489 Views, 0 Helpful, 1 Reply

IOS EZVPN and VPN 3k using external groups

diptanshusingh (Level 1)

Hi folks, I was trying to configure IOS Easy VPN with a VPN concentrator. I am using an external group which is configured on an ACS server. The configuration for the IOS Easy VPN client is:

! IKE phase 1 policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Easy VPN Remote profile (network-extension mode)
crypto ipsec client ezvpn ezvpn_cfg
 connect manual
 group ezvpn key ezvpn
 mode network-extension
 peer x.x.x.x
!
! inside (LAN) interface
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 crypto ipsec client ezvpn ezvpn_cfg inside
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
! outside (WAN) interface
interface Serial0/0.1 point-to-point
 ip address x.x.x.x x.x.x.x
 frame-relay interface-dlci 100
 crypto ipsec client ezvpn ezvpn_cfg

I had configured the VPN concentrator with an external group eazyvpn. I had configured the ACS server with a user eazyvpn, password eazyvpn. The RADIUS attributes configured for this user are:

[3076\012] CVPN3000-IPSec-Sec-Association = ESP-3DES-MD5
[3076\013] CVPN3000-IPSec-Authentication = RADIUS
[3076\016] CVPN3000-IPSec-Allow-Passwd-Store = Allow
[3076\027] CVPN3000-IPSec-Split-Tunnel-List = split_tunnel_list
[3076\030] CVPN3000-IPSec-Tunnel-Type = Remote-Access
[3076\031] CVPN3000-IPSec-Mode-Config = On
[3076\034] CVPN3000-IPSec-Over-UDP = On
[3076\055] CVPN3000-IPSec-Split-Tunneling-Policy = Only tunnel networks in the list
[3076\064] CVPN3000-Allow-Network-Extension-Mode = Yes

Now whenever I try to connect it says phase 2 failed; my quick mode is unsuccessful. The error which comes on the router is below:

12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.31.9.2

ezvpn-router#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2

Tunnel name : ezvpn_cfg
Inside interface list: FastEthernet0/0,
Outside interface: Serial0/0.1
Current State: SS_OPEN
Last Event: SOCKET_READY
Split Tunnel List: 1
       Address    : 10.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0

The logs from the VPN concentrator are as follows:

Group [ezvpn] User [cisco]
PHASE 1 COMPLETED

324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
Group [ezvpn] User [cisco]
Received remote IP Proxy Subnet data in ID Payload:
Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0

327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0

330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
Group [ezvpn] User [cisco]
IKE Remote Peer configured for SA: ESP-3DES-MD5

331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!

NOTE: the configuration works fine when I use client mode. It fails when I change to NEM.

1 Reply
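As an added example, not part of the post above or of any Cisco tool, the script below parses the two artefacts the poster quoted, the ACS VSA listing and the VPN 3000 event log, groups the log lines into events, pulls out the Quick Mode proxy identities and the QM FSM error entry, and reports whether the group attributes a network-extension-mode client relies on carry the values the post lists. The sample inputs are constructed from the post (abridged, with the peer addresses still masked as x.x.x.x); the header and attribute line formats are taken from the post as shown, and the checks in nem_prerequisites only report which of the listed attribute values are present, not why the poster's Quick Mode fails.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the ACS attribute listing in the post (abridged). Vendor 3076 is the VPN 3000
# (Altiga) RADIUS vendor ID; ACS prints "[vendor\attribute] name" on one line, the value on the next.
ACS_LISTING = r"""
[3076\012] CVPN3000-IPSec-Sec-Association
ESP-3DES-MD5
[3076\027] CVPN3000-IPSec-Split-Tunnel-List
split_tunnel_list
[3076\030] CVPN3000-IPSec-Tunnel-Type
Remote-Access
[3076\031] CVPN3000-IPSec-Mode-Config
On
[3076\055] CVPN3000-IPSec-Split-Tunneling-Policy
Only tunnel networks in the list
[3076\064] CVPN3000-Allow-Network-Extension-Mode
Yes
"""
# Abridged VPN 3000 event log constructed from the post; the first entry has lost its header line, as in the post.
VPN3000_LOG = """
Group [ezvpn] User [cisco]
PHASE 1 COMPLETED
324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
Group [ezvpn] User [cisco]
Received remote IP Proxy Subnet data in ID Payload:
Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
"""

VSA_RE = re.compile(r"^\[(\d+)\\(\d+)\]\s+(\S+)$")
HEADER_RE = re.compile(r"^(\d+)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3})\s+SEV=(\d+)\s+(\w+)/(\d+)\s+RPT=\d+\s+\S+$")
GROUP_RE = re.compile(r"^Group \[(.*?)\] User \[(.*?)\]$")
PROXY_RE = re.compile(r"^Received (remote|local) IP Proxy Subnet data in ID Payload:$")
ADDR_RE = re.compile(r"^Address ([^\s,]+), Mask ([^\s,]+),?\s+Protocol (\d+), Port (\d+)$")  # comma after Mask optional

def parse_acs_vsas(text: str) -> dict[str, tuple[int, int, str]]:
    """ACS VSA listing -> {attribute name: (vendor id, attribute number, value)}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    out = {}
    for hdr, val in zip(lines[0::2], lines[1::2]):   # header line, then its value line
        m = VSA_RE.match(hdr)
        if not m:
            raise ValueError(f"not a VSA header line: {hdr!r}")
        out[m[3]] = (int(m[1]), int(m[2]), val)
    return out

@dataclass
class Event:
    seq: int | None = None      # None for message lines seen before any header line
    ts: str | None = None
    sev: int | None = None
    cls: str | None = None      # event class: IKE, IKEDBG, ...
    msg_id: int | None = None
    group: str | None = None
    user: str | None = None
    text: list[str] = field(default_factory=list)

def parse_vpn3000_log(text: str) -> list[Event]:
    """Group log lines into events: header line, 'Group [..] User [..]' line, message lines."""
    events: list[Event] = []
    cur = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER_RE.match(line):
            events.append(cur := Event(int(m[1]), m[2], int(m[3]), m[4], int(m[5])))
        else:
            if cur is None:                          # orphaned lines before the first header
                events.append(cur := Event())
            if g := GROUP_RE.match(line):
                cur.group, cur.user = g[1], g[2]
            else:
                cur.text.append(line)
    return events

def phase2_proxies(events: list[Event]) -> dict[str, tuple[str, str]]:
    """Quick Mode proxy IDs the concentrator logged, keyed 'remote' / 'local' -> (address, mask)."""
    out = {}
    for ev in events:
        if len(ev.text) >= 2 and (p := PROXY_RE.match(ev.text[0])) and (a := ADDR_RE.match(ev.text[1])):
            out[p[1]] = (a[1], a[2])
    return out

def quick_mode_failures(events: list[Event]) -> list[Event]:
    return [ev for ev in events if ev.cls == "IKEDBG" and any("QM FSM error" in t for t in ev.text)]

def nem_prerequisites(vsas: dict[str, tuple[int, int, str]]) -> dict[str, bool]:
    """Group attributes a network-extension-mode client relies on, with the values the post sets."""
    want = {"CVPN3000-Allow-Network-Extension-Mode": "Yes", "CVPN3000-IPSec-Tunnel-Type": "Remote-Access",
            "CVPN3000-IPSec-Mode-Config": "On"}
    return {k: k in vsas and vsas[k][2] == v for k, v in want.items()}

if __name__ == "__main__":
    vsas, events = parse_acs_vsas(ACS_LISTING), parse_vpn3000_log(VPN3000_LOG)
    print(nem_prerequisites(vsas), phase2_proxies(events), sep="\n")
    for ev in quick_mode_failures(events):
        print(f"#{ev.seq} {ev.ts} SEV={ev.sev} {ev.cls}/{ev.msg_id}: {ev.text[0]}")
```

Run it as-is to see the three reports for the post's data, or replace the two constants with your own ACS export and the concentrator's filtered event log. Because the parser keeps the orphaned lines before the first header as their own event, a log copied without its leading header (as in the post) is still grouped correctly, and the side-by-side remote/local proxy IDs are what you compare against the router's inside subnet and split-tunnel list when Quick Mode fails.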

irisrios (Level 6)

Refer to the document "Configuring the Cisco VPN 3000 Concentrator to a Cisco Router"

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml