Hi,
We use Cisco 1811 easy vpn server

Cheers,
Anton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Peacock
Sent: 6 November 2008 0:40
To: SunRay-Users mailing list
Subject: Re: [SunRay-Users] BUG in new 4.1 firmware VPN client ?!

On 11/05/08 09:31, Anton Floor wrote:
> I just noticed that if I configure vpn setting to the 4.0 firmware and then 
> upgrade to 4.1 and voilà it works.
> So if I have fresh 4.1 firmware and no old vpn config it doesn't send group 
> info to the vpn server

Please tell me if you're using a PIX gateway.

To give you more information: in order to support Jupiter/Netscreen
gateways in 4.1, the ID type for the client's initial IKE negotiation
was changed from KEYID to USER_FQDN. In my testing with 3000 and ASA
gateways, that change was fine. However, one of our customers has
discovered that the PIX gateways don't accept USER_FQDN as an ID type.
I've tried to avoid having to configure the peer gateway type in the VPN
configuration, but the solution to this problem will involve doing
that, so that the proper IKE ID type can be used.

Kent

>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anton Floor
> Sent: 5 November 2008 16:04
> To: 'SunRay-Users mailing list'
> Subject: [SunRay-Users] BUG in new 4.1 firmware VPN client ?!
>
> Hi,
>
>
> With old firmware GUI4.0_127553-03_2008.05.14.13.48 VPN connection worked 
> but now with new GUI4.1_50_2008.09.25.12.37 it doesn't
> seems to me that DTU's vpn client doesn't send group name correctly or vpn 
> server doesn't get it for some reason???
>
> From Cisco syslog I found this line after every connection trial with the 
> new firmware
> ----
> (Server) Authentication PASSED User=nbiuser Group= 
> Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
> Group: does not exist
> ----
> DTU shows "PH1 Connection expired 28G"
>
> and after downgrading to GUI4.0_127553-03_2008.05.14.13.48
> ----
> (Server) Authentication PASSED User=nbiuser Group=nbigroup 
> Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
> -----
> DTU connects to Sun Ray server through VPN
>
> This is our current configuration of the cisco 1800 box
>
> Current configuration : 2850 bytes
> !
> ! Last configuration change at 14:48:10 Riga Wed Nov 5 2008 by admin
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname xxx-vpn001
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login sdm_vpn_xauth_ml_1 local
> aaa authorization exec default local
> aaa authorization network default if-authenticated
> aaa authorization network sdm_vpn_group_ml_1 local
> aaa authorization network test local
> !
> aaa session-id common
> !
> resource policy
> !
> clock timezone Riga 2
> clock summer-time Riga date Mar 30 2003 3:00 Oct 26 2003 4:00
> !
> !
> ip cef
> !
> !
> !
> !
> !
> username nbiuser secret 5 xxxxxxxxxxxxxxxxxxx.
> !
> !
> crypto logging ezvpn
> !
> crypto isakmp policy 1
>  encr aes
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 28800
> crypto isakmp client configuration address-pool local SDM_POOL_1
> !
> crypto isakmp client configuration group nbigroup
>  key srss135NOW
>  pool SDM_POOL_1
>  save-password
>  max-users 50
>  max-logins 10
> crypto isakmp profile sdm-ike-profile-1
>    match identity group nbigroup
>    client authentication list sdm_vpn_xauth_ml_1
>    isakmp authorization list sdm_vpn_group_ml_1
>    client configuration address respond
>    virtual-template 1
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set test esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP_MD5_3DES esp-3des esp-md5-hmac
> !
> crypto ipsec profile SDM_Profile1
>  set transform-set ESP-3DES-SHA
>  set isakmp-profile sdm-ike-profile-1
> !
> !
> !
> !
> !
> interface FastEthernet0
>  description $ETH-LAN$
>  ip address xx.xx.xx.xx 255.255.240.0
>  speed auto
>  full-duplex
> !
> interface FastEthernet1
>  description $ETH-LAN$
>  ip address xx.xx.xx.xxx 255.255.255.224
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface FastEthernet9
> !
> interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile SDM_Profile1
> !
> interface Vlan1
>  no ip address
> !
> interface Async1
>  no ip address
>  encapsulation slip
> !
> ip local pool SDM_POOL_1 192.168.150.1 192.168.150.254
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
> !
> !
> ip http server
> ip http authentication local
> no ip http secure-server
> !
> logging trap debugging
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> line 1
>  modem InOut
>  stopbits 1
>  speed 115200
>  flowcontrol hardware
> line aux 0
> line vty 0 4
>  transport input telnet ssh
> line vty 5 15
>  transport input telnet ssh
> !
> !
> webvpn context Default_context
>  ssl authenticate verify all
>  !
>  no inservice
> !
> end
>
>
> Cheers,
> Anton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anton Floor
> Sent: 5 November 2008 10:29
> To: 'SunRay-Users mailing list'
> Subject: [SunRay-Users] Sun Ray VPN with Cisco
>
> Hi,
>
> We have an odd problem with our Sun Ray VPN setup
>
> We managed to get it work once, but somehow after changing the password of 
> the VPN group
> it stopped working and now DTU says PH1 connection expired 28G ?
> From cisco log we found line "group not found" ? but it is in there!!!
> So does anyone have cisco ios vpn config working? We use Cisco 1800 box
>
> we use local groups and local users of the cisco box..
>
>
> Cheers,
> Anton
>
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users

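The ID-type change discussed in this thread, as an added example that is not part of the original messages and is not Sun or Cisco code: it encodes and decodes an IKEv1 Identification payload (layout and type numbers from RFC 2407) carrying the thread's group name as ID_KEY_ID and as ID_USER_FQDN. The gateway-side lookup `group_from_identity` is a hypothetical, simplified model of a peer that only maps ID_KEY_ID to a group.

```python
import struct

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
ID_USER_FQDN, ID_KEY_ID = 3, 11


def build_id_payload(id_type, data, next_payload=0):
    """Encode an Identification payload: generic header + ID fields + data."""
    body = struct.pack("!BBH", id_type, 0, 0) + data  # ID type, protocol ID, port
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(buf):
    """Decode an Identification payload; raise ValueError on a bad length."""
    if len(buf) < 8:
        raise ValueError("truncated ID payload")
    _next, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length < 8 or length > len(buf):
        raise ValueError("bad payload length")
    id_type, proto, port = struct.unpack("!BBH", buf[4:8])
    return {"id_type": id_type,
            "type": ID_TYPES.get(id_type, f"unknown({id_type})"),
            "proto": proto, "port": port, "data": buf[8:length]}


def group_from_identity(ident, accepted_types=(ID_KEY_ID,)):
    """Hypothetical gateway lookup (assumption): only accepted ID types
    yield a group name; anything else leaves the group empty."""
    if ident["id_type"] not in accepted_types:
        return ""
    return ident["data"].decode("ascii", "replace")


def summarize(payload):
    """Return (ID type name, group the modelled gateway would resolve)."""
    ident = parse_id_payload(payload)
    return ident["type"], group_from_identity(ident)


if __name__ == "__main__":
    # Constructed payloads: same group name, the two ID types from the thread.
    for id_type in (ID_KEY_ID, ID_USER_FQDN):
        print(summarize(build_id_payload(id_type, b"nbigroup")))
```

When comparing packet captures from the 4.0 and 4.1 firmware, the byte to look at is the first one after the four-byte generic payload header of the client's ID payload.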