VPN: Network Extension mode not working.

KGrev
Level 4

(Config Attached)

(I also posted this in "Security/vpn" forums but no replies for a few days)

Hi,

I'm doing some testing with a Cisco IR809G connected over a VPN with EzVPN configurations.

If I source the loopback I can ping gateways several hops into my network.

If I source from an interface with an IP on it, I can't see that it is even attempting. I'm monitoring from the firewall, which is also where the VPN terminates. I see traffic from the loopback but none from the G0 or 10.2.244.1 network when the EzVPN is in network extension mode.

(config attached)

I'm needing this device to be able to host a laptop in a remote location.

Any advice is greatly appreciated.

9 Replies

Hello,

How do you source the tunnel traffic when you use the loopback? Do you have the line below (marked with -->, in bold in the original) in your config?

crypto ipsec client ezvpn RMCSPROBE
--> local-address loopback0
connect auto
group RMCS_BitProbe key 6 []MXReecNAVEYP[^QNgUIfTENBGAAB
mode network-extension
peer 10.2.0.114
virtual-interface 2
username rmcsprobe-sec password 6 NKTgOO[ffJhXeHXX`IUNMdCZWacKOe^LhbNETDBURRAAB
xauth userid mode local

George,

I do not have that line added to that section. Can you tell me what exactly it does?

When I mentioned "sourcing" earlier I meant "ping *gateway* source loopback 0" style of sourcing a ping.

Thank you for your help.

Hello,

The command mentioned sources the tunnel traffic from the specified interface, Loopback0 in your case.

Try to add that line and ping again sourcing from Loopback0...

OK Georg, I'll add that in and get back to you shortly.

Georg,

When I add that line my VPN is disconnected.

The log on the device reads "user connect request ignored, tunnel rmcsprobe endpoint not ready for request".

I've attached a picture also.

20210902_143356.jpg

Hello,

What if you configure:

interface Virtual-Template2 type tunnel
--> ip unnumbered Loopback0
ip access-group ACL-INFRASTRUCTURE-IN in
ip access-group ACL-INFRASTRUCTURE-OUT out
tunnel mode ipsec ipv4

Georg,

Working through it.

When I try to edit Virtual-Template 2, it tells me that "virtual-template config is locked, active vaccess present".

Also, I was doing some googling and came across a Reddit user with a similar problem.

https://www.reddit.com/r/Cisco/comments/40j1v8/ezvpn_tunnel_issue_endpoint_not_ready/

I have not yet done proper debugging to see if our debug messages match up. But I did go into the group policy on the ASA and verified that it is checked for IKEv1 and 2.

Again, thanks for your assistance.

Georg,

Here is a picture of some of the debug information.

20210902_153238.jpg

(Sorry, accidentally marked your reply as a solution for a moment there)

Georg,

So I'm finally able to have a virtual template with ip unnumbered loopback 0.

Since I couldn't edit Virtual-Template 2, I ended up having to create crypto ipsec transform sets, a crypto ipsec profile, Virtual-Template 4, and a crypto ikev2 keyring.

By some miracle I think I did it right, since I swapped the EzVPN over to Virtual-Template 4, it renegotiated for a moment and it's back online.

However, if I do a ping and source my G0 interface, which has a different network on it, it doesn't make it to the firewall through the VPN.

"ping 10.2.6.254 source 10.2.244.1" fails, while the loopback is able to ping 10.2.6.254.

Again Georg, thanks for helping me.
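As an added configuration sketch (not the poster's attached config and not Cisco documentation), here are the pieces discussed in this thread combined into one EzVPN remote in network-extension mode. The profile, group, ACL and interface names and the addresses 10.2.0.114 and 10.2.244.1 come from the posts; the key and password placeholders, the WAN interface name and address, and the loopback address are assumptions. The `inside`/`outside` designations on the interfaces are not mentioned anywhere in the thread: in network-extension mode the EzVPN remote derives the tunnel's proxy identities from the subnets of interfaces marked `inside`, so a LAN interface that is not marked that way has no reason to be carried across the tunnel. The `local-address` line is left out because the poster reports that adding it dropped the tunnel.

```cisco
! Added example, not the poster's running config. Values in <> are placeholders.
crypto ipsec client ezvpn RMCSPROBE
 connect auto
 group RMCS_BitProbe key <group-key>
 mode network-extension
 peer 10.2.0.114
 virtual-interface 2
 username rmcsprobe-sec password <user-password>
 xauth userid mode local
!
! Tunnel interface cloned from the virtual template, addressed from Loopback0
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 tunnel mode ipsec ipv4
!
! Inside interfaces: their subnets are what network-extension mode advertises through the tunnel
interface Loopback0
 ip address <loopback-ip> 255.255.255.255
 crypto ipsec client ezvpn RMCSPROBE inside
!
interface GigabitEthernet0
 ip address 10.2.244.1 255.255.255.0
 crypto ipsec client ezvpn RMCSPROBE inside
!
! Outside (WAN-facing) interface that builds IKE with the peer; interface name assumed
interface GigabitEthernet1
 ip address <wan-ip> <wan-mask>
 crypto ipsec client ezvpn RMCSPROBE outside
```

Two checks that distinguish "not in the tunnel" from "dropped by policy": `show crypto ipsec client ezvpn` lists the inside interfaces the remote is using, and `show crypto ipsec sa` shows the local/remote identities of each IPsec SA, so 10.2.244.0/24 should appear as a local identity once GigabitEthernet0 is inside. If it does and the ping still fails, the ACL-INFRASTRUCTURE-IN/OUT lists applied on the virtual template, and the ASA side's crypto map or group policy for that subnet, are the next places to look, since the thread's firewall capture only shows what reaches the headend.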