Untrusted VPN Server Certificate

We just upgraded our AnyConnect to Ver 3.1.01065 and we are using a self signed cert with it. We haven't had any issues with the before but now when ever a customer logs on to the VPN using AnyConnect we get " Security warning: Untrusted VPN Server Certificate!" and it says that AnyConnect cannot verify the VPN server.
Then i can connect anyways or cancel.
Because this is my server and i trust the cert i am fine just clicking Connect anyways. My customers freak out a bit when they see this, I know this has to be a simple fix but i can't figure out how to get my local boxes to trust the cert. Has anyone run in to this with Ver 3.1.01065 and how did you fix it?
Thanks,
Jeremy

Cisco is really trying to make people stop using self-signed certificates with AC 3.1. You have to either use a trusted root CA (either private or public) or turn off the certificate checking altogether.

Similar Messages

Security warning for any connect VPN " Untrusted VPN server Certificate"

Is there any way to disable this security warning ( " Untrusted VPN server Certificate") with self sign certificate on the ASA

Hi Anton,
Please have a look at the link below:
http://docs.acl.com/ex/300/index.jsp?topic=%2Fcom.acl.ax.exception.installguide%2Fexception%2Finstallation%2Ft_installing_the_self-signed_certificate.html
This is for IE. You should get steps for FF and CHROME out there easily as well.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

AnyConnect 3.1 - removing Security Warning: Untrusted VPN Server Certificate!

Hi guys,
Is there a way to disable the warning generated from using self signed certs?
I would like to make the process as seamless as possible.
AnyConnect 3.1
ASA 8.4(2)
Thanks.

Hi,
We had problem with the above error message with our certificate when we moved to AnyConnect 3.1
We were instructed to request a new one
Also here is the link to Cisco site we were provided that explains the changes in 3.1
IPSec and SSL connections require server certificates to contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication or IKE Intermediate. Note that IPSec server certificates not containing a Key Usage are considered invalid for all Key Usages, and similarly an IPSec server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
Link to document
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp1049936
Sadly I dont dable with certificates myself so I'm not really familiar with this.
- Jouni

Untrusted VPN Server Blocked after a reload

Hi
I have an ASA5510 in failover, after a reload, a message "Untrusted VPN Server Blocked" appears after the first attempt to connect to the VPN, if we uncheck the "Block connections to untrusted servers" in preference settings the profile is updated and the connection is successful.
If I disconnect the VPN and try again it appears another profile.
I try this step for another link, but the result is the same for me
Try the following steps,
1. Click on Anyconnect Client profile
2. Edit Anyconnect_Group profile
3. Edit Server list
4. Add or Edit the hostname (You will see IP address, however, your cert is URL address ) So you have to add it or delete the IP address and keep URL )
5. Host display: Remote.exmaple.com and FQDN: Remote.example.com
** Your cert that you applied for the interface must match the URL otherwise it won't work. So you can make your Cert
(( *.example.com )) and it should match any URL you give
Does anyone knows what could be the cause of this problem?
Regards

Ricardo,
it sounds like you don't have a certificate installed on the ASA, so the ASA uses a non-persistent self-signed certificate.
This doc explains how to create a persistent self-signed certificate:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Better still would be to purchase a 'real' certificate from a 3rd party CA, the doc below has more details on how to do this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml
hth
Herbert

Automate VPN server certificate distribution

Hi!
I'm using SSTP VPN for remote access which needs VPN server certificate to be trusted.
For domain computers I just deploy Root CA certificate with group policy.
I would like to automate installation of the certificate for non domain joined computers cause it's a bit tricky for some users to import certificate to Computer store. :)
Does anyone have any ideas how to do this?
Regards, Alexey

Hi Alexey,
As far as I know, we can't install the certificate into workgroup computer automatically.
As a work around, we can import the certificate by powershell script.
Here is the powershell command used to import the certificate,
Import-Certificate [-FilePath] <String> [-CertStoreLocation <String> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
For detailed information, please refer to the link below,
http://technet.microsoft.com/en-us/library/hh848630.aspx
Best Regards.
Steven Lee
TechNet Community Support

