-VPN - PROBLEM IOS CLIENT!
-Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-
Hello
I have a Cisco 2650XM running IOS with IPSEC. I configured local authentication for the VPN client. The IPsec tunnel is created, but I can't ping from the router to my VPN client (Windows 2000 with VPN client 4.0). If anyone can help me, my sincere gratitude.
Best regards
Joao Medeiros
sh run
Current configuration : 8092 bytes
!
! Last configuration change at 09:09:04 GMT Tue Mar 2 1993 by lordz
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router_vpn_fns
!
boot system flash c2600-ik9o3s-mz.122-11.T.bin
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
aaa session-id common
!
clock timezone GMT -3
voice-card 0
 dspfarm
!
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip domain name agm-tele.com
ip name-server 192.168.10.1
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh port 2000 rotary 1
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 110
 authentication pre-share
 lifetime 10000
!
crypto isakmp policy 130
 authentication pre-share
 lifetime 10000
crypto isakmp key xxx address xxx.xxx.76.22
crypto isakmp key xxx address yyy.yyy.149.190
!
crypto isakmp client configuration group xlordz
 key cisco123
 dns 192.168.10.1
 domain agm-tele.com
 pool ldz-pool
 acl 108
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set agmipsec_gyn esp-3des esp-sha-hmac
crypto ipsec transform-set agmipsec_poa esp-3des esp-sha-hmac
crypto ipsec transform-set ldz-set esp-3des esp-sha-hmac
!
crypto dynamic-map ldz_dynmap 10
 set transform-set ldz-set
!
!
crypto map ldz_map client authentication list default
crypto map ldz_map isakmp authorization list default
crypto map ldz_map client configuration address respond
crypto map ldz_map 10 ipsec-isakmp dynamic ldz_dynmap
!
crypto map agmmap_gyn local-address Serial0/0
crypto map agmmap_gyn 1 ipsec-isakmp
 set peer xxx.xxx.76.22
 set transform-set agmipsec_gyn
 set pfs group2
 match address 120
 qos pre-classify
crypto map agmmap_gyn 2 ipsec-isakmp
 set peer yyy.yyy.149.190
 set transform-set agmipsec_poa
 set pfs group2
 match address 130
!
!
!
voice call carrier capacity active
!
voice class codec 1
 codec preference 1 g729r8 bytes 60
 codec preference 2 g711alaw
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
controller E1 0/1
 mode cas
 framing NO-CRC4
 line-termination 75-ohm
 ds0-group 0 timeslots 1-15,17 type r2-digital r2-compelled ani
 ds0-group 1 timeslots 18-31 type r2-digital r2-compelled ani
 cas-custom 0
  country brazil
  metering
  answer-signal group-b 1
 cas-custom 1
  country brazil
  metering
  answer-signal group-b 1
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.15.1 255.255.255.0 secondary
 ip address 192.168.7.1 255.255.255.0 secondary
 ip address 192.168.10.10 255.255.255.0
 ip nbar protocol-discovery
 load-interval 30
 speed auto
 full-duplex
 priority-group 1
 no cdp enable
!
interface Serial0/0
 bandwidth 512
 ip address 200.193.103.154 255.255.255.252
 ip nbar protocol-discovery
 encapsulation frame-relay IETF
 load-interval 30
 priority-group 1
 frame-relay interface-dlci 507
 frame-relay lmi-type ansi
 crypto map ldz_map
!
interface FastEthernet0/1
 no ip address
 ip nbar protocol-discovery
 load-interval 30
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
ip local pool ldz-pool 192.168.10.3 192.168.10.5
ip classless
ip route 0.0.0.0 0.0.0.0 200.193.103.153
ip route 192.168.20.0 255.255.255.0 xxx.xxx.76.22
ip route 192.168.25.0 255.255.255.0 xxx.xxx.76.22
ip route 192.168.30.0 255.255.255.0 yyy.yyy.149.190
ip route 192.168.35.0 255.255.255.0 yyy.yyy.149.190
ip route vvv.vvv.17.152 255.255.255.248 192.168.10.1
ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended key-exchange
!
access-list 1 permit 192.168.10.44 log
access-list 1 permit 192.168.10.2 log
access-list 1 permit 192.168.10.1 log
access-list 1 permit vvv.vvv.17.154 log
access-list 108 permit ip any 192.168.10.0 0.0.0.255 log
access-list 108 permit ip any any log
access-list 120 permit ip any 192.168.20.0 0.0.0.255 log
access-list 120 permit ip any 192.168.25.0 0.0.0.255 log
access-list 120 permit ip host xxx.xxx.76.22 any log
access-list 120 deny ip any any log
access-list 130 permit ip any 192.168.30.0 0.0.0.255 log
access-list 130 permit ip any 192.168.35.0 0.0.0.255 log
access-list 130 permit ip host yyy.yyy.149.190 any log
access-list 130 deny ip any any log
access-list 140 deny udp 192.168.20.0 0.0.0.255 any range netbios-ns netbios-ss log
access-list 140 deny udp 192.168.25.0 0.0.0.255 any range netbios-ns netbios-ss log
access-list 140 deny udp 192.168.30.0 0.0.0.255 any range netbios-ns netbios-ss log
access-list 140 deny udp 192.168.35.0 0.0.0.255 any range netbios-ns netbios-ss log
access-list 140 deny tcp 192.168.20.0 0.0.0.255 any range 137 139 log
access-list 140 deny tcp 192.168.25.0 0.0.0.255 any range 137 139 log
access-list 140 deny tcp 192.168.30.0 0.0.0.255 any range 137 139 log
access-list 140 deny tcp 192.168.35.0 0.0.0.255 any range 137 139 log
access-list 140 deny tcp 192.168.20.0 0.0.0.255 any eq 5900 log
access-list 140 deny tcp 192.168.25.0 0.0.0.255 any eq 5900 log
access-list 140 deny tcp 192.168.30.0 0.0.0.255 any eq 5900 log
access-list 140 deny tcp 192.168.35.0 0.0.0.255 any eq 5900 log
access-list 140 permit ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community xxxxxxxxxx
snmp-server enable traps tty
call rsvp-sync
!
voice-port 0/1:0
!
voice-port 0/1:1
!
no mgcp timer receive-rtcp
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 2 0
 logging synchronous
 length 50
line aux 0
 exec-timeout 0 10
 no exec
line vty 0 4
 access-class 1 in
 transport input telnet ssh
!
ntp master
!
end
Hello
If it won't disturb the production network much, just try reloading the 2650.
This works sometimes!
Kind regards
Walked.
Tags: Cisco Security
Similar Questions
-
Cisco RV220W IPSec VPN problem: "Local configuration for ... has no config mode"
Dear all,
I need help. I am currently evaluating the RV220W for VPN usage but I'm stuck with the config somehow; it seems that there is a problem with Mode-Config?
What needs to be changed, or where is my fault?
I have set up IPSec according to the RV220W Administrator's Guide. The client is a Mac with the Mac Cisco IPSec VPN client; I also tried the NCP Secure Client.
I have 3 other sites where the config on my Mac works fine, but with the Cisco VPN router it does not.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Remote configuration for identifier "remote.com" found
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received request for new phase 1 negotiation: x.x.x.x[500]<=>2.206.0.67[53056]
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Beginning Aggressive mode.
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received Vendor ID: RFC 3947
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received unknown Vendor ID
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received Vendor ID: CISCO-UNITY
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Received Vendor ID: DPD
2013-03-07 01:55:49: [CiscoFirewall] [IKE] INFO: Selected NAT-T version: RFC 3947 for 2.206.0.67[53056]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Floating ports for NAT-T with peer 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT-D payload matches for x.x.x.x[4500]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT-D payload does not match for 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Sending Xauth request for 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP-SA established for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Received attribute type "ISAKMP_CFG_REPLY" from 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Login for user "Testuser".
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: Ignored attribute 5
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: Ignored attribute 28678
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] WARNING: Ignored attribute 28683
2013-03-07 01:56:07: [CiscoFirewall] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=1369a43b6dda8a7d:fd874108e09e207e.
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP-SA deleted for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
Hi Mike, the built-in client for Mac does not work with the RV220W. The reason is that the Mac IPSec client is the same as the Cisco VPN 5.x client.
The reason this is important is that the 5.x client only works on certain small business products, including the SRP500 and SA500 series.
I would recommend that you look at using a VPN client such as Greenbow or IPSecuritas.
-Tom
Please mark replied messages as useful -
"vpn 3002 hardware client" and any other vpn device
When I set up a session between the 3002 hardware client at a remote site and a VPN 3000 series concentrator, PIX or router at the central site: "Server A" is located at the remote site and "Server B" is located at the central site. "Server A" and "Server B" communicate through the IPSEC tunnel. I know that "Server A" (remote site) can initiate a session to "Server B" (central site). Is it possible for "Server B" (central site) to initiate a session to "Server A" (remote site)?
Hi sbjeong,
If you use NMS on the 3002, both servers can initiate traffic once the IPSec tunnel between your 3002 and the VPN server (PIX, IOS, VPN3K) is established.
Jean Marc
-
VPN CLIENT 4.0.1 W/ WINDOWS 2000 AND IOS: no internal ping.
I installed the VPN client on Windows 2000 with local authentication on IOS. The first problem is that the subnet mask sent by IOS is not correct: I use a class A address with a 24-bit subnet mask. After I change this in Network Connections (Windows 2000), I still cannot ping the internal interface of the router.
After the tunnel is established, my VPN client statistics show no packets sent.
If anyone can help me, my sincere gratitude.
Best regards
Joao Medeiros
Below are the sh run of my router and sh crypto ipsec sa
Current configuration : 4997 bytes
!
version 12.3
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SEJUSP_ADSL
!
enable secret 5 XXXXXXXXX.
!
username joao password 0 XXXX
username marcio password 0 XXXX
username gustavo password 0 XXXXXX
username admin privilege 5 password 0 XXXXXX
username manager privilege 15 password 0 XXXXXXX
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name sejusp.ms.gov.br
ip dhcp excluded-address 10.10.1.1 10.10.1.10
!
ip dhcp pool VPNCLIENT
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   dns-server 200.199.252.68
   domain-name sejusp.ms.gov.br
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 2001 rotary 1
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXXXX
 dns 200.199.252.68
 domain sejusp.ms.gov.br
 pool rtp-pool
 acl 166
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set rtpset esp-3des esp-sha-hmac
!
crypto dynamic-map rtp-dynamic 10
 set transform-set rtpset
!
!
crypto map rtp client authentication list userauthen
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 10 ipsec-isakmp dynamic rtp-dynamic
!
!
!
!
interface Loopback0
 ip address 200.103.82.19 255.255.255.248
!
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 hold-queue 208 in
!
interface ATM0.1 point-to-point
 description ADSL AC DF GO MS MT PR RO SC TO
 pvc 0/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address 200.163.45.206 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username [email protected] password 7 XXXXXXXXXXXXXX
 ppp ipcp dns request
 crypto map rtp
!
ip local pool rtp-pool 10.10.1.10
ip nat pool sejusp 200.103.82.18 200.103.82.18 netmask 255.255.255.248
ip nat inside source list 12 pool sejusp overload
ip nat inside source route-map sheep interface Dialer0 overload
ip nat inside source static tcp 10.10.1.2 23 200.103.82.21 23 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 180
ip http server
no ip http secure-server
!
!
ip access-list extended default-domain
ip access-list extended temps_inactivite
access-list 10 permit 10.10.1.0 0.0.0.15
access-list 12 permit 10.10.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq pop3
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any eq 22
access-list 110 permit tcp any any eq ftp
access-list 110 deny ip any any
access-list 166 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
route-map sheep permit 10
 match ip address 10
!
radius-server authorization permit missing Service-Type
banner motd ^C
0A DD %A
HA UH HU
Q # Q $HA #.
DHD QQ DHD
DDAUDDUU AH$ #Q
DDAUADDDDAUDDAAUA AH
AUQQQQAD DDDDDADDHU DAUA $2DUUUD
+ UQD DUUD DAAUAD + AQQQQQQQQQQ
QQ + AAU #A OF $ UQQQQQQQQQQ$
Q # Q # QQ AQ #QQQQQA
#Q #Q + HA
AH2 AH QH #U AH A #U D
AH % AHD DHD Q # HA Q QH # $HA UH
#Q QH. D #QD DHD Q # DHD 2HD #Q % HA
U #A. #A DUUUD #Q #Q #Q DH2 Q OH$ #.
A DUQUDD #U $ #Q AH. AH #U DH$
+ DUUUD$ DDDUUAAU HU HU UH HQ
+ # QA #D QA DDAUADDDAAAU
Dicorel Comercio e Industria Ltda.
Suporte: (67) 345-2800
+------------------------------------------------------+
| E-Este' um sistema restrito! |
| Você esta sendo MONITORADO * |
+------------------------------------------------------+^C
!
line con 0
 exec-timeout 0 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password XXXXXXX
 transport input ssh
!
scheduler max-task-time 5000
!
end
SEJUSP_ADSL#sh crypto ipsec sa
interface: Dialer0
    Crypto map tag: rtp, local addr. 200.163.45.206
   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
   current_peer: 200.163.29.5:61560
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
     path mtu 1500, media mtu 1500
     current outbound spi: 3BD55B25
     inbound esp sas:
      spi: 0xE4449888(3829700744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450558/83934)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3BD55B25(1003838245)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450586/83934)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
interface: Virtual-Access2
    Crypto map tag: rtp, local addr. 200.163.45.206
   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.1.10/255.255.255.255/0/0)
   current_peer: 200.163.29.5:61560
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 165, #pkts decrypt: 165, #pkts verify 165
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 200.163.45.206, remote crypto endpt.: 200.163.29.5
     path mtu 1500, media mtu 1500
     current outbound spi: 3BD55B25
     inbound esp sas:
      spi: 0xE4449888(3829700744)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450558/83933)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x3BD55B25(1003838245)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: rtp
        sa timing: remaining key lifetime (k/sec): (4450586/83933)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:
     outbound pcp sas:
Hello
You can change your pool to be something different:
no ip local pool rtp-pool 10.10.1.10
ip local pool rtp-pool 10.10.100.10
Also change the NAT pool:
no ip nat inside source list 12 pool sejusp overload
no ip nat inside source route-map sheep interface Dialer0 overload
route-map no-nat permit 10
 match ip address 100
access-list 100 deny ip 10.10.1.0 0.0.0.255 host 10.10.100.10
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
ip nat inside source route-map no-nat pool sejusp overload
ip nat inside source route-map no-nat interface Dialer0 overload
Jean Marc
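The answer above changes two things: it moves the client pool off the LAN subnet, and it stops the NAT rules from translating LAN-to-client traffic before the crypto map sees it. The Python checker below is an added example, not part of this thread or of any Cisco tool. It parses a constructed excerpt of the poster's config (the `ip nat inside` interface, the pool and the NAT rules) and the same excerpt with the suggested changes applied, and reports both conditions. The `sh crypto ipsec sa` output above, with 165 packets decrypted and 0 encrypted, is consistent with a return path that never reaches encryption. The ACL evaluation is first-match with an implicit deny, as on IOS; extended ACL port/protocol qualifiers are ignored since only IP-level NAT rules are checked here.

```python
import ipaddress
import re

# Constructed excerpt (not the full config posted above): the inside
# interface, the client pool and the NAT rules as the poster had them.
BEFORE = """\
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool rtp-pool 10.10.1.10
access-list 10 permit 10.10.1.0 0.0.0.15
access-list 12 permit 10.10.1.0 0.0.0.255
ip nat inside source list 12 pool sejusp overload
ip nat inside source route-map sheep interface Dialer0 overload
route-map sheep permit 10
 match ip address 10
"""

# Constructed excerpt with the answer's changes applied.
AFTER = """\
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool rtp-pool 10.10.100.10
access-list 100 deny ip 10.10.1.0 0.0.0.255 host 10.10.100.10
access-list 100 permit ip 10.10.1.0 0.0.0.255 any
route-map no-nat permit 10
 match ip address 100
ip nat inside source route-map no-nat pool sejusp overload
ip nat inside source route-map no-nat interface Dialer0 overload
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}


def parse_config(text):
    """Extract what decides whether LAN -> VPN-client traffic gets encrypted:
    NAT-inside subnets, the client pool, NAT rules and the ACLs behind them."""
    cfg = {"inside": [], "pool": [], "nat_acls": [], "acls": {}, "rmaps": {}}
    addr, nat_inside, rmap = None, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            if addr and nat_inside:
                cfg["inside"].append(addr)
            addr, nat_inside = None, False
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif line == "ip nat inside":
            nat_inside = True
        elif m := re.match(r"ip local pool \S+ (\S+)(?: (\S+))?$", line):
            first = int(ipaddress.ip_address(m[1]))
            last = int(ipaddress.ip_address(m[2] or m[1]))
            cfg["pool"] = [ipaddress.ip_address(a) for a in range(first, last + 1)]
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+)", line):
            cfg["nat_acls"].append((m[1], m[2]))
        elif m := re.match(r"route-map (\S+) permit", line):
            rmap = m[1]
        elif m := re.match(r"match ip address (\S+)", line):
            cfg["rmaps"][rmap] = m[1]
        elif m := re.match(r"access-list (\S+) (permit|deny) (.+)$", line):
            cfg["acls"].setdefault(m[1], []).append((m[2], m[3].split()))
    if addr and nat_inside:
        cfg["inside"].append(addr)
    # a NAT rule keyed by route-map translates whatever that map's ACL permits
    cfg["nat_acls"] = [name if kind == "list" else cfg["rmaps"].get(name)
                       for kind, name in cfg["nat_acls"]]
    return cfg


def _addr(tokens, i):
    """Consume one ACL address spec at tokens[i]: any | host X | X WILDCARD | X."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and re.match(r"\d+\.\d+\.\d+\.\d+$", tokens[i + 1]):
        wildcard = int(ipaddress.ip_address(tokens[i + 1]))
        netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
        return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2
    return ipaddress.ip_network(tokens[i] + "/32"), i + 1


def translates(acl, src, dst):
    """First-match evaluation: would a src -> dst packet be NATed by this ACL?"""
    for action, tokens in acl:
        if tokens[0] in PROTOCOLS:            # extended: proto SRC DST ...
            s, i = _addr(tokens, 1)
            d, _ = _addr(tokens, i)
        else:                                 # standard: SRC only
            s, _ = _addr(tokens, 0)
            d = ANY
        if src in s and dst in d:
            return action == "permit"
    return False                              # implicit deny: not translated


def check_return_path(text):
    """Findings that break traffic from the LAN back to a VPN client."""
    cfg = parse_config(text)
    findings = []
    for client in cfg["pool"]:
        for net in cfg["inside"]:
            if client in net:
                findings.append(f"pool address {client} lies inside NAT-inside subnet {net}")
            lan_host = net.network_address + 2      # any ordinary LAN host
            for acl_name in cfg["nat_acls"]:
                if translates(cfg["acls"].get(acl_name, []), lan_host, client):
                    findings.append(f"ACL {acl_name} NATs {net} -> {client} before encryption")
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_return_path(text) or ["ok"])
```

Run against the "before" excerpt it reports the pool overlap plus one finding per NAT rule (ACL 12 and the route-map's ACL 10 both permit the LAN); against the "after" excerpt the deny in ACL 100 stops the translation and the pool no longer overlaps, so it reports nothing.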
-
Problem with the Cisco VPN client and Vista
Hello
I have an Easy VPN server configured on a c2811 and users use the Cisco VPN client. Lately I have users running Windows Vista 64-bit, and I need to know which version of the VPN client I have to use and what compatibility problems there are with the server I configured.
Thank you and best regards.
The Cisco VPN Client doesn't have any version that is compatible with the Vista 64-bit OS. The only client that Cisco has released that supports 64-bit OSes is AnyConnect, but it is only supported on the Cisco ASA appliance.
-
IOS IPSEC VPN client configuration question
Hello all, I just can't get my IOS Firewall to accept a client-based IPSEC VPN connection. The Cisco client times out and I'm never prompted for a username and password. I checked my group and pre-shared key on the client and the router. I put my relevant config below. Any help would be greatly appreciated.
version 12.4
boot system flash:uc500-advipservicesk9-mz.124-24.T.bin
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius
aaa authorization exec default local
aaa authorization network groupauthor group radius
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound icmp
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SMOVPN
 key xxxxx
 dns 192.168.10.2
 domain business.local
 pool vpnpool
 acl 108
crypto isakmp profile VPNclient
   match identity group SMOVPN
   client authentication list default
   isakmp authorization list default
   client configuration address respond
!
!
crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 set isakmp-profile VPNclient
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 11.11.11.10 255.255.255.252
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect outbound out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
ip local pool vpnpool 192.168.109.1 192.168.109.254
ip nat inside source list 1 interface FastEthernet0/0 overload
ip access-list extended outside_in
 permit tcp object-group Yes_SMTP host 11.11.11.10 eq smtp
 permit esp any host 74.143.215.138
 permit udp any host 74.143.215.138 eq isakmp
 permit udp any host 74.143.215.138 eq non500-isakmp
 permit ahp any host 74.143.215.138
 permit gre any host 74.143.215.138
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.109.0 0.0.0.255 10.1.10.0 0.0.0.255
Here are a few suggestions:
Change this:
aaa authorization network groupauthor group radius
to this:
aaa authorization network groupauthor local
(unless you use group authorization from your radius server, you need local)
Choose one way or the other on ISAKMP profiles; if you decide to go with them, then get rid of these lines:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
AND change the following on your isakmp profile:
crypto isakmp profile VPNclient
 isakmp authorization list groupauthor
Also, if you'll use a list for user authentication, I advise you to avoid using the default list, so go ahead and change that too under the isakmp profile:
 client authentication list userauthen
If you do not use isakmp profiles, change the following:
no crypto isakmp profile VPNclient
crypto dynamic-map dynmap 10
 no set isakmp-profile VPNclient
-
Client VPN router IOS, and site to site vpn
Hi
I'm trying to configure access for a VPN client to an IOS router that already has a site-to-site VPN running. I can't see how both can be running on the same router.
So I guess my question is: can this be done? And if so, has anyone got a config they can share or a useful link?
I'm using an 800 series router with 12.4 IOS.
Many thanks
Colin
Colin
It can be done. Look at this config example, which shows a router configured with a site-to-site VPN and a client VPN connection.
Jon
-
Which Cisco VPN client for IOS VPN with RADIUS?
Hello community,
My company is trying to set up remote user VPN for all of our external collaborators using our existing Cisco router and a RADIUS server in Active Directory.
I did all the AAA config on the router and set up RADIUS, but I do not know which Cisco remote client to buy and how to set it up.
Anyone who knows this setup or uses it, can you help me please, so we don't lose our money (and my boss's time!)?
Thanks in advance.
Paul
Paul,
AnyConnect lets you connect using IKEv2/IPsec and SSL VPN to an IOS headend.
There are countless configuration examples.
Alternatively, some 3rd-party IKEv1/IPsec clients exist and are able to connect; however, those are not TAC (Cisco) supported. You can check the feature called ezvpn.
M.
-
Site-to-site VPN problem with IOS 12.4?
I have a site with several VPNs configured. Sites with routers (all Cisco) running IOS 12.3 or lower are fine. New routers with IOS 12.4 can establish the VPN connection and I can ping the remote networks. When I try to access the intranet home page from a remote site, the home page is displayed, but I am not able to access all pages. The same thing is happening with another application (a SQL Server program). The client (remote site) can connect to the SQL database and perform a task, and then gets a connectivity error. Sites running IOS 12.3 do not have these problems.
ANY IDEAS please?
Looks like an MTU problem.
See if you can clear the DF bit in the encrypted packet using the command
crypto ipsec df-bit clear
or
on the outgoing interface, use the command ip tcp adjust-mss 1400.
Let me know if it helps
-
IOS router VPN client does not connect
Hi all
I'm having some trouble with VPN client connections over the internet to our Cisco IOS router. Some help would be very much appreciated!
On the VPN client log I get the following error messages:
---------------------------
...
573    16:32:13.164  21/12/05  Sev=Warning/2	IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
574    16:32:13.164  21/12/05  Sev=Info/4	IKE/0xE30000A4
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
575    16:32:13.164  21/12/05  Sev=Warning/3	IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
---------------------------
We get the following debug on the router that I'm trying to connect to:
---------------------------
router#debug crypto isakmp
...
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): received packet from 203.153.196.1 dport 500 sport 500 Global (N) NEW SA
Dec 21 16:32:16.089 AEDT: ISAKMP: Created a peer struct for 203.153.196.1, peer port 500
Dec 21 16:32:16.089 AEDT: ISAKMP: New peer created peer = 0x678939E0 peer_handle = 0x80000031
Dec 21 16:32:16.089 AEDT: ISAKMP: Locking peer struct 0x678939E0, IKE refcount 1 for crypto_isakmp_process_block
Dec 21 16:32:16.089 AEDT: ISAKMP: local port 500, remote port 500
Dec 21 16:32:16.089 AEDT: insert sa successfully sa = 67B0AB34
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing ID payload. message ID = 0
Dec 21 16:32:16.089 AEDT: ISAKMP (0:0): ID payload
	next-payload : 13
	type         : 11
	group id     : eggs
	protocol     : 17
	port         : 500
	length       : 12
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): peer matches *none* of the profiles
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 215 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is DPD
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): processing vendor id payload
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is Unity
Dec 21 16:32:16.089 AEDT: ISAKMP : Scanning profiles for xauth ...
.....
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 3 policy
Dec 21 16:32:16.093 AEDT: ISAKMP:      encryption 3DES-CBC
Dec 21 16:32:16.093 AEDT: ISAKMP:      hash MD5
Dec 21 16:32:16.093 AEDT: ISAKMP:      default group 2
Dec 21 16:32:16.093 AEDT: ISAKMP:      auth pre-share
Dec 21 16:32:16.093 AEDT: ISAKMP:      life type in seconds
Dec 21 16:32:16.093 AEDT: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy.
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
---------------------------
Can you apply the crypto map to the WAN interface and check?
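Both the RV220W log earlier on this page and the IOS `debug crypto isakmp` output above are read the same way: find the first line that says why the negotiation stopped, and note which phase 1 attributes the client actually offered. The Python triage below is an added example, not part of either thread and not a Cisco tool. It runs a few regex rules over constructed samples abbreviated from those two logs, counts the causes, extracts the offered phase 1 attributes, and returns the one finding worth reporting first. The finding keys and advice strings are my own wording, not router output.

```python
import re
from collections import Counter

# Constructed samples, abbreviated from the two logs on this page: the RV220W
# (racoon-style) messages and the IOS "debug crypto isakmp" output.
RV220W_LOG = """\
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: NAT detected: Peer is behind a NAT device
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: ISAKMP-SA established for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
2013-03-07 01:55:50: [CiscoFirewall] [IKE] INFO: Received attribute type "ISAKMP_CFG_REQUEST" from 2.206.0.67[52149]
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:55:50: [CiscoFirewall] [IKE] ERROR: Local configuration for 2.206.0.67[52149] has no config mode
2013-03-07 01:56:08: [CiscoFirewall] [IKE] INFO: ISAKMP-SA deleted for x.x.x.x[4500]-2.206.0.67[52149] with spi:1369a43b6dda8a7d:fd874108e09e207e
"""

IOS_DEBUG = """\
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): peer matches *none* of the profiles
Dec 21 16:32:16.089 AEDT: ISAKMP:(0:0:N/A:0): vendor ID is XAUTH
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 12 against priority 3 policy
Dec 21 16:32:16.093 AEDT: ISAKMP:      encryption 3DES-CBC
Dec 21 16:32:16.093 AEDT: ISAKMP:      hash MD5
Dec 21 16:32:16.093 AEDT: ISAKMP:      default group 2
Dec 21 16:32:16.093 AEDT: ISAKMP:      auth pre-share
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):Preshared authentication offered but does not match policy.
Dec 21 16:32:16.093 AEDT: ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 3
"""

# (pattern, finding key, advice): the keys and advice are mine, not router output
RULES = [
    (r"has no config mode", "no_mode_config",
     "peer sent ISAKMP_CFG_REQUEST but the matching local policy has no mode-config; enable it for that remote identifier"),
    (r"offered but does not match policy|atts are not acceptable", "phase1_mismatch",
     "phase 1 proposal rejected; compare the offered attributes with each crypto isakmp policy and confirm a pre-shared key or client group exists for this peer identity"),
    (r"matches \*none\* of the profiles", "no_profile",
     "no isakmp profile matched this peer's group ID"),
    (r"NAT detected", "nat_t", "peer is behind NAT; UDP/4500 must be permitted as well as UDP/500"),
    (r"ISAKMP-SA established", "sa_established", "phase 1 completed"),
    (r"ISAKMP-SA deleted|Purged ISAKMP-SA", "sa_deleted", "phase 1 SA torn down"),
]
# attributes IOS prints while checking a client's transform against a policy
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth) (\S+)")
PRIORITY = ("phase1_mismatch", "no_mode_config", "no_profile", "sa_established")


def triage(log_text):
    """Count IKE log lines by cause and collect the phase 1 attributes offered."""
    counts, offered = Counter(), {}
    for line in log_text.splitlines():
        for pattern, key, _ in RULES:
            if re.search(pattern, line):
                counts[key] += 1
                break
        if m := ATTR_RE.search(line):
            offered[m[1]] = m[2]
    return {"counts": dict(counts), "offered": offered,
            "advice": [advice for _, key, advice in RULES if key in counts]}


def verdict(result):
    """The single finding to report first: a hard failure outranks a success line."""
    return next((k for k in PRIORITY if k in result["counts"]), "unknown")


if __name__ == "__main__":
    for name, text in (("RV220W", RV220W_LOG), ("IOS", IOS_DEBUG)):
        r = triage(text)
        print(name, verdict(r), r["counts"], r["offered"])
        for line in r["advice"]:
            print("  -", line)
```

On the RV220W sample phase 1 completes and the verdict is the mode-config error, which matches the reply in that thread; on the IOS sample the verdict is the phase 1 mismatch, with the client's offer (3DES-CBC, MD5, group 2, pre-share) captured so it can be compared with the router's policies line by line.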
-
What is a good VPN client for Mac and iOS?
I want to identify a strong VPN product for Mac and iOS. I want something that is easy to install and maintain, and effective.
Thank you
This depends a lot on what you're trying to accomplish. Can you elaborate on why you think you need it?
-
ASA Easy VPN server and IOS client: do both need a public IP?
Hello
Can someone clarify: with a Cisco ASA 5525-X as server and a Cisco 2800 IOS router as client, must both sides have a public IP, or only the server side?
Please clear my doubt
Hello
Then you can do it with ezvpn itself. Take the document mentioned below as an example and configure accordingly for your scenario.
http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/iOS-...
Regards
Knockaert
-
Hi, I implemented a project some time back which went something like this: a Headquarters site where a PIX515E is installed with a public static IP on its external interface. Three remote sites, each connecting to the internet through 837 ADSL routers with a dynamic public IP address. I configured the firewall and routers for EzVPN (router configured in client mode) and the VPN tunnel comes up and works fine. Of course, when there is no interesting traffic through the tunnel and the idle timer on the PIX expires, the tunnel goes down. That is also fine. The problem is what happens once the tunnel goes down and it is supposed to come up again automatically when interesting traffic passes through the router. I used the console and ran debugging on one of the routers and noticed that once the tunnel goes down and the router tries to bring it up again, it gives the message:
"Key pair for this XXX.XX.XX.XX mask XX/XX already exists." Then, when I give the command "clear crypto isakmp sa", the tunnel comes up immediately. I already posted this question before (link: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd6e4b2). Maybe it has something to do with Dead Peer Detection on the PIX and the router. In any case, I have configured the following command on the router and PIX:
crypto isakmp keepalive 2 10
but still it does not solve the problem. The router's IOS version is 12.3(2)XC2 and the PIX OS version is 6.3(3). I'm also attaching the PIX and router configs to this post. What else can be done to solve the problem?
I replied to your last message.
As I said, you must have at least 12.3.7 so that it works correctly.
"You must have at least 12.3(7)T for Dead Peer Detection to work and to send the keepalive at the interval you want.
crypto isakmp keepalive [interval] [retry until counted dead] periodic
for example:
crypto isakmp keepalive 15 5 periodic
The keyword "periodic" is not available until 12.3.7 or later.
crypto isakmp keepalive 2 10
without periodic does nothing; you need periodic keepalives.
crypto isakmp keepalive 2 10 periodic
will maintain the tunnel and let the head-end device know if/when it goes down. It should be applied to the router and the PIX in your situation.
I worked through this issue before with IOS EzVPN (12.3(11)T) to PIX (6.3(3)) and IOS EzVPN to a VPN3000 (4.1) hub.
also... http://www.Cisco.com/en/us/products/SW/iosswrel/ps5207/products_feature_guide09186a00801ee19a.html
-
VPN problem with VRF support on CSR
Hello community,
I am currently evaluating CSR on AWS (60 day trial) and have already worked around the usual problems and the special aspects of AWS network architecture design.
I can't open a TAC case because we have not purchased a license. We will, once this last problem is solved.
Current configuration:
- Two CSRs in a VPC in two AZs
- GRE tunnel transit between the two CSRs
- running BGP, VRF-aware
- using a front door VRF
- the CSRs are connected to several AWS VPCs (customers) via the AWS VPN feature - full mesh route based VPN - one customer VRF each - all running BGP
- Link to on-prem is done in the same way: full mesh route based VPN - using the front door VRF - all running BGP
- VRF import/export rules
It works fine - no problems here. All HA tests work as expected. So far, so good.
Now, we had to create a VPN connection to a special on-prem location of our company. We had to create a policy based VPN to that location (no support for route based VPN there). It is a two-to-one VPN: two CSRs connect to one on-prem gateway. The two tunnels run the same encryption domain. On-prem routing is based on the state of the tunnel. We put this tunnel in the front door VRF. Routes are injected into the front door VRF routing table by the VPN process (static reverse-route in the crypto map). To get these routes exported to the customer VRFs, there is a network statement in the front door VRF BGP process.
Well, this also works fine if we do this only with CSR A. Reachability is there. CSR B hands traffic to CSR A, since the VPN is VRF-aware. However, if we establish the second tunnel on CSR B, something strange happens.
The tunnel is established fine. Traffic through the tunnel at CSR B is accepted and routed to the destination. Traffic originated in the front door VRF on CSR B is routed into its own VPN fine. However, traffic from a customer VRF that reaches CSR B (traceroute proved that) is not routed through the VPN tunnel, despite what the customer VRF routing table says. CSR A running the same configuration has no problem. Only on CSR B.
I don't understand this. If we remove the tunnel configuration from CSR A and create the tunnel only on CSR B, it still does not work. I don't understand why, because I did a config comparison and found no difference.
Does anyone have an idea what's going on?
How can I debug this problem?
CSR-A:
B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf - default), 3w4d
CSR-B:
With route (doesn't work for the customer VRF):
B 172.29.13.176/28 [20/0] via 1.1.119.182 (vrf - default), 00:00:02
Without route (works, because only sent via the transit to CSR-A):
B 172.29.13.176/28 [20/0] via 192.168.254.53 (vrf - default), 00:38:23
This problem is hard to describe; I would really appreciate discussing it with a TAC engineer in a WebEx. Is this possible?
Thank you.
Hello Tobias,
The problem you describe is outside our CSR platform expertise. It looks like the CSR works well and HA works as well, and now you're trying to find a solution to a network/VPN problem you are facing.
Our team is trying to find an internal resource to resolve your issue; please allow us a day or two to get back to you with an answer.
Regards
Tony
-
Hello
I have a PIX 501 (6.3-4) on a local network and am trying to use the Cisco VPN Client (4.0.2-D) on a remote PC.
I can open a VPN session.
I can't ping from the remote PC to the LAN.
I can ping from any station on the LAN to the remote PC.
After I have pinged from a station on the LAN to the remote PC, I can ping from the remote PC to the LAN.
I am such a newbie, trying for 2 days changing ACLs, no way.
I must say that I have a dynamic WAN IP on both the local network and the remote PC.
Any idea about this problem?
Any help is welcome.
Here is the configuration of my pix:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password * encrypted
passwd * encrypted
hostname pixfirewall
domain-name ciscopix.com
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup .../...
fixup protocol tftp 69
names
name 192.168.42.0 Dmi
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip any 192.168.229.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip Dmi 255.255.255.0 192.168.229.32 255.255.255.224
access-list outside_cryptomap_dyn_20 permit icmp any any
pager lines 24
logging on
logging trap informational
mtu outside 1500
mtu inside 1500
ip address outside 209.x.x.x.255.255.224
ip address inside 192.168.42.40 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool dmivpndhcp 192.168.229.1-192.168.229.254
pdm location 192.168.229.1 255.255.255.255 outside
pdm location 209.165.x.x.x.255.255 inside
pdm location 209.x.x.x.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http Dmi 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.42.100 .
floodguard enable
sysopt connection permit-ipsec
auth-prompt prompt pass
auth-prompt accept good
auth-prompt reject bad
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map dynmap 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup dmivpn address-pool dmivpndhcp
vpngroup dmivpn dns-server 192.168.42.20
vpngroup dmivpn wins-server 192.168.42.20
vpngroup dmivpn default-domain defi.local
vpngroup dmivpn idle-time 1800
vpngroup dmivpn password *
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username vpnuser password *
vpdn enable outside
vpdn enable inside
dhcpd address 192.168.42.41-192.168.42.72 inside
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum: *
Noelle,
Add the command (in config mode): isakmp nat-traversal
Let me know if it helps.
Jay