Solved

VPN Client Configuration via CLI

Posted on 2007-12-05
Last Modified: 2012-05-05
Greetings! I tried enabling VPN client access on this router through the SDM and entered what looked like the correct parameters, but upon testing the interface the result is that VPN policy is not turned on.

I prefer the CLI but I really don't know the command set to implement this manually or what order to start in. Any help would be greatly appreciated. Thanks!

Current config:

Current configuration : 10420 bytes
!
! Last configuration change at 16:24:51 EST Wed Dec 5 2007
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ORL-ISR1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
 server 172.16.1.2 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 group sdm-vpn-server-group-1
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
!
!
ip cef
!
!
ip domain name grg.local
ip inspect name INET_INSPECT ddns-v3
ip inspect name INET_INSPECT dns
ip inspect name INET_INSPECT ftp
ip inspect name INET_INSPECT ftps
ip inspect name INET_INSPECT h323
ip inspect name INET_INSPECT h323callsigalt
ip inspect name INET_INSPECT h323gatestat
ip inspect name INET_INSPECT http
ip inspect name INET_INSPECT https
ip inspect name INET_INSPECT ica
ip inspect name INET_INSPECT icabrowser
ip inspect name INET_INSPECT icmp
ip inspect name INET_INSPECT imap
ip inspect name INET_INSPECT imap3
ip inspect name INET_INSPECT imaps
ip inspect name INET_INSPECT l2tp
ip inspect name INET_INSPECT pop3
ip inspect name INET_INSPECT pop3s
ip inspect name INET_INSPECT pptp
ip inspect name INET_INSPECT rtsp
ip inspect name INET_INSPECT sip
ip inspect name INET_INSPECT sip-tls
ip inspect name INET_INSPECT skinny
ip inspect name INET_INSPECT smtp
ip inspect name INET_INSPECT snmp
ip inspect name INET_INSPECT socks
ip inspect name INET_INSPECT sqlnet
ip inspect name INET_INSPECT ssh
ip inspect name INET_INSPECT tcp
ip inspect name INET_INSPECT udp
ip inspect name INET_INSPECT telnet
ip inspect name INET_INSPECT telnets
ip inspect name INET_INSPECT tftp
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3805255413
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3805255413
 revocation-check none
 rsakeypair TP-self-signed-3805255413
!
!
crypto pki certificate chain TP-self-signed-3805255413
 certificate self-signed 01
  quit
username dfox privilege 15 password 7 110C1751141719
username msharkey privilege 15 password 7 110C1751141719
username fjimenez privilege 15 password 7 050E085B22495C
username mvain privilege 15 password 7 0210145518031B345C
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group GRG-ORL-IT
 key orl-isr1
 dns 172.16.1.2 172.16.1.27
 wins 172.16.1.2
 domain grg.local
 pool SDM_POOL_1
 max-users 150
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group grg-orl-it
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
!
interface GigabitEthernet0/0
 description - LINK TO PAETEC INTERNET
 ip address xx.xxx.x.34 255.255.255.240
 ip access-group INET_IN_ACL in
 ip access-group INET_OUT_ACL out
 ip nat outside
 ip inspect INET_INSPECT out
 ip virtual-reassembly
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description - LINK TO INSIDE NETWORK
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description - LINK TO xxxxx WAN
 duplex full
 speed 100
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 10.10.16.2 255.255.255.252
!
ip local pool SDM_POOL_1 192.168.75.1 192.168.75.62
ip route 0.0.0.0 0.0.0.0 xx.xxx.x.33 permanent
ip route 10.10.17.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.18.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.19.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.20.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.21.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.22.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.23.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.24.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.25.0 255.255.255.252 10.10.16.1 permanent
ip route 10.10.26.0 255.255.255.252 10.10.16.1 permanent
ip route 172.17.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.18.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.19.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.20.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.21.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.22.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.23.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.24.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.25.0.0 255.255.0.0 10.10.16.1 permanent
ip route 172.26.0.0 255.255.0.0 10.10.16.1 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT_LIST interface GigabitEthernet0/0 overload
ip nat inside source static 172.16.0.10 xx.xxx.x.35 extendable
ip nat inside source static 172.16.1.26 xx.xxx.x.36 extendable
ip nat inside source static 172.16.1.5 xx.xxx.x.37 extendable
ip nat inside source static 172.16.1.12 xx.xxx.x.38 extendable
ip nat inside source static 172.16.100.100 xx.xxx.x.41 extendable
ip nat inside source static 172.16.1.2 xx.xxx.x.42 extendable
ip nat inside source static 172.16.1.13 xx.xxx.x.43 extendable
ip nat inside source static 172.16.10.50 xx.xxx.x.44 extendable
ip nat inside source static 172.16.10.51 xx.xxx.x.45
ip nat inside source static 172.19.1.12 xx.xxx.x.46 extendable
!
ip access-list extended EMERG_OPEN_IN
 permit ip any any
ip access-list extended EMERG_OPEN_OUT
 permit ip any any
ip access-list extended INET_IN_ACL
 remark SDM_ACL Category=17
 remark Auto generated by SDM for NTP (123) 198.72.72.10
 permit udp host 198.72.72.10 eq ntp host xx.xxx.x.34 eq ntp
 remark Auto generated by SDM for NTP (123) 128.194.254.9
 permit udp host 128.194.254.9 eq ntp host xx.xxx.x.34 eq ntp
 permit udp any host xx.xxx.x.34 eq non500-isakmp
 permit udp any host xx.xxx.x.34 eq isakmp
 permit esp any host xx.xxx.x.34
 permit ahp any host xx.xxx.x.34
 permit tcp any host xx.xxx.x.36 eq pop3
 permit tcp any host xx.xxx.x.36 eq 443
 permit tcp any host xx.xxx.x.38 eq 8080
 permit tcp any host xx.xxx.x.38 eq 443
 permit tcp any host xx.xxx.x.38 eq www
 permit tcp any host xx.xxx.x.37 eq 443
 permit tcp any host xx.xxx.x.37 eq www
 permit tcp any host xx.xxx.x.37 eq ftp
 permit tcp any host xx.xxx.x.35 eq smtp
 permit tcp any host xx.xxx.x.35 eq pop3
 permit tcp any host xx.xxx.x.35 eq 443
 permit tcp any host xx.xxx.x.36 eq smtp
 permit tcp any host xx.xxx.x.35 eq 22
 permit tcp host 70.60.37.252 host xx.xxx.x.36 eq 143
 permit tcp host 70.60.37.252 host xx.xxx.x.36 eq 993
 permit tcp any host xx.xxx.x.43 eq 443
 permit tcp any host xx.xxx.x.43 eq www
 permit tcp any host xx.xxx.x.44 eq www
 permit tcp any host xx.xxx.x.44 eq 554
 permit tcp any host xx.xxx.x.44 eq 1755
 permit tcp any host xx.xxx.x.44 eq 5800
 permit tcp any host xx.xxx.x.44 eq 5900
 permit icmp any host xx.xxx.x.44 unreachable
 permit tcp any host xx.xxx.x.45 eq www
 permit tcp any host xx.xxx.x.45 eq 443
 permit tcp any host xx.xxx.x.45 eq 8888
 permit tcp any host xx.xxx.x.45 eq 5800
 permit tcp any host xx.xxx.x.45 eq 5900
 permit icmp any host xx.xxx.x.45 unreachable
 permit tcp any host xx.xxx.x.42 eq 3389
 permit tcp any host xx.xxx.x.41 eq 3389
 permit tcp any host xx.xxx.x.42 eq domain
 permit udp any host xx.xxx.x.42 eq domain
 permit tcp any host xx.xxx.x.46 eq 3389
 deny   ip any any
ip access-list extended INET_OUT_ACL
 permit ip any any
ip access-list extended NAT_LIST
 deny   ip host 172.16.0.10 any
 deny   ip host 172.16.1.26 any
 deny   ip host 172.16.1.5 any
 deny   ip host 172.16.1.12 any
 deny   ip host 172.16.100.100 any
 deny   ip host 172.16.1.2 any
 deny   ip host 172.16.1.13 any
 deny   ip host 172.16.10.50 any
 deny   ip host 172.16.10.51 any
 permit ip 172.16.0.0 0.0.255.255 any
!
!
!
!
!
!
radius-server host 172.16.1.2 auth-port 1645 acct-port 1646 key 7 000D141305550A
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17179935
ntp update-calendar
ntp server 198.72.72.10 source GigabitEthernet0/0 prefer
ntp server 128.194.254.9 source GigabitEthernet0/0
!
end

0
Comment
Question by:vainm
  • 3
  • 2
5 Comments
 
LVL 13

Assisted Solution

by:td_miles
td_miles earned 250 total points
Comment Utility
Firstly, you shouldn't post passwords encrypted with a "7" in your config; these passwords use two-way encryption (meaning I now know what the passwords are after running them through a decryption algorithm).

Not too sure what the SDM did (it often messes things up). Have a look at a sample config from this list:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

Look at perhaps this one:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml

And this one:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
Author Comment by:vainm
Thanks, but what I was looking for was some expert advice and someone to look at the config there and give me some advice as to what commands I should enter to correct the problem.
Author Comment by:vainm
Also, the scenario is thus:

1) Clients will connect via VPN client and I would like them to authenticate to Active Directory

2) I would like to distribute a client install with the connection info integrated (including the password) so all they need to remember is their network password.
Accepted Solution by:td_miles (earned 250 total points)
To diagnose the problem, I'd start by removing the external authentication to simplify things.

Change your isakmp authorisation as follows:

crypto isakmp profile sdm-ike-profile-1
 no client authentication list sdm_vpn_xauth_ml_2
 no isakmp authorization list sdm_vpn_group_ml_2
 isakmp authorization list sdm_vpn_group_ml_1

This should authenticate using local usernames ONLY.

What happens when you try to connect with the VPN client? It has a logging section. You need to enable logging and change the logging levels to get some output.

To answer your other question, yes, this is possible. We routinely send people just the VPN client profile, which includes the user/passwd, and get them to import it into the VPN client.

The SDM has done the VPN configuration differently to anything I've done on IOS before. It may be the "new" way of doing things that there isn't much doco on. The above links that I sent are how I've done things in the past.

See how you go and get back with the outcome.
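As an added example (not part of the question or of td_miles's reply), here is a minimal Easy VPN server configuration in the same virtual-template style as the posted config, with XAUTH and group authorization both pointing at local AAA lists so the RADIUS path is out of the picture while troubleshooting; the comment shows where the RADIUS-backed list from the posted config would go back in for the Active Directory scenario. The list, profile and user names (VPN_XAUTH_LOCAL, VPN_GROUP_LOCAL, EZVPN_PROFILE, EZVPN_IPSEC, vpntest) and the placeholder secrets are assumptions.

```cisco
! Added example (assumed names): local-only Easy VPN server
aaa new-model
! XAUTH login list and group authorization list, both local for now.
! For the Active Directory scenario, a RADIUS-backed list such as
! "group sdm-vpn-server-group-1 local" would replace VPN_XAUTH_LOCAL.
aaa authentication login VPN_XAUTH_LOCAL local
aaa authorization network VPN_GROUP_LOCAL local
! Constructed test account for XAUTH; replace the placeholder secret
username vpntest secret VPNTEST_PASSWORD_PLACEHOLDER
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Group name is spelled identically here, in the profile below,
! and in the client's connection entry (group authentication name)
crypto isakmp client configuration group GRG-ORL-IT
 key GROUP_PSK_PLACEHOLDER
 dns 172.16.1.2 172.16.1.27
 domain grg.local
 pool SDM_POOL_1
 netmask 255.255.255.0
!
crypto isakmp profile EZVPN_PROFILE
 match identity group GRG-ORL-IT
 client authentication list VPN_XAUTH_LOCAL
 isakmp authorization list VPN_GROUP_LOCAL
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EZVPN_IPSEC
 set transform-set ESP-3DES-SHA
 set isakmp-profile EZVPN_PROFILE
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_IPSEC
!
ip local pool SDM_POOL_1 192.168.75.1 192.168.75.62
```

After a client attempts to connect, `show crypto isakmp sa` and `show crypto session` show whether phase 1 and the IPsec session came up, and `debug crypto isakmp` during the attempt shows which step (group match, XAUTH, mode config) fails.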
Author Closing Comment by:vainm
It took way too long to get these answers; I am canceling my subscription.