10-11-2012 01:50 AM
Good Morning all.
I am trying to set up an Easy VPN connection between a 2811 and an 887 router. I am getting some errors which I cannot resolve. Your assistance in this would be greatly appreciated.
They are set up in the following manner, with the intention that the 887 can be put in a user's home, connected into their generic DSL router, and provide connectivity into the enterprise. In this setup, it is an 877, but the intention is that the config of this device should not be adjusted.
The firewall NATs an external IP address to the 10.228.156.33 address present on R3.
R1 attempts a connection to R3, but returns the error:
Oct 11 08:48:42.905: %CRYPTO-4-EZVPN_FAILED_TO_CONNECT: EZVPN(Remote) Ezvpn is in state READY, previous state was CONNECT_REQUIRED and event is CONN_UP. Session is not up after 180 seconds of initiating session, resetting the connection
Oct 11 08:48:42.905: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=groupname Client_public_addr=172.17.4.43 Server_public_addr=1.2.3.4
and a sh crypto isakmp sa shows a connection to R3; however, this times out after 180 seconds.
R3 then shows a route to 10.153.100.0/24 via f0/1, but no SA for R1.
Usernames, passwords and keys are correct, but have been removed from the configs below.
Thanks for your assistance.
R1 config
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxx
!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
ip dhcp pool client
 network 10.153.100.0 255.255.255.0
 default-router 10.153.100.1
 dns-server 10.203.2.10
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn xxxxx!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
controller VDSL 0
!
!
!
!
!
crypto ipsec client ezvpn Remote
 connect auto
 group groupname key xxxxxx
 mode network-extension
 peer 1.2.3.4
 xauth userid mode interactive
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 ip address dhcp
 crypto ipsec client ezvpn Remote
!
interface Vlan2
 ip address 10.153.100.1 255.255.255.0
 crypto ipsec client ezvpn Remote inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip pim bidir-enable
ip route xxxxx 255.255.255.255 Vlan1
!
no cdp run
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end
R3#
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login VPN_xauth local
aaa authorization network VPN_group local
!
aaa session-id common
!
!
ip cef
!
!
voice-card 0
 no dspfarm
!
username xxxx privilege 15 password xxxx
archive
 log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group groupname
 key xxxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile remote-access
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list VPN_xauth
crypto map clientmap isakmp authorization list VPN_group
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.203.4.33 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.228.156.33 255.255.255.0
 duplex full
 speed 100
 crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.228.156.254
ip route 10.0.0.0 255.0.0.0 10.203.4.254
!
!
ip http server
no ip http secure-server
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 360 0
 password xxxx
!
scheduler allocate 20000 1000
!
end