Mario,
I'm not sure if I understand your setup, and I've never worked with the VPN
client (with mode config), so I may be completely wrong...
... but just some thoughts here...
> Cisco Secure VPN Client. The router has a valid IP address and the client
in your config there's only a negotiated address on your dialer interface,
so
1.) possibly this address is dynamic => the whole thing will never work (how
does the client connect to a router whose address is dynamic...)
2.) that's why I assume that you get a fixed IP by your DSL isp [for the
router, not the client...]
Then there seems to be a problem with your ipsec filter list (access-list
105)...
> connects to the internet by modem via an ISP with a dynamic IP address.
> I've
You have to reflect this in your config. Traffic originating from the client
(with dynamic IP address) shall be handled by ipsec:
access-list 105 permit ip any host aa.bb.cc.dd [where 'aa.bb.cc.dd' is your
fixed dsl ip address, see above]
This means, that all traffic arriving from any host with destination ip of
the router will be encrypted.
Probably this is not what you want (maybe you want to use the router for
other purposes [than being an ipsec gateway] also) so you have to modify
this according to your needs...
[see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/scdipsec.htm, section crypto access lists for more info]
but even if this was ok... if you used only this statement and thus _all_
traffic will be encrypted... how can a key exchange (first phase of ipsec)
ever take place?
[that's where I'm possibly wrong, maybe somebody who has already worked with
VPN client can comment this]
... for enabling the key exchange you have to exclude this very traffic from
the crypto access-list by
access-list 105 deny udp any any eq isakmp
=> the whole access-list looks like:
access-list 105 deny udp any any eq isakmp
access-list 105 permit ip any host aa.bb.cc.dd
-------
If you included the output from a "debug crypto isakmp" on the router, I
could certainly help you more. I had the opportunity to play a little with
cisco ipsec lately.
If you feel this output is too off-topic for the list, send it to me
directly.
HTH,
Enno Rey
[EMAIL PROTECTED] --- www.security-academy.de
PGP 74C0 C7E1 3875 E4EB 9B75 8B9D 5E2D 3178 685B F222
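Added example (not Enno's or Mario's code): a small first-match evaluator for the two-line crypto access list suggested above. It checks the point made in the mail, namely that the `deny udp any any eq isakmp` entry has to come before the `permit ip any host <router>` entry, otherwise IKE's own UDP/500 packets would be selected for encryption and phase 1 could never complete. The router address 192.0.2.1 and the packet values are constructed stand-ins for the post's aa.bb.cc.dd and the unknown client address; only the `any` and `host A.B.C.D` address forms are parsed.

```python
import ipaddress

# IOS accepts the service name "isakmp" for UDP/500 (IKE phase 1); that is the
# traffic the post says must be excluded from the crypto access list.
PORT_NAMES = {"isakmp": 500}


def parse_ace(line):
    """Parse one extended ACE in the form used in the post:
    access-list <n> <permit|deny> <proto> <src> <dst> [eq <port>]
    Only the 'any' and 'host A.B.C.D' address forms are supported."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = tok[2], tok[3]
    pos = 4

    def take_addr():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return None                      # None means wildcard
        if tok[pos] == "host":
            addr = ipaddress.ip_address(tok[pos + 1])
            pos += 2
            return addr
        raise ValueError(f"unsupported address form in {line!r}")

    src, dst = take_addr(), take_addr()
    dport = None
    if pos < len(tok) and tok[pos] == "eq":
        name = tok[pos + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    """pkt: dict with proto, src, dst (strings) and dport (int or None)."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ace["src"] is not None and ace["src"] != ipaddress.ip_address(pkt["src"]):
        return False
    if ace["dst"] is not None and ace["dst"] != ipaddress.ip_address(pkt["dst"]):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    return True


def crypto_decision(acl_lines, pkt):
    """First matching entry wins, as IOS evaluates an ACL. In a crypto access
    list 'permit' means 'protect with IPsec'; 'deny' (including the implicit
    deny at the end) means the packet is forwarded in the clear."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return "encrypt" if ace["action"] == "permit" else "bypass"
    return "bypass"


ROUTER_IP = "192.0.2.1"   # constructed stand-in for the post's aa.bb.cc.dd

# The access list as the post suggests it: ISAKMP excluded first.
ACL_FROM_POST = [
    "access-list 105 deny udp any any eq isakmp",
    f"access-list 105 permit ip any host {ROUTER_IP}",
]

# The same two entries in the opposite order.
ACL_WRONG_ORDER = list(reversed(ACL_FROM_POST))

# Constructed packets: the IKE exchange, a telnet session to the router, and
# traffic to some unrelated host.
IKE_PACKET = {"proto": "udp", "src": "198.51.100.7", "dst": ROUTER_IP, "dport": 500}
TELNET_PACKET = {"proto": "tcp", "src": "198.51.100.7", "dst": ROUTER_IP, "dport": 23}
OTHER_PACKET = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.9", "dport": 80}


def summary(acl_lines):
    """Decision per sample packet for the given access list."""
    return {name: crypto_decision(acl_lines, pkt)
            for name, pkt in (("ike", IKE_PACKET),
                              ("telnet", TELNET_PACKET),
                              ("other", OTHER_PACKET))}


if __name__ == "__main__":
    for label, acl in (("post", ACL_FROM_POST), ("wrong order", ACL_WRONG_ORDER)):
        print(label, summary(acl))
```

With the order from the post, the IKE packet is bypassed and everything else addressed to the router is encrypted; with the entries swapped, or with the single permit line alone, the IKE packet itself is selected for encryption.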
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]