[SunRay-Users] BUG in new 4.1 firmware VPN client ?!
Kent Peacock
Kent.Peacock at Sun.COM
Wed Nov 5 08:02:53 EET 2008
What kind of Cisco gateway are you using? If it's a PIX, this is a known
issue that will be fixed as soon as possible.
Kent
On 11/05/08 06:04, Anton Floor wrote:
> Hi,
>
>
> With old firmware GUI4.0_127553-03_2008.05.14.13.48 VPN connection worked but now with new GUI4.1_50_2008.09.25.12.37 it doesn't
> seems to me that DTU's vpn client doesn't send group name correctly or vpn server doesn't get it for some reason???
>
> From Cisco syslog I found this line after every connection trial with the new firmware
> ----
> (Server) Authentication PASSED User=nbiuser Group= Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
> Group: does not exist
> ----
> DTU shows "PH1 Connection expired 28G"
>
> and after downgrading to GUI4.0_127553-03_2008.05.14.13.48
> ----
> (Server) Authentication PASSED User=nbiuser Group=nbigroup Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
> -----
> DTU connects to Sun Ray server through VPN
>
> This is our current configuration of the cisco 1800 box
>
> Current configuration : 2850 bytes
> !
> ! Last configuration change at 14:48:10 Riga Wed Nov 5 2008 by admin
> !
> version 12.4
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname xxx-vpn001
> !
> boot-start-marker
> boot-end-marker
> !
> logging buffered 4096 debugging
> !
> aaa new-model
> !
> !
> aaa authentication login default local
> aaa authentication login sdm_vpn_xauth_ml_1 local
> aaa authorization exec default local
> aaa authorization network default if-authenticated
> aaa authorization network sdm_vpn_group_ml_1 local
> aaa authorization network test local
> !
> aaa session-id common
> !
> resource policy
> !
> clock timezone Riga 2
> clock summer-time Riga date Mar 30 2003 3:00 Oct 26 2003 4:00
> !
> !
> ip cef
> !
> !
> !
> !
> !
> username nbiuser secret 5 xxxxxxxxxxxxxxxxxxx.
> !
> !
> crypto logging ezvpn
> !
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> group 2
> lifetime 28800
> crypto isakmp client configuration address-pool local SDM_POOL_1
> !
> crypto isakmp client configuration group nbigroup
> key srss135NOW
> pool SDM_POOL_1
> save-password
> max-users 50
> max-logins 10
> crypto isakmp profile sdm-ike-profile-1
> match identity group nbigroup
> client authentication list sdm_vpn_xauth_ml_1
> isakmp authorization list sdm_vpn_group_ml_1
> client configuration address respond
> virtual-template 1
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set test esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP_MD5_3DES esp-3des esp-md5-hmac
> !
> crypto ipsec profile SDM_Profile1
> set transform-set ESP-3DES-SHA
> set isakmp-profile sdm-ike-profile-1
> !
> !
> !
> !
> !
> interface FastEthernet0
> description $ETH-LAN$
> ip address xx.xx.xx.xx 255.255.240.0
> speed auto
> full-duplex
> !
> interface FastEthernet1
> description $ETH-LAN$
> ip address xx.xx.xx.xxx 255.255.255.224
> duplex auto
> speed auto
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface FastEthernet4
> !
> interface FastEthernet5
> !
> interface FastEthernet6
> !
> interface FastEthernet7
> !
> interface FastEthernet8
> !
> interface FastEthernet9
> !
> interface Virtual-Template1 type tunnel
> ip unnumbered FastEthernet1
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile SDM_Profile1
> !
> interface Vlan1
> no ip address
> !
> interface Async1
> no ip address
> encapsulation slip
> !
> ip local pool SDM_POOL_1 192.168.150.1 192.168.150.254
> ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
> !
> !
> ip http server
> ip http authentication local
> no ip http secure-server
> !
> logging trap debugging
> !
> !
> !
> !
> !
> !
> control-plane
> !
> !
> line con 0
> line 1
> modem InOut
> stopbits 1
> speed 115200
> flowcontrol hardware
> line aux 0
> line vty 0 4
> transport input telnet ssh
> line vty 5 15
> transport input telnet ssh
> !
> !
> webvpn context Default_context
> ssl authenticate verify all
> !
> no inservice
> !
> end
>
>
> Cheers,
> Anton
>
> -----Original Message-----
> From: sunray-users-bounces at filibeto.org [mailto:sunray-users-bounces at filibeto.org] On Behalf Of Anton Floor
> Sent: 5 November 2008 10:29
> To: 'SunRay-Users mailing list'
> Subject: [SunRay-Users] Sun Ray VPN with Cisco
>
> Hi,
>
> We have an odd problem with our Sun Ray VPN setup
>
> We managed to get it to work once, but somehow after changing the password of the VPN group
> it stopped working and now DTU says PH1 connection expired 28G ?
> From cisco log we found line "group not found" ? but it is in there!!!
> So does anyone have cisco ios vpn config working? We use Cisco 1800 box
>
> we use local groups and local users of the cisco box..
>
>
> Cheers,
> Anton
>
> _______________________________________________
> SunRay-Users mailing list
> SunRay-Users at filibeto.org
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
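A small triage script for the symptom reported in this thread, added here as an example and not part of the original messages: it separates connection attempts where the client sent no group name (`Group=` empty, as seen with the 4.1 firmware) from attempts that named a group the router does not define. The function names, the abridged config and the third log line are constructed for illustration.

```python
import re

# Constructed sample: the group stanza from the router config quoted above,
# abridged, with the pre-shared key replaced by a placeholder.
CONFIG = """\
crypto isakmp client configuration address-pool local SDM_POOL_1
crypto isakmp client configuration group nbigroup
key <redacted>
pool SDM_POOL_1
"""

# First two lines are the syslog lines from the post; the third is constructed.
LOG = """\
(Server) Authentication PASSED User=nbiuser Group= Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
(Server) Authentication PASSED User=nbiuser Group=nbigroup Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
(Server) Authentication PASSED User=nbiuser Group=nbigrp Client_public_add=xxx.xxx.xx.xx Server_public_addr=xxx.xxx.xxx.xxx
"""

GROUP_STANZA = re.compile(r"crypto isakmp client configuration group (\S+)")
AUTH_LINE = re.compile(r"User=(\S*)\s+Group=(\S*)\s+Client_public_add")

def configured_groups(config_text):
    """Names of the client configuration groups defined in the router config."""
    return set(GROUP_STANZA.findall(config_text))

def classify(line, groups):
    """Return (user, group, verdict) for an auth line, or None for other lines."""
    m = AUTH_LINE.search(line)
    if m is None:
        return None
    user, group = m.groups()
    if not group:
        verdict = "empty-group"      # client sent no group name at all
    elif group not in groups:
        verdict = "unknown-group"    # name sent, but no matching group stanza
    else:
        verdict = "ok"
    return user, group, verdict

def triage(log_text, config_text):
    """Classify every authentication line in the log against the config."""
    groups = configured_groups(config_text)
    results = (classify(line, groups) for line in log_text.splitlines())
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for user, group, verdict in triage(LOG, CONFIG):
        print(f"{verdict:14} user={user} group={group!r}")
```

An `empty-group` verdict points at the client side (nothing was sent), while `unknown-group` points at a name mismatch between client and router configuration.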