RDP over Easy VPN Server fails, ping works
Dear experts,
What can I do to troubleshoot this problem?
This is our router configuration with the Easy VPN Server enabled:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
hostname ####
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret ###########################
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.1.59
ip dhcp excluded-address 192.168.1.99
ip dhcp excluded-address 192.168.1.182
ip dhcp excluded-address 192.168.1.192
ip dhcp excluded-address 192.168.1.193
ip dhcp excluded-address 192.168.1.198
ip dhcp excluded-address 192.168.1.238
ip dhcp excluded-address 192.168.1.240
ip dhcp excluded-address 192.168.1.243
ip dhcp excluded-address 192.168.1.245
ip dhcp excluded-address 192.168.1.215
ip dhcp excluded-address 192.168.1.122
ip dhcp excluded-address 192.168.1.33
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.201
no ip bootp server
ip dhcp-server ##########
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-############
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-############
revocation-check none
crypto pki certificate chain TP-self-signed-############
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn ##########
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
username #### privilege 15 secret ####################.
username #### secret ####################
username #### secret ####################
username #### secret ####################
redundancy
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ###########
key ##########
dns 192.168.1.4 192.168.1.6
domain ####.local
pool SDM_POOL_1
acl 102
include-local-lan
crypto isakmp profile ciscocp-ike-profile-1
match identity group ##############
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ########### esp-aes 256 esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ###########
set isakmp-profile ciscocp-ike-profile-1
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 23 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 ###########
logging esm config
logging trap debugging
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 101 deny ip any host 184.82.162.163
access-list 101 deny ip any host 184.22.103.202
access-list 101 deny ip any host 76.191.104.39
access-list 101 permit ip any any
access-list 102 permit tcp any any eq 3389
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 700 permit 000d.6066.0d02 0000.0000.0000
no cdp run
snmp-server group ICT v3 priv
control-plane
banner exec ^C
Welcome ####^C
banner login ^C
Unauthorized access prohibited
##################################^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 23 in
password 7 ##################
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
end
In the server debug, I see this:
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
Is it something to do with the above line?
/Jesper
Similar Messages
-
Easy VPN Server? Hmmm.. Not so Easy...
I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1, which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway, which means when I connect I can't look at my router. And there's more: I cannot ping anything off-net (i.e. 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (I had to use the LAN switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of: does the virtual-template 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
description "VPN Default Profile for Group Cisco"
match identity group cisco
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group cisco
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface, how would I then access it from the WAN given that it has a NATed LAN IP? I guess port forwarding would work, if that would have to be in addition to using a VLAN?
> Here's a follow-up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN-accessible VPN and a VPN residing on the local LAN. The reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for example, a coffee shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be achieved...
As an aside, my reasons for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty. -
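Added example, written for this page and not taken from either post or from Cisco: a Python checker for the data-path settings both Easy VPN Server configs above depend on. It runs over a constructed excerpt modelled on the question's config (the group name VPNGROUP stands in for the masked one) and flags a full-tunnel pool missing from the NAT source ACL, a Virtual-Template without `ip nat inside` (the point the second post asks about) or without `ip tcp adjust-mss` (a common cause of "ping works but TCP sessions such as RDP stall", which the thread does not confirm), and weak IKE policy settings.

```python
import ipaddress

# Constructed excerpt modelled on the question's config (same pool, NAT ACL, split
# ACL and interface roles), indented as "show running-config" prints it.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group VPNGROUP
 pool SDM_POOL_1
 acl 102
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip nat inside source list 23 interface GigabitEthernet0/1 overload
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 102 permit tcp any any eq 3389
access-list 102 permit ip any any
"""


def parse_ios(text):
    """Group a config into {top-level line: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def acl_networks(blocks, number):
    """Networks permitted by a standard ACL (wildcard mask, 'host' or 'any')."""
    nets = []
    for line in blocks:
        parts = line.split()
        if parts[:3] != ["access-list", str(number), "permit"]:
            continue
        addr, rest = parts[3], parts[4:]
        if addr == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif addr == "host" or not rest:
            nets.append(ipaddress.ip_network(rest[0] if addr == "host" else addr))
        else:  # address plus wildcard mask, e.g. 192.168.2.0 0.0.0.255
            prefix = 32 - bin(int(ipaddress.ip_address(rest[0]))).count("1")
            nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets


def check_easy_vpn(text):
    """Return findings about the VPN data path; an empty list means all passed."""
    blocks = parse_ios(text)
    ifaces = {h.split()[1]: s for h, s in blocks.items() if h.startswith("interface ")}
    pools = {}
    for h in blocks:
        parts = h.split()
        if parts[:3] == ["ip", "local", "pool"] and len(parts) >= 6:
            pools[parts[3]] = (ipaddress.ip_address(parts[4]), ipaddress.ip_address(parts[5]))
    nat_nets = [n for h in blocks if h.startswith("ip nat inside source list ")
                for n in acl_networks(blocks, h.split()[5])]
    findings, full_tunnel = [], False
    for h, subs in blocks.items():
        if not h.startswith("crypto isakmp client configuration group "):
            continue
        group = h.split()[-1]
        pool = next((s.split()[1] for s in subs if s.startswith("pool ")), None)
        acl = next((s.split()[1] for s in subs if s.startswith("acl ")), None)
        split = [h2 for h2 in blocks if h2.startswith(f"access-list {acl} ")]
        # No split ACL, or one containing 'permit ip any any', tunnels everything,
        # so the client pool must be NATed on its way to the WAN.
        if acl is not None and not any(h2.endswith(" permit ip any any") for h2 in split):
            continue
        full_tunnel = True
        if pool not in pools:
            findings.append(f"group {group}: pool {pool} is not defined with 'ip local pool'")
        elif not any(all(ip in n for ip in pools[pool]) for n in nat_nets):
            findings.append(f"group {group}: pool {pool} is not matched by the NAT source ACL")
    for name, subs in ifaces.items():
        if not name.startswith("Virtual-Template"):
            continue
        # NAT only translates packets that entered an 'ip nat inside' interface.
        if full_tunnel and "ip nat inside" not in subs:
            findings.append(f"{name}: full-tunnel clients but no 'ip nat inside'")
        # ESP overhead shrinks the usable MTU; without MSS clamping, small probes
        # such as ping get through while bulk TCP sessions such as RDP stall.
        if not any(s.startswith("ip tcp adjust-mss") for s in subs):
            findings.append(f"{name}: no 'ip tcp adjust-mss' (ping works, large TCP stalls)")
    for h, subs in blocks.items():
        if h.startswith("crypto isakmp policy "):
            weak = [s for s in subs if s in ("encr des", "encr 3des", "group 1", "group 2")]
            if weak:
                findings.append(f"{h}: weak IKE settings ({', '.join(weak)})")
    return findings
```

Feed it the output of `show running-config` (with its indentation intact) rather than a copy pasted into a forum, which usually loses the leading spaces the parser relies on.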
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have a problem with a VPN between an ASA5505 Easy VPN Server and an 881G router as Easy VPN Client. The ASA 5505 has 7.2.3 software and the 881G router has 15.1 software.
The 881G is configured as a hardware client in network extension mode, and it is placed behind NAT. The ASA5505 is working as the server. The same VPN group works correctly from VPN software clients.
When I send traffic from the 881G client side, in show crypto session detail I see encrypted packets. But with the same command I don't see decrypted packets on the ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
The VPN works correctly when I replace the ASA5505 with an ASA5510 that has 8.4.6 software. But the problem is that I need to do this VPN between the ASA5505 and the 881G.
Can you help me, how can I debug or troubleshoot this problem?
I am unable to update the software on the ASA5505 side.
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUP type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable -
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Hello.
There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v 5.0. Everything works. The same LAN has an MS Windows Server 2012 Essentials acting as the AD DC.
The need has arisen to move remote-user authorization to a RADIUS server. I want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9) as the RADIUS server.
On the server the corresponding policy is set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) is created, and a Network Policy is configured. In AD a group VPN-USERS was created which, besides the remote users, contains a service user EasyVPN with the password "cisco".
Below is an excerpt from the Cisco 2821 config:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
description -- to WAN --
crypto map stat-cmap
As a result, the following error appears on the Cisco (highlighted in bold):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NAS reports error 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
ИД безопасности: domain\VladimirK
Имя учетной записи: VladimirK
Домен учетной записи: domain
Полное имя учетной записи: domain.local/Users/VladimirK
Компьютер клиента:
ИД безопасности: NULL SID
Имя учетной записи: -
Полное имя учетной записи: -
Версия ОС: -
Идентификатор вызываемой станции: -
Идентификатор вызывающей станции: aaa.bbb.ccc.137
NAS:
Адрес IPv4 NAS: 192.168.11.1
Адрес IPv6 NAS: -
Идентификатор NAS: -
Тип порта NAS: Виртуальная
Порт NAS: 0
RADIUS-клиент:
Понятное имя клиента: Cisco2821
IP-адрес клиента: 192.168.11.1
Сведения о проверке подлинности:
Имя политики запроса на подключение: Использовать проверку подлинности Windows для всех пользователей
Имя сетевой политики: Подключения к другим серверам доступа
Поставщик проверки подлинности: Windows
Сервер проверки подлинности: DC01.domain.local
Тип проверки подлинности: PAP
Тип EAP: -
Идентификатор сеанса учетной записи: -
Результаты входа в систему: Сведения об учетных данных были записаны в локальный файл журнала.
Код причины: 66
Причина: Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Playing with Cisco AV Pairs and other Network Policy settings on the RADIUS side gives the same result.
Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) gave no answer.
If anyone has done something like this, please point me in the direction of a solution.
Going through your post, I can see that RADIUS is sending an Access-Reject because the RADIUS Access-Request is sending a VPN group name in the User-Name field. I was in a discussion of the same problem a few days ago and it got resolved by making 2 changes.
replace the authorization from radius to local
and
changing the encryption type in transform set
However, your configuration already has those changes.
Here you can check the same : https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
~BR
Jatin Katyal
**Do rate helpful posts** -
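Added example, not part of this thread: a parser for the `debug radius` output quoted above that pairs each Access-Request with its attributes and the server's reply, then applies two observations the thread itself contains, Jatin's point that a User-Name equal to an ISAKMP group name is the router's group lookup rather than a user login, and the NPS event's reason code 66 together with its "PAP" authentication type. The sample lines are a constructed copy of the request quoted above, with the thread's own masked addresses.

```python
import re

# Constructed sample: the Access-Request attributes and the Access-Reject quoted
# in the thread (the aaa.bbb.ccc addresses are the thread's own placeholders).
SAMPLE_DEBUG = """\
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
"""
SEND = re.compile(r"^RADIUS\(\w+\): Send (Access-Request) to (\S+) id (\S+),")
ATTR = re.compile(r"^RADIUS: ([\w-]+) \[(\d+)\] \d+ (.*)$")
RECV = re.compile(r"^RADIUS: Received from id (\S+) \S+, (Access-\w+),")


def parse_radius_debug(text):
    """Pair each 'Send Access-Request' with its attributes and the server's reply."""
    exchanges, current = [], None
    for line in text.splitlines():
        m = SEND.match(line)
        if m:
            current = {"id": m[3], "server": m[2], "attrs": {}, "reply": None}
            exchanges.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            current["attrs"][m[1]] = m[3].strip('"')
            continue
        m = RECV.match(line)
        if m:
            for ex in exchanges:
                if ex["id"] == m[1]:
                    ex["reply"] = m[2]
    return exchanges


def diagnose(exchange, isakmp_groups):
    """Notes on a rejected request, based on what this thread shows."""
    notes, attrs = [], exchange["attrs"]
    if exchange["reply"] != "Access-Reject":
        return notes
    user = attrs.get("User-Name")
    # IOS puts the group name in User-Name when it looks the group up on RADIUS;
    # such a request is not a user's XAUTH login and needs handling of its own.
    if user in isakmp_groups:
        notes.append(f"User-Name {user!r} is an ISAKMP group name: this is the "
                     "router's group-authorization lookup, not a user login")
    # Attribute 2 (User-Password) is the PAP form; CHAP would carry CHAP-Password (3).
    if "User-Password" in attrs:
        notes.append("credentials sent as PAP (User-Password): the matched NPS "
                     "network policy must allow unencrypted authentication (PAP)")
    return notes
```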
Can't connect to Easy VPN Server using Windows 7 inbuilt VPN client
Hi Everyone,
I would like your help to resolve a vpn issue I am having with my Windows 7 inbuilt vpn client. I am trying to connect to an Easy vpn server on a Cisco 2951 ISR G2. Well, I can connect using Cisco vpn client v5.07 but I can't connect using Windows 7 inbuilt vpn client. Is there any configuration that I am missing so that I can connect using Windows 7 inbuilt vpn client to connect to the vpn server?
Thank you.
Hi MindaugasKa,
Based on your description, your case must be that the NPS client can't pass the NPS policy.
The NPS client failing to connect to the network may have many reasons, such as the Network Access Protection Agent service not having started successfully or the certificate not being issued properly.
Please offer us information from when your Windows 7 client is denied, such as the event ID, the original error information and a screenshot.
More information:
Extensible Authentication Protocol (EAP) Settings for Network Access
http://technet.microsoft.com/en-us/library/hh945104.aspx
Network Access Protection in NPS
http://msdn.microsoft.com/en-us/library/cc754378.aspx
Appendix A: NAP Requirements
http://technet.microsoft.com/en-us/library/dd125301(v=ws.10).aspx
802.1X Authenticated Wireless Access Overview
http://technet.microsoft.com/en-us/library/hh994700.aspx
Connecting to Wireless Networks with Windows 7
http://technet.microsoft.com/library/ff802404.aspx
The related thread:
NPS 2012 rejects windows 7 clients after upgrade from 2008 R2. Requested EAP methods not available
http://social.technet.microsoft.com/Forums/windowsserver/en-US/44af171f-6155-4f2e-b6c7-f89a2d755908/nps-2012-rejects-windows-7-clients-after-upgrade-from-2008-r2-requested-eap-methods-not-available?forum=winserverNAP
I’m glad to be of help to you!
-
The negotiation with the VPN server failed. Verify the server address and try reconnecting
Hi folks,
I am unable to connect to the VPN; while connecting, an error occurred. Can anyone advise how to solve this issue?
"The negotiation with the VPN server failed. Verify the server address and try reconnecting"
Thanks
Vinoth
This might help, at least from Harald's post onwards.
-
10.6 VPN client - 10.5.8 VPN server - Can't ping past server on L2TP or PPTP
Since installing 10.6 on my MacBook and my Mini, I can authenticate to the Mac Pro 10.5.8 server over either L2TP or PPTP. I cannot access any clients or ping any IP past the server on the local net.
I can connect and ping from a Windows machine at work and ping and connect to all machines on the local net.
The server VPN log shows authentication and connected with 10.6 machines. 10.5.8 machines work fine. Windows machines work fine. Only 10.6 machines have issues.
Any help would be appreciated
After a complete rebuild of the server, I have determined that the problem is related to setting client information. I rebuilt the server, added the VPN, and it worked with L2TP from 10.6 machines. I went back and added the client information exactly the way it worked with 10.5 machines and the VPN would fail. I have removed the information from the client information screen on the server, and it is working fine with both 10.5 and 10.6 machines.
-
Setting up VPN Server fails in Windows 8.1
Hello Folks
I'm trying to set up a VPN server on my Windows 8.1 box to receive incoming connections. It fails at the last step of the process (Allow Access) with the following error (I followed http://www.diaryofaninja.com/blog/2012/09/11/setting-up-a-vpn-server-on-windows-7-or-windows-8-ndash-secure-your-internet-use-while-away). I binged a lot but none of the troubleshooting mechanisms worked for me. I made sure that the concerned service (Routing and Remote Access) can be started and stopped manually. Also, the same step works in Windows 7.
Please see attached for error details.
Highly appreciate any help for fixing the issue.
Cheers
Manohar
Hi Manooh,
Besides disabling IPv6, try resetting TCP/IP in the way below:
Open the command line window as an administrator, type the command "netsh int ip reset" and hit Enter, or you can try the Fix it below:
http://support.microsoft.com/kb/299357
We usually modify the default RDP port 3389 to another value; if you followed this too, you should add a port exception through the firewall in the way below:
1. Open Windows Firewall
2. In the left pane, click Advanced settings.
3. In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
4. Choose "port" and input the port number to be allowed to connect.
Regards
Wade Liu
TechNet Community Support -
VPN server does not work when a second network adapter is enabled
I have an Xserve providing DNS, filesharing, and VPN services on an office LAN. The server sits behind a gateway router and is set as a DMZ host.
VPN has been working absolutely flawlessly on the server for some time. However, I've recently discovered that this all changes when the Xserve's second ethernet adapter is enabled.
To illustrate:
en0: static IP 192.168.2.250
en1: disabled
VPN works perfectly
en0: static IP 192.168.2.250
en1: static IP 192.168.2.251
DNS settings unchanged, DMZ host unchanged
VPN doesn't work
The above is even true when attempting to connect internally.
VPN is configured for L2TP, and when the second NIC is connected the VPN server logs the following (below). There are a number of other Lion Server users who seem to be experiencing the same log pattern, but there doesn't seem to be a definitive solution.
I was wondering if anyone has any advice on how I could solve this problem? Is it possible to bind the VPN server to a specified network adapter?
Thanks in advance for any help or ideas.
(And to preempt the question of "why do you need to use both NICs", the two interfaces are to be used for load balancing. See https://discussions.apple.com/message/17655599?ac_cid=142432)
Wed Feb 22 15:53:53 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:53 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:53 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:53 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:53 2012 : L2TP sent SCCRP
2012-02-22 15:53:54 GMT Incoming call... Address given to client = 192.168.2.229
Wed Feb 22 15:53:54 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:54 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:54 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:54 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:54 2012 : L2TP sent SCCRP
2012-02-22 15:53:56 GMT Incoming call... Address given to client = 192.168.2.220
Wed Feb 22 15:53:56 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:53:56 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:53:56 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:53:56 2012 : L2TP received SCCRQ
Wed Feb 22 15:53:56 2012 : L2TP sent SCCRP
2012-02-22 15:54:00 GMT Incoming call... Address given to client = 192.168.2.221
Wed Feb 22 15:54:00 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:00 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:00 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:00 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:00 2012 : L2TP sent SCCRP
2012-02-22 15:54:04 GMT Incoming call... Address given to client = 192.168.2.222
Wed Feb 22 15:54:04 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:04 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:04 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:04 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:04 2012 : L2TP sent SCCRP
2012-02-22 15:54:08 GMT Incoming call... Address given to client = 192.168.2.226
Wed Feb 22 15:54:08 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:08 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:08 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:08 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:08 2012 : L2TP sent SCCRP
2012-02-22 15:54:12 GMT Incoming call... Address given to client = 192.168.2.223
Wed Feb 22 15:54:12 2012 : Directory Services Authentication plugin initialized
Wed Feb 22 15:54:12 2012 : Directory Services Authorization plugin initialized
Wed Feb 22 15:54:12 2012 : L2TP incoming call in progress from 'xxx.xxx.xxx.xxx'...
Wed Feb 22 15:54:12 2012 : L2TP received SCCRQ
Wed Feb 22 15:54:12 2012 : L2TP sent SCCRP
2012-02-22 15:54:13 GMT --> Client with address = 192.168.2.228 has hungup
2012-02-22 15:54:14 GMT --> Client with address = 192.168.2.229 has hungup
2012-02-22 15:54:16 GMT --> Client with address = 192.168.2.220 has hungup
2012-02-22 15:54:20 GMT --> Client with address = 192.168.2.221 has hungup
2012-02-22 15:54:24 GMT --> Client with address = 192.168.2.222 has hungup
2012-02-22 15:54:28 GMT --> Client with address = 192.168.2.226 has hungup
2012-02-22 15:54:32 GMT --> Client with address = 192.168.2.223 has hungup
Try switching the order of the services in System Preferences > Network.
Put the second one at the top.
HTH,
b. -
Trying to setup my yahoo mail on my new iPod touch. I keep getting the message "failed to connect with server". It works fine on my iPad though.
See if this previous discussion helps:
Re: Yahoo server unavailable. I am not able to get into yahoo account. iPhone 4S -
Can establish VPN connection and can ping the 871 internal IP address but cannot ping all others devices in same subnet.
These are the troubleshooting methodologies:
Be aware of any changes to an active Cisco Easy VPN Remote configuration or IP address changes to the involved interfaces.
Enable debugging of the Cisco Easy VPN Remote feature using the debug crypto ipsec client ezvpn command.
Enable debugging of IKE events using the debug crypto ipsec and debug crypto isakmp commands.
Display the active IPsec VPN connections using the show crypto engine connections active command.
To reset the VPN connection, use the clear crypto ipsec client ezvpn command.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1192045 -
EASY VPN hardware client not working.
Hello,
I'm experiencing an issue. I have the following topology:
192.168.12.0/24 --- inside 192.168.12.1 (ASA5502) 192.168.1.71 dhcp --- 192.168.1.254 ISP GATEWAY === 201.144.194.226 PEER --- Inside 192.168.0.0
I have VPNCLIENT configured correctly but can't seem to pass traffic or get the tunnel up. I'm attaching debug crypto isakmp 10, debug crypto ipsec 10, logging debug messages. Also find the config attached.
I'm trying to reach from 192.168.12.10 to a server 192.168.1.200 on remote.
Running version 8.2(5)
Any idea of what I have configured wrong?
Thanks
Tony
Couple of quick comments:
1. I do not see 192.168.0.0 part of that inside_outbound_nat0_acl ACL.
2. I see a crypto map instance 40 with "incomplete" crypto map, which is actually missing a match address.
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete
Not sure if this is the current configuration from the PIX. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.
Regards,
Arul -
Mail, iCal Server and iChat server will not work over VPN
I have an Airport Extreme Base Station at the office running the network. Behind it sits a Mac Mini Snow Leopard server running 10.6.3. The ports necessary for Mail, iCal Server and iChat work fine through that external connection. I can also connect with VPN from my 10.6.3 clients.
HOWEVER, when I connect with the VPN clients, I am suddenly unable to access the Mail, iCal Server, Wiki server and iChat server. All connections time out. I can ping the server and I can do other things that do NOT work on the public Airport like ssh or VNC. ssh and VNC are closed at the airport extreme.
So it's pretty odd. When I'm connected via the VPN, all ports that are forwarded to the Snow Leopard server time out over the VPN.
I've tried various and sundry configurations with the VPN client. This includes trying to send all traffic over the VPN, moving it up in the service order, etc. etc. Nothing fixes it. DNS resolution is working fine, however when I do a wireshark capture of ppp0 traffic, I notice that SSL and TLSv1 handshakes appear to occur on the public IP address instead of the private network IP address... and they're all resets.
Has anyone gotten this to work successfully? Like I said, all ports that are NOT forwarded through the Airport work fine over the VPN, but will not work when connected to the VPN. It's really bizarre.
New data: any ports that are normally forwarded on the Airport Extreme to the Mac Mini server will not work when connected to the VPN.
For instance, if I have imaps/993 forwarded from the Airport Extreme to the Mac Mini, it works fine over the Internet. If I connect to the VPN, I can connect to all OTHER services on the Mac Mini, but Mail, for instance, will not work. -
Communication problem from the vpn-anyconnect to easy-vpn-remote
Hi Team,
I have a communication problem from the vpn-anyconnect to easy-vpn-remote; I'll explain better below, and see the attached topology:
1) VPN Tunnel between HQ to Branch Office - That´s OK
2) VPN Tunnel between Client AnyConnect to HQ - That´s OK
The idea is that the Client Anyconnect is to reach the LAN at Branch Office, but did not reach.
The communication is established only when I start a session (icmp and/or rdp) from the Branch Office to the Client AnyConnect; in this way the communication is OK, but only for a few minutes.
Could you help me?
Below are the IOS versions and configurations.
ASA5505 Version 8.4(7)23 (headquarters)
ASA5505 Version 8.4(7)23 (Branch)
**************** Configuration Easy VPN Server (HQ) ****************
crypto dynamic-map DYNAMIC-MAP 5 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside-link-2_map 1 ipsec-isakmp dynamic DYNAMIC-MAP
crypto map outside-link-2_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-link-2_map interface outside-link-2
access-list ACL_EZVPN standard permit 10.0.0.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.1.0 255.255.255.0
access-list ACL_EZVPN standard permit 192.168.50.0 255.255.255.0
access-list ACL_EZVPN standard permit 10.10.0.0 255.255.255.0
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL_EZVPN
nem enable
tunnel-group EZVPN_TG type remote-access
tunnel-group EZVPN_TG general-attributes
default-group-policy EZVPN_GP
tunnel-group EZVPN_TG ipsec-attributes
ikev1 pre-shared-key *****
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
**************** Configuration VPN AnyConnect (HQ) ****************
webvpn
enable outside-link-2
default-idle-timeout 60
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles Remote_Connection_for_TS_Users disk0:/remote_connection_for_ts_users.xml
anyconnect enable
tunnel-group-list enable
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
access-list split-tunnel standard permit 192.168.15.0 255.255.255.0
access-list split-tunnel standard permit 10.0.0.0 255.255.255.0
group-policy clientgroup internal
group-policy clientgroup attributes
wins-server none
dns-server value 192.168.1.41
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value ipconnection.com.br
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value Remote_Connection_for_TS_Users type user
anyconnect ask none default anyconnect
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool vpnpool
authentication-server-group DC03
default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
group-alias IPConnection-vpn-anyconnect enable
object-group network Obj_VPN_anyconnect-local
network-object 192.168.1.0 255.255.255.0
network-object 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
network-object 192.168.50.0 255.255.255.0
object-group network NAT_EZVPN_Source
network-object 192.168.1.0 255.255.255.0
network-object 10.10.0.0 255.255.255.0
object-group network NAT_EZVPN_Destination
network-object 10.0.0.0 255.255.255.0
nat (inside,outside-link-2) source static Obj_VPN_anyconnect-local Obj_VPN_anyconnect-local destination static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote no-proxy-arp route-lookup
nat (inside,outside-link-2) source static NAT_EZVPN_Source NAT_EZVPN_Source destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
nat (outside-link-2,outside-link-2) source static Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote destination static NAT_EZVPN_Destination NAT_EZVPN_Destination no-proxy-arp route-lookup
Hi,
The communication works when you send traffic from the EasyVPN branch side because it forms the IPsec SA for the local subnet and the AnyConnect HQ pool. The SA will only form when the branch initiates the connection, as this is a dynamic peer connection to the HQ ASA.
When there is no SA between branch and HQ for this traffic, the HQ ASA has no clue where to send the traffic from AnyConnect to the branch network.
I hope it explains the cause.
Regards,
Abaji. -
Setting up Easy VPN in Cisco Configuration Professional, external access problems!
Hi
I have a Cisco 857 router which is flashed with Cisco Configuration Express 2.6.
Cisco Configuration Professional 2.6 is installed on my PC and I'm trying to configure Easy VPN for access away from the office.
The steps I have taken are as follows:
1) I launched the Easy VPN Server Wizard
2) IP address of Virtual Tunnel Interface is unnumbered to Vlan1 from the drop down menu - Authentication, Pre Shared Key
3) IKE Proposals set to the default option that's already there
4) Transform set is the default which is already there
5) Method list for group policy Lookup is LOCAL
6) User authentication is LOCAL ONLY; the admin account shows up in ADD USER CREDENTIALS, which is the account I'm going to test the connection with
7) I have set up a GROUP POLICY which I've named, created a PRE SHARED KEY, created an IP address pool & subnet mask in the same range as the router's addresses and left all other options at default
8) I left cTCP unticked and disabled
9) I delivered the commands successfully
10) I click TEST VPN SERVER and get 3 ticks successful for Server configuration, dependent components & Firewall
11) I open the cisco client and access the VPN internally using the routers LAN address, it prompts for my user name and password, I type it in and connect successfully
12) When I go home I configure my client to the same settings except I change the LAN address for the external WAN ip address, but I get an error message which says "Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding"
VPN Client settings are as follows
Group Authentication
Enable Transparent Tunneling- IPSec over UDP (NAT / PAT)
Currently I have a dynamic external IP address, I intend to get a static one once I know I can get this to work.
I would be extremely grateful if someone could help me solve this issue and work out why I can't connect externally.
I have no knowledge of CLI but will use it if given some instructions.
Thanks.
P.S. I have turned off all antivirus and firewall programs on the client computer when trying to connect.
Your NAT exemption ACL is backwards...
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
should be...
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
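Two of the configuration defects raised in this thread (Arul's crypto map instance with no `match address`, and the NAT-exemption ACL written remote-to-local in the reply above) are mechanical enough to lint for. The following is an added example, not code from any poster or from Cisco; the sample config is constructed, reusing only the quoted `outside_map 40` lines and ACL 101, and the 10-series map, peer 203.0.113.1 and ACL 110 are made up to give a correct case to compare against.

```python
"""Lint IOS/ASA snippets for two defects discussed in this thread:
a crypto map sequence with no 'match address' (Arul notes such an
instance causes all traffic to be encrypted) and a NAT-exemption ACL
written remote->local instead of local->remote."""
import re
from collections import defaultdict

# Constructed sample: the incomplete instance 40 quoted by Arul next to a
# made-up complete instance 10, plus the 'backwards' ACL 101 from the reply
# next to a made-up ACL 110 written the right way round.
SAMPLE_CONFIG = """
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 110 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def incomplete_crypto_maps(config):
    """Return (map_name, seq) for every sequence lacking a 'match address'."""
    statements = defaultdict(set)
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            statements[(m.group(1), int(m.group(2)))].add(m.group(3))
    return sorted(key for key, stmts in statements.items()
                  if not any(s.startswith("match address") for s in stmts))


def backwards_nat_exempt_acls(config, local_net, remote_net):
    """Return ACL ids whose permit line reads remote->local.  A NAT-exemption
    ACL is matched against traffic leaving the local side, so its source
    must be the local network and its destination the remote one."""
    bad = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        acl, src, src_mask, dst, dst_mask = m.groups()
        if (src, src_mask) == remote_net and (dst, dst_mask) == local_net:
            bad.append(acl)
    return bad


if __name__ == "__main__":
    local, remote = ("192.168.1.0", "255.255.255.0"), ("192.168.2.0", "255.255.255.0")
    print(incomplete_crypto_maps(SAMPLE_CONFIG))                       # [('outside_map', 40)]
    print(backwards_nat_exempt_acls(SAMPLE_CONFIG, local, remote))     # ['101']
```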