VPN Client 4.0.x to IOS

Discussion in 'Cisco' started by Chris Ames-Farrow, Sep 3, 2004.

  1. I've been trying to get a couple of machines running VPN client
    version 4.6.00.0049 and 4.0.5 to connect to a 3745 running 12.3(5),
    but with no luck. I've based my configurations on the sample configs
    on CCO for "IOS IPSec NAT Transparency with VPN Client" and
    "Configuring Cisco VPN Client 3.5 for Windows to IOS Using Local
    Extended Authentication."

    The PCs in question are behind a Linksys cable router, with IPSec
    passthrough turned on - I don't believe this router to be the issue,
    as I can connect to a PIX at another location using the same client
    versions.

    Edited highlights of the router config:


    aaa authentication login userauthen local
    aaa authorization network groupauthor local

    username test password likeimgonnatellyou

    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2

    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20

    crypto isakmp client configuration group vpnusers
    key iwasntbornyesterday
    pool ippool
    acl remote

    crypto ipsec transform-set 3desvpn esp-3des esp-sha-hmac

    crypto dynamic-map dynmap 10
    set transform-set 3desvpn

    crypto map VPNClient client authentication list userauthen
    crypto map VPNclient isakmp authorization list groupauthor
    crypto map VPNclient client configuration address respond
    crypto map VPNClient 10 ipsec-isakmp dynamic dynmap

    ! This is a .1q subinterface of a 100Mbps circuit to one of our ISPs
    interface f0/1.78
    crytpo map VPNclient

    ip local pool ippool 10.10.3.100 10.10.3.200

    ip access-list extended remote
    permit ip 172.31.251.0 0.0.0.255 10.10.3.0 0.0.0.255

    Comparing the configuration with the PIX on another site, the
    transforms and encryptions are the same, but when I try to connect to
    the router, the last message in the debug window on the client is
    "DEL_REASON_IKE_NEG_FAILED" - I don't have the full logs from the
    router or the client as I'd been working on this until 3 a.m. and
    decided that putting the router back to its starting point and
    getting some sleep would be the better option.

    So, will the above configuration work, or have I missed anything out?

    I'll be attempting to get this to work again tonight, so if there's
    any other debug information to capture, let me know.

    --
    Chris Ames-Farrow
     
    Chris Ames-Farrow, Sep 3, 2004
    #1

  2. PES Guest

    "Chris Ames-Farrow" <> wrote in message
    news:...
    > I've been trying to get a couple of machines running VPN client
    > version 4.6.00.0049 and 4.0.5 to connect to a 3745 running 12.3(5),
    > but with no luck. I've based my configurations on the sample configs
    > on CCO for "IOS IPSec NAT Transparency with VPN Client" and
    > "Configuring Cisco VPN Client 3.5 for Windows to IOS Using Local
    > Extended Authentication."
    >
    > The PCs in question are behind a Linksys cable router, with IPSec
    > passthrough turned on - I don't believe this router to be the issue,
    > as I can connect to a PIX at another location using the same client
    > versions.
    >
    > Edited highlights of the router config:
    >
    >
    > aaa authentication login userauthen local
    > aaa authorization network groupauthor local
    >
    > username test password likeimgonnatellyou
    >
    > crypto isakmp policy 3
    > encr 3des
    > authentication pre-share
    > group 2
    >
    > crypto isakmp keepalive 40 5
    > crypto isakmp nat keepalive 20
    >
    > crypto isakmp client configuration group vpnusers
    > key iwasntbornyesterday
    > pool ippool
    > acl remote
    >
    > crypto ipsec transform-set 3desvpn esp-3des esp-sha-hmac
    >
    > crypto dynamic-map dynmap 10
    > set transform-set 3desvpn
    >
    > crypto map VPNClient client authentication list userauthen
    > crypto map VPNclient isakmp authorization list groupauthor
    > crypto map VPNclient client configuration address respond
    > crypto map VPNClient 10 ipsec-isakmp dynamic dynmap
    >
    > ! This is a .1q subinterface of a 100Mbps circuit to one of our ISPs
    > interface f0/1.78
    > crytpo map VPNclient
    >
    > ip local pool ippool 10.10.3.100 10.10.3.200
    >
    > ip access-list extended remote
    > permit ip 172.31.251.0 0.0.0.255 10.10.3.0 0.0.0.255
    >
    > Comparing the configuration with the PIX on another site, the
    > transforms and encryptions are the same, but when I try to connect to
    > the router, the last message in the debug window on the client is
    > "DEL_REASON_IKE_NEG_FAILED" - I don't have the full logs from the
    > router or the client as I'd been working on this until 3 a.m. and
    > decided that putting the router back to its starting point and
    > getting some sleep would be the better option.
    >
    > So, will the above configuration work, or have I missed anything out?
    >
    > I'll be attempting to get this to work again tonight, so if there's
    > any other debug information to capture, let me know.
    >
    > --
    > Chris Ames-Farrow


    If this is a true cut and paste, you have two crypto maps. One is VPNClient
    and one is VPNclient. The VPNclient is bound to the interface. It does not
    have an authentication method. In any case, I think this will work much
    better after some sleep. Also, make sure your acl on your outside interface
    is compatible. And once connected, some sort of nat bypass may be required.
     
    PES, Sep 4, 2004
    #2
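
The check described in reply #2, as an added example that is not part of the original thread: a small Python lint that finds crypto map names differing only by case and reports what the map actually applied to the interface is missing. The finding labels and function names are made up for this illustration; the second per-interface check (no numbered ipsec-isakmp entry) goes slightly beyond the reply but follows from the same posted lines.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map and interface lines as posted in the
# thread, with the "crytpo" typo on the interface line spelled "crypto".
POSTED = """\
crypto map VPNClient client authentication list userauthen
crypto map VPNclient isakmp authorization list groupauthor
crypto map VPNclient client configuration address respond
crypto map VPNClient 10 ipsec-isakmp dynamic dynmap
interface f0/1.78
crypto map VPNclient
"""

BIND = re.compile(r"^\s*crypto map (\S+)\s*$")          # interface sub-command
DEFN = re.compile(r"^\s*crypto map (\S+)\s+(\S.*)$")    # global map statement

def parse_crypto_maps(text):
    """Return ({map name: [statements]}, {interface: applied map name})."""
    defs, bindings, iface = defaultdict(list), {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif (m := BIND.match(line)) and iface:
            bindings[iface] = m.group(1)
        elif (m := DEFN.match(line)):
            defs[m.group(1)].append(m.group(2).strip())
    return dict(defs), bindings

def lint(text):
    """Flag map names differing only by case and gaps in the bound map."""
    defs, bindings = parse_crypto_maps(text)
    findings, folded = [], defaultdict(set)
    for name in list(defs) + list(bindings.values()):
        folded[name.lower()].add(name)
    for names in folded.values():
        if len(names) > 1:
            findings.append(("case-collision", sorted(names)))
    for iface, name in bindings.items():
        stmts = defs.get(name, [])
        if not any(s.startswith("client authentication list") for s in stmts):
            findings.append(("no-client-authentication-list", iface, name))
        if not any(re.match(r"\d+ ipsec-isakmp\b", s) for s in stmts):
            findings.append(("no-ipsec-isakmp-entry", iface, name))
    return findings

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```

Run against the posted lines it reports the VPNClient/VPNclient collision and both gaps on f0/1.78; with the names made identical it reports nothing.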

  3. On Fri, 3 Sep 2004 19:51:39 -0400, "PES"
    <NO*SPAMpestewartREMOVE**SUCKS> wrote:

    >
    >"Chris Ames-Farrow" <> wrote in message
    >news:...
    >> I've been trying to get a couple of machines running VPN client

    [snip]
    >
    >If this is a true cut and paste, you have two crypto maps. One is VPNClient
    >and one is VPNclient. The VPNclient is bound to the interface. It does not
    >have an authentication method. In any case, I think this will work much
    >better after some sleep. Also, make sure your acl on your outside interface
    >is compatible. And once connected, some sort of nat bypass may be required.
    >


    Thanks for the response - after sleep, coffee and starting from
    scratch, with the necessary configuration planned on paper, it's now
    working. Now for the inevitable complaints from the users about split
    tunnelling not being implemented.

    --
    Chris Ames-Farrow
     
    Chris Ames-Farrow, Sep 4, 2004
    #3
  4. PES Guest

    "Chris Ames-Farrow" <> wrote in message
    news:...
    > On Fri, 3 Sep 2004 19:51:39 -0400, "PES"
    > <NO*SPAMpestewartREMOVE**SUCKS> wrote:
    >
    >>
    >>"Chris Ames-Farrow" <> wrote in message
    >>news:...
    >>> I've been trying to get a couple of machines running VPN client

    > [snip]
    >>
    >>If this is a true cut and paste, you have two crypto maps. One is
    >>VPNClient
    >>and one is VPNclient. The VPNclient is bound to the interface. It does
    >>not
    >>have an authentication method. In any case, I think this will work much
    >>better after some sleep. Also, make sure your acl on your outside
    >>interface
    >>is compatible. And once connected, some sort of nat bypass may be
    >>required.
    >>

    >
    > Thanks for the response - after sleep, coffee and starting from
    > scratch, with the necessary configuration planned on paper, it's now
    > working. Now for the inevitable complaints from the users about split
    > tunnelling not being implemented.


    That will be easy. Have fun.
     
    PES, Sep 4, 2004
    #4