Showing results for 
Search instead for 
Did you mean: 

Easy VPN and Xauth


I am setting up an EzVPN connection from an 1811 router to my ASA 5540. I have everything setup and working properly with the exception of xauth.

I haven't had this problem with my VPN concentrator, and the configurations on the client side are identical.

Is there a way to not use xauth? I can't have my users logging into the router and typing in the command to login via xauth everytime their tunnel drops. I need to make this as seemless as I possibly can to the end user.

Any help is appreciated,


5 Replies 5

Maxim Zimovets

Hello, Craig!

You did not specified IOS's version of your 1841. But.

You have 2 options:

1. Set up username within EasyVPN group on a router:

crypto ipsec client ezvpn EZ


username cisco password cisco

xauth userid mode local


And don't forget to add "password-storage enable" to corresponding group-policy.

2. Switch off xauth for a tunnel-group.

tunnel-group NAME-GROUP ipsec-attributes

isakmp ikev1-user-authentication none

But be careful with such configuration. There are some security implication with IKE Aggressive mode.

Hope this helps.

With best regards.

Thanks for the help! I will put the configurations up in a few and give it a whirl!

IOS on the 1811 is 12.4(6)T7.


Setting up the xauth to local and definind a user/pw worked great! Thanks for the help.

But I'm having another issue, there is definately something wrong with my configuration.

The tunnel is up and active, and from my internal network I can ping the remote default-gateway, but I cannot ping the host on the other side of the default gateway. I have checked routing on my cores and the VPN ASA. I can see the correct network range from the ASA as well:

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr:

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

current_peer: XX.XX.XX.XX, username: GRPNAME

dynamic allocated peer ip:

From the above output you can see it's matching the netowrk.

Here is the config:

group-policy DfltGrpPolicy attributes

dns-server value

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

split-dns value

nem enable

tunnel-group EZ type remote-access

tunnel-group EZ ipsec-attributes

pre-shared-key *

I can set these up all day as static entries, and I have VPN clients remoting in just fine, just not this EZVPN setup.



for the ezvpn tunnel group, do you have the following command:

isakmp ikev1-user-authentication none

I was an idiot, I had my NAT wrong on the VPN clinet router. I was allowing all communication sourced from the remote network to be NAT'd (worked well for internet access) but it was also NAT'ing the traffic destined to the VPN tunnel.

Thanks for the help,


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: