NAT Interface Overload

clark white
Level 2

Dear Experts,

I have a strange issue. My configs were working perfectly on 12.4; when I changed the router to an 887VA with IOS 15.1, the NAT doesn't work for internet traffic.

I have configured the EZVPN client on my new 887VA router connecting to HO. The VPN is established perfectly, but the traffic for the internet stops; when I remove the crypto command from my outside interface it starts translating and the NATting for internet traffic works fine.

35 Replies

Please find the attached.

Dear Peter,

  • Going through your previous email, you mean to say that the client is only authenticated by group and not by Xauth, because once we include the KK group in the crypto isakmp profile client, the authentication fails. If any client in production loses its connection, it requires authentication to connect back again if we keep the KK group in crypto isakmp profile client. For this reason we excluded the authentication and authorization commands from the crypto isakmp profile command.
  • Please correct me if the above understanding is wrong.

crypto isakmp profile client
   match identity group cana
   client authentication list user
   isakmp authorization list group
   client configuration address respond

  • Below are the commands I implemented without changing the existing commands mentioned above. If I keep both, will it affect the routers in production? As of now it is midnight, so nobody is screaming; maybe tomorrow somebody will face a problem.

crypto isakmp profile KK
   match identity group KK
   client configuration address respond

  • The router is not connecting to HO. I tried creating an int lo0 on the client router and tried to ping 4.2.2.2; it pings perfectly but does not connect to HO.

Aug 29 21:59:45.427: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=KK  Server_public_addr=85.85.85.86
Aug 29 21:59:47.055: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 85.85.85.86

Has the client's configuration been changed in any significant way?

No, I didn't change anything.

Experts,

Help please.

Clark,

In Dynagen, I have entered the configuration of your HQ as posted in your last reply, and the suggested configuration of the client, and I did not have issues connecting the client to the HQ. It required entering the username and password on the command line after issuing the crypto ipsec client ezvpn xauth command.

Are you absolutely sure you have posted the correct HQ configuration and used the client configuration as suggested above?

Best regards,

Peter

crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cana
key vpn
dns 10.1.1.2 4.2.2.2
domain wr
pool ippool
acl 102
!
crypto isakmp client configuration group KK
key 123
acl 161
crypto isakmp profile l2l
   match identity address 0.0.0.0
crypto isakmp profile client
   match identity group KK
   client authentication list user
   isakmp authorization list group
   client configuration address respond
!
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set t-set esp-3des esp-sha-hmac

Dear Peter,

Sorry for the delayed reply.

I have posted the correct config for you; the only changes are the public IPs.

"it required entering the username and password on the command line"

I have to create a username and password on the HQ router for authenticating all the branch routers???? And on HQ this username and password should be created in global mode??? And also in the branch routers, where do I have to apply the username and password?

Thanks

Clark,

I have to create username and password on the HQ router for authenticating all the branch routers????

Yes - if you want to keep your requirement stated in an earlier post that the EzVPN shall also authenticate by username/password (the Xauth) and not just by the group name and shared password.

on HQ this username and password should be created in global mode???

Yes - you will use the username user_name privilege 0 secret user_password global level configuration command to create these accounts.

in Branch routers where i have to apply the username and password

If you want these Branch routers to authenticate automatically then this password should be stored in the crypto ipsec client ezvpn configuration section using the username user_name password user_password command. However, the HQ in this case must be configured with the save-password command in its corresponding crypto isakmp client configuration group section. Otherwise, the username and password will need to be input in the Branch router's CLI again and again after restart or connectivity loss using the crypto ipsec client ezvpn xauth privileged EXEC command.

Please note - the primary purpose of the Xauth authentication is to authenticate users, not routers. That is the reason that the username/password needs to be input repeatedly, as it is expected the user comes and goes. Routers are authenticated sufficiently using the EzVPN group shared key, or - if higher security is needed - using X.509 certificates.

Best regards,

Peter
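An added example, not taken from Peter's reply or from Cisco documentation, that puts the two halves of his answer side by side: the HQ group section with save-password plus a privilege 0 user account, and the branch router's EzVPN client section storing its own credentials so it reconnects after a reboot without anyone typing the Xauth command. The group name KK, key 123 and peer address 85.85.85.86 come from the thread; the profile name branch-vpn, the account branch01 and its password, the interface name Dialer0, and the xauth userid mode local line (the client-side mode that tells IOS to use the stored credentials) are assumptions.

```cisco
! --- HQ router (EzVPN server) ---
! Xauth account for one branch router; name and password are placeholders
username branch01 privilege 0 secret Br4nch-Pl4ceholder
!
crypto isakmp client configuration group KK
 key 123
 acl 161
 save-password
! save-password lets the client keep its Xauth password locally;
! without it the branch prompts for credentials after every reconnect
!
! --- Branch router (EzVPN client); profile and interface names are placeholders ---
crypto ipsec client ezvpn branch-vpn
 connect auto
 group KK key 123
 mode client
 peer 85.85.85.86
 username branch01 password Br4nch-Pl4ceholder
 xauth userid mode local
!
interface Dialer0
 crypto ipsec client ezvpn branch-vpn
```

One account per branch (rather than one shared login) keeps the Xauth step meaningful as an audit trail and lets a single router's credentials be revoked on the HQ with one command; the group key 123 is still the only thing authenticating the routers themselves, which is the point Peter makes about certificates.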

Dear Peter,

This means the HQ router config will change, and all 60 branch routers have to be manually visited to change the username and password. OOhhhhhhhhhh.. It is a very risky job, production down, and it should be done at midnight.

I don't want to do Xauth, only router authentication; then what do I have to do? I have to remove the command crypto ipsec client ezvpn xauth from the client configuration.