ASR1002 EasyVPN termination on vrf (fvrf)

ugisducmanis
Level 1

Hi,

I need to terminate EasyVPN on a VRF interface, because the Internet is on a VRF only.

On the Windows client it looks like a password error.

I haven't tried to terminate EasyVPN in a VRF before.

Can you help me?

With Best Regards,

Ugis

---------------------

*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2

*Dec 29 11:35:45.518: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2

*Dec 29 11:35:45.519: ISAKMP:(35007):deleting node -1674984011 error FALSE reason "Done with xauth request/reply exchange"

*Dec 29 11:35:45.519: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

*Dec 29 11:35:45.519: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*Dec 29 11:35:45.519: ISAKMP: set new node -1291909677 to CONF_XAUTH

*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

*Dec 29 11:35:45.519: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

------------------------

*Dec 29 11:35:45.519: ISAKMP:(35007): initiating peer config to 4.3.2.1. ID = 3003057619

*Dec 29 11:35:45.519: ISAKMP:(35007): sending packet to 4.3.2.1 my_port 4500 peer_port 56966 (R) CONF_XAUTH

*Dec 29 11:35:45.519: ISAKMP:(35007):Sending an IKE IPv4 Packet.

*Dec 29 11:35:45.520: ISAKMP:(35007):Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN

*Dec 29 11:35:45.520: ISAKMP:(35007):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT

*Dec 29 11:35:52.528: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH

*Dec 29 11:35:52.529: ISAKMP:(35007):processing transaction payload from 4.3.2.1. message ID = -1291909677

*Dec 29 11:35:52.529: ISAKMP: Config payload REPLY

*Dec 29 11:35:52.529: ISAKMP/xauth: reply attribute XAUTH_STATUS_V2 unexpected.

*Dec 29 11:35:52.529: ISAKMP:(35007):peer does not do paranoid keepalives.

*Dec 29 11:35:52.529: ISAKMP:(35007):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY

*Dec 29 11:35:52.530: ISAKMP:(35007):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_REQ_SENT

*Dec 29 11:35:52.530: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

*Dec 29 11:35:52.530: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 4.3.2.1

*Dec 29 11:35:52.532: ISAKMP (35007): received packet from 4.3.2.1 dport 4500 sport 56966 inet (R) CONF_XAUTH

*Dec 29 11:35:52.532: ISAKMP: set new node 1500321808 to CONF_XAUTH

*Dec 29 11:35:52.533: ISAKMP:(35007): processing HASH payload. message ID = 1500321808

*Dec 29 11:35:52.533: ISAKMP:received payload type 18

*Dec 29 11:35:52.533: ISAKMP:(35007):Processing delete with reason payload

*Dec 29 11:35:52.533: ISAKMP:(35007):delete doi = 0

*Dec 29 11:35:52.534: ISAKMP:(35007):delete protocol id = 1

*Dec 29 11:35:52.534: ISAKMP:(35007):delete spi_size = 16

*Dec 29 11:35:52.534: ISAKMP:(35007):delete num spis = 1

*Dec 29 11:35:52.534: ISAKMP:(35007):delete_reason = 2

*Dec 29 11:35:52.534: ISAKMP:(35007): processing DELETE_WITH_REASON payload, message ID = 1500321808, reason: DELETE_BY_USER_COMMAND

*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.

*Dec 29 11:35:52.534: ISAKMP:(35007):peer does not do paranoid keepalives.

