871 Easy VPN server
Can establish VPN connection and can ping the 871 internal IP address but cannot ping all others devices in same subnet.
These are the troubleshooting methodologies :
Be aware of any changes to an active Cisco Easy VPN Remote configuration or IP address changes to the involved interfaces.
Enable debugging of the Cisco Easy VPN Remote feature using the debug crypto ipsec client ezvpn command.
Enable debugging of IKE events using the debug crypto ipsec and debug crypto isakmp commands.
Display the active IPsec VPN connections using the show crypto engine connections active command.
To reset the VPN connection, use the clear crypto ipsec client ezvpn command.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1192045
Similar Messages
-
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 have 7.2.3 software and 881G router have 15.1 software.
881G is configured as hardware client in network exstention mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
When I send traffic from 881G client side, in show cryto sessin detail I see encrypted packets. But with same command I dont see decrypted packet on ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
VPN is working when I replace ASA5505 with ASA5510 correctly with have 8.4.6 software. But problem is that i need to do this VPN between ASA5505 and 881G.
Can you help me, how can I debug or troubleshoot this problem ?
I am unable to update software on ASA5505 side.Hello,
Hire is what my config look like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable -
RDP over Easy VPN Server fails, ping works
Dear experts,
What can I do to troubleshout this problem?
This is our router configuration with the Easy VPN Server enabled:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
hostname ####
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret ###########################
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.1.59
ip dhcp excluded-address 192.168.1.99
ip dhcp excluded-address 192.168.1.182
ip dhcp excluded-address 192.168.1.192
ip dhcp excluded-address 192.168.1.193
ip dhcp excluded-address 192.168.1.198
ip dhcp excluded-address 192.168.1.238
ip dhcp excluded-address 192.168.1.240
ip dhcp excluded-address 192.168.1.243
ip dhcp excluded-address 192.168.1.245
ip dhcp excluded-address 192.168.1.215
ip dhcp excluded-address 192.168.1.122
ip dhcp excluded-address 192.168.1.33
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.201
no ip bootp server
ip dhcp-server ##########
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-############
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-############
revocation-check none
crypto pki certificate chain TP-self-signed-############
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn ##########
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
username #### privilege 15 secret ####################.
username #### secret ####################
username #### secret ####################
username #### secret ####################
redundancy
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ###########
key ##########
dns 192.168.1.4 192.168.1.6
domain ####.local
pool SDM_POOL_1
acl 102
include-local-lan
crypto isakmp profile ciscocp-ike-profile-1
match identity group ##############
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ########### esp-aes 256 esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ###########
set isakmp-profile ciscocp-ike-profile-1
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 23 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 ###########
logging esm config
logging trap debugging
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 101 deny ip any host 184.82.162.163
access-list 101 deny ip any host 184.22.103.202
access-list 101 deny ip any host 76.191.104.39
access-list 101 permit ip any any
access-list 102 permit tcp any any eq 3389
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 700 permit 000d.6066.0d02 0000.0000.0000
no cdp run
snmp-server group ICT v3 priv
control-plane
banner exec ^C
Welcome ####^C
banner login ^C
Unauthorized access prohibited
##################################^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 23 in
password 7 ##################
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
endIn the server debug, I see this:
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
Is it something with the above line ?
/Jesper -
Easy VPN Server? Hmmm.. Not so Easy...
I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1 which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway which means when i connect I can't look at my router. And there's more, I cannot ping anything offnet (ie 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (i had to use the lan switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of, does the virtual-tempalte 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
description "VPN Default Profile for Group Cisco"
match identity group cisco
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group cisco
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
router-wan#I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface how would I then access it from the WAN given that it has a Nat'd LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
> Here's a follow up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN accessible VPN and a VPN residing on the local LAN. Reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for exmaple, a coffe shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be acheived...
As an aside my reason for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty. -
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Здравстуйте.
Имеется LAN (192.168.11.0/24) с граничным роутером cisco 2821 (192.168.11.1), на котором настроен Easy VPN Server с локальной авторизацией удаленных пользователей, использующих для подключения Cisco VPN Client v 5.0. Все работает. В той же LAN имеется MS Windows Server 2012 Essensial в качестве DC AD.
