully to the HQ PIX
Intermittently, a remote site will report that they cannot connect to servers/services in the HQ. When I do a "show crypto ipsec sa" and "show crypto isakmp sa" at headquarters there is no entry for the remote site. However, when I do the same on the remote site there is an entry for the HQ. With debugging on the remote site PIX I try to ping from a PC to the HQ server and I get the following (see below). If I do a "clear crypto isakmp sa" and "clear crypto ipsec sa" on the remote site PIX, then I can successfully ping all servers at headquarters.
This problem seems to have occurred only since I upgraded the PIX from a 501 to a 515 and added another 2 remote sites and a second broadband link, as described above. I'm afraid there is a problem with PIX software version 7. Any advice would be greatly appreciated.
Carrick-PIX01(config)# logging console 7
Carrick-PIX01(config)# ter mon
Carrick-PIX01(config)# exit
Carrick-PIX01# debug crypto ipsec
Carrick-PIX01# debug crypto isakmp
Carrick-PIX01#
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
Carrick-PIX01#
Carrick-PIX01#
ISAKMP (0): retransmitting phase 1 (3)...
Carrick-PIX01#
Carrick-PIX01#
ISAKMP (0): retransmitting phase 1 (4)...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= OUTER-IP, remote= 86.43.74.16,
  local_proxy= LAN-OFFICE/255.255.255.0/0/0 (type=4),
  remote_proxy= 194.x.x.x.x.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src OUTER-IP, dst 86.43.74.16
ISADB: reaper checking SA 0x10c167c, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer Info for 86.43.74.16/500 not found - peers:1
ISADB: reaper checking SA 0x10ca914, conn_id = 0
You can force the ISAKMP keepalive value and the IPsec security association idle time on both sides. The problem should be solved:
crypto isakmp keepalive 30
crypto ipsec security-association idle-time 60
Let me know if it helps
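The check the poster does by hand (compare "show crypto isakmp sa" on HQ and on the remote site, and look for an SA that only one side still holds) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses two captured outputs and classifies the HQ-to-remote SA. The sample outputs are constructed to resemble the PIX table layout (dst, src, state, pending, created), and the addresses are documentation-range placeholders, not the poster's devices.

```python
"""Compare `show crypto isakmp sa` output from two IPsec peers and flag a
one-sided ISAKMP SA: the remote PIX still holds an SA to HQ while HQ has
no entry for that remote.

Added example, not from the original thread.  Sample outputs below are
constructed to resemble the PIX table; addresses are documentation ranges.
"""
import re
from typing import Dict, FrozenSet

# One table row: "<dst> <src> <state> <pending> <created>"
_ROW = re.compile(
    r"^\s*(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z_]+)\s+\d+\s+\d+\s*$"
)

HQ_IP = "203.0.113.1"        # constructed placeholder
SITE_A_IP = "198.51.100.10"  # constructed placeholder
SITE_B_IP = "198.51.100.20"  # constructed placeholder

# Constructed sample: HQ only knows about site A.
HQ_OUTPUT = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   198.51.100.10     203.0.113.1    QM_IDLE         0           1
"""

# Constructed sample: site A agrees with HQ.
SITE_A_OUTPUT = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.1       198.51.100.10  QM_IDLE         0           1
"""

# Constructed sample: site B still holds an SA that HQ has already reaped.
SITE_B_OUTPUT = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.1       198.51.100.20  QM_IDLE         0           1
"""


def parse_isakmp_sa(output: str) -> Dict[FrozenSet[str], str]:
    """Map each SA, keyed by its unordered {dst, src} pair, to its state."""
    sas: Dict[FrozenSet[str], str] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            sas[frozenset((m["dst"], m["src"]))] = m["state"]
    return sas


def check_remote(hq_output: str, remote_output: str,
                 hq_ip: str, remote_ip: str) -> str:
    """Classify the HQ<->remote ISAKMP SA as seen from both ends."""
    pair = frozenset((hq_ip, remote_ip))
    hq_state = parse_isakmp_sa(hq_output).get(pair)
    rm_state = parse_isakmp_sa(remote_output).get(pair)
    if hq_state is None and rm_state is None:
        return "absent"            # no tunnel negotiated yet
    if hq_state is None:
        return "stale-on-remote"   # the poster's symptom: clear the SAs on the remote
    if rm_state is None:
        return "stale-on-hq"
    if hq_state != "QM_IDLE" or rm_state != "QM_IDLE":
        return "negotiating"       # phase 1 not complete on at least one side
    return "ok"


if __name__ == "__main__":
    for name, ip, out in (("site A", SITE_A_IP, SITE_A_OUTPUT),
                          ("site B", SITE_B_IP, SITE_B_OUTPUT)):
        print(f"{name}: {check_remote(HQ_OUTPUT, out, HQ_IP, ip)}")
```

Run against real captures, a "stale-on-remote" result is the state the poster describes: the remote keeps retransmitting phase 1 against an SA HQ no longer has, which is exactly what keepalives and an SA idle-time are meant to reap automatically.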
-
Site-to-Site IPv6 IPsec VPN on routers - tunnel issue
Hi, I am experiencing a problem; can anyone address the question below and let me know the solution? I have two routers and am trying to build a "Site to Site IPv6 IPsec VPN". I followed the Cisco and community documents, but when I apply my ipsec profile to the tunnel interfaces, the tunnel is down.
https://supportforums.Cisco.com/docs/doc-27009
Ali,
VTI tunnels are meant to be down when there are no active negotiated SAs.
The tunnel will go up/up when there is a means of transporting packets, i.e. the SPIs are present.
You can check the SAs with the command 'show crypto ipsec sa peer'.
For debugging:
debug crypto isa
debug crypto ipsec
M.
-
Cisco ASA Site-to-Site IPsec VPN and NAT question
Hi people,
I have a question about Site-to-Site IPsec VPN and NAT. Basically what I want to achieve is the following:
ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static Site-to-Site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 via translated addresses
Just an example:
Host N2 (10.1.0.1/16) contacts host N1 192.168.1.5 with the destination being, say, 10.23.1.5, not 192.168.1.5 (notice the last byte is the same in this case, .5)
The translation stays the same for the rest of the communication (host N2 pings destination host N3 at IP 10.23.1.6, not 192.168.1.6; again the last byte is the same)
It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we provided this to our customers (IPsec Site-to-Site VPN with NAT, don't know how it was set up)
Basically we contacted the customer's hosts via the site-to-site VPN, but their real addresses were hidden and we used a translated address range 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last byte had to be the same.
Grateful if someone can shed some light on this subject.
Hello
OK so I went with the old NAT configuration format
It seems to me that you could do the following:
- Configure ASA1 with static policy NAT
- access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
- Because the above is a static policy NAT, this means that the translation will only be made when the destination network is 10.1.0.0/16
- If you have for example a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the existing PAT configuration should not interfere with each other
- On the ASA2 side, you can configure NAT0 / NAT Exemption for the 10.1.0.0/16 network as normal
- access-list INSIDE-NAT0 remark L2LVPN NAT0
- access-list INSIDE-NAT0 permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
- nat (inside) 0 access-list INSIDE-NAT0
- You will need to consider that the access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
- ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
- ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
I could test this configuration tomorrow, but I would like to know if it works.
Please rate if this was helpful
-Jouni
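Both the NAT-exemption question in the ASA-to-ASA ICMP thread above ("did you exempt the VPN traffic from being NAT-ed?") and Jouni's policy-NAT answer come down to the same pre-8.3 ASA order of operations: NAT exemption (nat 0 access-list) is checked first, then policy static NAT, then dynamic NAT/PAT, and whatever source address comes out must still match the crypto ACL, which in turn must be the mirror image of the peer's. The following is an added example, not code from the thread or from Cisco: a small simulator of that order, using the ACL names and networks from Jouni's reply. The outside addresses (198.51.100.1, 203.0.113.1) are documentation-range placeholders, and the ACE parser only handles the "extended permit ip" form shown in the thread.

```python
"""Pre-8.3 ASA NAT precedence for traffic headed into an L2L tunnel:
NAT exemption (nat 0 access-list) first, then policy static NAT, then
dynamic PAT.  Also checks that the translated source falls inside the
crypto ACL and that the two peers' encryption-domain ACLs mirror each other.

Added example, not from the thread.  Networks and ACL names come from
Jouni's reply; the outside IPs are documentation-range placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Ace = Tuple[IPv4Net, IPv4Net]

# access-list NAME extended permit ip SRC SMASK DST DMASK
_ACE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse permit-ip ACEs into (source network, destination network) pairs."""
    aces: List[Ace] = []
    for line in lines:
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        aces.append((IPv4Net(f'{m["src"]}/{m["smask"]}', strict=False),
                     IPv4Net(f'{m["dst"]}/{m["dmask"]}', strict=False)))
    return aces


def first_match(aces: List[Ace], src, dst) -> Optional[Ace]:
    """Return the first ACE matching the src/dst pair, or None."""
    for s, d in aces:
        if src in s and dst in d:
            return (s, d)
    return None


@dataclass
class AsaNat:
    outside_ip: str
    nat0_acl: List[Ace] = field(default_factory=list)          # nat (inside) 0 access-list ...
    policy_static: Optional[Tuple[IPv4Net, List[Ace]]] = None  # static (inside,outside) MAPPED access-list ...
    crypto_acl: List[Ace] = field(default_factory=list)        # crypto map ... match address ...


def translate(cfg: AsaNat, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Return (translated source, rule that applied) in pre-8.3 precedence order."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if first_match(cfg.nat0_acl, src, dst):
        return str(src), "exempt"
    if cfg.policy_static:
        mapped, aces = cfg.policy_static
        hit = first_match(aces, src, dst)
        if hit:
            real = hit[0]
            # A net-to-net static keeps the host bits, so the last octet survives.
            offset = int(src) - int(real.network_address)
            return str(mapped.network_address + offset), "policy-static"
    return cfg.outside_ip, "pat"


def enters_tunnel(cfg: AsaNat, src_ip: str, dst_ip: str) -> bool:
    """Does the packet, after NAT, still match the crypto ACL?"""
    translated, _ = translate(cfg, src_ip, dst_ip)
    return first_match(cfg.crypto_acl, ipaddress.ip_address(translated),
                       ipaddress.ip_address(dst_ip)) is not None


def is_mirror(local_acl: List[Ace], remote_acl: List[Ace]) -> bool:
    """Proxy IDs must be mirrored on both peers or phase 2 will not match."""
    return set(local_acl) == {(d, s) for s, d in remote_acl}


# ASA1 (remote site): real LAN 192.168.1.0/24 presented to HQ as 10.23.1.0/24
ASA1 = AsaNat(
    outside_ip="198.51.100.1",
    policy_static=(IPv4Net("10.23.1.0/24"), parse_acl([
        "access-list L2LVPN-POLICYNAT extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0"])),
    crypto_acl=parse_acl([
        "access-list L2LVPN-ENCRYPTIONDOMAIN extended permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0"]),
)

# ASA2 (HQ): 10.1.0.0/16, with the VPN traffic exempted from NAT
ASA2 = AsaNat(
    outside_ip="203.0.113.1",
    nat0_acl=parse_acl([
        "access-list INSIDE-NAT0 extended permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0"]),
    crypto_acl=parse_acl([
        "access-list L2LVPN-ENCRYPTIONDOMAIN extended permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0"]),
)

if __name__ == "__main__":
    print(translate(ASA1, "192.168.1.5", "10.1.0.1"))        # ('10.23.1.5', 'policy-static')
    print(translate(ASA1, "192.168.1.5", "198.51.100.200"))  # ('198.51.100.1', 'pat')
    print(translate(ASA2, "10.1.0.1", "10.23.1.5"))          # ('10.1.0.1', 'exempt')
    print(is_mirror(ASA1.crypto_acl, ASA2.crypto_acl))       # True
```

The failure mode from the ICMP thread is the "pat" branch: if neither NAT exemption nor policy NAT catches the VPN traffic, the source is rewritten to the outside address, no longer matches the crypto ACL, and the packet leaves unencrypted toward the default route even though phases 1 and 2 negotiated fine.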
-
IOS IPsec VPN client configuration question
Hello all, I just can't get my IOS Firewall to accept a client-based IPsec VPN connection. The Cisco client times out and I'm never prompted for a username and password. I checked my group and pre-shared key on the client and the router. I put my relevant config below. Any help would be greatly appreciated.
version 12.4
boot system flash:uc500-advipservicesk9-mz.124-24.T.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
ip inspect name outgoing tcp
ip inspect name outgoing udp
ip inspect name outgoing icmp
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key xxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
crypto isakmp profile VPNclient
 match identity group SMOVPN
 client authentication list default
 isakmp authorization list default
 client configuration address respond
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outgoing out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
ip local pool vpnpool 192.168.109.1 192.168.109.254
ip nat inside source list 1 interface FastEthernet0/0 overload
ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
 permit esp any host 74.143.215.138
 permit udp any host 74.143.215.138 eq isakmp
 permit udp any host 74.143.215.138 eq non500-isakmp
 permit ahp any host 74.143.215.138
 permit accord any host 74.143.215.138
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
Here are a few suggestions:
change this:
aaa authorization network groupauthor group radius
to this
aaa authorization network groupauthor local
(unless you use group authorization from your radius server, you need local)
Choose one or the other with ISAKMP profiles, and if you decide to go with them then get rid of these lines:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
AND change the following items in your isakmp profile:
crypto isakmp profile VPNclient
 isakmp authorization list groupauthor
Also, if you'll use a list for user authentication, I advise you to avoid using the default list, so go ahead and change it too under the isakmp profile:
 client authentication list userauthen
If you do not use isakmp profiles, change the following:
no crypto isakmp profile VPNclient
crypto dynamic-map dynmap 10
 no set isakmp-profile VPNclient