05-04-2012 02:07 PM - edited 03-11-2019 04:02 PM
Dears,
Diagram,
Branch LAN
| |
R1----------------------R2---------------------R3
I am trying to establish a VPN connection from Branch LAN (R1) to R2 acting as an Easy VPN server. R1 is doing PAT for the branch users to go on the internet, and for accessing the HO resources they should go through a VPN. R1 is acting in client mode.
The tunnels are not coming up. Attached are the configs and the debugs, please help.
05-05-2012 03:31 PM
Jack,
Well, got tired and racked it up.... my mistake, I didn't see it earlier. You have all the isakmp authorization, authentication and address respond on a crypto map that is not applied (mydynmap). The dynamic crypto map is only used for setting up RRI and also setting up the transform set; all other isakmp parameters are configured on the interface crypto map. That being said, please apply the following changes:
R2(config)#no crypto map mydynmap client authentication list vpnauthen
R2(config)#no crypto map mydynmap client authentication list vpnauthen
R2(config)#no crypto map mydynmap isakmp authorization list vpnauthor
R2(config)#no crypto map mydynmap client configuration address respond
R2(config)#crypto map cisco client authentication list vpnauthen
R2(config)#crypto map cisco isakmp authorization list vpnauthor
R2(config)#crypto map cisco client configuration address respond
After that, your Router one will go completely crazy with the following errors:
*Mar 1 00:16:01.615: EZVPN(myvpn) Server does not allow save password option,
enter your username and password manually
*Mar 1 00:16:01.615: EZVPN(myvpn): *** Logic Error ***
*Mar 1 00:16:01.619: EZVPN(myvpn): Current State: READY
*Mar 1 00:16:01.619: EZVPN(myvpn): Event: MODE_CONFIG_REPLY
*Mar 1 00:16:01.619: EZVPN(myvpn): Resetting the EZVPN state machine to recover
That is because you are not allowing save password on the group configuration, so add the following:
crypto isakmp client configuration group easyvpn
save-password
That will do it, let me know how it goes.
Mike
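The placement Mike describes, pulled together into one R2 configuration as an added example (this is not the thread's attached config): the dynamic map carries only the transform set and RRI, the client authentication, isakmp authorization and address respond sit on the static map that is applied to the interface, and the group carries save-password. The map, list and group names (mydynmap, cisco, vpnauthen, vpnauthor, easyvpn) are taken from the thread; the pool, transform-set, username, key, address range and interface are constructed placeholders.

```cisco
! R2 - Easy VPN server (added example, constructed values marked below)
aaa new-model
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
! constructed xauth credential
username branchuser password 0 EXAMPLE-PASSWORD
!
! Phase 1 policy matching what R1 proposes in the debugs (3DES/MD5/group 2).
! 3DES and MD5 are legacy algorithms, kept here only to match the thread.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! In aggressive mode the group name in R1's ID payload must match this
! group name, otherwise no pre-shared key is found and every proposal fails.
crypto isakmp client configuration group easyvpn
 key EXAMPLE-GROUP-KEY
 pool ezvpn-pool
 save-password
!
! constructed pool name and address range
ip local pool ezvpn-pool 192.0.2.10 192.0.2.50
!
! constructed transform-set name
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! Dynamic map: only the transform set and RRI belong here.
crypto dynamic-map mydynmap 10
 set transform-set myset
 reverse-route
!
! Client auth/authz and mode-config reply go on the static map that is
! applied to the interface, not on the dynamic map.
crypto map cisco client authentication list vpnauthen
crypto map cisco isakmp authorization list vpnauthor
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic mydynmap
!
! constructed interface name
interface FastEthernet0/0
 crypto map cisco
```

Once applied, `show crypto map` on R2 should list the client authentication and authorization lists under the map named cisco, and `show crypto isakmp sa` should show the R1 peer reaching QM_IDLE.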
05-04-2012 03:36 PM
mmm,
Preshared authentication offered but does not match policy.
Can you Change the preshared key to something else that is not cisco?
Mike
05-05-2012 12:39 AM
Hello Mike,
Still the same, no progress
As you have seen the below in the previous log and you asked me to change the key.
*Mar 1 00:21:11.367: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10 policy
*Mar 1 00:21:11.367: ISAKMP: encryption 3DES-CBC
*Mar 1 00:21:11.367: ISAKMP: hash MD5
*Mar 1 00:21:11.367: ISAKMP: default group 2
*Mar 1 00:21:11.367: ISAKMP: auth pre-share
*Mar 1 00:21:11.367: ISAKMP: life type in seconds
*Mar 1 00:21:11.367: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:21:11.367: ISAKMP:(0):Preshared authentication offered but does not match policy!
Also I have seen the below in the previous logs:
*Mar 1 00:21:11.383: ISAKMP:(0):Checking ISAKMP transform 18 against priority 65535 policy
*Mar 1 00:21:11.383: ISAKMP: encryption 3DES-CBC
*Mar 1 00:21:11.383: ISAKMP: hash MD5
*Mar 1 00:21:11.383: ISAKMP: default group 2
*Mar 1 00:21:11.383: ISAKMP: auth pre-share
*Mar 1 00:21:11.383: ISAKMP: life type in seconds
*Mar 1 00:21:11.387: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Mar 1 00:21:11.387: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Mar 1 00:21:11.387: ISAKMP:(0):atts are not acceptable. Next payload is 3
I have attached the new logs as per your request to change the key.
05-07-2012 02:04 PM
Thanks Mike.
The VPN is UP .
This means the book is misleading us.
Tx
05-07-2012 04:29 PM
That one goes by Yusuff Right? I used that for my written CCIE and I have been using it for the practical exam that I have. Which Page did you see that?
Basically the issue is found when the presented group doesn't match any of the profiles.
Mike
05-07-2012 10:45 PM
Hello,
So the solution you provided me was from your experience and not from seeing anything in the logs?
Please reply,
Tx
05-07-2012 11:14 PM
I just opened my book and yet you are right. Weird, maybe it is an old version of IOS or something. Not quite sure, here is the example most used:
And regarding your question, not really. You see, in Aggressive mode (that is mainly used on EasyVPN technologies) the client sends all the information in the first message. Then the router checks the information sent by the client and replies with its own information once it is found, based on the first packet sent by the client, that mainly contains the identity and group.
You see that none of the proposals were accepted, and that is because the router did not find the group in order to match the pre-shared key sent by the Initiator.
You can read more about it here
https://supportforums.cisco.com/docs/DOC-8125#comment-11760
Mike