SSL VPN Failed to validate server certificate (cannot access https)

Hi all,
I have the next problem.
I've configured in an UC520 a SSL VPN.
I can access properly and I can see the labels, but I only can access urls which are http, not https:
I can access the default ip of the uc520 (192.168.1.10) but
When I try to get access to a secure url I get the msg: Failed to validate server certificate
I'm trying to access a Cisco Digital Media Manager, whose url is https://pc.sumkio.local:8080
Does the certificate of both hardware has to be the same?
How can I add a https?
Here is the config of the router:
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address 192.168.1.254 port 443
ssl trustpoint TP-self-signed-2977472073
inservice
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
url-list "Intranet"
   heading "Corporate Intranet"
   url-text "DMM Sumkio" url-value "http://pc.sumkio.local:8080"
   url-text "Impresora" url-value "http://192.168.10.100"
   url-text "DMM" url-value "https://pc.sumkio.local:8443"
   url-text "DMM 1" url-value "http://192.168.10.10:8080"
   url-text "UC520" url-value "http://192.168.10.1"
policy group SDM_WEBVPN_POLICY_1
   url-list "Intranet"
   mask-urls
   svc dns-server primary 192.168.10.250
   svc dns-server secondary 8.8.8.8
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
max-users 10
inservice
Any help would be apreciatted.
Thank you

Hi, thanks for your advise.
I'm trying to copy the certificate via cut and paste, but I'm getting a
% Error in saving certificate: status = FAIL
I dont know if I'm doing this right.
I open the https page from the DMM with Mozilla Firefox, and in options I export the certificate in PEM format.
I get a file which if I open with notepad is like
-----BEGIN CERTIFICATE-----
MIICOzCCAaSgAwIBAgIET7EwyzANBgkqhkiG9w0BAQUFADBhMQswCQYDVQQGEwJV
KoZIhvcNAQEFBQADgYEAdk7n+tJi0igrTD2o7RD9ty8MLTyHN4uk8km+7DbpEy0g
mxLY0UZswYvbj15kPdd8QbeGEdDR6SXOYePsfIRJzL0mqMON4oiUhsqAK5y2yC6R
nqy4wWQ2fGVEYAeLpb1jGKdZWpuag/CO90NMHcMiobfBh+4eTqm7kRPTEyma6V0=
-----END CERTIFICATE-----
If I try to authenticate the trustpoint, I get that error.
how can I export the certificate from the DMM?
I think that this file is not the right file.
and then, do I have to make some changes in
webvpn gateway SDM_WEBVPN_GATEWAY_1?
Should I choose the new trustpoint?
I understand that the old trustpoint is for the outside connection, no for the LAN connection.
Dont worry about me, answer when you can but I really need to fix this.
Thank you so much

Error: Untrusted Server Certificate

When i click on Query Interfaces (IPS Manager: Configuration > Settings > Interfaces) i get the following error:
An error occurred trying to get the interface information. An error occurred while trying to determine the sensor version. Detail = Error occurred while communicating with 172.17.xx.xx: java.security.cert.CertificateException: Untrusted Server Certificate Chain
Any suggestion?
Thank you,

That is a pretty strange message. Have you had a chance to reach out to Windows Live?
TamaraH_VZW
Follow us on Twitter @VZWSupport