*Dec 29 11:35:52.534: ISAKMP:(35007):deleting SA reason "BY user command" state (R) CONF_XAUTH (peer 4.3.2.1)

*Dec 29 11:35:52.534: ISAKMP:(35007):deleting node 1500321808 error FALSE reason "Informational (in) state 1"

*Dec 29 11:35:52.534: IPSEC(key_engine): got a queue event with 1 KMI message(s)

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ezvpngroup
 key xxxremote
 pool ezvpn
 netmask 255.255.255.192
crypto isakmp profile ezvpn
 vrf inet (tried with and without this line)
 match identity group ezvpngroup
 client authentication list ez
 isakmp authorization list ez
 client configuration address respond
 virtual-template 3
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
!


ugisducmanis
Level 1

!
crypto ipsec profile ezvpn
 set transform-set AES256_SHA
 set isakmp-profile ezvpn
!
interface GigabitEthernet0/0/1
 ip vrf forwarding inet
 ip address 1.2.3.4 255.255.255.240
 negotiation auto
interface GigabitEthernet0/0/3
 ip address 192.168.34.1 255.255.255.0
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0/3
 tunnel source GigabitEthernet0/0/1
 tunnel mode ipsec ipv4
 tunnel vrf inet
 tunnel protection ipsec profile ezvpn
ip local pool ezvpn 192.168.33.194 192.168.33.254

ugisducmanis
Level 1

Here is the log from the client:

Cisco Systems VPN Client Version 5.0.07.0410

Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.1.7601 Service Pack 1

506    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100002

Begin connection process

507    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100004

Establish secure connection

508    21:50:03.799  12/29/12  Sev=Info/4     CM/0x63100024

Attempt connection with server "1.2.3.4"

509    21:50:03.835  12/29/12  Sev=Info/6     IKE/0x6300003B

Attempting to establish a connection with 1.2.3.4.

510    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000001

Starting IKE Phase 1 Negotiation

511    21:50:03.835  12/29/12  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.3.4

512    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x6300002F

Received ISAKMP packet: peer = 1.2.3.4

513    21:50:03.884  12/29/12  Sev=Info/4     IKE/0x63000014

RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 1.2.3.4

514    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001

Peer is a Cisco-Unity compliant peer

515    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001

Peer supports DPD

516    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001

Peer supports DWR Code and DWR Text

517    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001

Peer supports XAUTH

518    21:50:03.884  12/29/12  Sev=Info/5     IKE/0x63000001

Peer supports NAT-T

519    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000001

IOS Vendor ID Contruction successful

520    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.3.4

521    21:50:03.900  12/29/12  Sev=Info/6     IKE/0x63000055

Sent a keepalive on the IPSec SA

522    21:50:03.900  12/29/12  Sev=Info/4     IKE/0x63000083

IKE Port in use - Local Port =  0xD7B9, Remote Port = 0x1194

523    21:50:03.900  12/29/12  Sev=Info/5     IKE/0x63000072

Automatic NAT Detection Status:

Remote end is NOT behind a NAT device

This   end IS behind a NAT device

524    21:50:03.900  12/29/12  Sev=Info/4     CM/0x6310000E

Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

525    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x6300002F

Received ISAKMP packet: peer = 1.2.3.4

526    21:50:03.933  12/29/12  Sev=Info/4     IKE/0x63000014

RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.3.4

527    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000045

RESPONDER-LIFETIME notify has value of 86400 seconds

528    21:50:03.933  12/29/12  Sev=Info/5     IKE/0x63000047

This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now

529    21:50:03.936  12/29/12  Sev=Info/5     IKE/0x6300002F

Received ISAKMP packet: peer = 1.2.3.4

530    21:50:03.936  12/29/12  Sev=Info/4     IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4

531    21:50:03.936  12/29/12  Sev=Info/4     CM/0x63100015

Launch xAuth application

532    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700008

IPSec driver successfully started

533    21:50:04.032  12/29/12  Sev=Info/4     IPSEC/0x63700014

Deleted all keys

534    21:50:08.598  12/29/12  Sev=Info/4     CM/0x63100017

xAuth application returned

535    21:50:08.598  12/29/12  Sev=Info/4     IKE/0x63000013

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.3.4

536    21:50:08.635  12/29/12  Sev=Info/5     IKE/0x6300002F

Received ISAKMP packet: peer = 1.2.3.4

537    21:50:08.635  12/29/12  Sev=Info/4     IKE/0x63000014

RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.3.4

538    21:50:08.635  12/29/12  Sev=Info/4     CM/0x63100015

Launch xAuth application