That is the guide that I used, thank you.

Here is the full output from the router which is an ASA 5520

=================================================

: Saved
:
ASA Version 8.4(1)
!
hostname trustsec
enable password "password"
passwd "password"
names
!
interface GigabitEthernet0/0
shutdown
nameif outside
security-level 0
ip address a.b.c.d 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 10.1.20.249 255.255.240.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.0.3.2 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network Int-Gateway
host a.b.c.d
access-list inside_access_in extended permit ip any any
access-list global_access extended permit ip any any
access-list no-nat extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240
access-list ezvpn1 extended permit ip 10.1.20.0 255.255.240.0 10.10.1.240 255.255.255.240
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 management
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside control-plane
access-group global_access global
route inside 10.0.0.0 255.0.0.0 10.1.20.1 1
route management 10.1.200.0 255.255.252.0 10.1.200.1 1
route outside 0.0.0.0 0.0.0.0 a.b.c.d 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set mySET esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map myDYN-MAP 5 set ikev1 transform-set mySET
crypto map myMAP 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 30
console timeout 0
management-access management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
nem enable
group-policy A1GroupPolicy1 internal
group-policy A1GroupPolicy1 attributes
vpn-idle-timeout 30
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev2 ssl-client
username admin password "password"
username sohouser password "password"
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global

: end
no asdm history enable

===============================================

thank you,

GMF

You're attempting to connect the 881 as an EzVPN client to the ASA 5520 in NEM mode correct?

Can you include the configuration from the 881?

Federico.

Cisco 881w config

============================

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
service-module wlan-ap 0 bootimage unified
crypto pki token default removal timeout 0
ip source-route
!
!
!
ip dhcp excluded-address 10.30.16.1 10.30.16.243
ip dhcp excluded-address 10.30.16.255
!
ip dhcp pool MyDHCPpool
   import all
   network 10.30.16.240 255.255.255.240
   default-router 10.30.16.241
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated

crypto ipsec client ezvpn ASA
connect auto
group DefaultRAGroup key cisco
mode network-extension
peer a.b.c.d
xauth userid mode interactive

interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn ASA inside
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
!
interface Vlan1
ip address 10.30.16.241 255.255.255.240
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 23 permit 10.30.16.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 103 permit ip 10.30.16.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
login
transport input all
!
end

=============================================================

also, I do not want to use NAT obviously due to NEM

thanks for the assistance,

GMF

Federico,

I am not using an 841. it is an ISR 881W and the guide you referred me to IS the guide that I used.

regards,

Greg

On the router you have:

interface FastEthernet4
crypto ipsec client ezvpn ASA inside

Should be:

interface FastEthernet4
crypto ipsec client ezvpn ASA

Also.... check the status of the following two commands when trying to establish the tunnel:

sh cry isa sa

sh cry ips sa

Federico.

Federico,

thanks for your suggestions and time.

will let you know how it goes.

GMF

Unfortunately, no luck.

Router#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

Router#sh cry ips sa

No SAs found

Let's do the following...

1. Can you PING between router and ASA?

If not we need to troubleshoot basic IP connectivity between the two boxes.

2. If PING is succesful, enable the commands:

debug cry isa 127

debug cry ips 127

On the ASA to check what's happening with the VPN packets.

Federico.

Federico,

getting somewhere now and getting close. here is what i am seeing on my 881

*Mar 10 17:10:02.091: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=DefaultRAGroup  Client_public_addr=192.168.2.30  Server_public_addr=a.b.c.d
*Mar 10 17:10:11.571: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from a.b.c.d was not encrypted and it should've been.

where a.b.c.d is the IP address of my ASA 5520 outside interface

what do you think?

my 881 is connect to an ISP router giving it the 192.168.2.30 ip address.

thanks,

GMF

The error says that the IOS received a packet from the ASA that should have been encrypted but it wasn't.
This could be because mismatch in the interesting traffic.

The ASA wants to encrypt the entire 10.0.0.0/8

The router on the other hand will send through the tunnel only from 10.30.16.0/24

Why do you have this line on the IOS?
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
There's no route-map defined.

Federico.

Federico,

here is my configuration from the 881W. I have modifed the ASA to encrypt only 10.30.16.0/26

I have added ip nat inside source route-map EzVPN1 interface FastEthernet4 overload because it was in the guide that you provided the URL to.

I think i missed something before. here is the ISR 881W configuration again.

==========================================================================================================

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
!
enable password 09812349082
!
no aaa new-model
!
memory-size iomem 10
service-module wlan-ap 0 bootimage unified

!
ip source-route
!
!
!
ip dhcp excluded-address 10.30.16.1 10.30.16.243
ip dhcp excluded-address 10.30.16.255
!
ip dhcp pool S0H0DHCPpool
   import all
   network 10.30.16.240 255.255.255.240
   default-router 10.30.16.241
   dns-server 192.168.2.1
!
!
ip cef
no ipv6 cef
!
!

!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn ASA
connect auto
group DefaultRAGroup key cisco
mode network-extension
peer a.b.c.d
xauth userid mode interactive
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
no ip address
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto ipsec client ezvpn ASA
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
shutdown
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
ip address 10.30.16.241 255.255.255.240
ip access-group 100 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging esm config
access-list 23 permit 10.30.16.0 0.0.0.255
!
!
!
!
route-map EzVPN1 permit 1
match ip address 23
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
login
transport input all
!
end
=============================================================================================

if i missed something or if you can assist, that would be appreciated.

GMF

Federico,

I can ping from the ISR 881 to the ASA 5520

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to a.b.c.d, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms