Solved

VPN Client Configuration via CLI

Posted on 2007-12-05
1,196 Views
Last Modified: 2012-05-05
Greetings! I tried enabling VPN client access on this router through the SDM and entered what looked like the correct parameters, but upon testing the interface the result is that VPN policy is not turned on.

I prefer the CLI but I really don't know the command set to implement this manually or what order to start in. Any help would be greatly appreciated. Thanks!

Current config:


Current configuration : 10420 bytes
!
! Last configuration change at 16:24:51 EST Wed Dec 5 2007
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ORL-ISR1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
 server 172.16.1.2 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 group sdm-vpn-server-group-1
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
!
!
ip cef
!
!
ip domain name grg.local
ip inspect name INET_INSPECT ddns-v3
ip inspect name INET_INSPECT dns
ip inspect name INET_INSPECT ftp
ip inspect name INET_INSPECT ftps
ip inspect name INET_INSPECT h323
ip inspect name INET_INSPECT h323callsigalt
ip inspect name INET_INSPECT h323gatestat
ip inspect name INET_INSPECT http
ip inspect name INET_INSPECT https
ip inspect name INET_INSPECT ica
ip inspect name INET_INSPECT icabrowser
ip inspect name INET_INSPECT icmp
ip inspect name INET_INSPECT imap
ip inspect name INET_INSPECT imap3
ip inspect name INET_INSPECT imaps
ip inspect name INET_INSPECT l2tp
ip inspect name INET_INSPECT pop3
ip inspect name INET_INSPECT pop3s
ip inspect name INET_INSPECT pptp
ip inspect name INET_INSPECT rtsp
ip inspect name INET_INSPECT sip
ip inspect name INET_INSPECT sip-tls
ip inspect name INET_INSPECT skinny
ip inspect name INET_INSPECT smtp
ip inspect name INET_INSPECT snmp
ip inspect name INET_INSPECT socks
ip inspect name INET_INSPECT sqlnet
ip inspect name INET_INSPECT ssh
ip inspect name INET_INSPECT tcp
ip inspect name INET_INSPECT udp
ip inspect name INET_INSPECT telnet
ip inspect name INET_INSPECT telnets
ip inspect name INET_INSPECT tftp
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3805255413
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3805255413
 revocation-check none
 rsakeypair TP-self-signed-3805255413
!
!
crypto pki certificate chain TP-self-signed-3805255413
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383035 32353534 3133301E 170D3037 31313237 31373332
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38303532
  35353431 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CD90 DE43D1FF 05FBAA83 07907EBC 255D8080 F8060F47 6BFB9702 DF75EE09
  FCB10C46 951900CE F8068492 A8C7F75F 7372B76B 52230B25 BE5DEFE4 5C8767F6
  760FDAA3 BAC41066 CD852652 A5616A97 85B86FCD 9B3FB3CD 9320DDAF D947C033
  E87BCA89 E8DEB8E9 37985324 327F7C48 E4534D5D 364D290C C335E165 DA349470
  78170203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14A0C15D 372CEFC6 F8EAE240 DE72C330 E1A74EF4
  FA301D06 03551D0E 04160414 A0C15D37 2CEFC6F8 EAE240DE 72C330E1 A74EF4FA
  300D0609 2A864886 F70D0101 04050003 81810084 6B84A8EA E5102C77 A47456DF
  FF353837 ABF44D63 0DF8D754 21F4A74B 0212E328 68AC314D 551F2BBA 451CFC19
  5CDEB83C 0A913BE0 9B6EC844 0628B766 E1D43133 91D038ED CCC4A3A8 AEC0783E
  F9DB9D7B C0977038 D970B6EA B22E9446 F1B785C5 77BD4B05 19EE634B B821C09B
  7F3E768F BD7A1492 5D413C57 F964D316 5288B4
  quit
username dfox privilege 15 password 7 110C1751141719
username msharkey privilege 15 password 7 110C1751141719
username fjimenez privilege 15 password 7 050E085B22495C
username mvain privilege 15 password 7 0210145518031B345C
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GRG-ORL-IT
 key orl-isr1
 dns 172.16.1.2 172.16.1.27
 wins 172.16.1.2
 domain grg.local
 pool SDM_POOL_1
 max-users 150
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group grg-orl-it
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface GigabitEthernet0/0
 description - LINK TO PAETEC INTERNET
 ip address xx.xxx.x.34 255.255.255.240
 ip access-group INET_IN_ACL in
 ip access-group INET_OUT_ACL out
 ip nat outside
 ip inspect INET_INSPECT out
 ip virtual-reassembly
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description - LINK TO INSIDE NETWORK
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description - LINK TO xxxxx WAN
 duplex full
 speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 10.10.16.2 255.255.255.252
!
ip local pool SDM_POOL_1 192.168.75.1 192.168.75.62
ip route 0.0.0.0 0.0.0.0 xx.xxx.x.33 permanent
