07-15-2017 11:03 AM
Hi guys.
I'm configuring easyvpn between two cisco routers where:
cisco c891f - hub
cisco c877w - spoke
connection schema looks like:
lan1 <> int e0 - c877w - int Dot11Radio0 <> non cisco wireless access point (35fg4AP) <> WAN <> int g7 - cisco c891f - int g0 LAN2
configs:
===============
c877w (spoke)
===============
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 30 20
crypto ipsec client ezvpn ENEZVPN
 connect auto
 ctcp port 8443
 group ENEZVPN key Welcome1!
 mode network-extension
 peer vpn.xxxxx.org
 virtual-interface 1
 xauth userid mode interactive
interface Loopback0
 description -= EIGRP-ID =-
 ip address 10.0.1.1 255.255.255.255
 crypto ipsec client ezvpn ENEZVPN inside
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
interface Dot11Radio0
 description -= outside WBR 2 management AP =-
 ip address dhcp
 ip nat outside
 encryption mode ciphers aes-ccm
 ssid 35fg4AP
 station-role non-root
 crypto ipsec client ezvpn ENEZVPN
interface Vlan10
 ip address 192.168.174.1 255.255.255.240
 crypto ipsec client ezvpn ENEZVPN inside
interface Vlan60
 ip address 192.168.174.33 255.255.255.240
 crypto ipsec client ezvpn ENEZVPN inside
router eigrp 172
 network 10.0.1.1 0.0.0.0
 network 192.168.174.0 0.0.0.15
 network 192.168.174.32 0.0.0.7
===============
c891f (HUB)
===============
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ENEZVPN
 key Welcome1!
crypto isakmp profile ENEZVPN-ISAKMP-PROFILE
 match identity group ENEZVPN
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set ENEZVPN-TS ah-md5-hmac esp-3des
 mode tunnel
crypto ipsec profile ENEZVPN-IPSEC-PROFILE
 set transform-set ENEZVPN-TS
 set isakmp-profile ENEZVPN-ISAKMP-PROFILE
crypto ctcp keepalive 60
crypto ctcp port 8443
interface Loopback0
 description -= EIGRP-ID =-
 ip address 10.0.0.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ENEZVPN-IPSEC-PROFILE
interface Vlan10
 ip address 192.168.172.1 255.255.255.240
 ip nat inside
interface Vlan60
 ip address 192.168.172.33 255.255.255.240
 ip nat inside
interface GigabitEthernet8
 description -= outside interface =-
 ip address dhcp
 ip nat outside
ip nat inside source list acl4nat interface GigabitEthernet8 overload
ip access-list extended acl4nat
 deny ip 192.168.172.0 0.0.0.63 192.168.174.0 0.0.0.63
 permit ip 192.168.172.0 0.0.0.63 any
 deny ip any any
router eigrp 172
 network 10.0.0.1 0.0.0.0
 network 192.168.172.0 0.0.0.15
 network 192.168.172.16 0.0.0.15
Finally, from the client c877w I see the following:
gate-cottage(config)#do pin vpn.xxxxx.org
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.xx.xxx.59, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/33/36 ms
c877w(config)#
c877w(config)#do sh cry ips cli e
Easy VPN Remote Phase: 8
Tunnel name : ENEZVPN
Inside interface list: Loopback0, Vlan10, Vlan60
Outside interface: Virtual-Access1 (bound to Dot11Radio0)
Current State: IDLE
Last Event: TUNNEL_NO_PUBLIC_IP_ADD
Save Password: Disallowed
Current EzVPN Peer: vpn.xxxxx.org (cTCP encapsulated)
c877w(config)#
From the c891f side I don't see any attempt to establish the ezvpn tunnel from the c877w side.
Any idea what's going on?
Thank you.
07-18-2017 12:11 PM
Hi Andriy Sidko,
Have you created the username and password on the HUB side?
Try changing "xauth userid mode interactive" to "xauth userid mode local" under the spoke configuration,
and define the username and password under the VPN client config. The following is a sample config.
crypto ipsec client ezvpn ENEZVPN
 xauth userid mode local
 username xxxxx password xxxxxx (Username/password you created at HUB side for this VPN.)