I have a site with 5 locations. The site-to-site VPN is running fine, but the client can't connect with the remote client.
I have configured the IAS server like this:
IAS -> remote access policy -> Connections to other access servers ->
Authentication: Only checkmark in pap, spap
Encryption: checkmark in all boxes
Multilink: server settings determine multi.....
IP: server settings determine IP....
When I try to connect I get: Secure VPN Connection terminated locally by the client, Reason 412: Remote Peer is no longer responding
My config:
PIX Version 6.3(4)
interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname SEVPN1
domain-name xxxxse
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 60 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 70 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 80 permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 90 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inet-incoming permit tcp any host 212.112.164.202 eq www
access-list inet-incoming permit tcp any host 212.112.164.202 eq ftp-data
access-list inet-incoming permit tcp any host 212.112.164.202 eq ftp
access-list inet-incoming permit tcp any host 212.112.164.202 eq https
access-list inet-incoming permit tcp any host 212.112.164.202 eq 3389
access-list inet-incoming permit tcp any host 212.112.164.202 eq pop3
access-list inet-incoming permit tcp any host 212.112.164.202 eq smtp
access-list inet-incoming permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 212.112.164.202 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 192.168.1.100-192.168.1.150
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) tcp 212.112.164.202 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 ftp-data 192.168.1.1 ftp-data netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 ftp 192.168.1.1 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 https 192.168.1.1 https netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 3389 192.168.1.2 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 pop3 192.168.1.1 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.112.164.202 smtp 192.168.1.1 smtp netmask 255.255.255.255 0 0
access-group inet-incoming in interface outside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 212.112.164.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa-server mobileauth protocol radius
aaa-server mobileauth max-failed-attempts 3
aaa-server mobileauth deadtime 10
aaa-server mobileauth (inside) host 192.168.1.1 cisco123 timeout 5
http server enable
http 192.168.1.1 255.255.255.255 inside
snmp-server location Sweden
snmp-server contact IT-grp teknik@it-grp.dk
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 50 set transform-set strong
crypto map boewe 10 ipsec-isakmp
crypto map boewe 10 match address 60
crypto map boewe 10 set peer 62.66.251.18
crypto map boewe 10 set transform-set strong
crypto map boewe 20 ipsec-isakmp
crypto map boewe 20 match address 70
crypto map boewe 20 set peer 80.203.179.106
crypto map boewe 20 set transform-set strong
crypto map boewe 30 ipsec-isakmp
crypto map boewe 30 match address 80
crypto map boewe 30 set peer 195.94.97.60
crypto map boewe 30 set transform-set strong
crypto map boewe 40 ipsec-isakmp
crypto map boewe 40 match address 90
crypto map boewe 40 set peer 217.157.148.86
crypto map boewe 40 set transform-set strong
crypto map boewe 50 ipsec-isakmp dynamic dynmap
crypto map boewe client authentication mobileauth
crypto map boewe interface outside
isakmp enable outside
isakmp key ******** address 62.66.251.18 netmask 255.255.255.255
isakmp key ******** address 80.203.179.106 netmask 255.255.255.255
isakmp key ******** address 195.94.97.60 netmask 255.255.255.255
isakmp key ******** address 217.157.148.86 netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
vpngroup boewe-vpn address-pool ippool
vpngroup boewe-vpn dns-server 192.168.1.1
vpngroup boewe-vpn wins-server 192.168.1.1
vpngroup boewe-vpn default-domain boewe.se
vpngroup boewe-vpn idle-time 1800
vpngroup boewe-vpn password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 83.91.238.162 255.255.255.255 outside
ssh 62.66.251.18 255.255.255.255 outside
ssh 80.197.160.22 255.255.255.255 outside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 30
management-access outside
console timeout 0
terminal width 80
Cryptochecksum:7fbdecccc02987ec93d9bccb4c9bec26
: end
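As an added, defender-side check that is not part of the original post: a Python script that audits the remote-access pieces of the PIX 6.3 config above for the omission most often behind a client-side Reason 412 (no NAT-T), for dangling references between the crypto map, aaa-server and address pool, and for the shared secret that a publicly pasted config exposes. The excerpt it parses is taken from the posted config; the check names and messages are my own.

```python
import ipaddress
import re

# Excerpt of the PIX 6.3 config posted above (only the lines these checks read).
PIX_CONFIG = """\
ip address inside 192.168.1.254 255.255.255.0
ip local pool ippool 192.168.1.100-192.168.1.150
aaa-server mobileauth (inside) host 192.168.1.1 cisco123 timeout 5
crypto map boewe 50 ipsec-isakmp dynamic dynmap
crypto map boewe client authentication mobileauth
vpngroup boewe-vpn address-pool ippool
"""

def audit_pix(config):
    """Return review findings for the remote-access VPN parts of a PIX 6.3 config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []

    def has(pattern):
        return any(re.match(pattern, l) for l in lines)

    def matches(pattern):
        return filter(None, (re.match(pattern, l) for l in lines))

    # 1. A VPN client behind a NAT device needs NAT-T on the PIX; a missing
    #    'isakmp nat-traversal' is a common cause of the client-side Reason 412.
    if not has(r"isakmp nat-traversal"):
        findings.append("no 'isakmp nat-traversal': clients behind NAT will drop at IKE")

    # 2. The aaa-server group named for xauth must actually have a RADIUS host.
    for m in matches(r"crypto map \S+ client authentication (\S+)$"):
        if not has(rf"aaa-server {re.escape(m.group(1))} \(\S+\) host "):
            findings.append(f"aaa-server group {m.group(1)} has no host")

    # 3. Each vpngroup pool must exist; a pool carved out of the inside subnet
    #    works only through proxy ARP, so flag it for a deliberate decision.
    inside = next((l.split() for l in lines if l.startswith("ip address inside ")), None)
    inside_net = ipaddress.ip_network(f"{inside[3]}/{inside[4]}", strict=False) if inside else None
    for m in matches(r"vpngroup \S+ address-pool (\S+)$"):
        pool = next((l.split() for l in lines if l.startswith(f"ip local pool {m.group(1)} ")), None)
        if pool is None:
            findings.append(f"vpngroup references undefined pool {m.group(1)}")
        elif inside_net and ipaddress.ip_address(pool[4].split("-")[0]) in inside_net:
            findings.append(f"pool {m.group(1)} overlaps the inside subnet {inside_net}")

    # 4. A RADIUS shared secret pasted to a public forum must be treated as compromised.
    if has(r"aaa-server \S+ \(\S+\) host \S+ (?!timeout\b)\S+"):
        findings.append("RADIUS shared secret appears in the pasted config; rotate it")
    return findings
```

Run against the full posted config, the script reports three findings: the missing NAT-T line, the pool overlapping 192.168.1.0/24, and the exposed RADIUS secret.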