Easy VPN - client doesn't get config from server

Discussion in 'Cisco' started by psychogenic, Apr 12, 2006.

  1. psychogenic

    psychogenic Guest

    Hi all,

    I have a 2600 router set up as an ezvpn server and a pix501 set up as a
    client. The client end can ping my public interface and I can ping
    theirs but they can't receive the configuration from us. Here are the
    configs of our devices:

    These IP ranges are just examples...

    My network: 192.168.0.0/24
    My DMZ: 192.168.1.0/24

    2600 Router as Server

    hostname Router2600
    !
    boot-start-marker
    boot-end-marker
    !
    card type t3 1
    logging buffered 51200 debugging
    logging console critical
    enable secret
    !
    aaa new-model
    !
    !
    aaa authentication login localuser local
    aaa authorization network groupvpn local
    !
    aaa session-id common
    !
    resource policy
    !
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip subnet-zero
    !
    !
    no ip dhcp use vrf connected
    !
    !
    ip cef
    ip flow-cache timeout active 1
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    no ip ips deny-action ips-interface
    !
    !
    username admin password 7
    username ezvpn-user secret 5 TESTING123
    !
    !
    controller T3 1/0
    cablelength 10
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp keepalive 90 12
    crypto isakmp xauth timeout 60

    !
    crypto isakmp client configuration group groupvpn
    key TESTING
    dns 192.168.0.2 192.168.0.1
    wins 192.168.0.1 192.168.0.2
    domain testing.com
    pool vpn-pool
    acl 104
    save-password
    !
    !
    crypto ipsec transform-set VPNTRANSF esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set VPNTRANSF
    reverse-route
    !
    !
    crypto map dynmap client authentication list localuser
    crypto map dynmap isakmp authorization list groupvpn
    crypto map dynmap client configuration address respond
    crypto map dynmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface FastEthernet0/0
    description
    !
    no mop enabled
    !
    interface FastEthernet0/1
    description PUBLIC INTERFACE
    ip address 10.32.152.1 255.255.255.0
    ip route-cache flow
    speed 100
    full-duplex
    crypto map dynmap
    !
    interface Serial1/0
    !
    ip local pool vpn-pool 192.168.0.150 192.168.0.160
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial1/0
    !
    ip flow-export source FastEthernet0/1
    ip flow-export version 5
    ip flow-export destination 192.168.0.57 9996
    !
    ip http server
    ip http secure-server
    ip nat inside source list insideout interface Serial1/0 overload
    !
    !
    logging trap debugging
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip x.x.x.x 0.0.0.3 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 deny ip 192.168.0.0 0.0.3.255 any
    access-list 101 permit icmp any host 65.194.75.2 echo-reply
    access-list 101 permit icmp any host 65.194.75.2 time-exceeded
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 permit tcp any host x.x.x.x eq ftp
    access-list 102 permit tcp any host x.x.x.x eq ftp-data
    access-list 103 deny tcp any host x.x.x.x eq ftp
    access-list 103 deny tcp any host x.x.x.x eq ftp-data
    access-list 103 permit tcp any any
    access-list 104 remark VPN Traffic
    access-list 104 permit ip any 192.168.1.0 0.0.0.255
    access-list 104 permit tcp any 192.168.1.0 0.0.0.255
    snmp-server ifindex persist
    !
    !
    control-plane
    !
    !
    !
    end


    pix501 as Client

    vpnclient server 10.32.152.1
    vpnclient mode network-extension-mode
    vpnclient vpngroup groupvpn password TESTING
    vpnclient username ezvpn-user password TESTING123
    vpnclient management tunnel 192.168.0.56 255.255.255.248
    vpnclient enable


    I told them to add just that block into their PIX. ACL 104 (I think)
    should direct the traffic to 192.168.1.0/24 which is my DMZ.

    Thanks.
    psychogenic, Apr 12, 2006
    #1

  2. psychogenic

    joeblack Guest

    Can you be more specific? Does the ezvpn client connect? Do you see
    active SAs for the connection? If it makes a connection then it should
    download all of the isakmp policies. If not, then you have something
    else wrong with the configuration. Please send me more information and
    I will help you as best as I can.


    --
    joeblack

    Thanks,
    JoeBlack
    joeblack, Apr 12, 2006
    #2

  3. psychogenic

    psychogenic Guest

    I'm not sure what other info you need. It's my first time setting this
    up (you may have seen other posts I have made here about it) and I'm
    trying to do Easy VPN between myself and a remote site. Not using the
    easy vpn software.

    And I didn't see any active SA's. One of the big problems is I'm here
    in the U.S. and the remote site is over in Thailand. I'm going to check
    again tonight and see if my router shows anything. In the meantime though,
    I want to make sure my config is right.

    joeblack wrote:
    > Can you be more specific? Does the ezvpn client connect? Do you see
    > active SAs for the connection? If it makes a connection then it should
    > download all of the isakmp policies. If not, then you have something
    > else wrong with the configuration. Please send me more information and
    > I will help you as best as I can.
    >
    >
    > --
    > joeblack
    >
    > Thanks,
    > JoeBlack
    psychogenic, Apr 12, 2006
    #3
  4. psychogenic

    psychogenic Guest

    I should also add that the router also includes ACLs for FTP testing
    in case you get a little confused why I have certain things in ACLs
    100-103.

    psychogenic, Apr 12, 2006
    #4
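
An added example, not part of any post in this thread: a small Python check that every name one side of this Easy VPN setup refers to (pool, ACL, authorization list, crypto map, group name and key, username, server address) is actually defined on the server. The excerpt is constructed from lines shown in the first post; the regexes and the `cross_check` helper are assumptions of this example, and the xauth password is not compared because the server line stores a type 5 hash.

```python
import re

# Constructed excerpt: the lines of the thread's two configs that name each other.
SERVER = """\
aaa authorization network groupvpn local
username ezvpn-user secret 5 TESTING123
crypto isakmp client configuration group groupvpn
 key TESTING
 pool vpn-pool
 acl 104
crypto map dynmap isakmp authorization list groupvpn
crypto map dynmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/1
 ip address 10.32.152.1 255.255.255.0
 crypto map dynmap
ip local pool vpn-pool 192.168.0.150 192.168.0.160
access-list 104 permit ip any 192.168.1.0 0.0.0.255
"""
CLIENT = """\
vpnclient server 10.32.152.1
vpnclient vpngroup groupvpn password TESTING
vpnclient username ezvpn-user password TESTING123
"""

# (label, side holding the reference, reference regex, server definition regex)
CHECKS = [
    ("group pool", "server", r"^ *pool (\S+)", r"^ip local pool (\S+)"),
    ("group acl", "server", r"^ *acl (\S+)", r"^access-list (\S+)"),
    ("authorization list", "server", r"isakmp authorization list (\S+)", r"^aaa authorization network (\S+)"),
    ("interface crypto map", "server", r"^ *crypto map (\S+)$", r"^crypto map (\S+) \d+ ipsec-isakmp"),
    ("vpngroup name", "client", r"vpngroup (\S+)", r"client configuration group (\S+)"),
    ("vpngroup key", "client", r"vpngroup \S+ password (\S+)", r"^ *key (\S+)"),
    ("xauth username", "client", r"vpnclient username (\S+)", r"^username (\S+)"),
    ("server address", "client", r"vpnclient server (\S+)", r"^ *ip address (\S+)"),
]

def cross_check(server, client):
    """Return references that have no matching server definition."""
    texts = {"server": server, "client": client}
    problems = []
    for label, side, ref, definition in CHECKS:
        defined = set(re.findall(definition, server, re.M))
        used = set(re.findall(ref, texts[side], re.M))
        problems += [f"{label}: '{n}' is not defined on the server"
                     for n in sorted(used - defined)]
    return problems

print(cross_check(SERVER, CLIENT) or "every cross-reference resolves")
```

An empty result only shows that the names line up; it says nothing about the ACL contents or whether the ISAKMP negotiation itself completes.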