ip route 10.10.17.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.18.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.19.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.20.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.21.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.22.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.23.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.24.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.25.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.26.0 255.255.255.252 10.10.16.1 permanent
ip route 172.17.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.18.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.19.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.20.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.21.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.22.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.23.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.24.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.25.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.26.0.0 255.255.0.0 10.10.16.1 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT_LIST interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.0.10 xx.xxx.x.35 extendable
ip nat inside source static 172.16.1.26 xx.xxx.x.36 extendable
ip nat inside source static 172.16.1.5 xx.xxx.x.37 extendable
ip nat inside source static 172.16.1.12 xx.xxx.x.38 extendable
ip nat inside source static 172.16.100.100 xx.xxx.x.41 extendable
ip nat inside source static 172.16.1.2 xx.xxx.x.42 extendable
ip nat inside source static 172.16.1.13 xx.xxx.x.43 extendable
ip nat inside source static 172.16.10.50 xx.xxx.x.44 extendable
ip nat inside source static 172.16.10.51 xx.xxx.x.45
ip nat inside source static 172.19.1.12 xx.xxx.x.46 extendable
!
ip access-list extended EMERG_OPEN_IN
 permit ip any any
ip access-list extended EMERG_OPEN_OUT
 permit ip any any
ip access-list extended INET_IN_ACL
 remark SDM_ACL Category=17
 remark Auto generated by SDM for NTP (123) 198.72.72.10
 permit udp host 198.72.72.10 eq ntp host xx.xxx.x.34 eq ntp
 remark Auto generated by SDM for NTP (123) 128.194.254.9
 permit udp host 128.194.254.9 eq ntp host xx.xxx.x.34 eq ntp
 permit udp any host xx.xxx.x.34 eq non500-isakmp
 permit udp any host xx.xxx.x.34 eq isakmp
 permit esp any host xx.xxx.x.34
 permit ahp any host xx.xxx.x.34
 permit tcp any host xx.xxx.x.36 eq pop3
 permit tcp any host xx.xxx.x.36 eq 443
 permit tcp any host xx.xxx.x.38 eq 8080
 permit tcp any host xx.xxx.x.38 eq 443
 permit tcp any host xx.xxx.x.38 eq www
 permit tcp any host xx.xxx.x.37 eq 443
 permit tcp any host xx.xxx.x.37 eq www
 permit tcp any host xx.xxx.x.37 eq ftp
 permit tcp any host xx.xxx.x.35 eq smtp
 permit tcp any host xx.xxx.x.35 eq pop3
 permit tcp any host xx.xxx.x.35 eq 443
 permit tcp any host xx.xxx.x.36 eq smtp
 permit tcp any host xx.xxx.x.35 eq 22
 permit tcp host 70.60.37.252 host xx.xxx.x.36 eq 143
 permit tcp host 70.60.37.252 host xx.xxx.x.36 eq 993
 permit tcp any host xx.xxx.x.43 eq 443
 permit tcp any host xx.xxx.x.43 eq www
 permit tcp any host xx.xxx.x.44 eq www
 permit tcp any host xx.xxx.x.44 eq 554
 permit tcp any host xx.xxx.x.44 eq 1755
 permit tcp any host xx.xxx.x.44 eq 5800
 permit tcp any host xx.xxx.x.44 eq 5900
 permit icmp any host xx.xxx.x.44 unreachable
 permit tcp any host xx.xxx.x.45 eq www
 permit tcp any host xx.xxx.x.45 eq 443
 permit tcp any host xx.xxx.x.45 eq 8888
 permit tcp any host xx.xxx.x.45 eq 5800
 permit tcp any host xx.xxx.x.45 eq 5900
 permit icmp any host xx.xxx.x.45 unreachable
 permit tcp any host xx.xxx.x.42 eq 3389
 permit tcp any host xx.xxx.x.41 eq 3389
 permit tcp any host xx.xxx.x.42 eq domain
 permit udp any host xx.xxx.x.42 eq domain
 permit tcp any host xx.xxx.x.46 eq 3389
 deny   ip any any
ip access-list extended INET_OUT_ACL
 permit ip any any
ip access-list extended NAT_LIST
 deny   ip host 172.16.0.10 any
 deny   ip host 172.16.1.26 any
 deny   ip host 172.16.1.5 any
 deny   ip host 172.16.1.12 any
 deny   ip host 172.16.100.100 any
 deny   ip host 172.16.1.2 any
 deny   ip host 172.16.1.13 any
 deny   ip host 172.16.10.50 any
 deny   ip host 172.16.10.51 any
 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
!
!
!
radius-server host 172.16.1.2 auth-port 1645 acct-port 1646 key 7 000D141305550A
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179935
ntp update-calendar
ntp server 198.72.72.10 source GigabitEthernet0/0 prefer
ntp server 128.194.254.9 source GigabitEthernet0/0
!
end
Question by:vainm
5 Comments
 
