andersenks asked:

Cisco remote VPN client config with IAS

Trying to configure a 2821 router to allow remote clients to connect. Looks like IAS is configured correctly. The IAS shows authentication successful. The client prompts for a username and password, I log in and it shows "Securing communication channel" then disconnects. The Cisco client log shows:

101    12:56:56.820  12/20/09  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8AB230FC3EBC5C3F R_Cookie=024FC51C58CD05AF) reason = DEL_REASON_IKE_NEG_FAILED

102    12:56:56.820  12/20/09  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

Can someone look at my config below and see what I have missed?

Thank you.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authentication login REMOTE local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name domain.com
   dns-server 192.168.100.5 172.16.5.1 192.168.100.15
   lease 4
   update arp
!
ip dhcp pool VoIP-Network
   import all
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   domain-name domain.com
   dns-server 172.16.5.1
   option 156 ascii "ftpservers=172.16.5.20"
   option 42 ip 172.16.5.20
   lease 4
   update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
 no dspfarm
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3438045733
 revocation-check none
 rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
 
username cisc0admin privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 208.57.x.x
!
crypto isakmp client configuration group VPN
 key xxxxxx!
 dns 172.16.5.1 192.168.100.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   match identity group VPN
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set securevpn
 set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.x.x
 set transform-set securevpn
 match address 110
!
!
!
!
interface Vif1
 no ip address
!
interface GigabitEthernet0/0
 description $FW_INSIDE$
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 ip address 66.167.x.x 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ppp chap hostname xxxxx
 ppp chap password 7 xxxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.167.x.x 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.167.x.x 9090 extendable

!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.167.224.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.224.24 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 020A54480A0A1B715F0F
!
control-plane

andersenks (ASKER):

I enabled debug radius. This is what I get when I try to connect...

*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E):Orig. component type = VPN_IPSEC
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Dec 21 04:36:19.231: RADIUS(0000006E): Config NAS IP: 0.0.0.0
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): acct_session_id: 105
*Dec 21 04:36:19.231: RADIUS(0000006E): sending
*Dec 21 04:36:19.235: RADIUS/ENCODE: Best Local IP-Address 172.16.5.1 for Radius-Server 172.16.5.4
*Dec 21 04:36:19.235: RADIUS(0000006E): Send Access-Request to 172.16.5.4:1812 id 1645/17, len 75
*Dec 21 04:36:19.235: RADIUS:  authenticator 51 93 2D A0 BE 35 05 42 - 2D 72 CD 83 ED C5 31 57
*Dec 21 04:36:19.235: RADIUS:  User-Name           [1]   15  "administrator"
*Dec 21 04:36:19.235: RADIUS:  User-Password       [2]   18  *
*Dec 21 04:36:19.235: RADIUS:  Calling-Station-Id  [31]  16  "71.106.x.x"
*Dec 21 04:36:19.235: RADIUS:  NAS-IP-Address      [4]   6   172.16.5.1
*Dec 21 04:36:19.239: RADIUS: Received from id 1645/17 172.16.5.4:1812, Access-Accept, len 64
*Dec 21 04:36:19.239: RADIUS:  authenticator C3 0A 18 88 0B 1A F4 10 - A1 1B AD C6 59 51 52 84
*Dec 21 04:36:19.239: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Dec 21 04:36:19.239: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Dec 21 04:36:19.239: RADIUS:  Class               [25]  32
*Dec 21 04:36:19.239: RADIUS:   3F 5F 04 9D 00 00 01 37 00 01 AC 10 05 04 01 CA  [?_?????7????????]
*Dec 21 04:36:19.239: RADIUS:   81 20 ED 10 54 CC 00 00 00 00 00 00 00 15        [? ??T?????????]
*Dec 21 04:36:19.239: RADIUS(0000006E): Received from id 1645/17
*Dec 21 04:36:19.239: RADIUS: Constructed " ppp negotiate"

Jody Lemoine:
It looks like you don't have your dynamic crypto map assigned to the crypto map on the interface.  Try adding the following to see if it clears things up for you.

crypto map VPN 10 ipsec-isakmp dynamic dynmap
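
Added example, not part of the thread and not Cisco tooling: a small Python audit for the condition described in the reply above, a `crypto dynamic-map` that never reaches an interface through a `crypto map` entry. The function name and the sample excerpts are constructed from the posted config; tags are compared exactly as written, on the assumption that IOS treats crypto map tags as case-sensitive.

```python
import re

# Excerpt of the first posted config: dynmap is defined but never attached.
ORIGINAL = """\
crypto dynamic-map dynmap 5
 set transform-set securevpn
 set isakmp-profile VPNclient
!
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.x.x
 set transform-set securevpn
 match address 110
!
interface Virtual-Template1
 ip address 66.167.x.x 255.255.255.248
 crypto map VPN
"""
# The line suggested in the reply, attached to the same tag the interface uses.
FIXED = ORIGINAL + "crypto map VPN 10 ipsec-isakmp dynamic dynmap\n"
# Constructed variant: same line, but the tag differs in case from the interface's.
LOWERCASE = ORIGINAL + "crypto map vpn 10 ipsec-isakmp dynamic dynmap\n"


def audit_crypto_maps(config):
    """Return findings for dynamic crypto maps that no interface ends up using."""
    dynamic_maps = set()   # names from "crypto dynamic-map <name> <seq>"
    references = {}        # dynamic-map name -> crypto map tags that reference it
    applied = set()        # crypto map tags applied under an interface
    in_interface = False

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):           # a top-level line opens or closes a block
            in_interface = line.startswith("interface ")
        text = line.strip()
        m = re.match(r"crypto dynamic-map (\S+) \d+$", text)
        if m:
            dynamic_maps.add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", text)
        if m:
            references.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+)$", text)
        if m and in_interface:
            applied.add(m.group(1))

    findings = []
    for name in sorted(dynamic_maps):
        tags = references.get(name, set())
        if not tags:
            findings.append(f"dynamic-map {name}: not referenced by any crypto map")
        elif not tags & applied:
            findings.append(f"dynamic-map {name}: referenced only by {sorted(tags)}, "
                            f"but interfaces apply {sorted(applied)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED), ("lowercase", LOWERCASE)):
        print(label, audit_crypto_maps(cfg) or "ok")
```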

I see what you are saying. Reconfigured everything and still having the same issue.... See code below for changes.

Thanks
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2821_RO
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login con local
aaa authentication login user local
aaa authentication login REMOTE local
aaa authentication login userauthen group radius local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name domain.com
   dns-server 192.168.100.5 172.16.5.1 192.168.100.15
   lease 4
   update arp
!
ip dhcp pool VoIP-Network
   import all
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   domain-name domain.com
   dns-server 172.16.5.1
   option 156 ascii "ftpservers=172.16.5.20"
   option 42 ip 172.16.5.20
   lease 4
   update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
 no dspfarm
!
!
username cisc0admin privilege 15 password 7 0507561C20405A590A
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key l0salt0s address 208.57.93.171
!
crypto isakmp client configuration group LosAltosVPN
 key l0salt0s!
 dns 172.16.5.1 192.168.100.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   match identity group LosAltosVPN
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set securevpn
 set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.93.171
 set transform-set securevpn
 match address 110
!
!
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Vif1
 no ip address
!
interface GigabitEthernet0/0
 description $FW_INSIDE$
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 ip address 66.167.x.x 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable

!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 100 remark Tunnel to Nelson
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.167.224.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.224.24 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.93.171 host 66.167.x.x
access-list 103 permit esp host 208.57.93.171 host 66.167.x.x
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel to Nelson
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxx
!
control-plane
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 xxxxxxxx
 authorization exec REMOTE
 login authentication REMOTE
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ASKER CERTIFIED SOLUTION
Jody Lemoine:
This solution is only available to members.

Ahhh geez.... that was it!  Thank you!

Can you take a look at my access lists? Can't ping from remote PC (172.16.40.x) to the 172.16.x.x network but can ping the 192.168.100.x network across the tunnel.

If it's too involved I'll open another question.

Thanks again
Sure.

Your access list 140 only permits IP traffic to/from 192.168.100.0/24 to the VPN pool.

access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255

Add the following to get access to the LAN:

access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255

If you want the VPN to access the ShoreTel network, add the following:

access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255

Just keep going with the same pattern until you have all of the networks that need to go across the VPN added.
Tried that with no success; here is the current ACL:
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 66.167.x.x 0.0.0.7 any
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.x.x 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.0.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any

When you apply the changes to access list 140 and reconnect, what routes show up in your VPN client?
I think I got it... had to add a line in the 199 ACL

access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any

Whoops... forgot the NAT.  Yes, that'll do it.
Thanks Jodylemoine
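
Added example, not part of the thread: a Python check for the problem the last exchange resolves, where split-tunnel ACL 140 permits LAN-to-pool traffic but NAT ACL 199 (used by `route-map nonat`) still permits the same flow, so replies to VPN clients get translated. Function names are hypothetical; the ACL lines are the ones posted above, the inside networks are taken from the GigabitEthernet0/0 and 0/1 addresses in the posted config, and only `ip` entries with contiguous wildcard masks are handled.

```python
import ipaddress

# ACL 140 (split tunnel) and ACL 199 (NAT route-map) as posted before the fix.
BEFORE = """\
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
"""
# The line the asker added to ACL 199, placed ahead of the final permit.
AFTER = BEFORE.replace(
    "access-list 199 permit",
    "access-list 199 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255\n"
    "access-list 199 permit")
# Networks behind "ip nat inside" interfaces (assumption: read from the posted config).
INSIDE = [ipaddress.ip_network(n) for n in ("172.16.5.0/24", "172.16.10.0/24")]


def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # ip_network accepts a hostmask, which is what an IOS wildcard mask is.
    return ipaddress.ip_network(f"{first}/{wildcard}", strict=False)


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of one numbered ACL."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or len(tokens) < 4:
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            continue                      # remarks and non-ip entries are out of scope
        rest = tokens[4:]
        entries.append((action, parse_addr(rest), parse_addr(rest)))
    return entries


def first_match(acl, src, dst):
    """Verdict of an ACL for the whole flow src -> dst: permit, deny or partial."""
    for action, a_src, a_dst in acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action
        if src.overlaps(a_src) and dst.overlaps(a_dst):
            return "partial"              # entry splits the flow; review by hand
    return "deny"                         # implicit deny ends every ACL


def natted_vpn_flows(config, split_acl=140, nat_acl=199):
    """Split-tunnel flows from inside networks that the NAT ACL does not exempt."""
    nat = parse_acl(config, nat_acl)
    problems = []
    for action, src, dst in parse_acl(config, split_acl):
        if action != "permit" or not any(src.overlaps(n) for n in INSIDE):
            continue                      # only inside-sourced flows hit "ip nat inside"
        verdict = first_match(nat, src, dst)
        if verdict != "deny":             # permitted by ACL 199 means it gets NATed
            problems.append((str(src), str(dst), verdict))
    return problems


if __name__ == "__main__":
    print("before:", natted_vpn_flows(BEFORE))
    print("after: ", natted_vpn_flows(AFTER))
```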