Возникла необходимость перенести авторизацию удаленных пользователей на RADIUS сервер. В качестве RADIUS сервера хочется использовать MS Network Policy Server (NPS) 2012 Essensial (192.168.11.9).
На сервере поднята соответствующая политика, NPS сервер зарегистрирован в AD, создан RADIUS-клиент (192.168.11.1), настроена Сетевая политика. В AD создана группа VPN-USERS, в которую помимо удаленных пользователей добавлен служебный пользователь EasyVPN с паролем "cisco".
Ниже выдежка из сонфига cisco 2821:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
descrition -- to WAN --
crypto map stat-cmap
В результате на cisco вылезает следующая ошибка (выделено жирным):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NAS выдает ошибку 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
ИД безопасности: domain\VladimirK
Имя учетной записи: VladimirK
Домен учетной записи: domain
Полное имя учетной записи: domain.local/Users/VladimirK
Компьютер клиента:
ИД безопасности: NULL SID
Имя учетной записи: -
Полное имя учетной записи: -
Версия ОС: -
Идентификатор вызываемой станции: -
Идентификатор вызывающей станции: aaa.bbb.ccc.137
NAS:
Адрес IPv4 NAS: 192.168.11.1
Адрес IPv6 NAS: -
Идентификатор NAS: -
Тип порта NAS: Виртуальная
Порт NAS: 0
RADIUS-клиент:
Понятное имя клиента: Cisco2821
IP-адрес клиента: 192.168.11.1
Сведения о проверке подлинности:
Имя политики запроса на подключение: Использовать проверку подлинности Windows для всех пользователей
Имя сетевой политики: Подключения к другим серверам доступа
Поставщик проверки подлинности: Windows
Сервер проверки подлинности: DC01.domain.local
Тип проверки подлинности: PAP
Тип EAP: -
Идентификатор сеанса учетной записи: -
Результаты входа в систему: Сведения об учетных данных были записаны в локальный файл журнала.
Код причины: 66
Причина: Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Игры с Cisco AV Pairs и прочими параметрами настройки Сетевой политики на RADIUS выдают аналогичный результат.
Штудирование "Network Policy Server Technical Reference" и "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 ответа не дали.
Если кто практиковал подобное, прошу дать направление для поиска решения.Going through your post, I could see that radius is sending access-reject because radius access-request is sending a vpn group name in the user name field. I was in a discussion of same problem few days before and that got resolved by making 2 changes.
replace the authorization from radius to local
and
changing the encryption type in transform set
However, in your configuration, your configuration already have those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly radius server complaining? Can you please paste the error you're getting on the radius server.
~BR
Jatin Katyal
**Do rate helpful posts** -
Can't connect to Easy VPN Server using Windows 7 inbuilt VPN client
Hi Everyone,
I would like your help to resolve a vpn issue I am having with my Windows 7 inbuilt vpn client. I am trying to connect to an Easy vpn server on a Cisco 2951 ISR G2. Well, I can connect using Cisco vpn client v5.07 but I can't connect using Windows 7 inbuilt vpn client. Is there any configuration that I am missing so that I can connect using Windows 7 inbuilt vpn client to connect to the vpn server?
Thank you.Hi MindaugasKa,
Base on your description, your case must is the NPS client can’t pass the NPS policy.
The NPS client can’t connect the network may have many reason, such as the Network Access Protection Agent service not started successful, the certificate not issued properly,
please offer us information when your Windows 7 client denied, such as event id, original error information, screenshot.
More information:
Extensible Authentication Protocol (EAP) Settings for Network Access
http://technet.microsoft.com/en-us/library/hh945104.aspx
Network Access Protection in NPS
http://msdn.microsoft.com/en-us/library/cc754378.aspx
Appendix A: NAP Requirements
http://technet.microsoft.com/en-us/library/dd125301(v=ws.10).aspx
802.1X Authenticated Wireless Access Overview
http://technet.microsoft.com/en-us/library/hh994700.aspx
Connecting to Wireless Networks with Windows 7
http://technet.microsoft.com/library/ff802404.aspx
The related thread:
NPS 2012 rejects windows 7 clients after upgrade from 2008 R2. Requested EAP methods not available
http://social.technet.microsoft.com/Forums/windowsserver/en-US/44af171f-6155-4f2e-b6c7-f89a2d755908/nps-2012-rejects-windows-7-clients-after-upgrade-from-2008-r2-requested-eap-methods-not-available?forum=winserverNAP
I’m glad to be of help to you!