Untrusted Server Certificate Chain error

I am trying to use a certificate (digital signature) on the client, when accessing a Webservice. This fails with the following error :
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
My code is :
KeyStore ks = null;
String strURL = "https://myserver.com/myurl/lookup.asmx";
SSLSocketFactory sslSocketFactory = null;
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// Load certificate dynamically
SSLContext sslContext = SSLContext.getInstance("SSLv3");
TrustManagerFactory trustMgtFactory = TrustManagerFactory.getInstance("SunX509");
CertificateFactory cert = CertificateFactory.getInstance("X.509");
FileInputStream lo_fileinputstream = null;
lo_fileinputstream = new FileInputStream("c:\\temp\\digital.cer");
X509Certificate servercacert = (X509Certificate)cert.generateCertificate(lo_fileinputstream);
lo_fileinputstream.close();
String s1 = servercacert.getSerialNumber().toString();
if(ks == null)
ks = KeyStore.getInstance("JKS");
ks.load(null, null);
ks.setCertificateEntry(s1, servercacert);
trustMgtFactory.init(ks);
sslContext.init(null, trustMgtFactory.getTrustManagers(), null);
sslSocketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);
// Call webservice
URL cascadeURL = new URL(strURL);
HttpsURLConnection conn = (HttpsURLConnection) cascadeURL.openConnection();
String inputline=null;
if (conn instanceof HttpsURLConnection) {
conn.connect();
BufferedReader in = new BufferedReader(
new InputStreamReader(
conn.getInputStream()));
while ((inputline = in.readLine()) != null) {
System.out.println(inputline);
in.close();
Please help - I am on a very tight deadline (as usual).

Found the problem. I simply needed to add another certificate.

Has anyone had this problem with VPN iPad vpn connection could not validate the server certificate

Has anyone had this problem with IPad 3 after upgrade to IOS 7,
trying to to connect VPN , but I get this messag, "could not validate the server certificate".
I am trying to connect to Oracle VPN.

Has anyone found a solution for this yet? I am still getting the could not validate server certificate error. I have tried importing the entire certificate chain as well as importing each individual cert in the chain. My certificate works perfectly with the cisco vpn on my pc.
This is my first experience owning an apple product, and I am very disappointed with the customer support that I have received. I tried calling the help line and no one would even attempt to answer my question. I was then told that the Mac "geniuses" wouldn't know either and that I may be able to find an answer on the message boards. So I am reaching out to the community...Has anyone been able to figure out how to resolve this issue or even the specific cause? Any help is appreciated.

Problem with HTTPS requests to host with untrusted server certificate

Hi,
I develop an iPhone framework which sends HTTPS requests in order to communicate with a publicly available backend server. Currently I have a big problem regarding untrusted server certificates.
The certificate of the backend server is not signed by a trusted CA, so my first approach was to use NSURLRequest's private allowsAnyHTTPSCertificateForHost. While this worked as expected an was fine as temporary workaround, our customer demands a clean solution as final result. Therefore I wrote a method which allows to install a provided certificate from the file system in the keychain, but this method does not work as expected in the iPhone Simulator. The certificate is installed in the host machine's Mac OS X keychain instead. Unfortunately, if I call NSURLConnection's sendSynchronousRequest method, I retrieve an "untrusted server certificate" error. It seems as if NSURLConnection is not able to access the host's Mac OS X keychain to retrieve the certificate.
Is my guess correct or did I miss something?
Would my approach work if I ran my app on a real iPhone device instead (I do not have one available yet)?
Does there exist a keychain in the iPhone Simulator at all?
Is it at all possible to send HTTPS requests to a server with an untrusted certificate on the iPhone Simulator or do I have to use precompiler directives to implement different routines depending on the underlying platform (simulator or device, respectively)?
Any help is highly appreciated.
Thanks,
Matthias

Indeed this would be a clean and simple solution. But our customer is not willing to get a real certificate, for whatever reasons.
The question that remains is if the HTTPS requests would succeed on the iPhone device itself if the server certificate was installed in the keychain by the same app beforehand.

VPN client connect to CISCO 887 VPN Server bat they stop at router!!

Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Peraps ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
        quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EXTERNALS
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
end

Hello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier

VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
CBB28E7A E91A090D 53DAD1A0 3F66A3
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,

