Easy VPN

jack samuel
Level 1

Dears,

Diagram,

Branch LAN

| |

R1----------------------R2---------------------R3

I am trying to establish a VPN connection from Branch LAN (R1) to R2 acting as an Easy VPN server. R1 is doing PAT for the branch users to go on the internet, and for accessing the HO resources they should access through a VPN. R1 is acting in client mode.

The tunnels are not coming up, Attached are the configs, and the debugs,please help.

1 Accepted Solution


Jack,

Well, got tired and racked it up.... my mistake, I didn't see it earlier. You have all the isakmp authorization, authentication and address respond on a crypto map that is not applied (mydynmap). The dynamic crypto map is only used for setting up RRI and also setting up the transform set; all other isakmp parameters are configured on the interface crypto map. That being said, please apply the following changes:

R2(config)#no crypto map mydynmap client authentication list vpnauthen

R2(config)#no crypto map mydynmap isakmp authorization list vpnauthor

R2(config)#no crypto map mydynmap client configuration address respond

R2(config)#crypto map cisco client authentication list vpnauthen

R2(config)#crypto map cisco isakmp authorization list vpnauthor

R2(config)#crypto map cisco client configuration address respond

After that, your Router one will go completely crazy with the following errors:

*Mar  1 00:16:01.615: EZVPN(myvpn) Server does not allow save password option, enter your username and password manually

*Mar  1 00:16:01.615: EZVPN(myvpn): *** Logic Error ***

*Mar  1 00:16:01.619: EZVPN(myvpn): Current State: READY

*Mar  1 00:16:01.619: EZVPN(myvpn): Event: MODE_CONFIG_REPLY

*Mar  1 00:16:01.619: EZVPN(myvpn): Resetting the EZVPN state machine to recover

That is because, you are not allowing save password on the group configuration, so add the following:

crypto isakmp client configuration group easyvpn

 save-password

That will do it, let me know how it goes.

Mike

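An added example (not Jack's attached config or the book's) of how the R2 server side fits together after Mike's changes: ISAKMP client authentication, authorization and address respond sit on the interface crypto map cisco, the dynamic map mydynmap only carries the transform set and RRI, and the group carries save-password. The AAA list types, isakmp policy values (mirroring the 3DES/MD5/group 2/pre-share proposal in the debugs), pool, username, key and interface are assumed placeholders.

```ios
! Added example: minimal Easy VPN server config for R2 (assumed values marked <...>)
aaa new-model
aaa authentication login vpnauthen local
aaa authorization network vpnauthor local
username <xauth-user> secret <xauth-password>
!
! Matches the proposal seen in the debugs (3DES, MD5, group 2, pre-share)
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Group name and key are what the client presents in aggressive mode message 1.
! save-password is what stops the MODE_CONFIG_REPLY "Logic Error" on R1.
crypto isakmp client configuration group easyvpn
 key <group-preshared-key>
 pool ezpool
 save-password
!
ip local pool ezpool 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set ezset esp-3des esp-md5-hmac
!
! Dynamic map: only the transform set and RRI belong here
crypto dynamic-map mydynmap 10
 set transform-set ezset
 reverse-route
!
! Interface crypto map: client auth, isakmp authorization and address respond
! go here, not on mydynmap
crypto map cisco client authentication list vpnauthen
crypto map cisco isakmp authorization list vpnauthor
crypto map cisco client configuration address respond
crypto map cisco 10 ipsec-isakmp dynamic mydynmap
!
interface FastEthernet0/0
 ip address <r2-wan-ip> <mask>
 crypto map cisco
```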

Maykol Rojas
Cisco Employee

mmm,

Preshared authentication offered but does not match policy.

Can you change the preshared key to something else that is not cisco?

Mike


Hello Mike,

Still the same, no progress

As you have seen the below in the previous log, and you asked me to change the key.

*Mar  1 00:21:11.367: ISAKMP:(0):Checking ISAKMP transform 18 against priority 10 policy

*Mar  1 00:21:11.367: ISAKMP:      encryption 3DES-CBC

*Mar  1 00:21:11.367: ISAKMP:      hash MD5

*Mar  1 00:21:11.367: ISAKMP:      default group 2

*Mar  1 00:21:11.367: ISAKMP:      auth pre-share

*Mar  1 00:21:11.367: ISAKMP:      life type in seconds

*Mar  1 00:21:11.367: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar  1 00:21:11.367: ISAKMP:(0):Preshared authentication offered but does not match policy!

Also I have seen the below in the previous logs:

*Mar  1 00:21:11.383: ISAKMP:(0):Checking ISAKMP transform 18 against priority 65535 policy

*Mar  1 00:21:11.383: ISAKMP:      encryption 3DES-CBC

*Mar  1 00:21:11.383: ISAKMP:      hash MD5

*Mar  1 00:21:11.383: ISAKMP:      default group 2

*Mar  1 00:21:11.383: ISAKMP:      auth pre-share

*Mar  1 00:21:11.383: ISAKMP:      life type in seconds

*Mar  1 00:21:11.387: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B

*Mar  1 00:21:11.387: ISAKMP:(0):Encryption algorithm offered does not match policy!

*Mar  1 00:21:11.387: ISAKMP:(0):atts are not acceptable. Next payload is 3

I have attached the new logs as per your request to change the key.

Thanks Mike.

The VPN is UP .

  • But can you explain to me where you found the issue in the logs?

  • I have configured the Easy VPN by referring to this book: Network.Security.Technologies.and.Solutions.

  • The author showed there how to configure the Easy VPN, and he applied to the dynamic map the commands you asked me to change.

This means the book is misleading us.

Tx

That one goes by Yusuff Right? I used that for my written CCIE and I have been using it for the practical exam that I have. Which Page did you see that?

Basically the issue is found when the presented group doesn't match any of the profiles.

Mike


Hello,

  • I saw it in Chapter 15 IPSec VPN, in section Implementing IPSec VPN and in sub topic Cisco Easy VPN.

  • "Basically the issue is found when the presented group doesn't match any of the profiles"

          So the solution you provided me came from your experience and not from anything seen in the logs????

Please reply,

Tx

I just opened my book and yes, you are right. Weird, maybe it is an old version of IOS or something. Not quite sure; here is the example most used:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

And regarding your question, not really. You see, in Aggressive mode (that is mainly used on EasyVPN technologies) the client sends all the information in the first message. Then the router checks the information sent by the client and replies with its own information once it is found, based on the first packet sent by the client, which mainly contains the identity and group.

You see that none of the proposals were accepted, and that is because the router did not find the group in order to match the pre-shared key sent by the Initiator.

You can read more about it here

https://supportforums.cisco.com/docs/DOC-8125#comment-11760

Mike
