Solved

crypto isakmp client conf group???

Posted on 2003-03-30
12
Medium Priority
789 Views
Last Modified: 2012-06-27
I have a Cisco 1720 with Cisco IOS 12.2.16 IP\FW\IDS PLUS IPSEC 3DES

I am trying to configure group authentication for a VPN tunnel from a Cisco VPN client but it no longer allows me to enter the command to do this.

I can enter the following command:

crypto isakmp client conf address-pool

However, I want to use the Cisco VPN client group authentication with pre-shared keys.

Any ideas?
0
Question by:tdampier
12 Comments
 
LVL 3

Expert Comment

by:pharaoh
ID: 8237074
Dear tdampier,

You may have to move to the T train of code to support this functionality.  Here is the page that describes it and how to configure it:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html

pharaoh
0
 

Author Comment

by:tdampier
ID: 8238677
Thanks for the link. It helps somewhat, but it still does not work, and I should not have to downgrade to get this feature, should I?

The link says :

Release    Modification  
12.2(8)T  This feature was introduced.

I read this as: from this point forward this feature is included, but not prior. So if I am on 12.2.16, then I should be able to use the group, but it still does not work properly when following the instructions in the link you gave.

Perhaps I am missing something.

Thanks,

Troy
 
0
 
LVL 3

Expert Comment

by:pharaoh
ID: 8239612
Dear Troy,

Note the "T" after the code rev level.  This reveals that the software is part of the "T" or "Technical" train of software for that product.  The "T" train supports advanced features not found in mainline code.  Cisco's customers can therefore work with mainline and move towards GD code, which represents the most stable code offered, or utilize "T" code and get advanced features that haven't been tested as extensively.

The trains are split at some point off of mainline and developed independently.  So there is no indicator that 12.2(8)T is any less "advanced" than 12.2.16.  The final number indicates how many revisions of bug fixes have been released.  No new features have been added.

pharaoh
0
 

Author Comment

by:tdampier
ID: 8239923
You are absolutely correct.  For those of you who want to search on feature set this feature is called Easy VPN Server and the latest release of Cisco IOS that supports it is 12.2(15)T.  I would highly suggest using the new feature navigator available at Cisco's web site.

Now the real question is: since I don't want to go back to that version of the IOS, what are my options to use a Cisco VPN client to connect to the Cisco 1720 that I have?

Thanks,

Troy
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8240362
0
 
LVL 3

Expert Comment

by:pharaoh
ID: 8243811
Dear tdampier,

lrmoore's link will not help you.  I'm assuming that by "Cisco VPN client" you are speaking of the current client, which Cisco calls "Unity."  This is the client that uses username-password, groupname-password and server as configuration options.  It is the client that is the currently downloadable client from Cisco's website.

This client is not supported by IOS outside of the T train.  If I wasn't clear enough earlier, by moving to the T train you are not moving backwards.  It is a completely different set of code than mainline, therefore its minor revision numbers (which are quarterly bug-fix releases) are totally unrelated to the mainline revision numbers.  You would be moving _laterally_ to a code level that supports the functionality you seek.  "Easy VPN Server" is what you're looking for, it's the only way to do what you want, and it's supported only in 12.2.x T.

The client referred to in lrmoore's link is the old Compatible Systems client from the VPN5000 acquisition.

pharaoh
0
 

Author Comment

by:tdampier
ID: 8245609
My question would be: does it support the other features of the 12.2.16 release of code (which is not a T release), like the enhanced AAA, IDS Plus and FW code set?

I will be doing a feature set comparison today on the two different versions of IOS code.

Thanks,

Troy
0
 
LVL 3

Expert Comment

by:pharaoh
ID: 8247611
Dear Troy,

The answer is "yes," the T train always supports all 12.2 features from mainline, _plus_ the T features.

The only difference between 12.2.16 and 12.2.1 is 15 bug fix releases.

pharaoh
0
 

Author Comment

by:tdampier
ID: 8247985
Actually you are part right:

c1700-k9o3sy-mz.12.2-16

contains these additional features:

HSRP over ISL
HTTP Security
IGMP Version 1
IGMP Version 2
IGRP
Internet Protocol Control Protocol (IPCP) address ...
NAT-Support of IP Phone to Cisco Call Manager
PPTP with MPPE

over the

c1700-k9o3sy7-mz.12.2-15.T  Version

and this:

HSRP over ISL
IGMP Version 1
IGMP Version 2

over the

c1700-k9o3sy7-mz.12.2-8.T

Now the question is: should I use the c1700-k9o3sy7-mz.12.2-8.T or the c1700-k9o3sy7-mz.12.2-15.T?

When you compare these two, it looks like the big loss is PPTP with MPPE.  It does appear, however, to support L2TP.  Which one do you think is more secure?  I am looking for two things:

1)  Ability to use the Cisco Client for some people
2)  Support standard 2000 & XP stacks for remote connectivity.  


So which do you think is better, PPTP or L2TP, for this purpose?

Thanks,

Troy
0
 
LVL 3

Accepted Solution

by: pharaoh (earned 200 total points)
ID: 8250083
Dear tdampier,

The latest release in a particular train is usually the most stable.  Given a bug scrub with the Bug Toolkit, I'd choose the latest T update.

As for the clients, I'd use the Cisco client on them all.  I'd do so for two reasons:

1.  Uses standard IPSEC rather than MS protocols, and
2.  Consistency.  You don't have to support multiple configs on the VPN server or the remote end.  Plus you can take advantage of policy push when it arrives in IOS and control the filtering on the client end from the VPN server device.

pharaoh
0
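To make concrete what the thread settles on (Easy VPN Server from 12.2(8)T with the Unity client, a group pre-shared key plus per-user Xauth, and standard IPsec rather than PPTP/L2TP as pharaoh recommends above), here is an added example configuration; it is not from the original thread, the poster's router, or Cisco's feature guide. The names VPNGROUP, VPNPOOL, USERAUTHEN, GROUPAUTHOR, the 10.10.10.0/24 client pool, the 192.168.1.0/24 office LAN and the DNS address are assumptions, and the two secrets are placeholders.

```cisco
! Easy VPN Server for the Cisco (Unity) client. Requires 12.2(8)T or later:
! the "crypto isakmp client configuration group" line is what the mainline
! 12.2(16) image rejects, so if the parser refuses it you are not on the T train.
! Secrets below are placeholders; replace them before use.
aaa new-model
! Xauth: the group key only identifies the group (every user of the group shares it);
! the individual user is authenticated by this login list after IKE phase 1.
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
username troy secret <user-password>
!
! IKE policy: 3DES matches the k9o3sy image on the page; the Unity client needs group 2.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Group the client selects by name; its "group password" is the key below.
crypto isakmp client configuration group VPNGROUP
 key <group-pre-shared-key>
 dns 192.168.1.10
 domain example.test
 pool VPNPOOL
 acl 101
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set VPNSET
 reverse-route
!
! Tie Xauth, group authorization and address push to the crypto map.
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
! Split tunnel: only traffic between the office LAN and the client pool is protected.
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
interface FastEthernet0
 crypto map CLIENTMAP
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` confirm the phase 1 and phase 2 SAs; if the group key is shared widely, rotate it and rely on Xauth accounts for revoking individual users.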
 
LVL 79

Expert Comment

by:lrmoore
ID: 8725686
tdampier,
No comment has been added lately (74 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to pharaoh

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.
0