nole_jesse11
Cisco 2621 IOS VPN to Cisco VPN Client with Local Authentication

I recently acquired a Cisco 2621 with IOS 12.3 with the VPN feature set and I am trying to set up VPN clients using the Cisco VPN Client software v4. I am using NAT on the inside network. I don't want to pay for a RADIUS server and wish to use local usernames and passwords. The goal is to use RDP through the tunnel. Does anyone have any advice, suggestions, configs, etc.?
Scotty_cisco

You can set up usernames and passwords locally in the router; that way it will be local authentication, etc. Let me see if I can find decent configs.

Thanks
Scott
Les Moore
Here's a basic config guide that includes local user authentication.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

By the way, if you have any Windows 2000/2003 servers you already have RADIUS and could have users using their own domain logins for the VPN. Only one place to handle passwords then.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN1750

!--- Local authentication username and password, for EzVPN client.


username jerry password 0 wells123
username cisco password 0 letmein

Here is a link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml

thanks
Scott
nole_jesse11 (asker)
I thought there was a way to use Win2k/2k3 servers for RADIUS (we are running 2003 SBS). I haven't been able to find anything on the net on how to set it up. I would like to be able to set up local login first to make sure the VPN works, then implement RADIUS.
I would leave the local login as well; that way, if there is a problem with RADIUS, it can fall back to local.

Thanks
Scott
The RADIUS authentication on the router is virtually identical to the setup for the PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

This document sets up the VPN client to use Radius:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

Set up the RADIUS server exactly as shown in the first example, and the router as shown in the second.
I followed the example from
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

Authentication seems to be taking place, since I can only get this far if I enter the correct group, key, username and password.

I am having an issue connecting on the client.

The error on the client is:

"1      12:28:14.687  07/03/06  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from <public ip of router> . Inbound connections are not allowed."

The error on the router is:

*Mar  1 02:29:33.259: %SEC-6-IPACCESSLOGP: list 112 permitted udp <client public ip>(500) -> <router public ip>(500), 1 packet
*Mar  1 02:29:33.259: %SEC-6-IPACCESSLOGP: list 112 permitted udp <client public ip>(4500) -> <router public ip>(4500), 2 packets
*Mar  1 02:29:35.347: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
*Mar  1 02:29:35.351: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac comp-lzs }
*Mar  1 02:29:35.355: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac comp-lzs }
*Mar  1 02:29:35.355: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac comp-lzs }
*Mar  1 02:29:35.359: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac }
*Mar  1 02:29:35.359: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
*Mar  1 02:29:35.363: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-md5-hmac }
*Mar  1 02:29:35.363: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Mar  1 02:29:35.367: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac comp-lzs }
*Mar  1 02:29:35.371: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac comp-lzs }
*Mar  1 02:29:35.371: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
*Mar  1 02:29:35.375: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
*Mar  1 02:29:35.375: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-des esp-md5-hmac comp-lzs }
*Mar  1 02:29:35.379: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-des esp-md5-hmac }
*Mar  1 02:29:35.383: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-null esp-md5-hmac }
*Mar  1 02:29:35.383: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-null esp-sha-hmac }
*Mar  1 02:29:38.903: %SEC-6-IPACCESSLOGP: list 112 permitted udp <client public ip>(4500) -> <router public ip>(4500), 5 packets

Thanks in advance! Should I start a new question with this? I will post the current config if anyone would like to see it. I will post the working config when it works.
Please post your current running config. Only mask part of the public IP so that we can still see uniqueness.
Here it is. We are allowing two users remote access to a workstation through RDP.

sh run
Building configuration...

Current configuration : 3181 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco2621
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging rate-limit 10
enable secret 5 <deleted>
enable password 7 <deleted>
!
aaa new-model
!
!
aaa authentication login vpnusers local
aaa authorization network vpngroup local
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name ecstore.local
!
ip inspect name firewall http timeout 60
ip inspect name firewall smtp timeout 60
ip inspect name firewall tcp timeout 60
ip inspect name firewall ftp timeout 60
ip inspect name firewall udp timeout 60
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username thomasj password 7 <deleted>
username ianm password 7 <deleted>
username cisco password 7 <deleted>
!
!
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group cisco
 key <deleted>
 pool ippool
 acl 120
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto ipsec transform-set foo esp-3des esp-md5-hmac
!
crypto ipsec profile greprotect
!
!
crypto dynamic-map dynmap 1
 set transform-set foo
 match address 199
crypto dynamic-map dynmap 10
!
!
crypto map test client authentication list vpnusers
crypto map test isakmp authorization list vpngroup
crypto map test client configuration address respond
crypto map test 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 description Connected to Lan
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Connected to WAN
 ip address 207.154.xxx.xxx 255.255.255.0
 ip access-group 112 in
 ip nat outside
 ip inspect firewall out
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map test
!
ip local pool ippool 172.16.1.1 172.16.1.250
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 10.1.1.101 3389 interface FastEthernet0/1 3389
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
logging origin-id ip
logging facility syslog
logging source-interface FastEthernet0/0
logging 10.1.1.2
! Access to vty
access-list 2 permit 68.6.xxx.xxx log
access-list 2 permit 10.1.1.0 0.0.0.255 log
! nat
access-list 110 deny   ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
! access for remote clients
access-list 112 permit ip host 24.113.xxx.xxx any log
access-list 112 permit ip host 68.6.xxx.xxx any log
! crypto
access-list 120 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255 log
! interesting traffic
access-list 199 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 199 permit ip host 207.154.xxx.xxx 172.16.1.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
!
!
line con 0
 password 7 1517081F102539217962
line aux 0
line vty 0 4
 access-class 2 in
 password 7 09494D1A0D0A05175A5D
 transport input telnet ssh
line vty 5 15
!
!
end

cisco2621#
>interface FastEthernet0/1
> ip access-group 112 in

Try removing this very restrictive acl from the interface and test again. If it works, then we just need to refine the acl.
At the very least you will need to permit traffic from 172.16.1.0/24 in this ACL.
I removed the ACL and no luck (even saved and rebooted). Here’s the result. I think it may be something on the client. However the client is on a DMZ with all firewalls disabled for test purposes.

Here is the VPN client log:
1      15:32:32.750  07/03/06  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from 207.154.xxx.xxx. Inbound connections are not allowed.


Also in the syslog I found:
07-03-2006      15:43:52      Syslog.Info      10.1.1.1      18: 10.1.1.1: *Mar  1 00:03:34.823: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 68.6.xxx.xxx
I agree that it is something with the client PC. Any chance to test with a different one?
Disable any firewalls on that PC?
What version VPN client? If it isn't 4.8 and XP/SP2 then you have weird problems like this.
The client is 4.0.2. I will be able to change the client later today @ 7PM.
OK, I used a different computer and got a lot more debugging info.

Cisco Systems VPN Client Version 4.0.2 (D)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

413    18:12:14.585  07/03/06  Sev=Info/4      CM/0x63100002
Begin connection process

414    18:12:14.595  07/03/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

415    18:12:14.595  07/03/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "207.154.xxx.xxx"

416    18:12:14.615  07/03/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 207.154.xxx.xxx.

417    18:12:14.635  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 207.154.xxx.xxx

418    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

419    18:12:15.216  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 207.154.xxx.xxx

420    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

421    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

422    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

423    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

424    18:12:15.216  07/03/06  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

425    18:12:15.236  07/03/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

426    18:12:15.236  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 207.154.xxx.xxx

427    18:12:15.236  07/03/06  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

428    18:12:15.236  07/03/06  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

429    18:12:15.236  07/03/06  Sev=Info/5      IKE/0x63000071
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

430    18:12:15.236  07/03/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

431    18:12:15.296  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

432    18:12:15.296  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 207.154.xxx.xxx

433    18:12:15.296  07/03/06  Sev=Info/5      IKE/0x63000044
RESPONDER-LIFETIME notify has value of 86400 seconds

434    18:12:15.296  07/03/06  Sev=Info/5      IKE/0x63000046
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

435    18:12:15.306  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

436    18:12:15.306  07/03/06  Sev=Warning/2      IKE/0xA3000062
Attempted incoming connection from 207.154.xxx.xxx. Inbound connections are not allowed.

437    18:12:15.316  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

438    18:12:15.316  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 207.154.xxx.xxx

439    18:12:15.316  07/03/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

440    18:12:20.303  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

441    18:12:20.303  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from 207.154.xxx.xxx

442    18:12:21.204  07/03/06  Sev=Info/4      CM/0x63100017
xAuth application returned

443    18:12:21.204  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 207.154.xxx.xxx

444    18:12:21.274  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

445    18:12:21.274  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 207.154.xxx.xxx

446    18:12:21.274  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 207.154.xxx.xxx

447    18:12:21.274  07/03/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

448    18:12:21.314  07/03/06  Sev=Info/5      IKE/0x6300005D
Client sending a firewall request to concentrator

449    18:12:21.314  07/03/06  Sev=Info/5      IKE/0x6300005C
Firewall Policy: Product=Cisco Systems Integrated Client, Capability= (Centralized Protection Policy).

450    18:12:21.324  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 207.154.xxx.xxx

451    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

452    18:12:21.394  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 207.154.xxx.xxx

453    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.1.15

454    18:12:21.394  07/03/06  Sev=Info/5      IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-1408237297) is not supported

455    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

456    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x6300000F
SPLIT_NET #1
      subnet = 10.1.1.0
      mask = 255.255.255.0
      protocol = 0
      src port = 0
      dest port=0

457    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(18), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Wed 15-Mar-06 14:16 by dchih

458    18:12:21.394  07/03/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

459    18:12:21.394  07/03/06  Sev=Info/4      CM/0x63100019
Mode Config data received

460    18:12:21.424  07/03/06  Sev=Info/4      IKE/0x63000055
Received a key request from Driver: Local IP = 172.16.1.15, GW IP = 207.154.xxx.xxx, Remote IP = 0.0.0.0

461    18:12:21.424  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 207.154.xxx.xxx

462    18:12:21.545  07/03/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 207.154.xxx.xxx

463    18:12:21.545  07/03/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 207.154.xxx.xxx

464    18:12:21.555  07/03/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 207.154.xxx.xxx

465    18:12:21.555  07/03/06  Sev=Info/4      IKE/0x63000048
Discarding IPsec SA negotiation, MsgID=808733DF

466    18:12:21.555  07/03/06  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=68B5C2971DDFF75B R_Cookie=82C6E6F12B384A6B) reason = DEL_REASON_IKE_NEG_FAILED

467    18:12:24.739  07/03/06  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=68B5C2971DDFF75B R_Cookie=82C6E6F12B384A6B) reason = DEL_REASON_IKE_NEG_FAILED

468    18:12:24.739  07/03/06  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

469    18:12:24.739  07/03/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

470    18:12:24.749  07/03/06  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

I am increasing points! Happy 4th.
Anyone? I'm almost there! Please give me a hand.
>VPN Client Version 4.0.2 (D)
If the client is XP with SP2 you're going to have to update the client.

>Attempted incoming connection from 207.154.xxx.xxx. Inbound connections are not allowed.
Interesting.

>RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN)
Looks like a phase 2 issue with the policy

>access-list 199 permit ip host 207.154.xxx.xxx 172.16.1.0 0.0.0.255
Remove this line from the acl
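The "transform proposal not supported for identity" debug lines and the NO_PROPOSAL_CHOSEN notify quoted above can result from either a cipher-suite mismatch or a proxy-identity (crypto ACL) mismatch, and the debug text alone does not say which. The following script is an added example, not code from this thread or from Cisco: it parses those debug lines together with the transform-set and dynamic-map lines of the posted config and reports which of the two it is; the sample inputs are constructed from the lines quoted in this thread.

```python
import re
# Constructed sample inputs, taken from the debug and config lines quoted in this thread
ROUTER_DEBUG = """\
*Mar  1 02:29:35.347: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-md5-hmac comp-lzs }
*Mar  1 02:29:35.371: IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
"""
ROUTER_CONFIG = """\
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto ipsec transform-set foo esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1
 set transform-set foo
 match address 199
"""
PROPOSAL_RE = re.compile(r"^\s*\{([^}]*)\}\s*$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")

def normalize(tokens):
    """Canonical suite: 'esp-aes 256' -> 'esp-aes-256', bare 'esp-aes' -> 'esp-aes-128'
    (the IOS default key size); comp-lzs is optional and never the cause of a refusal."""
    out = []
    for tok in tokens:
        if tok == "comp-lzs":
            continue
        if tok.isdigit() and out:
            out[-1] = f"{out[-1]}-{tok}"
        else:
            out.append(tok)
    return frozenset("esp-aes-128" if t == "esp-aes" else t for t in out)

def parse_rejected_proposals(debug_text):
    """Every '{...}' suite the router refused in the debug output."""
    return [normalize(m.group(1).split())
            for m in map(PROPOSAL_RE.match, debug_text.splitlines()) if m]

def parse_transform_sets(config_text):
    return {m.group(1): normalize(m.group(2).split())
            for m in map(TS_RE.match, config_text.splitlines()) if m}

def parse_dynamic_map(config_text):
    """Transform-sets and crypto ACLs referenced inside 'crypto dynamic-map' entries."""
    used, acls, in_block = [], [], False
    for line in config_text.splitlines():
        in_block = line.startswith("crypto dynamic-map") or (in_block and line.startswith(" "))
        if in_block and line.startswith(" set transform-set"):
            used += line.split()[2:]
        elif in_block and line.startswith(" match address"):
            acls.append(line.split()[2])
    return {"transform_sets": used, "match_address": acls}

def triage(debug_text, config_text):
    """If a refused suite equals a transform-set the dynamic map applies, the ciphers were
    acceptable and the refusal is about the proxy identities not matching the crypto ACL."""
    rejected = set(parse_rejected_proposals(debug_text))
    sets, dmap = parse_transform_sets(config_text), parse_dynamic_map(config_text)
    matching = [n for n in dmap["transform_sets"] if sets.get(n) in rejected]
    return {"verdict": "identity_mismatch" if matching else "cipher_mismatch",
            "matching_sets": matching, "match_address": dmap["match_address"],
            "rejected_suites": sorted(" ".join(sorted(s)) for s in rejected)}
```

For the posted config the verdict is identity_mismatch: the client's 3DES/MD5 proposal equals transform-set foo, so the next thing to check is the ACL named by match address in the dynamic map against the identities the client actually proposes.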
Do you have the updated client?
What is the most recent version?
Most recent version is 4.8
You have to download from Cisco and you have to have CCO account to get it. I cannot provide it to you.

Did you remove that line from the acl and try again? That might fix it until you can update the client
Yes, I removed the line from the access-list and still get the same error. How can we fix phase 2?
ASKER CERTIFIED SOLUTION
Avatar of Les Moore
Les Moore
I will post a new question when i get the updated client. Thanks.