
How do you implement IPSEC VPN on a Cisco IOS router using Microsoft IAS authentication?

Posted on 2007-11-20
Last Modified: 2010-04-21
We have a working configuration of IPSEC VPN authenticating Cisco VPN clients against a Microsoft IAS server on a PIX515e.  We need help migrating that configuration to a Cisco 2821 ISR.  We still want to use IPSEC and IAS to authenticate the VPN clients.

Cisco VPN Client ----- Cisco 2821 IPSEC VPN ----- Microsoft IAS

I am having trouble finding good resources for implementing this solution.  Can anyone recommend a link or config sample?
Question by:AvidSolutions

Expert Comment

by:RouterDude
ID: 20322525
This should work, just adjust where your information (IPs and encryption) is different.
! AAA: Xauth user logins go to RADIUS (IAS); group policy is looked up locally
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
! IKE phase 1 policy
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! VPN client group: the group name and key entered in the Cisco VPN Client
crypto isakmp client configuration group 3000client
 key VPNkey
 dns 10.1.1.10
 wins 10.1.1.20
 domain whatever.com
 pool VPNUSERS
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! Tie Xauth, group authorization and address assignment to the crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 crypto map clientmap
!
! The poster's follow-up comment says the "ippool" line is a typo and not part of the configuration
ip local pool ippool  10.16.20.1 10.16.20.200
!
! Address pool referenced by the client configuration group above
ip local pool VPNUSERS  10.16.20.1 10.16.20.200
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key radiuskey
radius-server retransmit 3

Author Comment

by:AvidSolutions
ID: 20323137
Thanks for the info.  One question though...in our PIX we have defined vpngroups.  Where does that get defined?  Thanks.

vpngroup Group1 address-pool Group1_Pool
vpngroup Group1 dns-server 172.16.1.2 172.16.1.27
vpngroup Group1 wins-server 172.16.1.2
vpngroup Group1 default-domain dom.local
vpngroup Group1 split-tunnel Group1_splitTunnelAcl
vpngroup Group1 split-dns dom.local
vpngroup Group1 idle-time 1800
vpngroup Group1 authentication-server RADIUS
vpngroup Group1 user-authentication
vpngroup Group1 password ********
vpngroup Group2 address-pool Group2_Pool
vpngroup Group2 dns-server 172.16.1.2 172.16.1.27
vpngroup Group2 wins-server 172.16.1.2
vpngroup Group2 default-domain dom.local
vpngroup Group2 idle-time 1800
vpngroup Group2 authentication-server RADIUS
vpngroup Group2 user-authentication
vpngroup Group2 password ********

Accepted Solution

by:RouterDude (earned 1000 total points)
ID: 20323701
Create an additional "crypto isakmp client configuration group" with a different pool. Think of "crypto isakmp client configuration group" as the vpngroup and you should be fine.

BTW this was a typo and not meant to be part of the configuration.

"ip local pool ippool  10.16.20.1 10.16.20.200"
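
The mapping described in the accepted answer, applied to the two PIX vpngroups from the question, as an added example that is not part of the original thread. The angle-bracket values, the ACL number 101 and the choice of a global idle timer are assumptions, since the thread does not show the pool ranges, the split-tunnel ACL contents or the group passwords.

```cisco
! Added example (not from the thread): PIX "vpngroup" lines expressed as
! IOS client configuration groups. <...> values are placeholders.
!
! vpngroup Group1 ...  (split tunnel and split DNS enabled)
crypto isakmp client configuration group Group1
 ! vpngroup Group1 password ********
 key <Group1-password>
 dns 172.16.1.2 172.16.1.27
 wins 172.16.1.2
 domain dom.local
 pool Group1_Pool
 ! vpngroup Group1 split-tunnel Group1_splitTunnelAcl (ACL 101 is an assumed number)
 acl 101
 split-dns dom.local
!
! vpngroup Group2 ...  (no split tunnel: all client traffic goes through the VPN)
crypto isakmp client configuration group Group2
 key <Group2-password>
 dns 172.16.1.2 172.16.1.27
 wins 172.16.1.2
 domain dom.local
 pool Group2_Pool
!
! One local pool per group; ranges must not overlap
ip local pool Group1_Pool <first-address> <last-address>
ip local pool Group2_Pool <first-address> <last-address>
!
! Split-tunnel ACL: the source is the network reachable through the tunnel
access-list 101 permit ip <protected-network> <wildcard-mask> any
!
! vpngroup ... idle-time 1800: assumed closest IOS equivalent, set globally
! rather than per group
crypto ipsec security-association idle-time 1800
!
! vpngroup ... authentication-server RADIUS / user-authentication are already
! covered by these lines from the configuration posted above:
!   aaa authentication login userauthen group radius
!   crypto map clientmap client authentication list userauthen
```

The group name and key are what each user enters in the Cisco VPN Client profile; the user name and password are still checked against IAS through the `userauthen` list.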

Author Closing Comment

by:AvidSolutions
ID: 31412687
Thanks for the help...