Remote Access Client VPN Connection
Remote Access VPN connections can be implemented with the IPsec protocol in conjunction with AAA on the router. This section details the following topics:
Configuration Steps
Figure 6-7 depicts a typical Remote Access VPN connection on the Dhaka router with DNS and WINS Server.
Troubleshooting Steps
Troubleshooting a Remote Access VPN connection involves analyzing the log on both the router and the VPN clients. The troubleshooting steps discussed for LAN-to-LAN tunnels also apply to Remote Access VPNs. This section examines the debug command output of a successful Remote Access VPN connection.
Example 6-28 shows a Phase I negotiation for a Remote Access VPN in Aggressive mode:
To analyze the log on the VPN Client software, click Log in the VPN Client window. Then click Log Settings and set the logging level to High for all the classes. You can then bring up the log by clicking Log Window.
Many troubleshooting techniques applied to the LAN-to-LAN tunnel can also be used for the Remote Access VPN connection. If a Remote Access VPN connection fails, you need to analyze the debug output on the router and the log on the Remote Access VPN client.
Following are some of the important points to keep in mind while troubleshooting a Remote Access VPN connection:
- VPN clients only propose Diffie-Hellman Groups 2 and 5. Configure DH group 2 or 5 (not 1) on the router.
- Configure isakmp identity hostname if rsa-sig is used as the IKE authentication method.
- AAA authorization must be enabled on the router so that the router can accept and send mode-configuration attributes.
- If VPN Clients are behind a NAT/PAT device, configure NAT-T or the IPsec over TCP feature.
- If NAT-T or IPsec over TCP is configured, be sure the firewall between the VPN Client and the router allows UDP/4500 or TCP/10000.
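The checklist above can be applied to a router's running configuration automatically. The following script is an added example, not code from the book: it parses the crypto isakmp policy blocks and reports which checklist items a configuration violates. The sample configuration is constructed for the example and deliberately breaks several items; the IOS command names it looks for (group, authentication rsa-sig, crypto isakmp identity hostname, aaa authorization network, crypto ipsec nat-transparency udp-encapsulation, crypto ctcp) are assumed to appear in the configuration in their usual form.

```python
import re

# Constructed sample of a router running-config (not from the book). It breaks
# several checklist items on purpose so the audit below has something to report.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login VPNAUTH local
crypto isakmp policy 10
 encr 3des
 authentication rsa-sig
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
no crypto ipsec nat-transparency udp-encapsulation
"""

def parse_isakmp_policies(config):
    """Return {policy_number: {sub-command: argument}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, arg = line.strip().partition(" ")
            current[key] = arg
        else:
            current = None  # any other top-level command ends the block

    return policies

def audit_remote_access_vpn(config):
    """Apply the Remote Access VPN checklist; return a list of human-readable findings."""
    findings = []
    policies = parse_isakmp_policies(config)
    for num, p in sorted(policies.items()):
        # A policy without an explicit 'group' line defaults to DH group 1 (assumption: IOS default)
        group = p.get("group", "1")
        if group not in ("2", "5"):
            findings.append(f"policy {num}: DH group {group} - VPN Client only proposes 2 or 5")
    uses_rsa_sig = any(p.get("authentication") == "rsa-sig" for p in policies.values())
    if uses_rsa_sig and "crypto isakmp identity hostname" not in config:
        findings.append("rsa-sig used but 'crypto isakmp identity hostname' is missing")
    if not re.search(r"^aaa authorization network ", config, re.M):
        findings.append("no 'aaa authorization network' list: mode-config attributes cannot be sent")
    # Explicitly disabled NAT-T with no IPsec-over-TCP (cTCP) fallback strands clients behind NAT/PAT
    if re.search(r"^no crypto ipsec nat-transparency udp-encapsulation", config, re.M) \
            and not re.search(r"^crypto ctcp", config, re.M):
        findings.append("NAT-T disabled and IPsec over TCP (cTCP) not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_access_vpn(SAMPLE_CONFIG):
        print("FINDING:", finding)
```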