topic Easy VPN in Network Security

Easy VPN

jack samuel — Mon, 11 Mar 2019 23:02:31 GMT

Dears,

Diagram,

Branch LAN

| |

R1----------------------R2---------------------R3

I am trying to establish a VPN connection from Branch LAN (R1) to R2 acting as a Easy VPN server, R1 is doing PAT for the branch users to go on the internet and for accessing the HO resources they should access through a VPN.R1 is acting in a client mode.

The tunnels are not coming up, Attached are the configs, and the debugs,please help.

Easy VPN

Maykol Rojas — Fri, 04 May 2012 22:36:43 GMT

mmm,

Preshared authentication offered but does not match policy.

Can you Change the preshared key to something else that is not cisco?

Mike

Re: Easy VPN

jack samuel — Sat, 05 May 2012 07:39:43 GMT

Hello Mike,

Still the same, no progress

As u have seen the below in the previous log and u asked me to change the key.

*Mar 1 00:21:11.367: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10 policy

*Mar 1 00:21:11.367: ISAKMP: encryption 3DES-CBC

*Mar 1 00:21:11.367: ISAKMP: hash MD5

*Mar 1 00:21:11.367: ISAKMP: default group 2

*Mar 1 00:21:11.367: ISAKMP: auth pre-share

*Mar 1 00:21:11.367: ISAKMP: life type in seconds

*Mar 1 00:21:11.367: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Mar 1 00:21:11.367: ISAKMP:(0):Preshared authentication offered but does not match policy!

ALSO i have seen the below in the previous logs:

*Mar 1 00:21:11.383: ISAKMP:(0):Checking ISAKMP transform 18 against priority 65535 policy

*Mar 1 00:21:11.383: ISAKMP: encryption 3DES-CBC

*Mar 1 00:21:11.383: ISAKMP: hash MD5

*Mar 1 00:21:11.383: ISAKMP: default group 2

*Mar 1 00:21:11.383: ISAKMP: auth pre-share

*Mar 1 00:21:11.383: ISAKMP: life type in seconds

*Mar 1 00:21:11.387: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B

*Mar 1 00:21:11.387: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Mar 1 00:21:11.387: ISAKMP:(0):atts are not acceptable. Next payload is 3

I have attached the new logs as per ur request to change the key.

Easy VPN

Maykol Rojas — Sat, 05 May 2012 22:31:17 GMT

Jack,

Well, got tired and rack it up.... my mistake I didnt see it earlier. You have all the isamkp authorization, authentication and address respond on a crypto map that is not applied. (my dynmap) The dynamic crypto map is only used for setting up RRI and also setting up the Transform set, all other isakmp parameters are configured on the interface crypto map, that being said, please apply the folllowing changes:

R2(config)#no crypto map mydynmap client authentication list vpnauthen

R2(config)#no crypto map mydynmap isakmp authorization list vpnauthor

R2(config)#no crypto map mydynmap client configuration address respond

R2(config)#crypto map cisco client authentication list vpnauthen

R2(config)#crypto map cisco isakmp authorization list vpnauthor

R2(config)#crypto map cisco client configuration address respond

Afer that, your Router one will go completely crazy with the following errors:

*Mar 1 00:16:01.615: EZVPN(myvpn) Server does not allow save password option,

enter your username and password manually

*Mar 1 00:16:01.615: EZVPN(myvpn): *** Logic Error ***

*Mar 1 00:16:01.619: EZVPN(myvpn): Current State: READY

*Mar 1 00:16:01.619: EZVPN(myvpn): Event: MODE_CONFIG_REPLY

*Mar 1 00:16:01.619: EZVPN(myvpn): Resetting the EZVPN state machine to recover

That is because, you are not allowing save password on the group configuration, so add the following:

crypto isakmp client configuration group easyvpn

save-password.

That will do it, let me know how it goes.

Mike

Re: Easy VPN

jack samuel — Mon, 07 May 2012 21:04:58 GMT

Thanks Mike.

The VPN is UP .

But can u explain me the where did you find the issue in the logs.

I have configured the easy vpn through refering this book Network.Security.Technologies.and.Solutions.

The author showed here how to configure the Easy vpn and he applied the dynamic map to the above commands what u ask me to changed.

This means the book is mis leading us.

Easy VPN

Maykol Rojas — Mon, 07 May 2012 23:29:22 GMT

That one goes by Yusuff Right? I used that for my written CCIE and I have been using it for the practical exam that I have. Which Page did you see that?

Basically the issue is found when the presented group doesnt match any of the profiles.

Mike

Re: Easy VPN

jack samuel — Tue, 08 May 2012 05:45:07 GMT

Hello,

I saw in Chapter 15 IPSec VPN in section Implementing IPSec VPN and in sub topic Cisco Easy VPN.

Basically the issue is found when the presented group doesnt match any of the profiles

So the solution u provided me from ur expierience and not seen anything from the logs????

Please reply,

Easy VPN

Maykol Rojas — Tue, 08 May 2012 06:14:46 GMT

I just opened my book and yet you are right. Weird, maybe is an old version of IOS or something. Not quite sure, here is the example most used:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

And regarding to your question, not really. You see in Agressive mode (that is mainly used on EasyVPN techologies) The client sends all the information on the first message. Then the router checks for the information send by the client and replies with its own information once it is found based on the first packet sent by the client, that mainly contains the identity, and group.

You see that none of the proposals were accepted, and that is because the Router did not found the group in order to match the pre-shared key send by the Initiator.

You can read more about it here

https://supportforums.cisco.com/docs/DOC-8125#comment-11760

Mike