I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

RDP over Easy VPN Server fails, ping works

Dear experts,
What can I do to troubleshout this problem?
This is our router configuration with the Easy VPN Server enabled:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
hostname ####
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret ###########################
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
no ipv6 cef
no ip source-route
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.1.59
ip dhcp excluded-address 192.168.1.99
ip dhcp excluded-address 192.168.1.182
ip dhcp excluded-address 192.168.1.192
ip dhcp excluded-address 192.168.1.193
ip dhcp excluded-address 192.168.1.198
ip dhcp excluded-address 192.168.1.238
ip dhcp excluded-address 192.168.1.240
ip dhcp excluded-address 192.168.1.243
ip dhcp excluded-address 192.168.1.245
ip dhcp excluded-address 192.168.1.215
ip dhcp excluded-address 192.168.1.122
ip dhcp excluded-address 192.168.1.33
ip dhcp excluded-address 192.168.1.10
ip dhcp excluded-address 192.168.1.11
ip dhcp excluded-address 192.168.1.201
no ip bootp server
ip dhcp-server ##########
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-############
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-############
revocation-check none
crypto pki certificate chain TP-self-signed-############
certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn ##########
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
username #### privilege 15 secret ####################.
username #### secret ####################
username #### secret ####################
username #### secret ####################
redundancy
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ###########
key ##########
dns 192.168.1.4 192.168.1.6
domain ####.local
pool SDM_POOL_1
acl 102
include-local-lan
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ##############
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ########### esp-aes 256 esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ###########
set isakmp-profile ciscocp-ike-profile-1
interface Null0
no ip unreachables
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description $FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 23 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 ###########
logging esm config
logging trap debugging
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 101 deny   ip any host 184.82.162.163
access-list 101 deny   ip any host 184.22.103.202
access-list 101 deny   ip any host 76.191.104.39
access-list 101 permit ip any any
access-list 102 permit tcp any any eq 3389
access-list 102 permit ip any any
access-list 102 permit icmp any any
access-list 700 permit 000d.6066.0d02   0000.0000.0000
no cdp run
snmp-server group ICT v3 priv
control-plane
banner exec ^C
Welcome ####^C
banner login ^C
Unauthorized access prohibited
##################################^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 23 in
password 7 ##################
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
end

In the server debug, I see this:
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 CONF_XAUTH    -2020890165 ...
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP (2013): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Oct 13 09:25:46.662: ISAKMP:(2013): retransmitting phase 2 -2020890165 CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013): sending packet to 109.59.232.39 my_port 500 peer_port 500 (R) CONF_XAUTH
*Oct 13 09:25:46.662: ISAKMP:(2013):Sending an IKE IPv4 Packet.
*Oct 13 09:25:49.850: ISAKMP (2013): received packet from 109.59.232.39 dport 500 sport 500 Global (R) CONF_XAUTH
*Oct 13 09:25:49.850: ISAKMP:(2013):processing transaction payload from 109.59.232.39. message ID = -2020890165
*Oct 13 09:25:49.850: ISAKMP: Config payload REPLY
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Oct 13 09:25:49.850: ISAKMP/xauth: Expected attribute XAUTH_TYPE_V2 not received
*Oct 13 09:25:49.850: ISAKMP:(2013):peer does not do paranoid keepalives.
Is it something with the above line ?
/Jesper

Cisco VPN server internal connection

I have a cisco 1841 router which I use as VPN server. This is the configuration:
Cisco#show running-config Building configuration...Current configuration : 6382 bytes!version 15.1service tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!!enable secret 5 $1$Xg19$MKt1eIm4yrmDwcYn1z0x2/enable password qwerty!aaa new-model!!aaa authentication login default localaaa authentication login ciscocp_vpn_xauth_ml_1 localaaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local ! !! !! aaa session-id common! dot11 syslogip source-route!! !! !ip cef no ipv6 cef! multilink bundle-name authenticated! crypto pki token default removal timeout 0! crypto pki trustpoint TP-self-signed-947112914 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-947242914 revocation-check none rsakeypair TP-self-signed-947182914! !crypto pki certificate chain TP-self-signed-947142914 certificate self-signed 01 3082023B 308201A4 A0030201 02020101 300D0609 2A874886 F70D1101 04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 39343731 34325931 34301E17 0D313131 31323532 30353931 325A170D 32303031 30313030 30303030 5A303031 2E302C06 03559403 1325444F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3934 37313432 39313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 B4C6CC16 5EA2210F D4A0234B 90D9E29C E1132F0D 491CC9BC F513EF57 A5986C31 C03BC061 B3B4E103 0005F992 A7CA2605 8C46FCB2 C22AAC4B 739D1DC2 49EA3883 253D553C A1E7BD3A 26D49347 86414B11 5C03F4E6 A4BD5306 CD857F99 0A567B85 FD639414 C2E25161 74A52A7B 32753F25 AE8FDC73 EC859EEC D8A1C9C4 D8A50EED 02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D 11040930 07820543 6973636F 301F0603 551D2304 18301680 14414AD6 2A674283 54CC008C A6B81E1D 7A3B09A4 8C301D06 03551D0E 04160414 414AD62A 67428354 CC008CA6 B81E1D7A 3B09A48C 300D0609 2A864886 F70D0101 04050003 8181007B 00264BAE A55C3CB0 20F83B46 A047F400 3B5748CA D8C64A49 5484FE1E 7588949F A8E5EBAE BE5FAD22 0C89FC92 671E0BB6 1155EB76 21E72F07 68F76AE3 2F0CB2C6 EC26A8C1 C3EA1300 CE284F9B 3E3F6BB9 7807CF63 8154BC4B AD33392E 68347E0B F78AE625 818C3A4E 6E0302D8 26DF4890 08E42063 37BF9026 BF4E251D A86EEA quit!! license udi pid CISCO1841 sn FCZ150218ACusername root privilege 15 password 0 qwertyusername admin secret 5 $1$78MV2Yc72fwt5PoEm.eK33PlKw1username test privilege 15 password 0 test_123!redundancy!! ! crypto ctcp keepalive 6crypto ctcp port 443 ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2crypto isakmp keepalive 10 10 periodiccrypto isakmp nat keepalive 20! crypto isakmp client configuration group cisco key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_client include-local-lan max-users 1000 netmask 255.255.255.0!crypto isakmp client configuration group server_1 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_1 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_2 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_2 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_3 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_3 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_4 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_4 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_5 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_5 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_6 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_6 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_7 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_7 save-password include-local-lan netmask 255.255.255.0! crypto isakmp client configuration group server_8 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_8 include-local-lan netmask 255.255.255.0! crypto isakmp client configuration group server_9 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_9 include-local-lan netmask 255.255.255.0! crypto isakmp client configuration group server_10 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_10 include-local-lan netmask 255.255.255.0! crypto ipsec security-association lifetime seconds 86400crypto ipsec security-association idle-time 86400!crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac !crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA reverse-route!! crypto map SDM_CMAP_1 local-address FastEthernet0/0crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1crypto map SDM_CMAP_1 client configuration address respondcrypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! !! !! interface Loopback0 ip address 172.16.0.1 255.255.255.255!interface FastEthernet0/0 ip address 192.168.1.130 255.255.255.0 ip flow ingress speed auto full-duplex no mop enabled crypto map SDM_CMAP_1!interface FastEthernet0/1 no ip address shutdown speed auto full-duplex no mop enabled! ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190ip local pool SDM_POOL_server_1 10.10.10.1ip local pool SDM_POOL_server_2 10.10.10.2ip local pool SDM_POOL_server_3 10.10.10.3ip local pool SDM_POOL_server_4 10.10.10.4ip local pool SDM_POOL_server_5 10.10.10.5ip local pool SDM_POOL_server_6 10.10.10.6ip local pool SDM_POOL_server_7 10.10.10.7ip local pool SDM_POOL_server_8 10.10.10.8ip local pool SDM_POOL_server_9 10.10.10.9ip local pool SDM_POOL_server_10 10.10.10.10ip forward-protocol ndip http serverip http authentication localip http secure-server! !ip route 0.0.0.0 0.0.0.0 192.168.1.1!logging esm configaccess-list 100 remark CCP_ACL Category=4access-list 100 permit ip 10.10.0.0 0.0.255.255 any!! !! !! !! control-plane! !! line con 0line aux 0line vty 0 4 password qwerty transport input telnet ssh! scheduler allocate 20000 1000end Cisco#
I have a VPN clients which can connect to the VPN server and communicate each other. I want to connect dedicated server to port FE 0/1 and all VPN clients to be able to see and communicate with the server. How I can connect the two networks?

Ideally, VPN connectivity is tested from devices behind the endpoint devices that do the encryption, yet many users test VPN connectivity with the ping command on the devices that do the encryption. While the ping generally works for this purpose, it is important to source your ping from the correct interface. If the ping is sourced incorrectly, it can appear that the VPN connection has failed when it really works. If ping works continuously then the problem can be that the xauth times out. Increase the timeout value for AAA server in order to resolve this issue.
For further information about troubleshoot the VPN connectivity click this link.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solunf

Easy VPN Server? Hmmm.. Not so Easy...

I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote but I can't ping the default gateway of 192.168.1.1 which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway which means when i connect I can't look at my router. And there's more, I cannot ping anything offnet (ie 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (i had to use the lan switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.
One thing I just thought of, does the virtual-tempalte 1 interface have to have "nat inside" applied?
Current configuration : 12356 bytes
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router-wan
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 100000000
enable password xxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone EDT -4 0
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
ip dhcp pool 192.168.1.0
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
lease infinite
ip dhcp pool 172.16.2.0
network 172.16.2.0 255.255.255.0
dns-server 172.168.2.1
default-router 172.168.2.1
lease 0 4
ip dhcp pool 172.16.3.0
network 172.16.3.0 255.255.255.0
dns-server 172.16.3.1
default-router 172.16.3.1
lease infinite
ip dhcp pool 172.16.4.0
network 172.16.4.0 255.255.255.0
dns-server 172.16.4.1
default-router 172.16.4.1
lease 0 4
ip dhcp pool 172.16.5.0
network 172.16.5.0 255.255.255.0
dns-server 172.16.5.1
default-router 172.16.5.1
lease infinite
ip cef
ip domain name robcluett.net
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
voice service voip
allow-connections sip to sip
sip
registrar server expires max 600 min 60
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-423317436
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-423317436
revocation-check none
rsakeypair TP-self-signed-423317436
archive
log config
hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
redundancy
vlan 3-5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group cisco
key xxxxxxxxxxxxxxxxxxxx
dns 75.75.75.75
domain robcluett.net
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   description "VPN Default Profile for Group Cisco"
   match identity group cisco
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group cisco
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
description "Circuitless IP Address / Router Source IP"
ip address 172.16.1.1 255.255.255.254
interface GigabitEthernet0/0
description "WAN :: COMCAST via DHCP"
ip address dhcp client-id GigabitEthernet0/0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
media-type rj45
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
no mop enabled
interface GigabitEthernet1/0
description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
switchport mode trunk
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan2
description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
ip address 172.16.2.1 255.255.255.0
ip access-group 102 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan3
description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
ip address 172.16.3.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan4
description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
ip address 172.16.4.1 255.255.255.0
ip access-group 104 in
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
interface Vlan5
description "EDMZ :: VLAN 5 :: 10.10.10.0"
ip address 10.10.10.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan6
description "IDMZ :: VLAN 6 :: 10.19.19.0"
ip address 10.19.19.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Vlan7
description "LAN :: VLAN 7 :: Voice 172.16.5.0
ip address 172.16.5.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
ip flow-export source Loopback0
ip flow-top-talkers
top 10
sort-by bytes
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny   ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny   ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
control-plane
mgcp profile default
telephony-service
max-conferences 12 gain -6
web admin system name cluettr password 11363894
dn-webedit
transfer-system full-consult
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
transport output all
line vty 5 15
transport input telnet ssh
transport output all
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end
router-wan#

I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface how would I then access it from the WAN given that it has a Nat'd LAN IP? I guess port forwarding would work if that would have to be in addition to using a VLAN?
> Here's a follow up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN accessible VPN and a VPN residing on the local LAN. Reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for exmaple, a coffe shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be acheived...
As an aside my reason for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MIMA and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty.

Untrusted VPN Server Certificate

Similar Messages

Maybe you are looking for