CISCO831 as EzVPN client to 3030 Concentrator

jgodfr
Level 1

I have configured a CISCO831 router to act as VPN client that should connect to a 3030 concentrator. To make the configuration I have used the following documents:

http://www.cisco.com/en/US/customer/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080189133.shtml

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_configuration_example09186a008019d6df.shtml

http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

But there is no tunnel and I constantly get the console message:

A pre-shared key for address mask aaa.bbb.ccc.ddd 255.255.255.255 already exists

Has anyone encountered this issue and how could it be solved?

Thanx.

Greetinx

Johan.

8 Replies

ehirsel
Level 6

I assume that the message is appearing on the console of the 831 device. Run the show cry isakmp key command and let me know what you get.

You are right. The message popped up on the console of the 831 device.

The output of the show crypto isakmp key command is as follows:

PSiebeV1#show cry isakmp key

Keyring Hostname/Address Preshared Key

default aaa.bbb.ccc.ddd ********

The Address is the same as the one in the message that I got on the console.

In addition, I did some debugging as well. Attached is the output of the following debug commands:

* debug crypto ipsec client ezvpn

* debug crypto ipsec

* debug crypto isakmp

For security reasons, I have replaced the IP address with XXX.XXX.XXX.XXX (this is the same address as the aaa.bbb.ccc.ddd mentioned in the previous posts)

I also replaced the group id with XXXXXX.

Greetinx

Johan.

If you have statements similar to those below on the 831 router, and I assume that you do since you referred to the EZVPN setup docs, then remove the isakmp key by running this command:

no crypto isakmp key keyname address aaa.bbb.ccc.ddd

I think the pre-share key and the password defined on the group statement are conflicting. For EZVPN the group should be the source of the key, not the isakmp statement. Try doing that and let me know what you find.

crypto ipsec client ezvpn SJVPN
 !--- Tunnel control; automatic is the default.
 connect auto
 group turaro key tululo
 mode network-extension
 peer 172.16.172.41
!
interface Loopback0
 ip address 192.168.254.1 255.255.255.0

I never defined a preshared key using the crypto isakmp command.

I have tried the no crypto isakmp ... command but the key pops back again automatically. (it shows up when I do the "show crypto isakmp key" command after I remove it using the no crypto isakmp .... command)

This seems really weird since I got the same problem with a 1721 router now. I have also checked the configuration of the concentrator but to no avail.

Did you manage to resolve this, as this is the exact same problem I am experiencing and have just posted about. Your debugs posted are the same too.

Alas, I am sorry to say that the problem is not solved. We will probably drop this test and won't put in any more time.

I have subscribed to your thread. Maybe someone replies on that one.

I've not got a fix but am getting the same thing. One consideration is that the message I get is

*Mar 1 00:01:02.307: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 216.94.28.34 A pre-shared key for address mask 216.x.x.x.255.255.255 already exists!:

I do have a different LAN-to-LAN tunnel which uses the same IP address as its peer. I'm not trying to set up an additional remote VPN connection to the same peer using ezvpn on a cisco 831 router. Can't get past this repeating error though. Grrr....
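
Added example, not part of any post in this thread and not Cisco's code: a Python check over a saved running-config for the overlap the last post describes, an EzVPN peer address that also appears in a static crypto isakmp key line or as a crypto map peer. The sample config, its names, keys and addresses are constructed, and the thread does not confirm that this overlap is the cause of the message.

```python
import re

# Constructed sample running-config (not taken from the thread). Addresses are
# documentation ranges; key strings and names are made up.
SAMPLE_CONFIG = """\
crypto isakmp key ExampleKey1 address 192.0.2.10
crypto isakmp key ExampleKey2 address 198.51.100.7 255.255.255.255
!
crypto ipsec client ezvpn SJVPN
 connect auto
 group examplegroup key ExampleKey3
 mode network-extension
 peer 192.0.2.10
!
crypto map L2L 10 ipsec-isakmp
 set peer 192.0.2.10
"""

KEY_RE = re.compile(r"^crypto isakmp key .+? address (\S+)")

def find_psk_overlaps(config_text):
    """Report EzVPN peers that also have a static ISAKMP key or crypto map peer.
    Key strings are never copied into the findings."""
    static_keys, map_peers, ezvpn_peers = set(), {}, {}
    section = ""
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue  # blank lines, separators and !--- comments
        if not raw[0].isspace():  # top-level command starts a new section
            section = " ".join(words)
            m = KEY_RE.match(section)
            if m:
                static_keys.add(m.group(1))
        elif (section.startswith("crypto ipsec client ezvpn ")
              and words[0] == "peer" and len(words) >= 2):
            ezvpn_peers.setdefault(words[1], []).append(section.split()[-1])
        elif (section.startswith("crypto map ")
              and words[:2] == ["set", "peer"] and len(words) >= 3):
            map_peers.setdefault(words[2], []).append(section.split()[2])
    return [{"peer": p, "ezvpn_profiles": profs,
             "static_isakmp_key": p in static_keys,
             "crypto_maps": map_peers.get(p, [])}
            for p, profs in sorted(ezvpn_peers.items())
            if p in static_keys or p in map_peers]

if __name__ == "__main__":
    for finding in find_psk_overlaps(SAMPLE_CONFIG):
        print(finding)
```

A key that IOS installs dynamically for the EzVPN group, as in the first poster's case, does not appear in the saved config, so an empty result here does not rule out the runtime entry shown by show crypto isakmp key.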