  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 404

CISCO VPN between 837 router and VPN client 4.6

I would like to create a VPN between a CISCO VPN client 4.6 and an 837 router. Here is my poor attempt at a script. Thank you.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXX
!
enable secret XXXXXXXXX!
username XXXXXX password XXXXXX
clock timezone AEST 10
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
no ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXX
 dns XXXXXXX
 wins XXXXXXX
 domain XXXXX
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete
 set peer XXXXXXXX
 set transform-set myset
 match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.0.100 255.255.255.0
 ip nat inside
 crypto map clientmap
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXx
ppp chap password XXXXXXX
 ppp pap sent-username XXXXXXX password XXXXXXXX
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source list 8 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 8 permit 192.168.0.0 0.0.0.255
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXXXXX
!
scheduler max-task-time 5000
end
Asked by: spoonerism
1 Solution
 
lrmoore commented:
you're almost there.... can you connect, but can't see/ping any systems once you do?

It's a nat issue now. You need to create a nat exemption policy:

! Exempt LAN-to-VPN-pool traffic from NAT (the second mask is a wildcard, not a subnet mask)
access-list 101 deny ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
no ip nat inside source list 8 interface Dialer0 overload
ip nat inside source route-map nonat interface Dialer0 overload

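As an added worked example (it is not part of any post in this thread): a small Python model of how the route-map/ACL NAT exemption described above decides which packets are translated. With `ip nat inside source route-map nonat ...`, a packet is translated only if the route-map's ACL permits it; a packet the ACL denies (explicitly, or by the implicit deny at the end) bypasses NAT and so reaches the VPN client with its real LAN source address. The script assumes the addresses used in the thread (192.168.0.0/24 LAN, 14.1.1.0/24 client pool) and constructed test packets, and it also evaluates a hypothetical ACL with a subnet mask (255.255.255.0) typed where a wildcard (0.0.0.255) belongs, to show that this common slip silently defeats the exemption.

```python
"""Model of a Cisco extended ACL with wildcard masks driving a NAT exemption
route-map. Added example; not code from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import List


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the address bit must equal the base bit."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class AclEntry:
    action: str   # 'permit' or 'deny'
    src: str
    src_wc: str
    dst: str      # 'any' or a base address
    dst_wc: str   # wildcard for dst; unused when dst == 'any'

    def matches(self, src: str, dst: str) -> bool:
        if not wildcard_match(src, self.src, self.src_wc):
            return False
        if self.dst == "any":
            return True
        return wildcard_match(dst, self.dst, self.dst_wc)


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC SRC-WC DST [DST-WC]' lines
    (only the 'ip' protocol form used in the thread is handled)."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        action, src, src_wc, dst = parts[2], parts[4], parts[5], parts[6]
        dst_wc = parts[7] if (dst != "any" and len(parts) > 7) else "255.255.255.255"
        entries.append(AclEntry(action, src, src_wc, dst, dst_wc))
    return entries


def acl_action(entries: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if e.matches(src, dst):
            return e.action
    return "deny"


def nat_translates(entries: List[AclEntry], src: str, dst: str) -> bool:
    """Under 'ip nat inside source route-map nonat ...', a packet is translated
    only when the route-map's ACL permits it; a deny exempts it from NAT."""
    return acl_action(entries, src, dst) == "permit"


# Constructed sample ACLs: the exemption as it appears in the accepted config,
# and a hypothetical variant with a subnet mask in the wildcard position.
ACL_CORRECT = [
    "access-list 101 deny   ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
]
ACL_WRONG_MASK = [
    "access-list 101 deny   ip 192.168.0.0 0.0.0.255 14.1.1.0 255.255.255.0",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
]

if __name__ == "__main__":
    # Constructed packets: LAN host replying to a VPN client, and LAN host to the Internet.
    for name, acl in (("correct", ACL_CORRECT), ("wrong mask", ACL_WRONG_MASK)):
        ents = parse_acl(acl)
        for dst in ("14.1.1.150", "203.0.113.10"):
            print(f"{name:10s} 192.168.0.50 -> {dst:13s} translated: "
                  f"{nat_translates(ents, '192.168.0.50', dst)}")
```

With the wildcard written as 255.255.255.0, the deny line only matches destinations whose last octet is 0, so a reply to a client at 14.1.1.150 falls through to the permit line and is PAT'ed to the Dialer0 address; the client never sees the answer, which looks exactly like the "can connect but cannot ping anything" symptom lrmoore describes.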
 
spoonerism (Author) commented:
Thanks for the reply
I can't connect. Below is the vpn client log. Also should the incomplete! warning be present?

1      09:58:42.578  06/07/06  Sev=Info/4      CM/0x63100002
Begin connection process

2      09:58:42.640  06/07/06  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

3      09:58:42.640  06/07/06  Sev=Info/4      CM/0x63100003
Establish secure connection using dialup services

4      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

5      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

6      09:58:42.906  06/07/06  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (XXXXXXXXX)

7      09:58:43.156  06/07/06  Sev=Info/4      PPP/0x63200014
Dialing "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk" "Bigpond".

8      09:58:43.218  06/07/06  Sev=Info/4      PPP/0x63200023
RAS connection entry has 1 subentries

9      09:59:03.015  06/07/06  Sev=Info/4      PPP/0x6320000A
PPP session is up

10     09:59:03.015  06/07/06  Sev=Info/4      CM/0x6310000B
PPP session established

11     09:59:03.015  06/07/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "XXXXXXXXX"

12     09:59:03.031  06/07/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with XXXXXXXX.

13     09:59:03.046  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to XXXXXXX

14     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

15     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXX

16     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

17     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXXX

18     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

19     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to XXXXXXXXX

20     09:59:23.109  06/07/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

21     09:59:23.609  06/07/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

22     09:59:23.609  06/07/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "XXXXXXXXX" because of "DEL_REASON_PEER_NOT_RESPONDING"

23     09:59:23.609  06/07/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

24     09:59:23.750  06/07/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

25     09:59:23.765  06/07/06  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

26     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

27     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

28     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

29     09:59:23.796  06/07/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

30     09:59:24.515  06/07/06  Sev=Info/4      PPP/0x63200018
Disconnecting "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk" "Bigpond". SilentDisconnect: 1

31     09:59:26.343  06/07/06  Sev=Info/4      PPP/0x6320001A
PPP session terminated
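As an added example (not part of this thread and not Cisco code): a small parser for the Cisco VPN Client 4.x log format shown above, which pairs each header line (`N  HH:MM:SS.mmm  MM/DD/YY  Sev=Info/4  IKE/0x63000021`) with the message line that follows it and summarises the IKE Phase 1 attempt. It counts the aggressive-mode proposal and its retransmissions, checks whether any `RECEIVED <<<` reply ever arrived, and extracts the final failure reason, so that "the router never answered" (typically the crypto map not bound to the interface the client actually reaches, or UDP/500 not getting through) can be told apart from a negotiation that the peer answered and then rejected. The embedded log excerpt is constructed from entries 13 to 22 of the log above with a documentation-range peer address substituted for the masked one.

```python
"""Cisco VPN Client 4.x log triage: parse header/message pairs and summarise
Phase 1. Added example; the sample log below is constructed from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Header line, e.g. "13     09:59:03.046  06/07/06  Sev=Info/4      IKE/0x63000013"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
# Failure reasons appear as 'reason = X' or 'because of "X"'
REASON_RE = re.compile(r'(?:because of "|reason = )(?P<reason>[A-Z_]+)')


@dataclass
class Event:
    seq: int
    time: str
    component: str   # CM, IKE, IPSEC, PPP, ...
    code: str        # hex event code such as 0x63000021
    message: str     # free-text line following the header


def parse_log(text: str) -> List[Event]:
    """Pair every header line with the line after it; skip anything else."""
    events: List[Event] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i].strip())
        if not m:
            i += 1
            continue
        message = lines[i + 1].strip() if i + 1 < len(lines) else ""
        events.append(Event(int(m["seq"]), m["time"], m["comp"], m["code"], message))
        i += 2
    return events


@dataclass
class Phase1Summary:
    proposals_sent: int        # initial aggressive-mode packet plus retransmissions
    retransmissions: int
    peer_replied: bool
    failure_reason: Optional[str]
    verdict: str


def summarize_phase1(events: List[Event]) -> Phase1Summary:
    ike = [e for e in events if e.component == "IKE"]
    sent = sum(1 for e in ike if e.message.startswith("SENDING >>> ISAKMP OAK AG"))
    retrans = sum(1 for e in ike if "Retransmitting last packet" in e.message)
    replied = any(e.message.startswith("RECEIVED <<<") for e in ike)
    reason = None
    for e in events:
        m = REASON_RE.search(e.message)
        if m:
            reason = m["reason"]   # keep the last reason logged
    if reason == "DEL_REASON_PEER_NOT_RESPONDING" and not replied:
        verdict = ("no IKE reply at all: check that the crypto map is bound to the "
                   "interface the client reaches and that UDP/500 is not filtered")
    elif reason:
        verdict = f"peer responded but negotiation failed: {reason}"
    else:
        verdict = "no Phase 1 failure recorded"
    return Phase1Summary(sent, retrans, replied, reason, verdict)


# Constructed excerpt (entries 13-22 of the log in the thread, peer address replaced).
SAMPLE_LOG = """\
13     09:59:03.046  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 198.51.100.1

14     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

15     09:59:08.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1

16     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

17     09:59:13.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1

18     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

19     09:59:18.093  06/07/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 198.51.100.1

20     09:59:23.109  06/07/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

21     09:59:23.609  06/07/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=93860A00BC86D691 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

22     09:59:23.609  06/07/06  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "198.51.100.1" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

if __name__ == "__main__":
    summary = summarize_phase1(parse_log(SAMPLE_LOG))
    print(summary)
```

The all-zero `R_Cookie` in entries 20 and 21 is the same story told by the IKE header itself: the responder cookie is only filled in once the peer has answered, so an R_Cookie of zero after several retransmissions means the router never processed the proposal.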
 
lrmoore commented:
can you manually initiate the dialup connection, ping the VPN router, then try launching the client?

>Also should the incomplete! warning be present?
Where?
crypto map clientmap 1 ipsec-isakmp
 ! Incomplete  <== this?

That line should be:
  crypto map clientmap 1 ipsec-isakmp dynamic dynmap    
 
Also try adding the hash command to the crypto policy to match your transform set

crypto isakmp policy 3
 encr 3des
 hash md5  <== add this

You also have to apply the crypto map to the interface

interface dialer0
 crypto map clientmap

Use this config guide line-by-line and you can see some mistakes
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

In that example, Ethernet 0/0 represents the WAN interface. Substitute Dialer0 for your application
 
lrmoore commented:
Here's another example that puts it all together for you.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml
 
spoonerism (Author) commented:
Thanks for the tips.

Got it to work as follows.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXXXXXX
!
enable secret XXXXXXXXXXXX.
!
username XXXXX password XXXXXXXX
clock timezone AEST 10
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key XXXXXXX
 dns XXXXXXXX
 wins XXXXXXX
 domain XXXXXXX
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.0.100 255.255.255.0
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password XXXXXXXX
 ppp pap sent-username XXXXXXXX password XXXXXX
 crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 25
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 101 deny   ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 password XXXXXXXX
!
scheduler max-task-time 5000
end
