spoonerism asked:

CISCO VPN between 837 router and VPN client 4.6

I would like to create a VPN between a CISCO VPN client 4.6 and an 837 router. Here is my poor attempt at a script. Thank you.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXX
!
enable secret XXXXXXXXX!
username XXXXXX password XXXXXX
clock timezone AEST 10
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
no ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXX
 dns XXXXXXX
 wins XXXXXXX
 domain XXXXX
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer XXXXXXXX
 set transform-set myset
 match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.0.100 255.255.255.0
 ip nat inside
 crypto map clientmap
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXx
 ppp chap password XXXXXXX
 ppp pap sent-username XXXXXXX password XXXXXXXX
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source list 8 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 8 permit 192.168.0.0 0.0.0.255
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXXXXX
!
scheduler max-task-time 5000
end
Les Moore

You're almost there... Can you connect, but can't see/ping any systems once you do?

It's a NAT issue now. You need to create a NAT exemption policy:

! Exempt LAN -> VPN pool traffic from NAT (wildcard mask, not a subnet mask);
! everything else from the LAN is still translated
access-list 101 deny   ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
! Replace the list-based NAT rule with the route-map based one
no ip nat inside source list 8 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload

spoonerism (ASKER)

Thanks for the reply.
I can't connect. Below is the VPN client log. Also, should the "! Incomplete" warning be present?

1      09:58:42.578  06/07/06  Sev=Info/4      CM/0x63100002
Begin connection process

2      09:58:42.640  06/07/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      09:58:42.640  06/07/06  Sev=Info/4      CM/0x63100003
Establish secure connection using dialup services

4      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

5      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

6      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (XXXXXXXXX)

7      09:58:43.156  06/07/06  Sev=Info/4      PPP/0x63200014
Dialing "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk" "Bigpond".

8      09:58:43.218  06/07/06  Sev=Info/4      PPP/0x63200023
RAS connection entry has 1 subentries

9      09:59:03.015  06/07/06  Sev=Info/4      PPP/0x6320000A
PPP session is up

10     09:59:03.015  06/07/06  Sev=Info/4      CM/0x6310000B
PPP session established

11     09:59:03.015  06/07/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "XXXXXXXXX"

12     09:59:03.031  06/07/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with XXXXXXXX.

13     09:59:03.046  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to XXXXXXX

14     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

15     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXX

16     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

17     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXXX

18     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

19     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXXX

20     09:59:23.109  06/07/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

21     09:59:23.609  06/07/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

22     09:59:23.609  06/07/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "XXXXXXXXX" because of "DEL_REASON_PEER_NOT_RESPONDING"

23     09:59:23.609  06/07/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

24     09:59:23.750  06/07/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

25     09:59:23.765  06/07/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

26     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

27     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

28     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

29     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

30     09:59:24.515  06/07/06  Sev=Info/4      PPP/0x63200018
Disconnecting "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk" "Bigpond". SilentDisconnect: 1

31     09:59:26.343  06/07/06  Sev=Info/4      PPP/0x6320001A
PPP session terminated
ASKER CERTIFIED SOLUTION
Les Moore

Here's another example that puts it all together for you.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml
       
Thanks for the tips.

Got it to work as follows.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXX
!
enable secret XXXXXXXXXXXX.
!
username XXXXX password XXXXXXXX
clock timezone AEST 10
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXXX
 dns XXXXXXXX
 wins XXXXXXX
 domain XXXXXXX
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.0.100 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password XXXXXXXX
 ppp pap sent-username XXXXXXXX password XXXXXX
 crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 101 deny   ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXX
!
scheduler max-task-time 5000
end
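The NAT exemption is what decides whether a connected client can reach anything on the LAN, and the easy thing to get wrong on the deny line is the wildcard mask: 255.255.255.0 only matches addresses whose last octet is 0, so no pool address (14.1.1.100 to 14.1.1.200) is exempted, while 0.0.0.255 matches the whole /24. As an added example that is not part of the thread or of any Cisco tooling, a small Python checker that resolves the NAT source policy (direct list or route-map) to its access-list and tests a pool address under IOS wildcard-mask semantics; the two embedded fragments are constructed from the configs in the thread.

```python
import ipaddress
import re

def wildcard_match(addr, base, wildcard):
    # IOS wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w

def nat_exempts_vpn_pool(config):
    """True if the NAT source policy denies (exempts) inside -> VPN pool traffic."""
    acls, rm_acl = {}, {}
    pool = nat_acl = route_map = None
    for raw in config.splitlines():
        s = raw.strip()
        if raw.startswith(" "):                          # indented: inside a section
            if route_map and (m := re.match(r"match ip address (\d+)", s)):
                rm_acl[route_map] = m[1]
            continue
        route_map = None
        if m := re.match(r"route-map (\S+) permit", s):
            route_map = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny)\s+ip \S+ \S+ (\S+) ?(\S+)?", s):
            acls.setdefault(m[1], []).append(m.group(2, 3, 4))   # action, dst, dst-wildcard
        elif m := re.match(r"ip local pool \S+ (\S+)", s):
            pool = m[1]                                  # first address handed to clients
        elif m := re.match(r"ip nat inside source (?:list (\d+)|route-map (\S+))", s):
            nat_acl = m[1] or ("rm", m[2])
    if isinstance(nat_acl, tuple):                       # NAT through a route-map
        nat_acl = rm_acl.get(nat_acl[1])
    return bool(pool) and any(act == "deny" and dst != "any" and wildcard_match(pool, dst, wc)
                              for act, dst, wc in acls.get(nat_acl, []))

# Constructed fragments modelled on the thread: a deny line written with a
# 255.255.255.0 wildcard, and the working version with 0.0.0.255.
WRONG_WILDCARD = """\
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.0.0 0.0.0.255 14.1.1.0 255.255.255.0
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
"""
WORKING = WRONG_WILDCARD.replace("14.1.1.0 255.255.255.0", "14.1.1.0 0.0.0.255")

if __name__ == "__main__":
    print(nat_exempts_vpn_pool(WRONG_WILDCARD), nat_exempts_vpn_pool(WORKING))  # False True
```

A config that still uses `ip nat inside source list 8` with only a standard permit ACL, as in the first attempt, has no deny at all and also returns False.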