I am setting up an EzVPN connection from an 1811 router to my ASA 5540. I have everything set up and working properly with the exception of xauth.
I haven't had this problem with my VPN concentrator, and the configurations on the client side are identical.
Is there a way to not use xauth? I can't have my users logging into the router and typing in the command to log in via xauth every time their tunnel drops. I need to make this as seamless as I possibly can for the end user.
Any help is appreciated,
You did not specify the IOS version of your 1841. But:
You have 2 options:
1. Set up username within EasyVPN group on a router:
crypto ipsec client ezvpn EZ
 username cisco password cisco
 xauth userid mode local
And don't forget to add "password-storage enable" to corresponding group-policy.
2. Switch off xauth for a tunnel-group.
tunnel-group NAME-GROUP ipsec-attributes
 isakmp ikev1-user-authentication none
But be careful with such a configuration. There are some security implications with IKE Aggressive mode.
Hope this helps.
With best regards.
Setting up the xauth to local and defining a user/pw worked great! Thanks for the help.
But I'm having another issue, there is definitely something wrong with my configuration.
The tunnel is up and active, and from my internal network I can ping the remote default-gateway, but I cannot ping the host on the other side of the default gateway. I have checked routing on my cores and the VPN ASA. I can see the correct network range from the ASA as well:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr: 192.168.20.11
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.127.129.0/255.255.255.128/0/0)
current_peer: XX.XX.XX.XX, username: GRPNAME
dynamic allocated peer ip: 0.0.0.0
From the above output you can see it's matching the 10.127.129.0/25 network.
Here is the config:
group-policy DfltGrpPolicy attributes
 dns-server value 10.64.10.1 10.64.10.2
 split-tunnel-network-list value SplitTunnel
 split-dns value xxxxx.net
tunnel-group EZ type remote-access
tunnel-group EZ ipsec-attributes
I can set these up all day as static entries, and I have VPN clients remoting in just fine, just not this EZVPN setup.
I was an idiot, I had my NAT wrong on the VPN client router. I was allowing all communication sourced from the remote network to be NAT'd (worked well for internet access) but it was also NAT'ing the traffic destined to the VPN tunnel.
Thanks for the help,
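As an added example (not posted by anyone in this thread), here is how the two fixes discussed above fit together on the 1811 side: the locally stored xauth credentials from option 1 of the answer, and a NAT access list that exempts tunnel-bound traffic, which is the mistake the final post identifies. Interface names, the pre-shared key, the username/password and the LAN addressing 10.127.129.0/25 are assumptions; the ASA peer 192.168.20.11 and the 10.0.0.0/8 remote side are taken from the crypto map output quoted earlier.

```cisco
! Added example; interface names, key and credentials are placeholders, not the poster's config.
!
! EzVPN client profile. The stored username/password plus "xauth userid mode local"
! let the router re-authenticate by itself after a tunnel drop, so nobody has to run
! "crypto ipsec client ezvpn xauth" by hand (option 1 from the answer).
crypto ipsec client ezvpn EZ
 connect auto
 group EZ key REPLACE-WITH-PRESHARED-KEY
 mode network-extension
 peer 192.168.20.11
 username cisco password cisco
 xauth userid mode local
!
! NAT access list, the broken form: every packet from the LAN is translated,
! including packets whose destination is only reachable through the tunnel,
! so they leave with the WAN address and never match the IPsec proxy identity.
!   access-list 101 permit ip 10.127.129.0 0.0.0.127 any
!
! Corrected form: "deny" in a NAT ACL means "do not translate". LAN traffic bound for
! the 10.0.0.0/8 networks behind the ASA keeps its real source address and enters
! the tunnel; everything else is still overloaded onto the WAN address for Internet access.
ip access-list extended NAT-INTERNET
 deny   ip 10.127.129.0 0.0.0.127 10.0.0.0 0.255.255.255
 permit ip 10.127.129.0 0.0.0.127 any
!
ip nat inside source list NAT-INTERNET interface FastEthernet0 overload
!
interface FastEthernet0
 description WAN uplink (assumed)
 ip nat outside
 crypto ipsec client ezvpn EZ outside
!
interface Vlan1
 description LAN 10.127.129.0/25 (assumed)
 ip address 10.127.129.1 255.255.255.128
 ip nat inside
 crypto ipsec client ezvpn EZ inside
```

On the ASA, the group-policy that the EZ tunnel-group uses needs "password-storage enable" (as the answer says) and "nem enable" for network-extension mode. After clearing the old translations, "show ip nat translations" on the 1811 should no longer list entries for 10.x destinations, and "show crypto ipsec client ezvpn" shows whether the profile is in the IPSEC_ACTIVE state.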