What kind of Cisco gateway are you using? If it's a PIX, this is a known
issue that will be fixed as soon as possible.
Kent
On 11/05/08 06:04, Anton Floor wrote:
Hi,
With the old firmware GUI4.0_127553-03_2008.05.14.13.48 the VPN connection worked, but
now with the new GUI4.1_50_2008.09.25.12.37 it doesn't.
It seems to me that the DTU's VPN client doesn't send the group name correctly, or the VPN
server doesn't get it for some reason???
In the Cisco syslog I found these lines after every connection attempt with the new
firmware:
----
(Server) Authentication PASSED User=nbiuser Group=
Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
Group: does not exist
----
The DTU shows "PH1 Connection expired 28G",
and after downgrading to GUI4.0_127553-03_2008.05.14.13.48:
----
(Server) Authentication PASSED User=nbiuser Group=nbigroup
Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
-----
The DTU connects to the Sun Ray server through the VPN.
This is our current configuration of the Cisco 1800 box:
Current configuration : 2850 bytes
!
! Last configuration change at 14:48:10 Riga Wed Nov 5 2008 by admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx-vpn001
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network test local
!
aaa session-id common
!
resource policy
!
clock timezone Riga 2
clock summer-time Riga date Mar 30 2003 3:00 Oct 26 2003 4:00
!
!
ip cef
!
!
!
!
!
username nbiuser secret 5 xxxxxxxxxxxxxxxxxxx.
!
!
crypto logging ezvpn
!
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group nbigroup
 key srss135NOW
 pool SDM_POOL_1
 save-password
 max-users 50
 max-logins 10
crypto isakmp profile sdm-ike-profile-1
 match identity group nbigroup
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set test esp-aes esp-sha-hmac
crypto ipsec transform-set ESP_MD5_3DES esp-3des esp-md5-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface FastEthernet0
 description $ETH-LAN$
 ip address xx.xx.xx.xx 255.255.240.0
 speed auto
 full-duplex
!
interface FastEthernet1
 description $ETH-LAN$
 ip address xx.xx.xx.xxx 255.255.255.224
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool SDM_POOL_1 192.168.150.1 192.168.150.254
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
!
ip http server
ip http authentication local
no ip http secure-server
!
logging trap debugging
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Cheers,
Anton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anton Floor
Sent: 5 November 2008 10:29
To: 'SunRay-Users mailing list'
Subject: [SunRay-Users] Sun Ray VPN with Cisco
Hi,
We have an odd problem with our Sun Ray VPN setup.
We managed to get it to work once, but somehow after changing the password of the
VPN group
it stopped working, and now the DTU says PH1 connection expired 28G?
In the Cisco log we found the line "group not found"? But it is in there!!!
So does anyone have a Cisco IOS VPN config working? We use a Cisco 1800 box.
We use local groups and local users of the Cisco box.
Cheers,
Anton
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
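
Added example (not part of the original thread, and not Sun or Cisco code): a small Python check that rejoins the wrapped syslog lines quoted above and flags authentications whose Group= field is empty or names a group the router configuration does not define. The sample log and config are constructed in the thread's format; the addresses and the group "othergroup" are assumptions.

```python
import re

# Matches the group definition line from the router configuration in the thread.
GROUP_DEF = re.compile(r"^crypto isakmp client configuration group (\S+)", re.M)
FIELD = re.compile(r"(\w+)=(\S*)")  # key=value pairs; the value may be empty

# Constructed sample: message layout as quoted in the thread, documentation-range
# addresses, plus one constructed event for a group that is not configured.
SAMPLE_LOG = """\
----
(Server) Authentication PASSED User=nbiuser Group=
Client_public_add=192.0.2.10 Server_public_addr=198.51.100.1
Group: does not exist
----
(Server) Authentication PASSED User=nbiuser Group=nbigroup
Client_public_add=192.0.2.10 Server_public_addr=198.51.100.1
(Server) Authentication PASSED User=nbiuser Group=othergroup
Client_public_add=192.0.2.11 Server_public_addr=198.51.100.1
"""
SAMPLE_CONFIG = """\
crypto isakmp client configuration address-pool local SDM_POOL_1
crypto isakmp client configuration group nbigroup
 pool SDM_POOL_1
"""

def parse_events(log_text):
    """Rejoin wrapped log lines into one dict of fields per authentication event."""
    events = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("(Server) Authentication"):
            events.append([line])
        elif events and line and set(line) != {"-"}:
            events[-1].append(line)
    return [dict(FIELD.findall(" ".join(parts))) for parts in events]

def audit(log_text, config_text):
    """Return (user, group, verdict) for each event in the log."""
    groups = set(GROUP_DEF.findall(config_text))
    results = []
    for ev in parse_events(log_text):
        group = ev.get("Group", "")
        if not group:
            verdict = "empty-group"    # client sent no group name (reported symptom)
        elif group not in groups:
            verdict = "unknown-group"  # name sent, but not defined on the router
        else:
            verdict = "ok"
        results.append((ev.get("User", ""), group, verdict))
    return results
```

An "empty-group" verdict points at the client side (no group identity reached the gateway), while "unknown-group" points at a mismatch between the client's setting and the router's group definition.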