crypto isakmp client conf group???

I have a Cisco 1720 with Cisco IOS 12.2.16 IP\FW\IDS PLUS IPSEC 3DES

I am trying to configure group authentication for a VPN tunnel from a Cisco VPN client but it no longer allows me to enter the command to do this.

I can enter the following command:

crypto isakmp client conf address-pool

However, I want to use the Cisco VPN client group authentication with pre-shared keys.

Any ideas?
tdampier asked:

pharaoh commented:
Dear tdampier,

You may have to move to the T train of code to support this functionality.  Here is the page that describes it and how to configure it:

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087d1e.html

pharaoh
0
tdampier (Author) commented:
Thanks for the link; it helps somewhat, but it still does not work, and I should not have to downgrade to get this feature, should I?

The link says :

Release    Modification  
12.2(8)T  This feature was introduced.

I read this as: from this point forward this feature is included, but not prior. So if I am on 12.2.16 then I should be able to use the group, and it still does not work properly when following the instructions on the link you gave.

Perhaps I am missing something.

Thanks,

Troy
 
0
pharaoh commented:
Dear Troy,

Note the "T" after the code rev level. This reveals that the software is part of the "T" or "Technical" train of software for that product. The "T" train supports advanced features not found in mainline code. Cisco's customers can therefore work with mainline and move towards GD code, which represents the most stable code offered, or utilize "T" code and get advanced features that haven't been tested as extensively.

The trains are split at some point off of mainline and developed independently.  So there is no indicator that 12.2(8)T is any less "advanced" than 12.2.16.  The final number indicates how many revisions of bug fixes have been released.  No new features have been added.

pharaoh
0
tdampier (Author) commented:
You are absolutely correct.  For those of you who want to search on feature set this feature is called Easy VPN Server and the latest release of Cisco IOS that supports it is 12.2(15)T.  I would highly suggest using the new feature navigator available at Cisco's web site.

Now the real question is: since I don't want to go back to that version of the IOS, what are my options to use a Cisco VPN client to connect to the Cisco 1720 that I have?

Thanks,

Troy
0
lrmoore commented:
0
pharaoh commented:
Dear tdampier,

lrmoore's link will not help you.  I'm assuming that by "Cisco VPN client" you are speaking of the current client, which Cisco calls "Unity."  This is the client that uses username-password, groupname-password and server as configuration options.  It is the client that is the currently downloadable client from Cisco's website.

This client is not supported by IOS outside of the T train.  If I wasn't clear enough earlier, by moving to the T train you are not moving backwards.  It is a completely different set of code than mainline, therefore its minor revision numbers (which are quarterly bug-fix releases) are totally unrelated to the mainline revision numbers.  You would be moving _laterally_ to a code level that supports the functionality you seek.  "Easy VPN Server" is what you're looking for, it's the only way to do what you want, and it's supported only in 12.2.x T.

The client referred to in lrmoore's link is the old Compatible Systems client from the VPN5000 acquisition.

pharaoh
0
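As an added illustration (not from this thread, from Cisco's feature guide, or from either poster), this is the shape of the Easy VPN Server configuration that the `crypto isakmp client configuration group` command belongs to on a 12.2(x)T crypto image. Every name, address and key in it is a hypothetical placeholder, and the 3DES/SHA/DH group 2 choices reflect what a 1720 image of that era negotiates with the Unity client.

```text
! Hypothetical Easy VPN Server config (added example, not the thread's or
! Cisco's own). Assumes a 12.2(x)T crypto image on the 1720 and made-up
! names: USERAUTH, GROUPAUTH, VPNGROUP, VPNPOOL, TS, DYNMAP, CMAP, FastEthernet0.
!
! AAA: XAUTH user login and group authorization from the local database
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network GROUPAUTH local
username vpnuser secret ChangeMe-UserPass
!
! Phase 1 policy the Unity client negotiates. 3DES, SHA-1 and DH group 2 are
! what this image offers; all three are considered weak by today's standards.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! The group the question asks about: group name, pre-shared key, address pool.
! The client's "group name / group password" fields map to this group and key.
crypto isakmp client configuration group VPNGROUP
 key ChangeMe-GroupKey
 dns 192.0.2.10
 domain example.com
 pool VPNPOOL
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set TS
 reverse-route
!
! Tie XAUTH, group authorization and mode-config address push to the crypto map
crypto map CMAP client authentication list USERAUTH
crypto map CMAP isakmp authorization list GROUPAUTH
crypto map CMAP client configuration address respond
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
!
ip local pool VPNPOOL 192.168.100.1 192.168.100.50
!
interface FastEthernet0
 crypto map CMAP
```

After a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 negotiated against this group; the group key and user secret are placeholders that must be replaced before use.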
tdampier (Author) commented:
My question would be: does it support the other features of the 12.2.16 release of code that is not a T release, like the enhanced AAA, IDS Plus and FW code set?

I will be doing a feature set comparison today on the two different versions of IOS code.

Thanks,

Troy
0
pharaoh commented:
Dear Troy,

The answer is "yes," the T train always supports all 12.2 features from mainline, _plus_ the T features.

The only difference between 12.2.16 and 12.2.1 is 15 bug fix releases.

pharaoh
0
tdampier (Author) commented:
Actually, you are partly right:

c1700-k9o3sy-mz.12.2-16

contains these additional features:

HSRP over ISL
HTTP Security
IGMP Version 1
IGMP Version 2
IGRP
Internet Protocol Control Protocol (IPCP) address ...
NAT-Support of IP Phone to Cisco Call Manager
PPTP with MPPE

over the

c1700-k9o3sy7-mz.12.2-15.T  Version

and this:

HSRP over ISL
IGMP Version 1
IGMP Version 2

over the

c1700-k9o3sy7-mz.12.2-8.T

Now the question is: should I use the c1700-k9o3sy7-mz.12.2-8.T or the c1700-k9o3sy7-mz.12.2-15.T?

When you compare these two, it looks like the big loss is PPTP over MPPE. It does appear, however, to support L2TP. Which one do you think is more secure? I am looking for two things:

1)  Ability to use the Cisco Client for some people
2)  Support standard 2000 & XP stacks for remote connectivity.  


So which do you think is better, PPTP or L2TP, for this purpose?

Thanks,

Troy
0
pharaoh commented:
Dear tdampier,

The latest release in a particular train is usually the most stable.  Given a bug scrub with the Bug Toolkit, I'd choose the latest T update.

As for the clients, I'd use the Cisco client on them all.  I'd do so for two reasons:

1.  Uses standard IPSEC rather than MS protocols, and
2.  Consistency.  You don't have to support multiple configs on the VPN server or the remote end.  Plus you can take advantage of policy push when it arrives in IOS and control the filtering on the client end from the VPN server device.

pharaoh
0
lrmoore commented:
tdampier,
No comment has been added lately (74 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to pharaoh

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers,
please post comments here where a Moderator will see it.
0