lowlynetworktech
Technical User
I'm testing a new VPN solution and am having problems getting the authorization to be automatic(local).
I've got a PIX 515 at the head-end, and an 1812 at the remote end.
Here's the message I get on the head end:
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
Looks like it wants the remote to authenticate before connecting. I want the remote to authenticate locally and automatically connect. I'm at a loss. Below are the badly mutilated configs. Not sure if they'll help any:
HEAD-END
ISDN-Pix# sho run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 sprint security5
nameif ethernet3 intf3 security98
nameif ethernet4 intf4 security97
nameif ethernet5 intf5 security96
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name
no pager
logging on
logging timestamp
logging console warnings
logging monitor warnings
logging buffered notifications
logging trap warnings
logging history warnings
logging queue 50
logging host inside *************
mtu outside 1500
mtu inside 1500
mtu sprint 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
ip address outside ****************
ip address inside *******************
ip address sprint ******************
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool ***************
ip local pool iso *************
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address sprint
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
router ospf 101
network ***************
network *******************
router-id ***************
log-adj-changes
redistribute static metric 10000 subnets
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map sprint_map 10 ipsec-isakmp dynamic dynmap
crypto map sprint_map 118 ipsec-isakmp
crypto map sprint_map 118 match address sprint_cryptomap_118
crypto map sprint_map 118 set peer **************
crypto map sprint_map 118 set transform-set ESP-3DES-MD5
crypto map sprint_map 996 ipsec-isakmp
crypto map sprint_map 996 match address sprint_cryptomap_996
crypto map sprint_map 996 set peer ********************
crypto map sprint_map 996 set transform-set ESP-3DES-MD5
crypto map sprint_map client authentication LOCAL
crypto map sprint_map interface sprint
isakmp enable sprint
isakmp key ******** address ********** netmask 255.255.255.255 no-xauth
isakmp key ******** address*********** netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption aes-256
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
vpngroup tofsi address-pool iso
vpngroup tofsi dns-server ********
vpngroup tofsi default-domain **********
vpngroup tofsi split-tunnel **************
vpngroup tofsi split-dns **************
vpngroup tofsi idle-time 1800
vpngroup tofsi password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
: end
*************************************************
REMOTE END
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address *******************
!
ip dhcp pool sdm-pool1
network *************
domain-name *********
dns-server **************
default-router************
!
!
ip name-server *************
!
!
!
!
!
!
!
crypto ipsec transform-set toffsi esp-3des esp-md5-hmac
crypto ipsec transform-set TOFSI esp-3des esp-md5-hmac
!
crypto ipsec client ezvpn TOFSI
connect auto
group tofsi key ***
mode network-extension
peer ************
username tofsi password **********
xauth userid mode local
!
!
crypto dynamic-map ******* 1
set transform-set ********
!
!
!
!
interface FastEthernet0
description
ip address*************
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn *****
!
interface FastEthernet1
description
ip address ***************
duplex auto
speed auto
crypto ipsec client ezvpn ***********
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address *****************
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ********
!
interface Vlan2
no ip address
!
ip route 0.0.0.0 0.0.0.0 ********* permanent
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Router#
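As an added example (not from the original post), here is a small Python checker that compares the two posted configs against the XAUTH demand the debug lines show: the PIX crypto map requests XAUTH from its LOCAL server, and an IOS EzVPN client can only answer that without a prompt if it stores a `username` under `xauth userid mode local`. The excerpts are constructed from the post with its redacted values; that the head-end's own `username ... password` line is absent from the paste is something the checker flags, not something it can decide was a real omission.

```python
import re
# Constructed excerpts of the two configs from the post (values redacted as posted).
PIX_CONFIG = """\
aaa-server LOCAL protocol local
crypto map sprint_map client authentication LOCAL
isakmp key ******** address ********** netmask 255.255.255.255 no-xauth
vpngroup tofsi address-pool iso
vpngroup tofsi password ********
"""
IOS_CONFIG = """\
crypto ipsec client ezvpn TOFSI
 connect auto
 group tofsi key ***
 username tofsi password **********
 xauth userid mode local
"""

def ezvpn_client_body(ios_cfg, name):
    """Return the indented sub-commands of 'crypto ipsec client ezvpn <name>'."""
    body, inside = [], False
    for line in ios_cfg.splitlines():
        if line.startswith(f"crypto ipsec client ezvpn {name}"):
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body

def xauth_findings(pix_cfg, ios_cfg, client_name):
    """List mismatches between the PIX XAUTH demand and the EzVPN client's stored credentials."""
    findings = []
    m = re.search(r"^crypto map \S+ client authentication (\S+)", pix_cfg, re.M)
    if m:
        findings.append(f"head-end demands XAUTH against aaa-server {m.group(1)}")
        # PIX 6.3 LOCAL auth needs a 'username <u> password <p>' entry in the running config
        if m.group(1) == "LOCAL" and not re.search(r"^username \S+ password", pix_cfg, re.M):
            findings.append("head-end LOCAL database has no 'username ... password' entry")
    body = ezvpn_client_body(ios_cfg, client_name)
    if "xauth userid mode local" not in body:
        findings.append("client lacks 'xauth userid mode local'; XAUTH would prompt interactively")
    if not any(l.startswith("username ") for l in body):
        findings.append("client stores no username/password to answer XAUTH")
    if "connect auto" not in body:
        findings.append("client lacks 'connect auto'")
    group = next((l.split()[1] for l in body if l.startswith("group ")), None)
    if group and not re.search(rf"^vpngroup {re.escape(group)} ", pix_cfg, re.M):
        findings.append(f"client group '{group}' has no matching vpngroup on the head-end")
    return findings
```

Run it against fuller copies of both running configs; an empty list means the client side can satisfy the XAUTH request on its own, so remaining prompts point at the head-end's user database or the aaa-server choice.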