DMVPN issue: "changing between CONF_XAUTH & MM_NO_STATE"

Dear all,

Can you help please regarding the below? Thanks in advance.

HQ is configured to accept remote VPN clients using a crypto map, and it is also configured for dynamic VPN with the branch.

HQ static public IP is 82.114.179.120, Tunnel10 IP is 172.16.10.1 and the local LAN is 192.168.1.0.

Branch has a dynamic public IP, Tunnel10 IP is 172.16.10.32 and the local LAN is 192.168.32.0. It is also configured using Tunnel0 with another HQ, which works fine.

Branch LAN (192.168.32.0) needs to access HQ LAN (192.168.1.0).

Debug file is attached.

HQ:


aaa authentication login acs local
aaa authorization network acs local
!
aaa session-id common
!
ip cef
!

ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!

redundancy
!

controller VDSL 0/1/0
!

crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
!

crypto dynamic-map map 10
 set transform-set test
 reverse-route
!
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map

!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1

!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!

HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)


Branch show run:

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
!
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.0.1 82.114.179.105
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.105
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.10.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet1
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet2
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet3
 description ## CONNECT TO LAN ##
 no ip address
!
interface Vlan1
 description ## LAN INTERFACE ##
 ip dhcp client hostname none
 ip address 192.168.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname mohammadaa
 ppp chap password 0 123456
 ppp pap sent-username mohammadaa password 0 123456
!
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
!
ip sla auto discovery
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!

Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)

9 Replies

Marcin Latosiewicz (Cisco Employee)

Your hub is trying to do XAUTH to that peer. The remote end is not configured to do it.

In hub debugs you have

*Mar 19 06:58:44.111: ISAKMP:(0):found peer pre-shared key matching 46.35.80.59
*Mar 19 06:58:44.111: ISAKMP:(0): local preshared key found
*Mar 19 06:58:44.111: ISAKMP:(0): Authentication by xauth preshared
*Mar 19 06:58:44.111: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 19 06:58:44.111: ISAKMP:      encryption 3DES-CBC

and

*Mar 19 06:58:44.835: ISAKMP:(1176):Need XAUTH
*Mar 19 06:58:44.835: ISAKMP: set new node -1334962039 to CONF_XAUTH   
*Mar 19 06:58:44.835: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 19 06:58:44.835: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 19 06:58:44.835: ISAKMP:(1176): initiating peer config to 46.35.80.59. ID = 2960005257
*Mar 19 06:58:44.835: ISAKMP:(1176): sending packet to 46.35.80.59 my_port 500 peer_port 500 (R) CONF_XAUTH

Have a look here to correct your config:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/47541-dmvpn-ezvpn-isakmp.html

I.e. make sure you have a separate IKE profile for your VPN users.
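Marcin's diagnosis rests on two observables: the hub's SA table, where the spoke sits in CONF_XAUTH while the two earlier main-mode attempts are left as "MM_NO_STATE ... ACTIVE (deleted)", and the hub's "debug crypto isakmp", where the responder initiates peer config and sends a "(R) CONF_XAUTH" packet towards the peer. The script below is an added example, not part of this thread, that parses those two outputs (the sample text is copied from the outputs posted in the thread; the two captures happen to show different peer addresses) and flags any peer on an operator-supplied list of DMVPN spokes that the hub is challenging with XAUTH. The spoke list, the finding strings and the function names are this example's own assumptions.

```python
"""Triage for the symptom in this thread: a hub whose 'show crypto isakmp sa'
shows a DMVPN spoke parked in CONF_XAUTH with earlier attempts left as
'MM_NO_STATE ... ACTIVE (deleted)', while 'debug crypto isakmp' on the hub
shows it initiating XAUTH towards that peer.  Added example, not from the thread."""
import re
from collections import defaultdict

# One data row of IOS 'show crypto isakmp sa':  dst  src  state  conn-id  status
SA_ROW = re.compile(
    r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)
# Debug lines that prove the hub (responder, "(R)") started XAUTH towards a peer.
XAUTH_CONFIG = re.compile(r"initiating peer config to (?P<peer>\d+(?:\.\d+){3})")
XAUTH_SEND = re.compile(r"sending packet to (?P<peer>\d+(?:\.\d+){3}) .*\(R\) CONF_XAUTH")

# Sample input copied from the outputs posted in this thread.
HQ_SA = """\
HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)
"""
HUB_DEBUG = """\
*Mar 19 06:58:44.111: ISAKMP:(0):found peer pre-shared key matching 46.35.80.59
*Mar 19 06:58:44.111: ISAKMP:(0): Authentication by xauth preshared
*Mar 19 06:58:44.835: ISAKMP:(1176):Need XAUTH
*Mar 19 06:58:44.835: ISAKMP: set new node -1334962039 to CONF_XAUTH
*Mar 19 06:58:44.835: ISAKMP:(1176): initiating peer config to 46.35.80.59. ID = 2960005257
*Mar 19 06:58:44.835: ISAKMP:(1176): sending packet to 46.35.80.59 my_port 500 peer_port 500 (R) CONF_XAUTH
"""


def parse_isakmp_sa(text):
    """Parse 'show crypto isakmp sa' into one dict per SA row; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["conn_id"] = int(row["conn_id"])
        row["deleted"] = "(deleted)" in row["status"]
        rows.append(row)
    return rows


def xauth_targets(debug_text):
    """Peers the hub sent an XAUTH request to, taken from 'debug crypto isakmp'."""
    peers = set()
    for line in debug_text.splitlines():
        for rx in (XAUTH_CONFIG, XAUTH_SEND):
            m = rx.search(line)
            if m:
                peers.add(m.group("peer"))
    return peers


def triage(sa_text, debug_text, dmvpn_spokes):
    """Per-peer summary keyed by the peer's public IP.

    dmvpn_spokes: public IPs that authenticate by PSK through the DMVPN IKE
    profile and must never be challenged for XAUTH (assumed, operator-supplied)."""
    by_peer = defaultdict(lambda: {"states": [], "stale": 0, "findings": []})
    for row in parse_isakmp_sa(sa_text):
        p = by_peer[row["src"]]
        p["states"].append(row["state"])
        if row["deleted"] and row["state"] == "MM_NO_STATE":
            p["stale"] += 1  # an abandoned main-mode attempt
    for peer in xauth_targets(debug_text):
        by_peer[peer]["findings"].append("hub initiated XAUTH (debug)")
    for peer, p in by_peer.items():
        if "CONF_XAUTH" in p["states"]:
            p["findings"].append("SA parked in CONF_XAUTH")
        if p["stale"] >= 2:
            p["findings"].append("%d abandoned main-mode attempts" % p["stale"])
        challenged = "CONF_XAUTH" in p["states"] or any(
            "XAUTH" in f for f in p["findings"])
        if peer in dmvpn_spokes and challenged:
            p["findings"].append(
                "DMVPN spoke hit an XAUTH-enabled IKE profile/crypto map: "
                "give EzVPN clients and DMVPN spokes separate ISAKMP profiles")
    return dict(by_peer)


if __name__ == "__main__":
    report = triage(HQ_SA, HUB_DEBUG, dmvpn_spokes={"78.137.84.92", "46.35.80.59"})
    for peer, info in sorted(report.items()):
        print(peer, info["states"], "; ".join(info["findings"]))
```

The spoke list is the only policy input: a peer that is not on it still gets the CONF_XAUTH and stale-attempt findings, but is not blamed on profile separation, since a real remote-access client is supposed to land in CONF_XAUTH.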

Thanks Marcin for your reply,

I did exactly as you said and as in the link you sent, but the issue still exists. How can I configure the spoke for XAUTH with the hub to solve the issue? Final sh run is attached for both.

Thanks.

The config you attached does not have a new IKE profile.

Check how it was implemented exactly in the doc I sent over; once that's done and it still does not work, compare the previous debugs and try with a VTI configuration.

Hi again Marcin,

I used the same IKE profile as below, but I changed the password. OK, I'll do that and I'll let you know.

crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123

Hi again Marcin,

With the new IKE profile I face the same issue, and I need this to be solved.

What if I switch to using Easy VPN on both? I removed the DMVPN config which is highlighted in bold above, and in addition to the above config I added the below.

HQ:

!
crypto isakmp client configuration group NAMANAMA
 key namanama
 pool mypool
 save-password
!

Branch:

!
crypto ipsec client ezvpn NAMANAMA
 connect auto
 group NAMANAMA key namanama
 mode network-extension
 peer 82.114.179.120
 username maeen password maeen123456
 xauth userid mode local
!

interface Vlan1

 crypto ipsec client ezvpn NAMANAMA inside
!

interface Dialer0

 crypto ipsec client ezvpn NAMANAMA
!

The result is:

- VPN is up; HQ can ping the branch interface (192.168.32.254) only, not the branch LAN.

- Branch fails to reach the HQ.

- As soon as I put "crypto ipsec client ezvpn NAMANAMA" on Dialer0 of the branch, the local LAN fails to reach the Internet.

Can you please solve this matter?

In this scenario, the branch router is already configured with DMVPN to the other site using Tunnel0, and at the same time I want it to connect to the HQ using Easy VPN.

Regards,

If you need urgent help, head to the folks in TAC. On support forums we try as much as we can to help people help themselves.

Can you show me the config from the hub when you have the two IKE profiles, and the debugs?

Hi Marcin again, and sorry for being late due to the war in our country (Yemen).

Attached is the show run with the new ISAKMP profile with debug, and the same for the branch, whose IP is 78.137.83.54.

I hope this time you find something to solve my issue.

Regards,

Mohammed,

No probs, keep safe.

The config you attached has a single IKE profile again, i.e. your DMVPN and EzVPN fall into the same basket.

What you need is a clear separation.

In the example you have:

crypto isakmp profile VPNclient
 match identity group hw-client-groupname
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond

which is then bound to:

crypto dynamic-map dynmap 10
 set isakmp-profile VPNclient
 reverse-route
 set transform-set strong

and separately a DMVPN IKE profile:

crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0

bound to your DMVPN IPsec profile:

crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN

You should apply the same logic here and clean up your current config (i.e. move the features you have applied at crypto map level to your new IKE profile).

M.
Thanks Mr. Marcin for your help and time.

I appreciate it.

Regards,
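Applying the separation Marcin describes in the accepted solution to the HQ config posted at the top of the thread, as an added example (not the poster's final config and not the text of the Cisco document): the profile name EZVPN-CLIENTS is invented here, every other identifier (keyring, group NAMA, list acs, pool mypool, acl 101, transform sets, crypto map i-map, Tunnel10 values) is reused from the posted HQ config. The point is that XAUTH, ISAKMP authorization and mode-config move off the crypto map, where they applied to every IKE peer arriving on Dialer1, and into a profile that only matches peers presenting the client group name; the DMVPN spokes, which identify by IP address and authenticate with the keyring PSK, land in a profile that never asks for XAUTH.

```ios
! HQ hub: one IKE profile per peer type, so XAUTH and mode-config are only
! offered to peers that identify themselves with the client group name.
! Added example; EZVPN-CLIENTS is an invented name, the rest is from the thread.
!
! Key material for the DMVPN spokes (as posted: a wildcard PSK, so any host
! that knows users@NAMA can register as a spoke; narrow the address if you can).
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Group that the remote-access clients present (aggressive mode, ID_KEY_ID).
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
!
! Profile 1: remote-access (EzVPN) clients, matched on the group name.
! XAUTH, authorization and mode-config live here, not on the crypto map.
crypto isakmp profile EZVPN-CLIENTS
 match identity group NAMA
 client authentication list acs
 isakmp authorization list acs
 client configuration address respond
!
! Profile 2: DMVPN spokes, matched on IP identity, PSK taken from the keyring.
! No client authentication here, so spokes are never put into CONF_XAUTH.
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
!
! DMVPN IPsec profile binds the DMVPN IKE profile (already the case as posted).
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
!
! Dynamic crypto map for the clients binds the client IKE profile.
crypto dynamic-map map 10
 set transform-set test
 set isakmp-profile EZVPN-CLIENTS
 reverse-route
!
! The crypto map keeps only the dynamic entry. The three posted lines
!   crypto map i-map client authentication list acs
!   crypto map i-map isakmp authorization list acs
!   crypto map i-map client configuration address respond
! are removed (with "no ..."), otherwise XAUTH still applies map-wide.
crypto map i-map 10 ipsec-isakmp dynamic map
!
! Tunnel10 as posted, except brought up: the posted config has it "shutdown".
interface Tunnel10
 ip address 172.16.10.1 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
 no shutdown
!
interface Dialer1
 crypto map i-map
```

Checks after the change: "show crypto isakmp profile" should list both profiles with their match statements, and the spoke's entry in "show crypto isakmp sa" on the hub should reach QM_IDLE instead of sitting in CONF_XAUTH, while a remote-access client still goes through CONF_XAUTH. One unrelated mismatch visible in the posted configs: the branch Tunnel10 uses "tunnel key 22334455" while the HQ Tunnel10 uses "tunnel key 100000"; GRE tunnel keys must match on both ends, or the hub drops the spoke's GRE packets (including its NHRP registration to 172.16.10.1) even after IPsec comes up.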