Solved

How do you implement IPSEC VPN on a Cisco IOS router using Microsoft IAS authentication?

Posted on 2007-11-20
4
1,656 Views
Last Modified: 2010-04-21
We have a working configuration of IPSEC VPN authenticating Cisco VPN clients against a Microsoft IAS server on a PIX515e.  We need help migrating that configuration to a Cisco 2821 ISR.  We still want to use IPSEC and IAS to authenticate the VPN clients.

Cisco VPN Client ----- Cisco 2821 IPSEC VPN ----- Microsoft IAS

I am having trouble finding good resources for implementing this solution.  Can anyone recommend a link or config sample?
Question by:AvidSolutions
4 Comments
 
LVL 3

Expert Comment

by:RouterDude
ID: 20322525
This should work, just adjust where your information (IPs and encryption) is different.
aaa new-model
! Xauth user logins go to RADIUS (the IAS server); group authorization is local
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! one group per VPN group; the pool name must match the ip local pool below
crypto isakmp client configuration group 3000client
 key VPNkey
 dns 10.1.1.10
 wins 10.1.1.20
 domain whatever.com
 pool VPNUSERS
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! tie xauth (userauthen) and group authorization (groupauthor) to the crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 crypto map clientmap
!
ip local pool VPNUSERS 10.16.20.1 10.16.20.200
!
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key radiuskey
radius-server retransmit 3

Author Comment

by:AvidSolutions
ID: 20323137
Thanks for the info.  One question though... in our PIX we have defined vpngroups.  Where do those get defined?  Thanks.

vpngroup Group1 address-pool Group1_Pool
vpngroup Group1 dns-server 172.16.1.2 172.16.1.27
vpngroup Group1 wins-server 172.16.1.2
vpngroup Group1 default-domain dom.local
vpngroup Group1 split-tunnel Group1_splitTunnelAcl
vpngroup Group1 split-dns dom.local
vpngroup Group1 idle-time 1800
vpngroup Group1 authentication-server RADIUS
vpngroup Group1 user-authentication
vpngroup Group1 password ********
vpngroup Group2 address-pool Group2_Pool
vpngroup Group2 dns-server 172.16.1.2 172.16.1.27
vpngroup Group2 wins-server 172.16.1.2
vpngroup Group2 default-domain dom.local
vpngroup Group2 idle-time 1800
vpngroup Group2 authentication-server RADIUS
vpngroup Group2 user-authentication
vpngroup Group2 password ********
LVL 3

Accepted Solution

by:RouterDude (earned 250 total points)
ID: 20323701
Create additional "crypto isakmp client configuration group" with a different pool. Think of "crypto isakmp client configuration group" as the vpngroup and you should be fine.

BTW this was a typo and not meant to be part of the configuration.

"ip local pool ippool  10.16.20.1 10.16.20.200"
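The mapping the accepted answer describes (one IOS "crypto isakmp client configuration group" per PIX vpngroup, each with its own pool) can be applied mechanically. The script below is an added example written for this thread, not code posted by anyone in it: it parses the vpngroup lines quoted in the question (embedded here as constructed sample input, with the pre-shared keys masked as they were in the post) and emits the equivalent IOS group stanzas. The attribute table is an assumption of this example; vpngroup attributes that have no per-group sub-command in the IOS stanza (idle-time, authentication-server, user-authentication, which in IOS are handled by the global crypto map "client authentication list") are emitted as "!" comments rather than silently dropped. The second function cross-checks every "pool" reference against the "ip local pool" definitions, which is exactly the kind of name mismatch that is easy to make when hand-translating.

```python
"""Translate PIX 6.x 'vpngroup' lines into IOS 'crypto isakmp client
configuration group' stanzas and check pool references.

Added example for this thread, not code posted by anyone in it.  The
attribute mapping is an assumption made here; the PIX sample input is
the one quoted in the question, keys masked as they were there.
"""
import re
from collections import OrderedDict

# vpngroup attribute -> IOS group sub-command.  None means the setting has
# no per-group equivalent in the IOS stanza and is reported as a comment.
ATTR_MAP = {
    "address-pool": "pool",
    "dns-server": "dns",
    "wins-server": "wins",
    "default-domain": "domain",
    "split-tunnel": "acl",
    "split-dns": "split-dns",
    "password": "key",
    "idle-time": None,              # not carried into the group stanza here
    "authentication-server": None,  # global: crypto map ... client authentication list
    "user-authentication": None,    # global: xauth enabled by that same list
}

VPNGROUP_RE = re.compile(r"^vpngroup\s+(\S+)\s+(\S+)\s*(.*)$")
POOL_DEF_RE = re.compile(r"^ip local pool\s+(\S+)")

# Constructed sample: the two vpngroups quoted in the question.
PIX_SAMPLE = """\
vpngroup Group1 address-pool Group1_Pool
vpngroup Group1 dns-server 172.16.1.2 172.16.1.27
vpngroup Group1 wins-server 172.16.1.2
vpngroup Group1 default-domain dom.local
vpngroup Group1 split-tunnel Group1_splitTunnelAcl
vpngroup Group1 split-dns dom.local
vpngroup Group1 idle-time 1800
vpngroup Group1 authentication-server RADIUS
vpngroup Group1 user-authentication
vpngroup Group1 password ********
vpngroup Group2 address-pool Group2_Pool
vpngroup Group2 dns-server 172.16.1.2 172.16.1.27
vpngroup Group2 wins-server 172.16.1.2
vpngroup Group2 default-domain dom.local
vpngroup Group2 idle-time 1800
vpngroup Group2 authentication-server RADIUS
vpngroup Group2 user-authentication
vpngroup Group2 password ********
"""


def parse_vpngroups(pix_config):
    """Return {group_name: [(attribute, value), ...]} in config order."""
    groups = OrderedDict()
    for line in pix_config.splitlines():
        m = VPNGROUP_RE.match(line.strip())
        if not m:
            continue
        name, attr, value = m.groups()
        groups.setdefault(name, []).append((attr, value))
    return groups


def ios_group_stanza(name, attrs):
    """Emit one 'crypto isakmp client configuration group' stanza."""
    out = [f"crypto isakmp client configuration group {name}"]
    for attr, value in attrs:
        desc = f"{attr} {value}".strip()
        if attr not in ATTR_MAP:
            out.append(f" ! unknown vpngroup attribute: {desc}")
        elif ATTR_MAP[attr] is None:
            out.append(f" ! {desc}: no per-group equivalent, see global config")
        else:
            out.append(f" {ATTR_MAP[attr]} {value}".rstrip())
    out.append("!")
    return out


def pix_to_ios(pix_config):
    """Translate every vpngroup in pix_config; returns a list of IOS lines."""
    lines = []
    for name, attrs in parse_vpngroups(pix_config).items():
        lines.extend(ios_group_stanza(name, attrs))
    return lines


def undefined_pools(ios_config):
    """Pool names referenced by 'pool X' in a group stanza but never defined
    with 'ip local pool X' (the name-mismatch class of error)."""
    defined, referenced = set(), []
    for raw in ios_config.splitlines():
        line = raw.strip()
        m = POOL_DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
        elif line.startswith("pool "):
            referenced.append(line.split()[1])
    return [p for p in referenced if p not in defined]


if __name__ == "__main__":
    ios = pix_to_ios(PIX_SAMPLE)
    print("\n".join(ios))
    # The PIX pool ranges are not in the sample, so define them on the ISR:
    print("still need 'ip local pool' for:", undefined_pools("\n".join(ios)))
```

Run it and paste the output into the router alongside the aaa, crypto map and radius-server lines from the first answer; the pre-shared key lines carry the masked value and must be replaced, and the two pools must be created with ip local pool before the groups will hand out addresses.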

Author Closing Comment

by:AvidSolutions
ID: 31412687
Thanks for the help...