LVL 13

Assisted Solution

by:td_miles
td_miles earned 250 total points
ID: 20418273
Firstly, you shouldn't post passwords encrypted with a "7" in your config; these passwords are two-way encryption (meaning I now know what the passwords are after running them through a decryption algorithm).

Not too sure what the SDM did (it often messes things up). Have a look at a sample config from this list:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Look at perhaps this one:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml

And this one:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
0
 

Author Comment

by:vainm
ID: 20427462
Thanks, but what I was looking for was some expert advice and someone to look at the config there and give me some advice as to what commands I should enter to correct the problem.
0
 

Author Comment

by:vainm
ID: 20427576
Also, the scenario is thus:

1) Clients will connect via VPN client and I would like them to authenticate to Active Directory

2) I would like to distribute a client install with the connection info integrated (including the password) so all they need to remember is their network password.
0
 
LVL 13

Accepted Solution

by:
td_miles earned 250 total points
ID: 20454930
To diagnose the problem, I'd start by removing the external authentication to simplify things.

Change your isakmp authorisation as follows:

crypto isakmp profile sdm-ike-profile-1
 no  client authentication list sdm_vpn_xauth_ml_2
 no  isakmp authorization list sdm_vpn_group_ml_2
 isakmp authorization list sdm_vpn_group_ml_1

This should authenticate using local usernames ONLY.

What happens when you try to connect with the VPN client? It has a logging section. You need to enable logging and change the logging levels to get some output.

To answer your other question, yes, this is possible. We routinely send people just the VPN client profile, which includes the user/passwd, and get them to import it into the VPN client.

The SDM has done the VPN configuration differently to anything I've done on IOS before. It may be the "new" way of doing things that there isn't much doco on. The above links that I sent are how I've done things in the past.

See how you go and get back with the outcome.
0
 

Author Closing Comment

by:vainm
ID: 31412965
It took way too long to get these answers, I am canceling my subscription.
0