Easy Vpn server on Cisco 837

Hi, I just tried to implement VPN on our c837 using SDM 2.41. ADSL with fixed IP, trying to connect with Cisco VPN Client 5.0 or 4.x. This is the configuration added by SDM: what's wrong? I cannot connect! No Phase I.

Configuration commands for the router: 192.168.10.101 saved on 15-gen-2008 19.17.03

----------------------------------------------------------------------------
aaa authorization network sdm_vpn_group_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 172.16.0.10
access-list 102 deny ip any host 172.16.0.11
access-list 102 deny ip any host 172.16.0.12
access-list 102 deny ip any host 172.16.0.13
access-list 102 deny ip any host 172.16.0.14
access-list 102 deny ip any host 172.16.0.15
access-list 102 deny ip any host 172.16.0.16
access-list 102 deny ip any host 172.16.0.17
access-list 102 deny ip any host 172.16.0.18
access-list 102 deny ip any host 172.16.0.19
access-list 102 deny ip any host 172.16.0.20
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
no access-list 101
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 172.16.0.10 any
access-list 101 permit ip host 172.16.0.11 any
access-list 101 permit ip host 172.16.0.12 any
access-list 101 permit ip host 172.16.0.13 any
access-list 101 permit ip host 172.16.0.14 any
access-list 101 permit ip host 172.16.0.15 any
access-list 101 permit ip host 172.16.0.16 any
access-list 101 permit ip host 172.16.0.17 any
access-list 101 permit ip host 172.16.0.18 any
access-list 101 permit ip host 172.16.0.19 any
access-list 101 permit ip host 172.16.0.20 any
access-list 101 permit udp any host 217.133.x.xxx eq non500-isakmp
access-list 101 permit udp any host 217.133.x.xxx eq isakmp
access-list 101 permit esp any host 217.133.x.xxx
access-list 101 permit ahp any host 217.133.x.xxx
access-list 101 permit udp host 151.99.125.2 eq domain host 217.133.x.xxx
access-list 101 permit udp host 192.168.10.1 eq domain host 217.133.x.xxx
access-list 101 deny ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any host 217.133.x.xxx echo-reply
access-list 101 permit icmp any host 217.133.x.xxx time-exceeded
access-list 101 permit icmp any host 217.133.x.xxx unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
ip local pool SDM_POOL_1 172.16.0.10 172.16.0.20
crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des
 mode tunnel
 exit
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
 set security-association idle-time 900
 exit
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface Dialer0
 no crypto map
 crypto map SDM_CMAP_1
 exit
route-map SDM_RMAP_1 permit 1
 match ip address 102
 exit
interface Ethernet0
 no ip nat inside
 exit
interface Dialer0
 no ip nat outside
 exit
do clear ip nat translation forced
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
interface Ethernet0
 ip nat inside
 exit
interface Dialer0
 ip nat outside
 exit
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto isakmp client configuration group Collaboratori
 key 0 ********
 pool SDM_POOL_1
 exit
crypto isakmp policy 2
 authentication pre-share
 encr 3des
 hash md5
 group 2
 lifetime 86400
 exit
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp xauth timeout 15

No answer from Client at Phase I.

13 23:02:12.375 01/14/08 Sev=Warning/2 IKE/0xE3000099 Invalid SPI size (PayloadNotify:116)

14 23:02:12.375 01/14/08 Sev=Info/4 IKE/0xE30000A4 Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

On the router side, the log shows only the incoming IP and AG_NO_STATE.

Can someone help me?

Tanja