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Communication problem from the vpn-anyconnect to easy-vpn-remote
Hi Team,
I have a communication problem from the vpn-anyconnect to easy-vpn-remote, I´ll explain better bellow and see the attached
topology:
1) VPN Tunnel between HQ to Branch Office - That´s OK
2) VPN Tunnel between Client AnyConnect to HQ - That´s OK
The idea is that the Client Anyconnect is to reach the LAN at Branch Office, but did not reach.
The communication is stablished just when I start a session (icmp and/or rdp) from Branch Office to the Client AnyConnect,
in this way, the communication is OK, but just during a few minutes.
Could you help me?
Bellow the IOS version and configurations
ASA5505 Version 8.4(7)23 (headquarters)
ASA5505 Version 8.4(7)23 (Branch)
**************** Configuration Easy VPN Server (HQ) ****************
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-link-2_map interface outside-link-2
access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_EZVPN
nem enable
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
ikev1 pre-shared-key *****
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination
NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static
NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
**************** Configuration VPN AnyConnect (HQ) ****************
webvpn
enable outside-link-2
default-idle-timeout 60
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
anyconnect enable
tunnel-group-list enable
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server none
dns-server value 192.168.1.41
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value ipconnection.com.br
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value Remote_Connection_for_TS_Users type user
anyconnect ask none default anyconnect
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group DC03
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias IPConnection-vpn-anyconnect enable
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-
anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination
NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static
NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookupHi,
the communication works when you send traffic from easyvpn branch side because it froms the IPSEC SA for local subnet and anyconnect HQ pool. The SA will only form when branch initiates the connection as this is dynamic peer connection to HQ ASA.
when there no SA between branch and HQ for this traffic, HQ ASA has no clue about where to send the traffic from anyconnect to branch network.
I hope it explains the cause.
Regards,
Abaji. -
Setting up Easy VPN in Cisco Configuration Professional, external access problems!
Hi
I have a Cisco 857 router which is flashed with Cisco Configuration Express 2.6.
Cisco Configuration Professional 2.6 is installed on my PC and I'm trying to configure Easy VPN for access away from the office.
The steps I have taken are as follows:
1) I launched the Easy VPN Server Wizard
2) IP address of Virtual Tunnel Interface is unnumbered to Vlan1 from the drop down menu - Authentication, Pre Shared Key
3) IKE Proposals set to the default option thats already there
4) Transform set is the default which is already there
5) Method list for group policy Lookup is LOCAL
6) User authentication is LOCAL ONLY, the admin account shows up in ADD USER CREDENTIALS which is the account i'm going to test the connection with
7) I have set up a GROUP POLICY which i've named, created a PRE SHARED KEY, created an IP address pool & subnet mask to the same range as the routers addresses and left all other options to default
8) I left cTCP unticked and disabled
9) I delivered the commands succesfully
10) I click TEST VPN SERVER and get 3 ticks successful for Server configuration, dependant components & Firewall
11) I open the cisco client and access the VPN internally using the routers LAN address, it prompts for my user name and password, I type it in and connect successfully
12) When I go home I configure my client to the same settings except I change the LAN address for the external WAN ip address, but I get an error message which says "Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
VPN Client settings are as follows
Group Authentication
Enable Transparent Tunneling- IPSec over UDP (NAT / PAT)
Currently I have a dynamic external IP address, I intend to get a static one once I know I can get this to work.
I would be extremely greatful if someone could help me solve this issue and work out why I can't connect externally.
I have no knowledge of CLI but will use it if given some instructions.
Thanks.
P.S. I have turned off all antivirus and firewall programs on the client computer when trying to connect.Your nat exemption acl is backwards...
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
should be...
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 -
Does Cisco 857 router support Easy VPN?!!
