
Cisco router as IPsec VPN client

netgus2012
Level 1
Level 1

Hello,

I would like to know if it's possible to make an IPsec VPN connection as a client.

ISP Router (VDSL connection)
                   <---> Cisco 887 <----> more PCs with conditional forwarding
VPN Router (like strongVPN)

Thank you for your help.

Best regards


Hi Bruno,

Yes, the IOS router can be a VPN client; this is called Easy VPN:

How to configure Cisco IOS Easy VPN (server and client mode)

* The Server must be a Cisco device like another Router or an ASA.

Keep me posted.

Thanks.

Portu.

Please rate any helpful posts.

Thank you for your help.

I am glad it helped you.

Please mark this post as answered

Have a good one.

I just finished looking at the documentation, and as I'm not an expert, I'm having some problems implementing it.

I think I understand the Easy VPN part, but I have a problem with authentication.

How do I pass the login and the password?

Could you give me an example or some guidance?

Bruno

Hi,

How to pass the login and the password?

It depends on the server side. You could use interactive, so once the Easy VPN client tries to come up, the server will ask you for the username and password.

On the other hand, you could also use LOCAL, where you enter the credentials as part of the Easy VPN configuration on the client side.

For instance:

LOCAL:

crypto ipsec client ezvpn TEST
     username cisco password test
     xauth userid mode local
!
note:   local   ---->  Use locally saved username and password

*******

crypto ipsec client ezvpn TEST_A
     xauth userid mode interactive
note:  interactive  ---> Prompt the user on the console

Let me know if you have further questions.

Thanks.

OK, I understand a little better now, but I'm not sure about my result.

I don't want to impose, but could you check my configuration and tell me whether it's OK or not?

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Cisco887VA
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 $1$4a8j$Qtt6Ywk5p.zWwWx41
!
aaa new-model
!
aaa session-id common
!
memory-size iomem 10
clock timezone CET -4 0
crypto pki token default removal timeout 0
!
ip source-route
!
ip dhcp class dyn_range
!
ip cef
ip domain name netgus.corp
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
license udi pid CISCO887VA-SEC-K9 sn FGL162321BT
!
controller VDSL 0
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto ipsec client ezvpn ASTRILL-VPN
 connect auto
 group test key way2stars !(it's not confidential, you find it on the Internet)(and Astrill does not use a group, but it's not possible to put nothing. I will try with "test")
 mode client
 peer 91.121.54.151
 username bruno.legay@gmail.com password xxxxxxx
 xauth userid mode local
!
interface Ethernet0
 no ip address
!
interface Ethernet0.35
 encapsulation dot1Q 35
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface Vlan1
 ip address 192.168.111.1 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip route-cache policy
 ip tcp adjust-mss 1452
 auto discovery qos
!
interface Dialer0
 description VDSL Bell CA
 mtu 1492
 ip address negotiated
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip route-cache policy
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username b1rswr48 password 7 104B5E43411A5806
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 ppp multilink
 crypto ipsec client ezvpn ASTRILL-VPN
!
!
router eigrp 1
 distribute-list 99 in FastEthernet0
 network 192.168.111.1 0.0.0.0
 redistribute static metric 1 1 1 1 1
!
ip forward-protocol nd
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 99 deny   10.10.10.0 0.0.0.31
access-list 101 permit ip 192.168.111.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 40 0
 privilege level 15
 logging synchronous
 transport input ssh
 escape-character 27
!
ntp master
ntp server 184.107.229.26
ntp server 208.80.96.96
ntp server 209.17.190.116
end

Thank you for everything.

Bruno

Bruno,

I am at home now.

Two tips:

     1- Never include full public IP addresses.

     2- Don't use possible e-mail addresses like "bruno.legay@gmail.com".

On the other hand, the configuration looks fine:

crypto ipsec client ezvpn ASTRILL-VPN
 connect auto
 group test key way2stars
 mode client
 peer 91.xxxx.xxxx.xxxx.xxxx
 username bruno.legay@gmail.com password xxxxxxx
 xauth userid mode local

Assuming that on the server:

1- A group named test exists with the password way2stars.

2- Client mode is configured (which is the default option).

3- The username and password are configured on the remote end.

Additional commands to add on the client:

interface Vlan1
     crypto ipsec client ezvpn ASTRILL-VPN inside
!
interface Dialer0
     crypto ipsec client ezvpn ASTRILL-VPN

Let me know if you have any further questions.

Portu

Portu,

Thank you for the time you spent with me.

You can see the result with the debug command (debug crypto ipsec client ezvpn). I think it is good, but I prefer the advice of the expert. Normally, I would receive a dynamic IP address from the server (91.xxx.xxx.xxx), but I have not defined the interface that will receive this address, and at the end the connection goes down. Is that normal?

I think that I should use a virtual interface (Cisco Easy VPN with DVTI?).

Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Current State: READY
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Event: CONNECT_NEXT_PEER
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): ezvpn_close
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): nulling context
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Deleted PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): No Connect ACL checking status change
Sep 25 08:06:40.721 CET: EzVPN: Local Traffic Feature Deleted
Sep 25 08:06:40.721 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=test  Client_public_addr=70.xxx.xxx.xxx  Server_public_addr=91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Deleted PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): New active peer is 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Ready to connect to peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Attempting to connect to peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): New State: CONNECT_REQUIRED
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Current State: CONNECT_REQUIRED
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Event: CONNECT
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): ezvpn_connect_request
Cisco887VA#
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Found valid peer 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EZVPN(ASTRILL-VPN): Added PSK for address 91.xxx.xxx.xxx
Sep 25 08:06:40.721 CET: EzVPN(ASTRILL-VPN): sleep jitter delay 1449
Cisco887VA#
Sep 25 08:06:42.173 CET: EZVPN(ASTRILL-VPN): New State: READY
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): Current State: READY
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): Event: CONN_DOWN
Sep 25 08:06:42.177 CET: EZVPN(ASTRILL-VPN): event CONN_DOWN is not for us, ignoring (32/0:31)

Best regards,

Bruno

Dear Bruno,

This output is not very helpful.

Could you please post the VPN-related configuration from the server?

Also the following debugs will help you:

debug crypto isakmp

debug crypto ipsec

Thanks.

Portu.

Please rate any helpful posts.

I tried the VPN connection with my iPhone, and I would like to know how to configure the security parameters with Easy VPN like this:

  • IKE phase 1—3DES encryption with SHA1 hash method. (no md5 support)
  • IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
  • PPP Authentication—MSCHAPv2 (officially) but PAP, MS-CHAPv1 also worked in testing.
  • Pre-shared key (no certificate support).

Here,

Sep 25 09:18:21.225 CET: ISAKMP:(0):purging SA., sa=87D21A14, delme=87D21A14
Sep 25 09:18:22.729 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:22.729 CET: ISAKMP:(0):peer does not do paranoid keepalives.
Sep 25 09:18:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 91.121.54.151)
Sep 25 09:18:22.729 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=test  Client_public_addr=70.52.25.89  Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:18:22.729 CET: ISAKMP:isadb_key_addr_delete: no key for address 91.121.54.151 (NULL root)
Sep 25 09:18:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 91.121.54.151)
Sep 25 09:18:22.729 CET: ISAKMP: Unlocking peer struct 0x87C73C60 for isadb_mark_sa_deleted(), count 0
Sep 25 09:18:22.729 CET: ISAKMP: Deleting peer node by peer_reap for 91.121.54.151: 87C73C60
Sep 25 09:18:22.729 CET: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 25 09:18:22.729 CET: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA
Sep 25 09:18:24.057 CET: del_node src 70.52.25.89:500 dst 91.121.54.151:500 fvrf 0x0, ivrf 0x0
Sep 25 09:18:24.057 CET: ISAKMP:(0):peer does not do paranoid keepalives.
Sep 25 09:18:24.057 CET: ISAKMP:(0): SA request profile is (NULL)
Sep 25 09:18:24.057 CET: ISAKMP: Created a peer struct for 91.121.54.151, peer port 500
Sep 25 09:18:24.057 CET: ISAKMP: New peer created peer = 0x87C73C60 peer_handle = 0x80000067
Sep 25 09:18:24.057 CET: ISAKMP: Locking peer struct 0x87C73C60, refcount 1 for isakmp_initiator
Sep 25 09:18:24.057 CET: ISAKMP:(0):Setting client config settings 87C129B4
Sep 25 09:18:24.057 CET: ISAKMP: local port 500, remote port 500
Sep 25 09:18:24.057 CET: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 87485688
Sep 25 09:18:24.057 CET: ISAKMP:(0): client mode configured.
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 25 09:18:24.057 CET: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 25 09:18:24.057 CET: ISKAMP: growing send buffer from 1024 to 3072
Sep 25 09:18:24.057 CET: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
Cisco887VA#
Sep 25 09:18:24.057 CET: ISAKMP (0): ID payload
    next-payload : 13
    type         : 11
    group id     : test
    protocol     : 17
    port         : 0
    length       : 12
Sep 25 09:18:24.057 CET: ISAKMP:(0):Total payload length: 12
Sep 25 09:18:24.057 CET: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
Sep 25 09:18:24.057 CET: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1
Sep 25 09:18:24.057 CET: ISAKMP:(0): beginning Aggressive Mode exchange
Sep 25 09:18:24.057 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:24.057 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:34.057 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:34.057 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 25 09:18:34.057 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:44.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:44.058 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:44.058 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#
Sep 25 09:18:54.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
Sep 25 09:18:54.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 25 09:18:54.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
Sep 25 09:18:54.058 CET: ISAKMP:(0): sending packet to 91.121.54.151 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:54.058 CET: ISAKMP:(0):Sending an IKE IPv4 Packet.
Cisco887VA#debug crypto ipsec
Crypto IPSEC debugging is on
Cisco887VA#
Sep 25 09:20:25.568 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=test  Client_public_addr=70.52.25.89  Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:20:25.568 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:20:27.176 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:21:27.178 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=test  Client_public_addr=70.52.25.89  Server_public_addr=91.121.54.151
Cisco887VA#
Sep 25 09:21:27.178 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#
Sep 25 09:21:28.562 CET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Cisco887VA#

Dear Bruno,

What do you mean by connecting from an iPhone?

On the other hand, from the logs:

"Sep 25 09:18:44.058 CET: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH..."

It looks like the remote end is either misconfigured or not reachable.

What type of unit is at the server side?

Thanks.
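The reading Portu gives of these logs (AG_INIT_EXCH retransmitted with no answer until "Death by retransmission P1", followed by %CRYPTO-6-EZVPN_CONNECTION_DOWN) can be checked mechanically. This is an added example written for this thread, not the posters' or Cisco's code; the sample lines are constructed with documentation addresses, and the "received packet from" pattern it also checks for is the IOS debug message a responding peer would produce, which lets it separate "peer never answered" from "peer answered but phase 1 still failed".

```python
"""Summarise Cisco IOS 'debug crypto isakmp' output for a stalled IKEv1
aggressive-mode phase 1. Added example for this thread, not Cisco's code."""
import re

# Constructed sample modelled on the poster's debug output, using
# documentation addresses rather than the thread's real peer.
SAMPLE_LOG = """\
Sep 25 09:18:24.057 CET: ISAKMP:(0): beginning Aggressive Mode exchange
Sep 25 09:18:24.057 CET: ISAKMP:(0): sending packet to 198.51.100.7 my_port 500 peer_port 500 (I) AG_INIT_EXCH
Sep 25 09:18:34.057 CET: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 25 09:18:44.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 25 09:18:54.058 CET: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 25 09:19:22.729 CET: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 198.51.100.7)
Sep 25 09:19:22.729 CET: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=test  Client_public_addr=203.0.113.9  Server_public_addr=198.51.100.7
"""

RE_SEND = re.compile(r"sending packet to (\S+) .*\(I\) (\w+)")
RE_RECV = re.compile(r"received packet from (\S+) ")  # a responding peer produces this
RE_RETRANS = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RE_DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(I\) (\w+) \(peer (\S+)\)')
RE_DOWN = re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_DOWN:.*Group=(\S*)\s+"
                     r"Client_public_addr=(\S+)\s+Server_public_addr=(\S+)")

def summarize(log_text):
    """Reduce one connection attempt to the facts a reviewer asks for."""
    s = {"peer": None, "exchange": None, "sent": 0, "replies": 0,
         "retransmits": 0, "max_attempts": None, "deleted_reason": None,
         "ezvpn_down": False, "group": None}
    for line in log_text.splitlines():
        if m := RE_SEND.search(line):
            s["peer"], s["exchange"] = m.group(1), m.group(2)
            s["sent"] += 1
        elif RE_RECV.search(line):
            s["replies"] += 1
        elif m := RE_RETRANS.search(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
            s["max_attempts"] = int(m.group(2))
        elif m := RE_DELETE.search(line):
            s["deleted_reason"], s["exchange"], s["peer"] = m.groups()
        elif m := RE_DOWN.search(line):
            s["ezvpn_down"], s["group"] = True, (m.group(1) or None)
    s["diagnosis"] = diagnose(s)
    return s

def diagnose(s):
    """The distinction that matters for phase 1: did the peer ever answer?"""
    reason = s["deleted_reason"]
    if reason and "retransmission" in reason and s["replies"] == 0:
        return (f"no IKE reply during {s['exchange']}: UDP/500 not reaching the peer, "
                f"nothing listening there, or the peer silently rejecting the proposal")
    if reason and s["replies"]:
        return f"peer answered but phase 1 was torn down ({reason}): check proposal, PSK and group"
    if reason:
        return f"phase 1 deleted: {reason}"
    return "phase 1 not deleted in this capture"

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:<15} {value}")
```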

Hello Portu,

I bought the VPN solution at astrill.com, and they do not support Cisco routers, only a Cisco IPsec VPN connection with the iPhone. That's why I gave you the configuration of the iPhone VPN, and it's impossible for me to tell what type of server it is, but one thing is sure: they are fully Cisco compatible.

  • IKE phase 1—3DES encryption with SHA1 hash method. (no md5 support)
  • IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
  • PPP Authentication—MSCHAPv2 (officially) but PAP, MS-CHAPv1 also worked in testing.
  • Pre-shared key (no certificate support).

I modified my configuration, setting up profiles to configure the router like the VPN connection from the iPhone, as below, but it's hard for me because I don't know the type of configuration.

crypto keyring ASTRILL-KEY
  description This is a key for ASTRILL VPN Connexion
  pre-shared-key address 91.121.54.151 key way2stars
crypto isakmp profile ASTRILL-ISAKMP-Profile
   keyring ASTRILL-KEY
   match identity address 91.121.54.151 255.255.255.255
   initiate mode aggressive
crypto ipsec profile ASTRILL-IPSEC-Profile
 set isakmp-profile ASTRILL-ISAKMP-Profile

Cisco887VA(config)#crypto ipsec transform-set MySet ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

I'm not sure that this is the right way, but I searched on the Internet to find some examples to guide me.

To answer you:

It looks like the remote end is either misconfigured or not reachable.

I think that the default configuration sends the wrong parameters.

I await your comments with regards to what I just wrote.

Best regards,

Bruno
