IOS VPN ?


Rearview

I am trying to get a client/server VPN going with my 2611 router (with a VPN AIM). I just upgraded to IOS 12.2(15)T12.

I already have three LAN to LAN VPNs going through this router with Cisco routers at the other end also (and they still work right now). I'm using this document as a guide:


Here is my config. I changed IP addresses and passwords and users in the list. When I try to connect with the Cisco VPN client from home, it doesn't even make a connection. I'm using "3000client" for my group authentication with the key for the password (in the config below, that is ddddddd).

Any help would be appreciated. Thanks,

version 12.2
no parser cache
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rtr2611
!
boot system flash c2600-ik9o3s3-mz.122-15.T12.bin
logging queue-limit 100
enable secret 5 $1$r2fS$ru30jirrl8ciltLPVI4P3/
!
username **** password 7 011A06204D5216
username **** privilege 15 password 7 03145C1B044D703E1D
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip name-server 4.2.2.2
!
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key aaaaaa address 65.1.1.1
crypto isakmp key bbbbbbb address 66.1.1.1
crypto isakmp key cccccc address 64.1.1.1
!
crypto isakmp client configuration group 3000client
key dddddddd
dns 192.168.1.2
wins 192.168.1.2
domain my-organization.com
pool ippool
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set set1
!
!
crypto map mhmrvpn local-address Ethernet0/0
crypto map mhmrvpn 1 ipsec-isakmp
set peer 65.1.1.1
set transform-set mhmr1
match address 165
crypto map mhmrvpn 2 ipsec-isakmp
set peer 66.1.1.1
set transform-set mhmr1
match address 166
crypto map mhmrvpn 3 ipsec-isakmp
set peer 64.1.1.1
set transform-set mhmr1
match address 164
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0/0
description DSL Network
ip address <My IP> 255.255.255.248
no ip proxy-arp
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
no cdp enable
crypto map mhmrvpn
!
interface Ethernet0/1
description Internal LAN
ip address <internal IP> 255.255.255.0
ip nat inside
ip policy route-map breaknat
half-duplex
!
router rip
version 2
passive-interface Ethernet0/0
network 192.168.1.0
no auto-summary
!
ip local pool ippool 192.168.1.130 192.168.1.140
ip nat pool ver-1 <My IP> <My IP> prefix-length 29
ip nat inside source list 110 interface Ethernet0/0 overload
ip nat inside source route-map nonat interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 4.3.80.1
!
!
access-list 1 deny 192.168.64.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.65.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.64.0 0.0.0.255 any
access-list 110 deny ip 192.168.65.0 0.0.0.255 any
access-list 110 deny ip 192.168.66.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.65.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.66.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
access-list 164 permit ip 192.168.1.0 0.0.0.255 192.168.64.0 0.0.0.255
access-list 165 permit ip 192.168.1.0 0.0.0.255 192.168.65.0 0.0.0.255
access-list 166 permit ip 192.168.1.0 0.0.0.255 192.168.66.0 0.0.0.255
arp 192.168.1.19 03bf.c0a8.0113 ARPA
!
route-map breaknat permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
route-map nonat permit 10
match ip address 110
!
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner motd ^C******************************************
**** Unauthorized Entry is Prohibited ****
******************************************^C
!
line con 0
password 7 011A17374F1717
line aux 0
line vty 5 15
!
!
end
 
Edit the profile with Notepad and post it in here. If you aren't even getting to a login, then phase 1 is not working.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
 
The VPN profile. It ends with .pcf and is located in the profile directory of your VPN client installation.


It is what it is!!
__________________________________
A+, Net+, I-Net+, Certified Web Master, MCP, MCSA, MCSE, CCNA, CCDA, and few others (I got bored one day)
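
A consistency check over the crypto sections of the configuration posted in this thread, added here as an example and not part of any participant's post. An IOS interface takes a single crypto map, so entries defined under any other map name are never consulted; the function name `audit_crypto` and the result keys are assumptions of this example, and `CONFIG` is an excerpt of the posted lines.

```python
# Added example: cross-check crypto map and transform-set names in an IOS config.
# CONFIG is a constructed excerpt: crypto-related lines copied from the post above.
CONFIG = """\
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set set1
crypto map mhmrvpn local-address Ethernet0/0
crypto map mhmrvpn 1 ipsec-isakmp
set peer 65.1.1.1
set transform-set mhmr1
match address 165
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
interface Ethernet0/0
crypto map mhmrvpn
"""


def audit_crypto(config):
    """Return naming inconsistencies between crypto definitions and their use."""
    defined_maps, applied_maps = set(), set()
    defined_ts, used_ts = set(), set()
    dynamic_maps, client_auth_maps = set(), set()
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["crypto", "map"] and len(w) == 3:
            applied_maps.add(w[2])  # bare form: map bound to an interface
        elif w[:2] == ["crypto", "map"] and len(w) > 3:
            defined_maps.add(w[2])  # global form: an entry or option of the map
            if "dynamic" in w[3:]:
                dynamic_maps.add(w[2])
            if w[3:5] == ["client", "authentication"]:
                client_auth_maps.add(w[2])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            defined_ts.add(w[3])
        elif w[:2] == ["set", "transform-set"]:
            used_ts.update(w[2:])  # one entry may list several sets
    return {
        "unapplied_maps": sorted(defined_maps - applied_maps),
        "undefined_transform_sets": sorted(used_ts - defined_ts),
        "dynamic_entry_on_interface": bool(dynamic_maps & applied_maps),
        "client_auth_on_interface": bool(client_auth_maps & applied_maps),
    }


if __name__ == "__main__":
    for check, result in audit_crypto(CONFIG).items():
        print(f"{check}: {result}")
```

On the posted lines it reports `myvpn` and `clientmap` as defined but not bound to any interface, and `mhmr1` as referenced without a matching `crypto ipsec transform-set` line in the posted text.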
 