VPN Client 4.0.x to IOS

 
 
Chris Ames-Farrow
      09-03-2004
I've been trying to get a couple of machines running VPN client
version 4.6.00.0049 and 4.0.5 to connect to a 3745 running 12.3(5),
but with no luck. I've based my configurations on the sample configs
on CCO for "IOS IPSec NAT Transparency with VPN Client" and
"Configuring Cisco VPN Client 3.5 for Windows to IOS Using Local
Extended Authentication."

The PCs in question are behind a Linksys cable router, with IPSec
passthrough turned on - I don't believe this router to be the issue,
as I can connect to a PIX at another location using the same client
versions.

Edited highlights of the router config:


aaa authentication login userauthen local
aaa authorization network groupauthor local

username test password likeimgonnatellyou

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20

crypto isakmp client configuration group vpnusers
key iwasntbornyesterday
pool ippool
acl remote

crypto ipsec transform-set 3desvpn esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
set transform-set 3desvpn

crypto map VPNClient client authentication list userauthen
crypto map VPNclient isakmp authorization list groupauthor
crypto map VPNclient client configuration address respond
crypto map VPNClient 10 ipsec-isakmp dynamic dynmap

! This is a .1q subinterface of a 100Mbps circuit to one of our ISPs
interface f0/1.78
crytpo map VPNclient

ip local pool ippool 10.10.3.100 10.10.3.200

ip access-list extended remote
permit ip 172.31.251.0 0.0.0.255 10.10.3.0 0.0.0.255

Comparing the configuration with the PIX on another site, the
transforms and encryptions are the same, but when I try to connect to
the router, the last message in the debug window on the client is
"DEL_REASON_IKE_NEG_FAILED" - I don't have the full logs from the
router or the client as I'd been working on this until 3 a.m. and
decided that putting the router back to its starting point and
getting some sleep would be the better option.

So, will the above configuration work, or have I missed anything out?

I'll be attempting to get this to work again tonight, so if there's
any other debug information to capture, let me know.

--
Chris Ames-Farrow
PES
      09-03-2004

"Chris Ames-Farrow" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I've been trying to get a couple of machines running VPN client
> version 4.6.00.0049 and 4.0.5 to connect to a 3745 running 12.3(5),
> but with no luck. I've based my configurations on the sample configs
> on CCO for "IOS IPSec NAT Transparency with VPN Client" and
> "Configuring Cisco VPN Client 3.5 for Windows to IOS Using Local
> Extended Authentication."
>
> The PCs in question are behind a Linksys cable router, with IPSec
> passthrough turned on - I don't believe this router to be the issue,
> as I can connect to a PIX at another location using the same client
> versions.
>
> Edited highlights of the router config:
>
>
> aaa authentication login userauthen local
> aaa authorization network groupauthor local
>
> username test password likeimgonnatellyou
>
> crypto isakmp policy 3
> encr 3des
> authentication pre-share
> group 2
>
> crypto isakmp keepalive 40 5
> crypto isakmp nat keepalive 20
>
> crypto isakmp client configuration group vpnusers
> key iwasntbornyesterday
> pool ippool
> acl remote
>
> crypto ipsec transform-set 3desvpn esp-3des esp-sha-hmac
>
> crypto dynamic-map dynmap 10
> set transform-set 3desvpn
>
> crypto map VPNClient client authentication list userauthen
> crypto map VPNclient isakmp authorization list groupauthor
> crypto map VPNclient client configuration address respond
> crypto map VPNClient 10 ipsec-isakmp dynamic dynmap
>
> ! This is a .1q subinterface of a 100Mbps circuit to one of our ISPs
> interface f0/1.78
> crytpo map VPNclient
>
> ip local pool ippool 10.10.3.100 10.10.3.200
>
> ip access-list extended remote
> permit ip 172.31.251.0 0.0.0.255 10.10.3.0 0.0.0.255
>
> Comparing the configuration with the PIX on another site, the
> transforms and encryptions are the same, but when I try to connect to
> the router, the last message in the debug window on the client is
> "DEL_REASON_IKE_NEG_FAILED" - I don't have the full logs from the
> router or the client as I'd been working on this until 3 a.m. and
> decided that putting the router back to its starting point and
> getting some sleep would be the better option.
>
> So, will the above configuration work, or have I missed anything out?
>
> I'll be attempting to get this to work again tonight, so if there's
> any other debug information to capture, let me know.
>
> --
> Chris Ames-Farrow


If this is a true cut and paste, you have two crypto maps. One is VPNClient
and one is VPNclient. The VPNclient is bound to the interface. It does not
have an authentication method. In any case, I think this will work much
better after some sleep. Also, make sure your acl on your outside interface
is compatible. And once connected, some sort of nat bypass may be required.
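To make the reply's point checkable, here is a small audit script (added here, not code from the thread or from Cisco) that reads the crypto map lines as posted, treats map names as case-sensitive the way IOS does, and reports a map applied to an interface that has no client authentication list or no sequence entry. The sample config is reconstructed from the post, with the interface binding indented as "show running-config" prints it.

```python
import re
from collections import defaultdict

# Constructed sample: the posted crypto map lines, binding indented as "show run" prints it.
SAMPLE_CONFIG = """\
crypto map VPNClient client authentication list userauthen
crypto map VPNclient isakmp authorization list groupauthor
crypto map VPNclient client configuration address respond
crypto map VPNClient 10 ipsec-isakmp dynamic dynmap
interface f0/1.78
 crypto map VPNclient
"""

MAP_SETTING = re.compile(r"^crypto map (\S+) (\S+)(?: (\S+))?")  # global "crypto map NAME ..."
MAP_BIND = re.compile(r"^crypto map (\S+)$")                      # bare form under an interface

def audit_crypto_maps(config):
    """Return a list of findings; an empty list means the maps look consistent."""
    settings = defaultdict(set)  # map name -> {"entry", "client authentication", ...}
    bound = set()                # map names applied to an interface
    in_interface = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            in_interface = False
            continue
        if line.startswith("interface "):
            in_interface = True
            continue
        if in_interface and MAP_BIND.match(line):
            bound.add(MAP_BIND.match(line).group(1))
            continue
        m = MAP_SETTING.match(line)
        if m:  # "NAME 10 ipsec-isakmp ..." is a sequence entry; anything else is a per-map setting
            name, first, second = m.groups()
            settings[name].add("entry" if first.isdigit() else f"{first} {second or ''}".strip())
    findings = []
    variants = defaultdict(set)
    for name in set(settings) | bound:
        variants[name.lower()].add(name)  # IOS keeps these as distinct maps
    for names in variants.values():
        if len(names) > 1:
            findings.append("case-variant crypto map names: " + ", ".join(sorted(names)))
    for name in sorted(bound):
        if "client authentication" not in settings[name]:
            findings.append(f"{name} is applied to an interface but has no client authentication list")
        if "entry" not in settings[name]:
            findings.append(f"{name} is applied to an interface but has no sequence entry")
    return findings
```

Run against the sample it reports the split map names and that the bound map VPNclient lacks both the authentication list and a sequence entry; with every line spelled VPNclient it reports nothing.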


Chris Ames-Farrow
      09-04-2004
On Fri, 3 Sep 2004 19:51:39 -0400, "PES"
<NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote:

>
>"Chris Ames-Farrow" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> I've been trying to get a couple of machines running VPN client

[snip]
>
>If this is a true cut and paste, you have two crypto maps. One is VPNClient
>and one is VPNclient. The VPNclient is bound to the interface. It does not
>have an authentication method. In any case, I think this will work much
>better after some sleep. Also, make sure your acl on your outside interface
>is compatible. And once connected, some sort of nat bypass may be required.
>


Thanks for the response - after sleep, coffee and starting from
scratch, with the necessary configuration planned on paper, it's now
working. Now for the inevitable complaints from the users about split
tunnelling not being implemented.

--
Chris Ames-Farrow
PES
      09-04-2004

"Chris Ames-Farrow" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Fri, 3 Sep 2004 19:51:39 -0400, "PES"
> <NO*SPAMpestewartREMOVE*(E-Mail Removed)*SUCK S> wrote:
>
>>
>>"Chris Ames-Farrow" <(E-Mail Removed)> wrote in message
>>news:(E-Mail Removed)...
>>> I've been trying to get a couple of machines running VPN client

> [snip]
>>
>>If this is a true cut and paste, you have two crypto maps. One is
>>VPNClient
>>and one is VPNclient. The VPNclient is bound to the interface. It does
>>not
>>have an authentication method. In any case, I think this will work much
>>better after some sleep. Also, make sure your acl on your outside
>>interface
>>is compatible. And once connected, some sort of nat bypass may be
>>required.
>>

>
> Thanks for the response - after sleep, coffee and starting from
> scratch, with the necessary configuration planned on paper, it's now
> working. Now for the inevitable complaints from the users about split
> tunnelling not being implemented.


That will be easy. Have fun.

