03-23-2015 09:58 AM - edited 02-21-2020 08:08 PM
Dear all,
Can you please help with the below? Thanks in advance.
HQ is configured to accept remote VPN clients using a crypto map, and it is also configured for dynamic VPN with the branch.
HQ static public IP is 82.114.179.120, Tunnel10 IP 172.16.10.1 and local LAN is 192.168.1.0.
Branch has a dynamic public IP, Tunnel10 IP 172.16.10.32 and local LAN 192.168.32.0. It is also configured with Tunnel0 to another HQ, which works fine.
Branch LAN (192.168.32.0) needs to access HQ LAN (192.168.1.0).
Debug file is attached
HQ:
aaa authentication login acs local
aaa authorization network acs local
!
aaa session-id common
!
ip cef
!
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
controller VDSL 0/1/0
!
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group NAMA
key namanama
pool mypool
acl 101
save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-MD5
set isakmp-profile ccp-dmvpn-isakmprofile
!
crypto dynamic-map map 10
set transform-set test
reverse-route
!
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map
!
interface Tunnel10
bandwidth 1000
ip address 172.16.10.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip tcp adjust-mss 1360
delay 1000
shutdown
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface ATM0/1/0
description DSL Interface
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname nama20004
ppp chap password 0 220004
ppp pap sent-username nama20004 password 0 220004
crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!
HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.114.179.120 78.137.84.92 CONF_XAUTH 1486 ACTIVE
82.114.179.120 78.137.84.92 MM_NO_STATE 1483 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 1482 ACTIVE (deleted)
Branch show run:
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
mode transport
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-AES-MD5
!
crypto ipsec profile To-Taiz-Profile
set transform-set To-Taiz
!
interface Tunnel0
bandwidth 1000
ip address 172.16.0.32 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 172.16.0.1 82.114.179.105
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 82.114.179.105
tunnel key 100000
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Tunnel10
bandwidth 1000
ip address 172.16.10.32 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 172.16.10.1 82.114.179.120
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.16.10.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 82.114.179.120
tunnel key 22334455
tunnel protection ipsec profile To-Taiz-Profile
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
description ## CONNECT TO LAN ##
no ip address
!
interface FastEthernet1
description ## CONNECT TO LAN ##
no ip address
!
interface FastEthernet2
description ## CONNECT TO LAN ##
no ip address
!
interface FastEthernet3
description ## CONNECT TO LAN ##
no ip address
!
interface Vlan1
description ## LAN INTERFACE ##
ip dhcp client hostname none
ip address 192.168.32.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname mohammadaa
ppp chap password 0 123456
ppp pap sent-username mohammadaa password 0 123456
!
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
!
ip sla auto discovery
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!
Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
82.114.179.120 78.137.84.92 MM_NO_STATE 2061 ACTIVE (deleted)
82.114.179.120 78.137.84.92 MM_NO_STATE 2060 ACTIVE (deleted)
03-30-2015 12:22 AM
Mohammed,
No probs, keep safe.
The config you attached has a single IKE profile again, i.e. your DMVPN and EzVPN fall into the same basket.
What you need is a clear separation.
In the example you have
crypto isakmp profile VPNclient
 match identity group hw-client-groupname
 client authentication list userauthen
 isakmp authorization list hw-client-groupname
 client configuration address respond
crypto dynamic-map dynmap 10
 set isakmp-profile VPNclient
 reverse-route
 set transform-set strong
and separately a DMVPN IKE Profile:
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
bound to your DMVPN IPsec profile:
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
 set isakmp-profile DMVPN
You should apply the same logic here and clean up your current config (i.e. move the features you have applied on crypto map level to your new IKE profile).
M.
03-23-2015 10:13 AM
Your hub is trying to do xauth to that peer. The remote end is not configured to do it.
In hub debugs you have
*Mar 19 06:58:44.111: ISAKMP:(0):found peer pre-shared key matching 46.35.80.59
*Mar 19 06:58:44.111: ISAKMP:(0): local preshared key found
*Mar 19 06:58:44.111: ISAKMP:(0): Authentication by xauth preshared
*Mar 19 06:58:44.111: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 19 06:58:44.111: ISAKMP: encryption 3DES-CBC
and
*Mar 19 06:58:44.835: ISAKMP:(1176):Need XAUTH
*Mar 19 06:58:44.835: ISAKMP: set new node -1334962039 to CONF_XAUTH
*Mar 19 06:58:44.835: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 19 06:58:44.835: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 19 06:58:44.835: ISAKMP:(1176): initiating peer config to 46.35.80.59. ID = 2960005257
*Mar 19 06:58:44.835: ISAKMP:(1176): sending packet to 46.35.80.59 my_port 500 peer_port 500 (R) CONF_XAUTH
Have a look here to correct your config:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/47541-dmvpn-ezvpn-isakmp.html
I.e. make sure you have a separate IKE profile for your VPN users.
03-24-2015 12:12 AM
03-24-2015 12:31 AM
The config you attached does not have a new IKE profile.
Check how it was implemented exactly in the doc I sent over, once that's done and it still does not work compare the previous debugs, and try with a VTI configuration.
03-24-2015 06:44 AM
Hi again Marcin,
I used the same IKE profile as below but I changed the password. OK, I'll do that and I'll inform you back.
crypto isakmp profile ccp-dmvpn-isakmprofile
keyring ccp-dmvpn-keyring
match identity address 0.0.0.0
!
crypto keyring ccp-dmvpn-keyring
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
03-25-2015 08:02 AM
Hi again Marcin,
With the new IKE profile I face the same issue and I need this to be solved.
If I switch to using Easy VPN on both: I removed the DMVPN config which is highlighted in bold above, and in addition to the above config I added the below.
HQ:
!
crypto isakmp client configuration group NAMANAMA
key namanama
pool mypool
save-password
!
Branch:
!
crypto ipsec client ezvpn NAMANAMA
connect auto
group NAMANAMA key namanama
mode network-extension
peer 82.114.179.120
username maeen password maeen123456
xauth userid mode local
!
interface Vlan1
crypto ipsec client ezvpn NAMANAMA inside
!
interface Dialer0
crypto ipsec client ezvpn NAMANAMA
!
The result is:
- VPN is up; HQ can ping the branch interface (192.168.32.254) only, not the branch LAN.
- Branch fails to reach the HQ.
- As soon as I put crypto ipsec client ezvpn NAMANAMA on the Dialer0 of the branch, the local LAN fails to reach the Internet.
Can you please solve this matter?
In this scenario, the branch router is already configured with DMVPN to another site using Tunnel0, and at the same time I want it to connect to the HQ using Easy VPN.
regards,
03-25-2015 08:05 AM
If you need urgent help, head to the folks in TAC. On support forums we try as much as we can to help people help themselves.
Can you show me the config from the hub when you have the two IKE profiles, and the debugs?
03-30-2015 12:00 AM
03-30-2015 11:17 PM
Thanks Mr. Marcin for your help and time.
I appreciate it.
Regards,