07-21-2003 06:27 AM - edited 03-09-2019 04:07 AM
Hi folks,
We have a number of VPN clients connecting in with no problems, but in addition we have a site-to-site VPN connection that needs xauth turned off. The PIX config is as follows (no real IPs or keys included!) -
crypto ipsec transform-set test esp-des esp-md5-hmac
crypto dynamic-map testmap 10 set transform-set test
crypto map ourmap 10 ipsec-isakmp dynamic testmap
crypto map ourmap client authentication authinbound
crypto map ourmap interface outside
isakmp enable outside
isakmp key secretkey address xxx.1.1.1 netmask xxx.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp client configuration address-pool local ip_pool outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup testgroup address-pool ip_pool
vpngroup testgroup dns-server 2.2.2.2 2.2.2.3
vpngroup testgroup wins-server 3.3.3.3 3.3.3.4
vpngroup testgroup idle-time 1800
vpngroup testgroup password secretkey
and on the remote router (an 837)
crypto ipsec client ezvpn test
connect auto
group testgroup key 0 secretkey
mode network-extension
peer 5.5.5.5
The problem is that the console on the 837 still prompts for a userid/password even with the no-xauth statement on the PIX. (If I enter a valid userid/password then everything works perfectly).
If I look at the connection after putting in the userid/password with "sh cry eng con act" the IP address definitely matches the one entered in the PIX for no-xauth.
Have I got the syntax wrong somewhere?
many thanks,
Andrew Burns
07-25-2003 07:25 AM
Hi Andrew,
Please try issuing the following two commands:
crypto isakmp key test address 0.0.0.0 0.0.0.0 no-xauth
no crypto isakmp key test address 0.0.0.0 0.0.0.0 no-xauth
07-25-2003 08:15 AM
Hi Ursula,
I finally got a reply from Cisco about this issue, summarised as follows:
"It's not possible to use ezvpn without xauth if xauth is enabled for vpnclients - to do this you need to manually create the VPN, making sure the crypto map sequence number is less than the one assigned to the dynamic crypto map."
I did this and it now works fine.
thanks,
Andrew.
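For readers hitting the same thing, here is an added configuration example (not from the thread or from Cisco's reply) of what "manually create the VPN with a sequence number below the dynamic map" looks like on both ends. It reuses the names and peer addresses already in the thread (ourmap, testmap, test, xxx.1.1.1, 5.5.5.5) and assumes hypothetical LANs of 10.1.0.0/16 behind the PIX and 10.2.0.0/16 behind the 837, an ACL name 837-vpn, and a crypto map name pixmap on the router; adjust those to your own network.

```cisco
! ---- PIX (6.x syntax), added example, not the original poster's config ----
! Hypothetical LANs: 10.1.0.0/16 behind the PIX, 10.2.0.0/16 behind the 837.
access-list 837-vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! keep the site-to-site traffic out of NAT
nat (inside) 0 access-list 837-vpn
! Static entry at sequence 5: lower than the dynamic entry at 10, so the PIX
! tries this peer-specific entry first and only falls through to the
! dynamic map (and its client xauth policy) for the remote-access clients.
crypto map ourmap 5 ipsec-isakmp
crypto map ourmap 5 match address 837-vpn
crypto map ourmap 5 set peer xxx.1.1.1
crypto map ourmap 5 set transform-set test
! existing dynamic entry and client authentication stay as they were
crypto map ourmap 10 ipsec-isakmp dynamic testmap
crypto map ourmap client authentication authinbound
crypto map ourmap interface outside
! address-keyed pre-shared key for the 837 with xauth and mode-config disabled
isakmp key secretkey address xxx.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode

! ---- Cisco 837 (IOS), added example: replace the EzVPN client with a plain
! ---- crypto map so the router negotiates as an ordinary address-keyed peer ----
no crypto ipsec client ezvpn test
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretkey address 5.5.5.5
crypto ipsec transform-set test esp-des esp-md5-hmac
! IOS ACLs use wildcard masks, unlike the PIX ACL above
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map pixmap 10 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set test
 match address 101
! hypothetical WAN interface; apply the map wherever your outside address lives
interface Dialer1
 crypto map pixmap
```

The point of the ordering is that the PIX walks crypto map entries by sequence number, so the peer-specific static entry is matched before the catch-all dynamic entry that the remote-access clients use. The router side also has to stop using EzVPN: the EzVPN client identifies itself by group name and expects mode-config and xauth, which is exactly what the dynamic map plus vpngroup is set up to serve, so the no-xauth key entry never gets a chance to apply while the 837 is in EzVPN client mode. Note that the transform set (esp-des esp-md5-hmac) and ISAKMP policy on the 837 must match the PIX entries from the original post, and that on the PIX the static entry's key lookup by address only works if the 837's outside address really is fixed at xxx.1.1.1.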