
cannot bring up easyvpn nem between cisco routers

Andriy Sidko
Level 1

Hi guys.


I'm configuring easyvpn between two cisco routers where:

cisco c891f - hub

cisco c877w - spoke

connection schema looks like:

lan1 <> int e0 - c877w - int Dot11Radio0 <> non cisco wireless access point (35fg4AP) <> WAN <> int g7 - cisco c891f - int g0 LAN2


configs:
===============
c877w (spoke)
===============

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 30 20

crypto ipsec client ezvpn ENEZVPN
 connect auto
 ctcp port 8443
 group ENEZVPN key Welcome1!
 mode network-extension
 peer vpn.xxxxx.org
 virtual-interface 1
 xauth userid mode interactive


interface Loopback0
 description -= EIGRP-ID =-
 ip address 10.0.1.1 255.255.255.255
 crypto ipsec client ezvpn ENEZVPN inside


interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4


interface Dot11Radio0
 description -= outside WBR 2 management AP =-
 ip address dhcp
 ip nat outside
 encryption mode ciphers aes-ccm
 ssid 35fg4AP
 station-role non-root
 crypto ipsec client ezvpn ENEZVPN


interface Vlan10
 ip address 192.168.174.1 255.255.255.240
 crypto ipsec client ezvpn ENEZVPN inside

interface Vlan60
 ip address 192.168.174.33 255.255.255.240
 crypto ipsec client ezvpn ENEZVPN inside

router eigrp 172
 network 10.0.1.1 0.0.0.0
 network 192.168.174.0 0.0.0.15
 network 192.168.174.32 0.0.0.7

===============
c891f (HUB)
===============

crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group ENEZVPN
 key Welcome1!

crypto isakmp profile ENEZVPN-ISAKMP-PROFILE
   match identity group ENEZVPN
   isakmp authorization list default
   client configuration address respond
   virtual-template 1

crypto ipsec transform-set ENEZVPN-TS ah-md5-hmac esp-3des
 mode tunnel

crypto ipsec profile ENEZVPN-IPSEC-PROFILE
 set transform-set ENEZVPN-TS
 set isakmp-profile ENEZVPN-ISAKMP-PROFILE

crypto ctcp keepalive 60
crypto ctcp port 8443


interface Loopback0
 description -= EIGRP-ID =-
 ip address 10.0.0.1 255.255.255.255

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ENEZVPN-IPSEC-PROFILE

interface Vlan10
 ip address 192.168.172.1 255.255.255.240
 ip nat inside

interface Vlan60
 ip address 192.168.172.33 255.255.255.240
 ip nat inside


interface GigabitEthernet8
 description -= outside interface =-
 ip address dhcp
 ip nat outside

ip nat inside source list acl4nat interface GigabitEthernet8 overload
ip access-list extended acl4nat
 deny   ip 192.168.172.0 0.0.0.63 192.168.174.0 0.0.0.63
 permit ip 192.168.172.0 0.0.0.63 any
 deny   ip any any


router eigrp 172
 network 10.0.0.1 0.0.0.0
 network 192.168.172.0 0.0.0.15
 network 192.168.172.16 0.0.0.15

Finally, from client c877w I see the following:

gate-cottage(config)#do pin vpn.xxxxx.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.xx.xxx.59, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/33/36 ms
c877w(config)#
c877w(config)#do sh cry ips cli e
Easy VPN Remote Phase: 8

Tunnel name : ENEZVPN
Inside interface list: Loopback0, Vlan10, Vlan60
Outside interface: Virtual-Access1 (bound to Dot11Radio0)
Current State: IDLE
Last Event: TUNNEL_NO_PUBLIC_IP_ADD
Save Password: Disallowed
Current EzVPN Peer: vpn.xxxxx.org (cTCP encapsulated)

c877w(config)#

From the c891f side I don't see any attempt to establish the ezvpn tunnel from the c877w side.
Any idea what's going on?

Thank you.

1 Reply

Hi Andriy Sidko,

Have you created the username and password at the HUB side?

Try to change "xauth userid mode interactive" to "xauth userid mode local" under the spoke configuration.

And define the username and password under the VPN client config. The following is the sample config.

crypto ipsec client ezvpn ENEZVPN
 xauth userid mode local
 username xxxxx password xxxxxx

(Username/password you created at HUB side for this VPN.)

Spooster IT Services Team