andersenks
asked on
Cisco remote VPN client config with IAS
Trying to configure a 2821 router to allow remote clients to connect. Looks like IAS is configured correctly. IAS shows authentication successful. The client prompts for a username and password, I log in and it shows "Securing communication channel" then disconnects. The Cisco client log shows:
101 12:56:56.820 12/20/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8AB230FC3EBC5C3F R_Cookie=024FC51C58CD05AF) reason = DEL_REASON_IKE_NEG_FAILED
102 12:56:56.820 12/20/09 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED ". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
Can someone look at my config below and see what I have missed?
Thank you.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authentication login REMOTE local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
import all
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
domain-name domain.com
dns-server 192.168.100.5 172.16.5.1 192.168.100.15
lease 4
update arp
!
ip dhcp pool VoIP-Network
import all
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name domain.com
dns-server 172.16.5.1
option 156 ascii "ftpservers=172.16.5.20"
option 42 ip 172.16.5.20
lease 4
update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
no dspfarm
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3438045733
revocation-check none
rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
username cisc0admin privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 208.57.x.x
!
crypto isakmp client configuration group VPN
key xxxxxx!
dns 172.16.5.1 192.168.100.5
domain domain.com
pool vpnpool
acl 140
crypto isakmp profile VPNclient
match identity group VPN
client authentication list UserAuth
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 5
set transform-set securevpn
set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
set peer 208.57.x.x
set transform-set securevpn
match address 110
!
!
!
!
interface Vif1
no ip address
!
interface GigabitEthernet0/0
description $FW_INSIDE$
ip address 172.16.5.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 172.16.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
no ip mroute-cache
frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
no ip address
!
interface Virtual-Template1
description $FW_OUTSIDE$
ip address 66.167.x.x 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect TELNET in
ip inspect SDM_LOW out
ip virtual-reassembly
ppp chap hostname xxxxx
ppp chap password 7 xxxx
crypto map VPN
!
interface Virtual-TokenRing1
no ip address
ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.167.x.x 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.167.x.x 9090 extendable
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip 66.167.224.24 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny ip 66.167.224.24 0.0.0.7 any
access-list 102 deny ip 172.16.5.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 172.16.10.0 0.0.0.255 any
access-list 103 deny ip 172.16.5.0 0.0.0.255 any
access-list 103 deny ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 020A54480A0A1B715F0F
!
control-plane
It looks like you don't have your dynamic crypto map assigned to the crypto map on the interface. Try adding the following to see if it clears things up for you.
crypto map VPN 10 ipsec-isakmp dynamic dynmap
ASKER
I see what you are saying. Reconfigured everything and still having the same issue.... See code below for changes.
Thanks
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2821_RO
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login con local
aaa authentication login user local
aaa authentication login REMOTE local
aaa authentication login userauthen group radius local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
import all
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
domain-name domain.com
dns-server 192.168.100.5 172.16.5.1 192.168.100.15
lease 4
update arp
!
ip dhcp pool VoIP-Network
import all
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
domain-name domain.com
dns-server 172.16.5.1
option 156 ascii "ftpservers=172.16.5.20"
option 42 ip 172.16.5.20
lease 4
update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
no dspfarm
!
!
username cisc0admin privilege 15 password 7 0507561C20405A590A
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key l0salt0s address 208.57.93.171
!
crypto isakmp client configuration group LosAltosVPN
key l0salt0s!
dns 172.16.5.1 192.168.100.5
domain domain.com
pool vpnpool
acl 140
crypto isakmp profile VPNclient
match identity group LosAltosVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set securevpn
set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
set peer 208.57.93.171
set transform-set securevpn
match address 110
!
!
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Vif1
no ip address
!
interface GigabitEthernet0/0
description $FW_INSIDE$
ip address 172.16.5.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 172.16.10.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
no ip mroute-cache
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
no ip mroute-cache
frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
no ip address
!
interface Virtual-Template1
description $FW_OUTSIDE$
ip address 66.167.x.x 255.255.255.248
ip access-group 103 in
ip verify unicast reverse-path
ip nat outside
ip inspect TELNET in
ip inspect SDM_LOW out
ip virtual-reassembly
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxx
crypto map VPN
!
interface Virtual-TokenRing1
no ip address
ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable
!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 100 remark Tunnel to Nelson
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip 66.167.224.24 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny ip 66.167.224.24 0.0.0.7 any
access-list 102 deny ip 172.16.5.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.93.171 host 66.167.x.x
access-list 103 permit esp host 208.57.93.171 host 66.167.x.x
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny ip 172.16.10.0 0.0.0.255 any
access-list 103 deny ip 172.16.5.0 0.0.0.255 any
access-list 103 deny ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 110 remark Tunnel to Nelson
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxx
!
control-plane
!
!
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
password 7 xxxxxxxx
authorization exec REMOTE
login authentication REMOTE
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
ASKER CERTIFIED SOLUTION
ASKER
Ahhh geez.... that was it! Thank you!
Can you take a look at my access lists? Can't ping from remote PC (172.16.40.x) to the 172.16.x.x network but can ping the 192.168.100.x network across the tunnel.
If it's too involved I'll open another question.
Thanks again
Sure.
Your access list 140 only permits IP traffic to/from 192.168.100.0/24 to the VPN pool.
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
Add the following to get access to the LAN:
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
If you want the VPN to access the ShoreTel network, add the following:
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
Just keep going with the same pattern until you have all of the networks that need to go across the VPN added.
ASKER
Tried that with no success; here is the current ACL:
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny ip 66.167.x.x 0.0.0.7 any
access-list 101 deny ip 172.16.10.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny ip 66.167.x.x 0.0.0.7 any
access-list 102 deny ip 172.16.5.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 103 deny ip 172.16.5.0 0.0.0.255 any
access-list 103 deny ip 172.16.10.0 0.0.0.255 any
access-list 103 deny ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.0.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
When you apply the changes to access list 140 and reconnect, what routes show up in your VPN client?
ASKER
I think I got it... had to add a line in the 199 ACL
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any
Whoops... forgot the NAT. Yes, that'll do it.
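As an added example (not code from the thread or from Cisco), a Python lint that checks a config excerpt for the two things this thread turns on: whether the crypto map applied on the interface has a dynamic entry under exactly that name (the second posted config binds the dynamic map under `vpn` while Virtual-Template1 carries `VPN`, and IOS treats those as two different maps), and whether every LAN-to-pool pair permitted by the split-tunnel ACL 140 is denied by the NAT route-map ACL 199 rather than falling through to `permit ip any any`. The `SAMPLE_CONFIG` excerpt and the `INSIDE_LANS` list are constructed from the thread's own addresses.

```python
"""Lint an IOS config excerpt for the two faults this thread walks through: a dynamic
crypto map not bound to the map on the interface, and split-tunnel networks still NATed."""
import ipaddress
import re

# Constructed excerpt mirroring the asker's second posted config, not a full running-config.
SAMPLE_CONFIG = """\
crypto dynamic-map dynmap 10
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.93.171
crypto map vpn 10 ipsec-isakmp dynamic dynmap
interface Virtual-Template1
 crypto map VPN
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
"""
INSIDE_LANS = ["172.16.5.0/24", "172.16.10.0/24"]  # subnets behind the 'ip nat inside' ports

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip "
                    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)$")

def to_network(token):
    """IOS 'any' / 'host A' / 'A WILDCARD' -> ip_network (an IOS wildcard is a hostmask)."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    addr, wildcard = token.split()
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2), to_network(m.group(3)), to_network(m.group(4))))
    return acls

def check_crypto_map_binding(config):
    """The map applied with 'crypto map X' on an interface needs a dynamic entry under
    exactly that name; IOS crypto map names are case-sensitive."""
    applied = set(re.findall(r"^\s+crypto map (\S+)$", config, re.M))
    dynamic = set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic ", config, re.M))
    findings = []
    for name in sorted(applied - dynamic):
        near = [d for d in dynamic if d.lower() == name.lower()]
        findings.append(f"crypto map {name!r}: dynamic entry is under {near[0]!r} (case mismatch)"
                        if near else f"crypto map {name!r}: no dynamic entry for remote clients")
    return findings

def check_nat_exemption(acls, split_acl, nat_acl, inside_lans):
    """Each LAN->pool pair the split-tunnel ACL permits must hit a deny in the NAT
    route-map ACL (first matching entry wins); a permit there means the reply to the
    VPN client is translated instead of going back through the tunnel."""
    inside = [ipaddress.ip_network(n) for n in inside_lans]
    missing = []
    for action, src, dst in acls.get(split_acl, []):
        if action != "permit" or not any(src.subnet_of(n) for n in inside):
            continue  # only traffic sourced on a nat-inside LAN is subject to this NAT rule
        verdict = next((a for a, s, d in acls.get(nat_acl, [])
                        if src.subnet_of(s) and dst.subnet_of(d)), "deny")
        if verdict == "permit":
            missing.append(f"access-list {nat_acl} deny ip {src.network_address} "
                           f"{src.hostmask} {dst.network_address} {dst.hostmask}")
    return missing

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    print(*check_crypto_map_binding(SAMPLE_CONFIG),
          *check_nat_exemption(acls, "140", "199", INSIDE_LANS), sep="\n")
```

Each missing deny is printed in the form you would paste into ACL 199 ahead of its `permit ip any any`; the asker's broader `172.16.0.0 0.0.255.255` deny covers the same pair in one line.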
ASKER
Thanks Jodylemoine
ASKER
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E):Or
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Dec 21 04:36:19.231: RADIUS(0000006E): Config NAS IP: 0.0.0.0
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): acct_session_id: 105
*Dec 21 04:36:19.231: RADIUS(0000006E): sending
*Dec 21 04:36:19.235: RADIUS/ENCODE: Best Local IP-Address 172.16.5.1 for Radius-Server 172.16.5.4
*Dec 21 04:36:19.235: RADIUS(0000006E): Send Access-Request to 172.16.5.4:1812 id 1645/17, len 75
*Dec 21 04:36:19.235: RADIUS: authenticator 51 93 2D A0 BE 35 05 42 - 2D 72 CD 83 ED C5 31 57
*Dec 21 04:36:19.235: RADIUS: User-Name [1] 15 "administrator"
*Dec 21 04:36:19.235: RADIUS: User-Password [2] 18 *
*Dec 21 04:36:19.235: RADIUS: Calling-Station-Id [31] 16 "71.106.x.x"
*Dec 21 04:36:19.235: RADIUS: NAS-IP-Address [4] 6 172.16.5.1
*Dec 21 04:36:19.239: RADIUS: Received from id 1645/17 172.16.5.4:1812, Access-Accept, len 64
*Dec 21 04:36:19.239: RADIUS: authenticator C3 0A 18 88 0B 1A F4 10 - A1 1B AD C6 59 51 52 84
*Dec 21 04:36:19.239: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Dec 21 04:36:19.239: RADIUS: Service-Type [6] 6 Framed [2]
*Dec 21 04:36:19.239: RADIUS: Class [25] 32
*Dec 21 04:36:19.239: RADIUS: 3F 5F 04 9D 00 00 01 37 00 01 AC 10 05 04 01 CA [?_?????7????????]
*Dec 21 04:36:19.239: RADIUS: 81 20 ED 10 54 CC 00 00 00 00 00 00 00 15 [? ??T?????????]
*Dec 21 04:36:19.239: RADIUS(0000006E): Received from id 1645/17
*Dec 21 04:36:19.239: RADIUS: Constructed " ppp negotiate"