Hi,
I've a Cisco 857 router with a 12.4(6)T IOS.
I want to configure it to act as an Easy VPN server, to allow my remote clients -using cisco vpn clients- to access the internal resourses behind the router.
Is it applicable with this router model?!!
thanks and regards,
AlaAla, upsolutely, you would probably need advance k9 security image, check at software advisory tools and slect software features for your platform.
sofware advisory
http://tools.cisco.com/Support/Fusion/FusionHome.do
857 Models See table 3 Software feature
http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6195/product_data_sheet0900aecd8028a9a9_ps380_Products_Data_Sheet.html
HTH
Rgds
Jorge -
How do I view/log Easy VPN users connections?
I have a 2811 as an Easy VPN server. How do I view and log users who login via local accounts? This can be by either CLI or SDM access.
Thanks
LeighLeigh,
Long time no talk :-))
On the 2811, do a "show aaa user all" and check if you are able to see the users connected. In case you dont see any outputs, enable AAA Accounting on the 2811 and then run the command again.
Please refer the below URL for enabling VPN Accounting.
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps1839/products_feature_guide09186a00801541ba.html
Let me know if it helps.
Regards,
Arul -
ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?
Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.
I don't think it is possible. Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml -
VPN server on 871 already functioning as DMVPN spoke?
Last week I was sitting in an hotel far away from my family. I wanted to use Skype or MSNMessenger to contact them with Webcam. It didn't work, because there was some huge firewall, blocking several ports. So I decided to setup a VPN server @home, so I could access to everything I wanted, and not be blocked by the firewall of an islamic state... :-)
My 871w @home is functioning as a DMVPN spoke which works well.
Is it possible to contact my router from far away, and then be able to access the internet and my home-lan?
If someone can point me to a (simple :-) config, I will be very thankful...Try these links:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801eafcb.shtml
http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd803e7ee9.shtml -
VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN
Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
CBB28E7A E91A090D 53DAD1A0 3F66A3
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162 -
VPN client connect to CISCO 887 VPN Server bat they stop at router!!
Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Peraps ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
endHello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier -
How to make a SL Mac Mini a VPN server?
I'd like to set up my Mac Mini at home as a VPN server. I have read online that it can be done in non server SL, but I see in network where to add a VPN, but that looks more like a connecting into one rather than setting one up. Is there a way to set up a VPN server on this Mini, and at that, for free?
If you have a new enough Mac mini you could use Mountain Lion and Server.app however for Snow Leopard you can in theory do it also so.
For Snow Leopard (client) you can try following various howto guides on setting up the included VPN server software via the command-line. The user version of OS X has always contained the same basic server software such as DHCP, DNS, http, and in this case VPN but does not include the Apple tools for making it easy to setup.
Here are some links
http://dreaming-artemis.com/2011/07/18/setting-up-vpn-on-the-imac-osx-snow-leopa rd-10-6-8/
http://stormrook.com/2010/05/31/setting-up-a-vpn-server-on-osx/#more-39
There is also the option of buying a relatively cheap GUI utility which does the setting up for you, see
http://macserve.org.uk/projects/ivpn/
Maybe you are looking for
-
Hi, Does anyone know, if a rent a movie in the iTunes store would it be viewable on a tv by connecting the computer to an HDMI input on the tv.. all info. on the iTunes points to using an apple tv and I don't own an apple tv and I really don't want t
-
New computer doesn't recognize iphone in itunes?
My new computer does not recognize my iphone in itunes?
-
HT201210 how do i recover my pass code that i forgot?
i need to get on my ipad but i forgot the passcode and i tryed to updade back up but i have to put in the pass code. how do i recover it or access my ipad without lossing my photos, notes, ect??? help me please.
-
Why my subqueries all get ORA-00933 when I execute them?
Everytime I try to run a subquery, I always get the following error: [error] ORA-00933: SQL command not properly ended [error] Here are two examples. The 1st is a large one, and the 2nd one is more paired down, because I'm trying to figure out where
-
Difficulty in printing the smartform
hello friends, i desingend a smartform everything is working fine but when i want to print this form i am getting totally black in the place of main window when i check this in sp01 print preview it is showing the correct one but when print it is com