Hi All, please help me with the following issue:

Remote access VPN using TACACS authentication and authorization is not working. However, local username/password is working with the same VPN configuration. I have added IKE IPsec attributes to the username on the ACS server. The username is assigned to a new group (rack04). The same group name is used in the crypto configuration. The following are the attributes added to IKE IPsec:

    user-vpn-group=rack04
    tunnel-password=cisco123
    addr-pool=VPN

On the ACS server failed attempts, the username is showing the group name (rack04). When I am trying to connect using the VPN client software, I am not getting the username/password prompt, and the following message is appearing on the router:

    *Mar 4 12:44:39.127: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 4.4.155.10 was not encrypted and it should've been.
    *Mar 4 12:44:39.135: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 4.4.155.10 was not encrypted and it should've been.

The following is the partial router configuration:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login acs group tacacs+ local
    aaa authentication login noacs line none
    aaa authorization exec default group tacacs+
    aaa authorization network acs group tacacs+ local

    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group RACK04
     key cisco123
     pool VPN
     acl vpn-traffic
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynamic 10
     set transform-set myset
     reverse-route
    crypto map remotevpn client authentication list acs
    crypto map remotevpn isakmp authorization list acs
    crypto map remotevpn client configuration address respond
    crypto map remotevpn 10 ipsec-isakmp dynamic dynamic

    int fa1/0
     crypto map remotevpn

    ip local pool VPN 192.168.0.1 192.168.0.10
    ip tacacs source-interface Ethernet1/0
    tacacs-server host 150.0.4.241 key cisco
    ip access-list extended vpn-traffic
     permit ip 4.4.5.0 0.0.0.255 192.168.0.0 0.0.0.255
