Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Phase 1 issues.. Can't see with my Eyes.. 1

Status
Not open for further replies.
fdurham

fdurham

MIS
Sep 14, 2005
103
US
I have been staring at this config now for the better part of the night an into this morning. I have ran all the basic debugs and my config is failing on phase 1. I have included the config on the router for the VPN clients. Can some one tell me what I am missing.

Thanks
Frank

aaa new-model
!
!
aaa authentication login vpnlist local
!
username ******* privilege 15 secret 5 $1$ySi2$vss6W4hieQaGgvxe9QyNy1
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 11
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 12
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 16
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ********* address *********** no-xauth
crypto isakmp client configuration address-pool local 365-1
!
crypto isakmp client configuration group 365vpn
key **********
dns 192.168.0.201 192.168.0.202
wins 192.168.0.201 192.168.0.202
domain 365incorporated.local
pool 365-1
acl 102
include-local-lan
max-users 14
!
!
crypto ipsec transform-set vpn0 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set vpn1 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set vpn2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn3 esp-3des esp-sha-hmac
!
!
crypto dynamic-map dynmap 10
set transform-set vpn0 vpn1 vpn2 vpn3
!
!
crypto map vpn client authentication list vpnlist
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer ************
set transform-set vpn0
match address 105
crypto map vpn 50 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description Internal 365Inc LAN
ip address xxx.xxx.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description ISP WAN Interface
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip access-group 103 in
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map vpn
!
ip local pool 365-1 192.168.6.1 192.168.6.14
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip nat pool outside xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.224
ip nat inside source route-map ins_2_int interface FastEthernet0/1 overload
!

access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.1.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 172.17.0.0 0.0.15.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.14.0 0.0.1.255
access-list 106 deny ip 192.168.0.0 0.0.0.255 172.17.0.0 0.0.15.255
access-list 106 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.1.255
access-list 106 deny ip 192.168.0.0 0.0.0.255 192.168.14.0 0.0.1.255
access-list 106 deny ip 192.168.0.0 0.0.0.255 192.168.6.0 0.0.0.15
access-list 106 permit ip any any
route-map ins_2_int permit 1
match ip address 106

 
Sort by date Sort by votes
crypto map vpn client authentication list vpnlist
where is vpnlist? There is usually a problem with xauth or client auth when phase 1 cannot complete...you have the client authenticating to vpnlist, but where is it? I would just do xauth...I'll post my config to help you troubleshoot...give me a few minutes...

Burt
 
Upvote 0 Downvote
TO_ADTRAN#sh run
Building configuration...

Current configuration : 3297 bytes
Last configuration change at 08:24:51 CST Thu Jun 26 2008 by NVRAM
config last updated at 14:56:26 CST Sat Jun 21 2008 by
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TO_ADTRAN
boot-start-marker
boot-end-marker
security authentication failure rate 2 log
enable secret xxxxxxxxxxxxxx
enable password xxxxxxxxxxxxx
aaa new-model
aaa authentication login sms_vpn_xauth local
aaa authorization network sms_vpn_group local
aaa session-id common
resource policy
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
no ip ips deny-action ips-interface
ip domain name sms.stl.com
ip host lan 192.168.2.2
ip name-server xxxxxxxxxxxxx
ip name-server xxxxxxxxxxxxx
no ftp-server write-enable
username xxxxxxxxxx privilege 15 password 0 xxxxxxxxxxx
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
no crypto isakmp ccm
crypto isakmp client configuration group xxxxxxxxxxxxx
key xxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map vpn_cmap_1 client authentication list sms_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list sms_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface FastEthernet0/0
description TO_ADTRAN
ip address xxxxxxxxxxxxxxxxxxx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn_cmap_1
interface Serial0/0
description TO_LAN
ip address 192.168.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly
encapsulation ppp
no dce-terminal-timing-enable
interface Serial0/1
no ip address
shutdown
no dce-terminal-timing-enable
ip local pool vpn_pool_1 192.168.3.1 192.168.3.2
ip classless
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxx
ip route 192.168.1.0 255.255.255.0 192.168.2.2
no ip http server
no ip http secure-server
ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload
access-list 101 deny ip any host 192.168.3.1
access-list 101 deny ip any host 192.168.3.2
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map vpn_routemap_1 permit 1
match ip address 101
control-plane

Burt
 
Upvote 0 Downvote
Burt-

Thanks for your replay. my vpnlist is on the first line above...

aaa authentication login vpnlist local

This is my list which shold query the local user database.

Frank
 
Upvote 0 Downvote
Yeah, I'm the blind one...try and config yours like mine...

Burt
 
Upvote 0 Downvote
Burt-

Appreciate you config. I must admit, i am th eone that is blind. I did not issue these two commands..

aaa authorization network groupauthor local
crypto map vpn isakmp authorization list groupauthor

Once I put this in my config, phase 1 and phase 2 complete and establisd a VPN session. Thanks for your help.

Frank
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Zero6
  • Locked
  • Question
question about cisco cbs 350-12xs 12 port 10g sfp+
Replies
0
Views
136
Zero6
Zero6
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
402
BIS
BIS
PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
191
bdk76
bdk76
inlsp05
  • Locked
  • Question
2811 ios start with cf
Replies
0
Views
91
inlsp05
inlsp05
khashyar2021
  • Locked
  • Question
Problem with cisco switch after upgrading
Replies
1
Views
133
Geraldine Souza
Geraldine Souza

Part and Inventory Search

Sponsor

Back
Top