Cisco 2811 Easy VPN Server Question

Posted on 2009-02-16
Last Modified: 2012-06-21
Alright, all you Cisco pros (of which I am not even close)... I have a new Cisco 2811 set up in our office and we have it working properly; now we have been told to get our VPN clients up and running. I have run the Easy VPN server setup through SDM and cannot get the test to work. For the failure reason, it states "All the crypto applied interface(s) are down or no crypto applied interface is present", action "Make the connection up and then proceed with VPN troubleshooting".

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.4
!
ip dhcp pool Test
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 216.136.95.2 64.132.94.250 
!
!
no ip bootp server
ip domain name 
ip name-server 216.136.95.2
ip name-server 64.132.94.250
!
multilink bundle-name authenticated
!
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ~!pga2OHCvpn# address ##.###.###.###
crypto isakmp key ~!pga2OHCvpn# address ##.###.###.### no-xauth
crypto isakmp key ~!pad2OHCvpn# address ##.###.###.### no-xauth
crypto isakmp key ~!pad2OHCvpn# address ##.###.###.### no-xauth
crypto isakmp key ~!pad2OHCvpn# address ##.###.###.### no-xauth
crypto isakmp key ~!ola2OHCvpn# address ##.###.###.### no-xauth
crypto isakmp profile sdm-ike-profile-1
   match identity group VPNuser
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA9 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description PGA Main VPN (70.229.244.132)
 set peer 70.229.244.132
 set transform-set ESP-3DES-SHA 
 match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description PGA East VPN (##.###.###.###)
 set peer ##.###.###.###
 set transform-set ESP-3DES-SHA1 
 set pfs group1
 match address 102
crypto map SDM_CMAP_1 3 ipsec-isakmp 
 description PAD North VPN (##.###.###.###)
 set peer 70.62.180.190
 set transform-set ESP-3DES-SHA2 
 set pfs group1
 match address 103
crypto map SDM_CMAP_1 4 ipsec-isakmp 
 description PAD BC VPN (##.###.###.###)
 set peer ##.###.###.###
 set transform-set ESP-3DES-SHA3 
 set pfs group1
 match address 104
crypto map SDM_CMAP_1 5 ipsec-isakmp 
 description PAD South VPN (##.###.###.###)
 set peer ##.###.###.###
 set transform-set ESP-3DES-SHA4 
 set pfs group1
 match address 105
crypto map SDM_CMAP_1 6 ipsec-isakmp 
 description OLA VPN (##.###.###.###)
 set peer ##.###.###.###
 set transform-set ESP-3DES-SHA5 
 set pfs group1
 match address 106
!
crypto ctcp port 10000 
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.1.1.1 255.255.0.0
 ip access-group sdm_fastethernet0/0_in in
 ip access-group sdm_fastethernet0/0_out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-LAN$$FW_OUTSIDE$
 ip address ##.###.###.### ##.###.###.### secondary
 ip address ##.###.###.### ##.###.###.###
 ip access-group sdm_fastethernet0/1_in in
 ip access-group sdm_fastethernet0/1_out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 10
 no mop enabled
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface Virtual-Template4 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.162.29.193 permanent
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
 
!
ip access-list extended sdm_fastethernet0/0_in
 remark SDM_ACL Category=1
 permit udp host 10.1.1.2 eq 1812 host 10.1.1.1
 permit udp host 10.1.1.2 eq 1813 host 10.1.1.1
 permit ip any any
ip access-list extended sdm_fastethernet0/0_out
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended sdm_fastethernet0/1_in
 remark SDM_ACL Category=1
 remark IPSec Rule
 permit ip 192.168.100.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 remark IPSec Rule
 permit ip 192.168.68.128 0.0.0.127 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 remark IPSec Rule
 permit ip 192.168.69.0 0.0.0.127 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 remark IPSec Rule
 permit ip 192.168.68.0 0.0.0.127 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 remark IPSec Rule
 permit ip 192.168.64.0 0.0.0.127 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 remark IPSec Rule
 permit ip ##.###.###.### 0.0.0.127 10.1.0.0 0.0.255.255
 permit udp host ##.###.###.### host ##.###.###.### eq non500-isakmp
 permit udp host ##.###.###.### host ##.###.###.### eq isakmp
 permit esp host ##.###.###.### host ##.###.###.###
 permit ahp host ##.###.###.### host ##.###.###.###
 permit tcp any host ##.###.###.### eq 3389
 permit udp host ##.###.###.### eq domain host ##.###.###.###
 permit udp host ##.###.###.### eq domain host ##.###.###.###
 permit ip any any
ip access-list extended sdm_fastethernet0/1_out
 remark SDM_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.1.0.0 0.0.255.255 192.168.63.128 0.0.0.127
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.68.128 0.0.0.127
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.69.0 0.0.0.127
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.68.0 0.0.0.127
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.64.0 0.0.0.127
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.1.0.0 0.0.255.255 192.168.63.128 0.0.0.127
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.1.0.0 0.0.255.255 192.168.64.0 0.0.0.127
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.1.0.0 0.0.255.255 192.168.68.0 0.0.0.127
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.1.0.0 0.0.255.255 192.168.69.0 0.0.0.127
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.1.0.0 0.0.255.255 192.168.68.128 0.0.0.127
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.1.0.0 0.0.255.255 192.168.100.0 0.0.0.255
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
radius-server host 10.1.1.31 auth-port 1645 acct-port 1646
!
control-plane
!
banner exec ^CCCCC
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Question by:jriggy
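The SDM message in the question means its test found no up interface carrying crypto. As an added example (editor's code, not from the poster or from Cisco), here is a small Python linter that runs that same check over a running-config: it finds every interface with a "crypto map" or "tunnel protection ipsec" applied, resolves "ip unnumbered" to the interface it borrows its address from, and reports whether each one is up, shut, or unaddressed. It also flags management settings that are literally present in the posted config: "transport input telnet" on the vty lines, "ip http server" together with "no ip http secure-server", and the 3DES / DH group 2 ISAKMP policy, plus the fact that the ISAKMP pre-shared keys appear in the clear (they were pasted into this public post, so they should be treated as compromised and rotated). The sample config inside the block is a constructed, trimmed copy of the posted one with the masked addresses replaced by RFC 5737 documentation addresses, and the finding codes are this example's own names, not SDM or IOS output.

```python
# Added example, not from the original post. SAMPLE_CONFIG is a constructed, trimmed
# copy of the posted config; masked addresses replaced by RFC 5737 documentation ranges.
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp key ExamplePSK address 203.0.113.10 no-xauth
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.10
 match address 100
!
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.248
 crypto map SDM_CMAP_1
!
interface Virtual-Template4 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel protection ipsec profile SDM_Profile1
!
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet
"""

Block = Tuple[str, List[str]]  # a top-level command and its indented sub-commands


def parse_config(text: str) -> List[Block]:
    """Split an IOS config into top-level commands plus their indented children."""
    blocks: List[Block] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def interfaces_of(blocks: List[Block]) -> Dict[str, List[str]]:
    # "interface Virtual-Template4 type tunnel" -> key "Virtual-Template4"
    return {h.split()[1]: body for h, body in blocks if h.startswith("interface ")}


def has(body: List[str], prefix: str) -> bool:
    return any(line.startswith(prefix) for line in body)


def interface_state(name: str, ifaces: Dict[str, List[str]], depth: int = 0) -> str:
    """'up' only if not shut and addressed, directly or via ip unnumbered from an
    interface that is itself up; otherwise 'shutdown' or 'no ip address'."""
    body = ifaces.get(name, [])
    if "shutdown" in body:
        return "shutdown"
    if has(body, "ip address "):
        return "up"
    for line in body:
        if line.startswith("ip unnumbered ") and depth < 8:
            return interface_state(line.split()[2], ifaces, depth + 1)
    return "no ip address"


def management_findings(blocks: List[Block]) -> List[str]:
    """Exposed or legacy settings literally present in the config text (the codes
    are this example's own names, not IOS or SDM output)."""
    heads = [h for h, _ in blocks]
    found = set()
    if any(h.startswith("crypto isakmp key ") for h in heads):
        found.add("PSK_IN_CONFIG")       # pre-shared keys readable in the config
    if "ip http server" in heads and "no ip http secure-server" in heads:
        found.add("HTTP_PLAINTEXT")      # SDM/web management over plain HTTP only
    for head, body in blocks:
        if head.startswith("line vty") and has(body, "transport input telnet"):
            found.add("VTY_TELNET")      # cleartext CLI management
        if head.startswith("crypto isakmp policy") and (
                "encr 3des" in body or "group 1" in body or "group 2" in body):
            found.add("LEGACY_IKE_POLICY")  # 3DES and DH groups 1-2 are legacy
    return sorted(found)


def lint(text: str) -> dict:
    blocks = parse_config(text)
    ifaces = interfaces_of(blocks)
    crypto = {n: interface_state(n, ifaces) for n, body in ifaces.items()
              if has(body, "crypto map ") or has(body, "tunnel protection ipsec")}
    return {
        "crypto_interfaces": crypto,
        # the condition behind "all the crypto applied interface(s) are down or
        # no crypto applied interface is present"
        "sdm_error": not any(s == "up" for s in crypto.values()),
        "findings": management_findings(blocks),
    }
```

Feed it the full "show running-config" output. For the posted config it reports FastEthernet0/1 (crypto map applied, addressed, not shut) and Virtual-Template4 (unnumbered from FastEthernet0/1) as up, so the SDM message is worth checking against what the router itself says in "show ip interface brief" and "show crypto map" before changing the crypto config.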
3 Comments
 

Accepted Solution

by:
jriggy earned 0 total points
ID: 23691665
Ended up solving on my own!

Expert Comment

by:Avalerion
ID: 24602167
How?

Expert Comment

by:MultiLink
ID: 25154847
Yes, how??? Please let us know; we're having the same error here.
