09-24-2012 01:34 PM - edited 02-21-2020 06:21 PM
Hello,
I would like to know if it's possible to make a VPN IPsec connection as a client.
ISP Router (VDSL connection)
<---> Cisco 887 <----> more PCs with conditional forwarding
VPN Router (like strongVPN)
Thank you for your help.
Best regards
09-24-2012 01:44 PM
Hi Bruno,
Yes, the IOS router can be a VPN client; this is called Easy VPN:
How to configure Cisco IOS Easy VPN (server and client mode)
* The server must be a Cisco device, like another router or an ASA.
Keep me posted.
Thanks.
Portu.
Please rate any helpful posts.
09-24-2012 01:51 PM
Thank you for your help.
09-24-2012 02:01 PM
I am glad it helped you.
Please mark this post as answered
Have a good one.
09-24-2012 02:43 PM
I just finished looking at the documentation and, as I'm not an expert, I'm having some problems implementing it.
I think I understand the Easy VPN portion, but I have a problem with authentication.
How do I pass the login and the password?
Could you give me an example or some guidance?
Bruno
09-24-2012 02:53 PM
Hi,
How to pass the login and the password?
It depends on the server side: you could use interactive, so once the Easy VPN client tries to come up, the server will ask you for the username and password.
On the other hand, you could also use LOCAL, where you enter the credentials as part of the Easy VPN configuration on the client side.
For instance:
LOCAL:
crypto ipsec client ezvpn TEST
username cisco password test
xauth userid mode local
!
note: local ----> Use locally saved username and password
*******
crypto ipsec client ezvpn TEST_A
xauth userid mode interactive
note: interactive ---> Prompt the user on the console
Let me know if you have further questions.
Thanks.
09-24-2012 03:43 PM
OK, I understand a little better now, but I'm not sure of my result.
I don't want to impose on you, but could you check my configuration and tell me whether it's OK or not?
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco887VA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 $1$4a8j$Qtt6Ywk5p.zWwWx41
!
aaa new-model
!
aaa session-id common
!
memory-size iomem 10
clock timezone CET -4 0
crypto pki token default removal timeout 0
!
ip source-route
!
ip dhcp class dyn_range
!
ip cef
ip domain name netgus.corp
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid CISCO887VA-SEC-K9 sn FGL162321BT
!
controller VDSL 0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto ipsec client ezvpn ASTRILL-VPN
connect auto
group test key way2stars ! (it's not confidential; you can find it on the Internet) (Astrill does not use a group, but it's not possible to leave it empty, so I will try with "test")
mode client
peer 91.121.54.151
username bruno.legay@gmail.com password xxxxxxx
xauth userid mode local
!
interface Ethernet0
no ip address
!
interface Ethernet0.35
encapsulation dot1Q 35
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
ip flow ingress
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface Vlan1
ip address 192.168.111.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip route-cache policy
ip tcp adjust-mss 1452
auto discovery qos
!
interface Dialer0
description VDSL Bell CA
mtu 1492
ip address negotiated
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username b1rswr48 password 7 104B5E43411A5806
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
ppp multilink
crypto ipsec client ezvpn ASTRILL-VPN
!
!
router eigrp 1
distribute-list 99 in FastEthernet0
network 192.168.111.1 0.0.0.0
redistribute static metric 1 1 1 1 1
!
ip forward-protocol nd
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 99 deny 10.10.10.0 0.0.0.31
access-list 101 permit ip 192.168.111.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 40 0
privilege level 15
logging synchronous
transport input ssh
escape-character 27
!
ntp master
ntp server 184.107.229.26
ntp server 208.80.96.96
ntp server 209.17.190.116
end
Thank you for all
Bruno
09-24-2012 09:18 PM
Bruno,
I am at home now.
Two tips:
1- Never include full public IP addresses.
2- Don't use possible e-mail addresses like "bruno.legay@gmail.com".
On the other hand, the configuration looks fine:
crypto ipsec client ezvpn ASTRILL-VPN
connect auto
group test key way2stars
mode client
peer 91.xxxx.xxxx.xxxx.xxxx
username bruno.legay@gmail.com password xxxxxxx
xauth userid mode local
Assuming that on the server:
1- A group named test exists with the password way2stars.
2- Client mode is configured (which is the default option).
3- The username and password are configured on the remote end.
Additional commands to add on the client:
interface Vlan1
crypto ipsec client ezvpn ASTRILL-VPN inside
!
interface Dialer0
crypto ipsec client ezvpn ASTRILL-VPN
Let me know if you have any further questions.
Portu
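As an added example (not code from this thread, from Astrill or from Cisco), here is a small Python linter that applies the checks from the reply above to a running-config dump: the Easy VPN profile must be applied to exactly one outside interface and to at least one inside interface, it needs a peer, and, tying in the earlier reply on LOCAL versus interactive XAUTH, `xauth userid mode local` must be backed by a stored `username ... password ...` line. The sample config is constructed from the one posted in the thread, with IOS's usual one-space indentation restored and the peer address, group key and credentials replaced by placeholders; `parse_sections`, `lint_ezvpn` and the column-0/indented section rule are this example's own assumptions.

```python
"""Lint an IOS Easy VPN client profile for the interface attachments and
credentials the reply above calls for. Added example, not Cisco code."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the running-config posted in the thread,
# with one-space indentation restored and placeholders for peer, key and
# credentials (198.51.100.1 is a documentation address, not a real peer).
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn ASTRILL-VPN
 connect auto
 group test key GROUP-KEY-PLACEHOLDER
 mode client
 peer 198.51.100.1
 username user@example.invalid password PASSWORD-PLACEHOLDER
 xauth userid mode local
!
interface Vlan1
 ip address 192.168.111.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 crypto ipsec client ezvpn ASTRILL-VPN
!
"""

# The same config after the `inside` attachment from the reply is added.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip nat inside\n",
    " ip nat inside\n crypto ipsec client ezvpn ASTRILL-VPN inside\n",
)

# Interface sub-command that binds a profile; the optional trailing word
# marks the LAN side, a bare attachment marks the outside (tunnel) side.
ATTACH_RE = re.compile(r"crypto ipsec client ezvpn (\S+)( inside)?$")


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split a running-config into (header, subcommands) blocks.
    Top-level commands sit in column 0; their subcommands are indented
    (assumed IOS layout); a bare '!' closes the current block."""
    sections: List[Tuple[str, List[str]]] = []
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            sections.append((header, body))
        text = raw.strip()
        header, body = (text if text and text != "!" else None), []
    if header is not None:
        sections.append((header, body))
    return sections


def lint_ezvpn(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every profile is
    applied to one outside and at least one inside interface, has a peer,
    and local XAUTH mode is backed by stored credentials."""
    profiles: Dict[str, List[str]] = {}
    attachments: Dict[str, Dict[str, List[str]]] = {}
    for header, body in parse_sections(config):
        if header.startswith("crypto ipsec client ezvpn "):
            profiles[header.split()[4]] = body
        elif header.startswith("interface "):
            ifname = header.split(None, 1)[1]
            for sub in body:
                m = ATTACH_RE.match(sub)
                if m:
                    role = "inside" if m.group(2) else "outside"
                    attachments.setdefault(m.group(1), {"outside": [], "inside": []})[role].append(ifname)

    findings: List[str] = []
    for name, body in profiles.items():
        att = attachments.get(name, {"outside": [], "inside": []})
        if len(att["outside"]) != 1:
            findings.append(f"{name}: expected exactly one outside interface, found {att['outside']}")
        if not att["inside"]:
            findings.append(f"{name}: no inside interface; add 'crypto ipsec client ezvpn {name} inside' under the LAN interface")
        if not any(sub.startswith("peer ") for sub in body):
            findings.append(f"{name}: no peer configured")
        has_creds = any(sub.startswith("username ") and " password " in sub for sub in body)
        if "xauth userid mode local" in body and not has_creds:
            findings.append(f"{name}: xauth userid mode local but no 'username ... password ...' line")
    for name in attachments:
        if name not in profiles:
            findings.append(f"{name}: applied to an interface but never defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with inside added", FIXED_CONFIG)):
        print(label, "->", lint_ezvpn(cfg) or "no findings")
```

Run against the posted layout the only finding is the missing inside attachment on Vlan1, which is exactly the extra command the reply asks for; once that line is present the linter returns no findings.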
09-25-2012 05:45 AM
Portu,
Thank you for the time you spent with me.
You can see the result with the debug command (debug crypto ipsec client ezvpn). I think it is good, but I would prefer the advice of an expert. Normally, I would receive a dynamic IP address from the server (91.xxx.xxx.xxx), but I have not defined the interface that will receive this address, and at the end the connection goes down. Is that normal?
I think that I should use a virtual interface (Cisco Easy VPN with DVTI?).
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Current State: READY
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Event: CONNECT_NEXT_PEER
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): ezvpn_close
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): nulling context
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Deleted PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): No Connect ACL checking status change
Sep 25 08:06:40.721 CET: EzVPN: Local Traffic Feature Deleted
Sep 25 08:06:40.721 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=test Client_public_addr=70.xxx.xxx.xxx Server_public_addr=91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Deleted PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): New active peer is 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Ready to connect to peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Attempting to connect to peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): New State: CONNECT_REQUIRED
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Current State: CONNECT_REQUIRED
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Event: CONNECT
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): ezvpn_connect_request
Cisco887VA#
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Found valid peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Added PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EzVPN(ASTRILL-VPN): sleep jitter delay 1449
Cisco887VA#
Sep 25 08:06:42.173 CET: EZVPN(ASTRILL-VPN): New State: READY
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): Current State: READY
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): Event: CONN_DOWN
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): event CONN_DOWN is not for us, ignoring (32/0:31)
Best regards,
Bruno
09-25-2012 05:54 AM
Dear Bruno,
This output is not very helpful.
Could you please share the VPN-related configuration from the server?
Also the following debugs will help you:
debug crypto isakmp
debug crypto ipsec
Thanks.
Portu.
Please rate any helpful posts.
09-25-2012 06:23 AM
I tried the VPN connection with my iPhone, and I would like to know how to configure the security parameters with Easy VPN like that:
Here,
Sep 25 09:18:21.225 CET: ISAKMP:(0):purging SA., sa=87D21A14, delme=87D21A14
Sep 25 09:18:22.729 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:22.729 CET: ISAKMP:(0):peer does not do paranoid keepalives.
Sep 25 09:18:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 91.121.54.151)
Sep 25 09:18:22.729 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=test Client_public_addr=70.52.25.89 Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:18:22.729 CET: ISAKMP:isadb_key_addr_delete: no key for address 91.121.54.151 (NULL root)
Sep 25 09:18:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 91.121.54.151)
Sep 25 09:18:22.729 CET: ISAKMP: Unlocking peer struct 0x87C73C60 for isadb_mark_sa_deleted(), count 0
Sep 25 09:18:22.729 CET: ISAKMP: Deleting peer node by peer_reap for 91.121.54.151: 87C73C60
Sep 25 09:18:22.729 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 25 09:18:22.729 CET: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_DEST_SA
Sep 25 09:18:24.057 CET: del_node src 70.52.25.89:500 dst 91.121.54.151:500 fvrf 0x0, ivrf 0x0
Sep 25 09:18:24.057 CET: ISAKMP:(0):peer does not do paranoid keepalives.
Sep 25 09:18:24.057 CET: ISAKMP:(0): SA request profile is (NULL)
Sep 25 09:18:24.057 CET: ISAKMP: Created a peer struct for 91.121.54.151, peer port 500
Sep 25 09:18:24.057 CET: ISAKMP: New peer created peer = 0x87C73C60 peer_handle = 0x80000067
Sep 25 09:18:24.057 CET: ISAKMP: Locking peer struct 0x87C73C60, refcount 1 for isakmp_initiator
Sep 25 09:18:24.057 CET: ISAKMP:(0):Setting client config settings 87C129B4
Sep 25 09:18:24.057 CET: ISAKMP: local port 500, remote port 500
Sep 25 09:18:24.057 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87485688
Sep 25 09:18:24.057 CET: ISAKMP:(0): client mode configured.
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 25 09:18:24.057 CET: ISKAMP: growing send buffer from 1024 to 3072
Sep 25 09:18:24.057 CET: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
Cisco887VA#
Sep 25 09:18:24.057 CET: ISAKMP (0): ID payload
next-payload : 13
type : 11
group id : test
protocol : 17
port : 0
length : 12
Sep 25 09:18:24.057 CET: ISAKMP:(0):Total payload length: 12
Sep 25 09:18:24.057 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
Sep 25 09:18:24.057 CET: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
Sep 25 09:18:24.057 CET: ISAKMP:(0): beginning Aggressive Mode exchange
Sep 25 09:18:24.057 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:24.057 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:34.057 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:34.057 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 25 09:18:34.057 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:44.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:44.058 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:44.058 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:54.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:54.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 25 09:18:54.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:54.058 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:54.058 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#debug crypto ipsec
Crypto IPSEC debugging is on
Cisco887VA#
Sep 25 09:20:25.568 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=test Client_public_addr=70.52.25.89 Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:20:25.568 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:20:27.176 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:21:27.178 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=test Client_public_addr=70.52.25.89 Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:21:27.178 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:21:28.562 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
09-25-2012 11:08 AM
Dear Bruno,
What do you mean by connecting from an iPhone?
On the other hand, from the logs:
"Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH..."
It looks like the remote end is either misconfigured or not reachable.
What type of unit is at the server side?
Thanks.
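The reading given above (phase 1 aggressive-mode packets going out, retransmitted, and never answered) can be mechanised. As an added example that is not from this thread or from Cisco, the Python below triages `debug crypto isakmp` output: it counts packets the initiator sent versus packets it received, tracks the retransmit counter and "Death by retransmission P1" events, pulls out the exchange mode, authentication method and group identity, and turns that into a verdict. The sample lines are constructed from the ones Bruno posted, with the peer replaced by a documentation address; the `Phase1Triage` fields, the regexes and the verdict wording are this example's own assumptions.

```python
"""Triage Cisco IOS `debug crypto isakmp` output for IKEv1 phase 1 failures.
Added example, not Cisco code."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the debug lines posted in the thread;
# 198.51.100.1 is a documentation placeholder, not the real peer.
SAMPLE_DEBUG = """\
Sep 25 09:18:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 198.51.100.1)
Sep 25 09:18:24.057 CET: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
Sep 25 09:18:24.057 CET: ISAKMP (0): ID payload
 next-payload : 13
 type : 11
 group id : test
Sep 25 09:18:24.057 CET: ISAKMP:(0): beginning Aggressive Mode exchange
Sep 25 09:18:24.057 CET: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:34.057 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 25 09:18:34.057 CET: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:44.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 25 09:18:44.058 CET: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:54.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 25 09:18:54.058 CET: ISAKMP:(0): sending packet to 198.51.100.1 my_port 500 peer_port 500 (I) AG_INIT_EXCH
"""

SEND_RE = re.compile(r"sending packet to (\d+\.\d+\.\d+\.\d+)")
RECV_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
ATTEMPT_RE = re.compile(r"incrementing error counter on sa, attempt (\d+) of (\d+)")
GROUP_RE = re.compile(r"group id\s*:\s*(\S+)")


@dataclass
class Phase1Triage:
    peer: Optional[str] = None
    exchange_mode: Optional[str] = None      # "aggressive" or "main"
    auth: Optional[str] = None               # e.g. "psk+xauth"
    group_id: Optional[str] = None           # ID_KEY_ID sent in the ID payload
    packets_sent: int = 0
    packets_received: int = 0
    max_retransmit_attempt: int = 0
    retransmit_limit: int = 0
    death_by_retransmission: int = 0         # SAs torn down after exhausting retries
    verdict: str = ""


def triage_phase1(debug_text: str) -> Phase1Triage:
    """Scan debug lines once, then derive a verdict from sent/received counts."""
    t = Phase1Triage()
    for line in debug_text.splitlines():
        if "beginning Aggressive Mode exchange" in line:
            t.exchange_mode = "aggressive"
        elif "beginning Main Mode exchange" in line:
            t.exchange_mode = "main"
        if "pre-shared key authentication plus XAUTH" in line:
            t.auth = "psk+xauth"
        m = SEND_RE.search(line)
        if m:
            t.packets_sent += 1
            t.peer = m.group(1)
        if RECV_RE.search(line):
            t.packets_received += 1
        m = ATTEMPT_RE.search(line)
        if m:
            t.max_retransmit_attempt = max(t.max_retransmit_attempt, int(m.group(1)))
            t.retransmit_limit = int(m.group(2))
        if "Death by retransmission P1" in line:
            t.death_by_retransmission += 1
        m = GROUP_RE.search(line)
        if m:
            t.group_id = m.group(1)

    if t.packets_sent and not t.packets_received:
        # Nothing ever came back: the far end never answered our first message.
        t.verdict = (
            f"no phase 1 reply from peer {t.peer}: {t.packets_sent} {t.exchange_mode or 'phase 1'} "
            f"packet(s) sent, retransmit attempt {t.max_retransmit_attempt}/{t.retransmit_limit}, "
            f"{t.death_by_retransmission} SA(s) already dropped by retransmission; the peer is "
            "unreachable, UDP/500 is filtered on the path, or the peer silently rejects the "
            "proposal or identity, so check reachability and the server-side group/peer settings"
        )
    elif t.packets_received and t.death_by_retransmission:
        t.verdict = "peer replied but phase 1 never completed: compare IKE proposals and the pre-shared key"
    elif t.packets_received:
        t.verdict = "phase 1 exchange progressed; look past phase 1 (XAUTH, mode config, phase 2) for the failure"
    else:
        t.verdict = "no phase 1 traffic seen in this capture"
    return t


if __name__ == "__main__":
    print(triage_phase1(SAMPLE_DEBUG))
```

On the constructed sample the result is four AG_INIT_EXCH packets sent, none received, retransmit attempt 3 of 5 and one SA already dropped, which is the "misconfigured or not reachable" reading; a capture that does contain `received packet from` lines would instead steer the reader towards proposal or pre-shared-key mismatches.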
09-25-2012 01:19 PM
Hello Portu,
I bought the VPN solution at astrill.com and they do not support Cisco routers, only a Cisco VPN IPsec connection with the iPhone. That's why I gave you the configuration of the iPhone VPN. It's impossible for me to tell what type of server it is, but one thing is sure: they are fully Cisco compatible.
I modified my configuration, setting up profiles to configure the router like the VPN connection from the iPhone, as below, but it's hard for me because I don't know the type of configuration.
crypto keyring ASTRILL-KEY
description This is a key for ASTRILL VPN Connexion
pre-shared-key address 91.121.54.151 key way2stars
crypto isakmp profile ASTRILL-ISAKMP-Profile
keyring ASTRILL-KEY
match identity address 91.121.54.151 255.255.255.255
initiate mode aggressive
crypto ipsec profile ASTRILL-IPSEC-Profile
set isakmp-profile ASTRILL-ISAKMP-Profile
Cisco887VA(config)#crypto ipsec transform-set MySet ?
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
ah-sha256-hmac AH-HMAC-SHA256 transform
ah-sha384-hmac AH-HMAC-SHA384 transform
ah-sha512-hmac AH-HMAC-SHA512 transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-gcm ESP transform using GCM cipher
esp-gmac ESP transform using GMAC cipher
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
esp-sha256-hmac ESP transform using HMAC-SHA256 auth
esp-sha384-hmac ESP transform using HMAC-SHA384 auth
esp-sha512-hmac ESP transform using HMAC-SHA512 auth
I'm not sure that is the right way, but I searched on the Internet to find some examples to guide me.
To answer you:
It looks like the remote end is either misconfigured or not reachable.
I think that the default configuration sends the wrong parameters.
I await your comments with regards to what I just wrote.
Best regards,
bruno