
How do you implement IPSEC VPN on a Cisco IOS router using Microsoft IAS authentication?

Posted on 2007-11-20
Last Modified: 2010-04-21
We have a working configuration of IPSEC VPN authenticating Cisco VPN clients against a Microsoft IAS server on a PIX515e.  We need help migrating that configuration to a Cisco 2821 ISR.  We still want to use IPSEC and IAS to authenticate the VPN clients.

Cisco VPN Client ----- Cisco 2821 IPSEC VPN ----- Microsoft IAS

I am having trouble finding good resources for implementing this solution.  Can anyone recommend a link or config sample?
Question by:AvidSolutions

Expert Comment

by:RouterDude
ID: 20322525
This should work, just adjust where your information (IPs and encryption) is different.
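! AAA: VPN user logins (Xauth) go to RADIUS (the IAS server); group authorization is local
aaa new-model
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
! IKE phase 1 policy
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! VPN client group: the group name and key are what the Cisco VPN Client is configured with
crypto isakmp client configuration group 3000client
 key VPNkey
 dns 10.1.1.10
 wins 10.1.1.20
 domain whatever.com
 pool VPNUSERS
!
! IPsec phase 2 transform set
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! Tie user authentication, group authorization and address assignment to the crypto map
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! Apply the crypto map to the interface that faces the VPN clients
interface Ethernet0/0
 crypto map clientmap
!
ip local pool ippool  10.16.20.1 10.16.20.200
!
! Address pool referenced by the client group above
ip local pool VPNUSERS  10.16.20.1 10.16.20.200
! RADIUS (IAS) server and shared secret
radius-server host 172.18.124.96 auth-port 1645 acct-port 1646 key radiuskey
radius-server retransmit 3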

Author Comment

by:AvidSolutions
ID: 20323137
Thanks for the info.  One question though...in our pix we have defined vpngroups.  Where does that get defined?  Thanks.

vpngroup Group1 address-pool Group1_Pool
vpngroup Group1 dns-server 172.16.1.2 172.16.1.27
vpngroup Group1 wins-server 172.16.1.2
vpngroup Group1 default-domain dom.local
vpngroup Group1 split-tunnel Group1_splitTunnelAcl
vpngroup Group1 split-dns dom.local
vpngroup Group1 idle-time 1800
vpngroup Group1 authentication-server RADIUS
vpngroup Group1 user-authentication
vpngroup Group1 password ********
vpngroup Group2 address-pool Group2_Pool
vpngroup Group2 dns-server 172.16.1.2 172.16.1.27
vpngroup Group2 wins-server 172.16.1.2
vpngroup Group2 default-domain dom.local
vpngroup Group2 idle-time 1800
vpngroup Group2 authentication-server RADIUS
vpngroup Group2 user-authentication
vpngroup Group2 password ********

Accepted Solution

by:
RouterDude earned 1000 total points
ID: 20323701
Create an additional "crypto isakmp client configuration group" with a different pool. Think of "crypto isakmp client configuration group" as the vpngroup and you should be fine.

BTW this was a typo and not meant to be part of the configuration.

"ip local pool ippool  10.16.20.1 10.16.20.200"

Author Closing Comment

by:AvidSolutions
ID: 31412687
Thanks for the help...
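
The vpngroup-to-group mapping described in the accepted answer, as an added example that is not part of the original thread: a small Python script that turns PIX vpngroup lines into IOS client configuration groups. The attribute-to-keyword mapping, the placeholder key and the function name convert are assumptions of this example.

```python
# Added example: PIX "vpngroup" lines -> IOS "crypto isakmp client configuration group".
# The keyword mapping is this example's assumption; check it on the target IOS release.
GROUP_MAP = {  # PIX attribute -> IOS group sub-command
    "address-pool": "pool", "dns-server": "dns", "wins-server": "wins",
    "default-domain": "domain", "split-dns": "split-dns", "password": "key",
    "split-tunnel": "acl",  # the ACL itself must be recreated on the router
}
# Not group sub-commands: the thread's IOS config sets user authentication once,
# on the crypto map ("client authentication list"); idle-time is flagged too.
OUTSIDE_GROUP = {"authentication-server", "user-authentication", "idle-time"}

# Subset of the vpngroup lines posted in the question (group keys arrive masked).
SAMPLE = """\
vpngroup Group1 address-pool Group1_Pool
vpngroup Group1 dns-server 172.16.1.2 172.16.1.27
vpngroup Group1 split-tunnel Group1_splitTunnelAcl
vpngroup Group1 idle-time 1800
vpngroup Group1 authentication-server RADIUS
vpngroup Group1 password ********
vpngroup Group2 address-pool Group2_Pool
vpngroup Group2 default-domain dom.local
vpngroup Group2 password ********
"""

def convert(pix_config):
    """Return (ios_config_text, review_notes) for the vpngroup lines given."""
    groups, review = {}, []
    for raw in pix_config.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "vpngroup":
            continue
        name, attr, args = parts[1], parts[2], " ".join(parts[3:])
        body = groups.setdefault(name, [])
        if attr == "password" and set(args) == {"*"}:
            # A masked key cannot be migrated; never emit the asterisks as the key.
            args = "<GROUP-KEY-PLACEHOLDER>"
        if attr in GROUP_MAP:
            body.append(" %s %s" % (GROUP_MAP[attr], args))
        elif attr in OUTSIDE_GROUP:
            review.append("%s: '%s' is handled outside the group" % (name, (attr + " " + args).strip()))
        else:
            review.append("%s: unmapped attribute '%s'" % (name, attr))
    out = []
    for name, body in groups.items():  # dicts keep insertion order
        out += ["crypto isakmp client configuration group " + name] + body + ["!"]
    return "\n".join(out), review

if __name__ == "__main__":
    config, notes = convert(SAMPLE)
    print(config + "\n" + "\n".join("! REVIEW " + n for n in notes))
```

Each address pool and split-tunnel ACL named in the output still has to be defined on the router, and the placeholder key replaced with the real group key.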