I have set up a VPN tunnel for users to connect using the Cisco VPN Client v5.0:
-Phase 1 authentication via certificates
-Phase 2 authentication with the LDAP protocol (using Microsoft Active Directory).
Up to there, the setup is successful. The problem is that users now have FULL access to the internal network, and I don't want this.
What I have tried to do is to create an access-list for the VPN users and apply it to the dynamic crypto map. Once I issued this command, the VPN failed to connect: phase 1 and phase 2 complete successfully, but immediately afterwards the SA is destroyed and the connection drops. I get the attached error.
crypto dynamic-map outside_dyn_map 50 match address vpn_client_access
where vpn_client_access is the name of the access-list
Is there another method to implement this?
1635 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from 184.108.40.206
1636 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.127.116.11
1637 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=C75EF835
1638 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7) reason = DEL_REASON_IKE_NEG_FAILED
1639 14:56:07.248 09/25/08 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 18.104.22.168
1640 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7
1641 14:56:07.248 09/25/08 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 22.214.171.124
1642 14:56:07.436 09/25/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
1643 14:56:10.436 09/25/08 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0A974FDFEE219F0E R_Cookie=81EFBD25A20F09F7) reason = DEL_REASON_IKE_NEG_FAILED
1644 14:56:10.436 09/25/08 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system