12-29-2012 11:47 AM
Hi,
I need to terminate EasyVPN on a VRF interface, because the Internet is on the VRF only.
On the Windows client it looks like a password error.
I haven't tried to terminate EasyVPN in a VRF before.
Can you help me?
With Best Regards,
Ugis
---------------------
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Dec 29 11:35:45.519: ISAKMP:(35007):deleting node -1674984011 error FALSE reason "Done with xauth request/reply exchange"
*Dec 29 11:35:45.519: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
*Dec 29 11:35:45.519: ISAKMP: set new node -1291909677 to CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
------------------------
*Dec 29 11:35:45.519: ISAKMP:(35007): initiating peer config to 4.3.2.1. ID = 3003057619
*Dec 29 11:35:45.519: ISAKMP:(35007): sending packet to 4.3.2.1 my_port 4500 peer_port 56966 (R) CONF_XAUTH
*Dec 29 11:35:45.519: ISAKMP:(35007):Sending an IKE IPv4 Packet.
*Dec 29 11:35:45.520: ISAKMP:(35007):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.528: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.529: ISAKMP:(35007):processing transaction payload from 4.3.2.1. message ID = -1291909677
*Dec 29 11:35:52.529: ISAKMP: Config payload REPLY
*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.
*Dec 29 11:35:52.529: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.529: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT
*Dec 29 11:35:52.530: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.3.2.1
*Dec 29 11:35:52.532: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH
*Dec 29 11:35:52.532: ISAKMP: set new node 1500321808 to CONF_XAUTH
*Dec 29 11:35:52.533: ISAKMP:(35007): processing HASH payload. message ID = 1500321808
*Dec 29 11:35:52.533: ISAKMP:received payload type 18
*Dec 29 11:35:52.533: ISAKMP:(35007):Processing delete with reason payload
*Dec 29 11:35:52.533: ISAKMP:(35007):delete doi = 0
*Dec 29 11:35:52.534: ISAKMP:(35007):delete protocol id = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete spi_size = 16
*Dec 29 11:35:52.534: ISAKMP:(35007):delete num spis = 1
*Dec 29 11:35:52.534: ISAKMP:(35007):delete_reason = 2
*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)
*Dec 29 11:35:52.534: ISAKMP:(35007):deleting node 1500321808 error FALSE reason "Informational (in) state 1"
*Dec 29 11:35:52.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ezvpngroup
 key xxxremote
 pool ezvpn
 netmask 255.255.255.192
crypto isakmp profile ezvpn
 vrf inet (tried with and without this line)
 match identity group ezvpngroup
 client authentication list ez
 isakmp authorization list ez
 client configuration address respond
 virtual-template 3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
12-29-2012 11:48 AM
!
crypto ipsec profile ezvpn
 set transform-set AES256_SHA
 set isakmp-profile ezvpn
!
interface GigabitEthernet0/0/1
 ip vrf forwarding inet
 ip address 1.2.3.4 255.255.255.240
 negotiation auto
interface GigabitEthernet0/0/3
 ip address 192.168.34.1 255.255.255.0
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0/3
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel vrf inet
 tunnel protection ipsec profile ezvpn
ip local pool ezvpn 192.168.33.194 192.168.33.254
12-29-2012 11:53 AM
Here is the log from the client:
Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
506 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100002
Begin connection process
507 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100004
Establish secure connection
508 21:50:03.799 12/29/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "1.2.3.4"
509 21:50:03.835 12/29/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.2.3.4.
510 21:50:03.835 12/29/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
511 21:50:03.835 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.3.4
512 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
513 21:50:03.884 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 1.2.3.4
514 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
515 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports DPD
516 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
517 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
518 21:50:03.884 12/29/12 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
519 21:50:03.900 12/29/12 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
520 21:50:03.900 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.3.4
521 21:50:03.900 12/29/12 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
522 21:50:03.900 12/29/12 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xD7B9, Remote Port = 0x1194
523 21:50:03.900 12/29/12 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
524 21:50:03.900 12/29/12 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
525 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
526 21:50:03.933 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.3.4
527 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
528 21:50:03.933 12/29/12 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
529 21:50:03.936 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
530 21:50:03.936 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
531 21:50:03.936 12/29/12 Sev=Info/4 CM/0x63100015
Launch xAuth application
532 21:50:04.032 12/29/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
533 21:50:04.032 12/29/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
534 21:50:08.598 12/29/12 Sev=Info/4 CM/0x63100017
xAuth application returned
535 21:50:08.598 12/29/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.3.4
536 21:50:08.635 12/29/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.4
537 21:50:08.635 12/29/12 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4
538 21:50:08.635 12/29/12 Sev=Info/4 CM/0x63100015
Launch xAuth application