Easy VPN Assistance

geoff.r.hill
Level 1

Good Morning all.

I am trying to set up an Easy VPN connection between a 2811 and an 887 router. I am getting some errors which I cannot resolve. Your assistance in this would be greatly appreciated.

They are set up in the following manner, with the intention that the 887 can be put in a user's home, and connected into their generic DSL router, and provide connectivity into the enterprise. In this setup, it is an 877, but the intention is that the config of this device should not be adjusted.

The Firewall NATs an external IP address to the 10.228.156.33 address present on R3

R1 attempts a connection to R3, but returns the error

Oct 11 08:48:42.905: %CRYPTO-4-EZVPN_FAILED_TO_CONNECT: EZVPN(Remote) Ezvpn is in state READY, previous state was CONNECT_REQUIRED and event is CONN_UP. Session is not up after 180 seconds of initiating session, resetting the connection

Oct 11 08:48:42.905: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=groupname  Client_public_addr=172.17.4.43  Server_public_addr=1.2.3.4

and a sh crypto isakmp sa shows a connection to R3; however, this times out after 180 seconds.

R3 then shows a route to 10.153.100.0/24 via f0/1, but no SA for R1.

Usernames, passwords and keys are correct, but have been removed from the configs below

Thanks for your assistance

irl.jpg

R1 config


hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret xxxx

!
no aaa new-model
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
ip dhcp pool client
network 10.153.100.0 255.255.255.0
default-router 10.153.100.1
dns-server 10.203.2.10
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn xxxxx!
!
username xxxx privilege 15 password 0 xxxxx
!
!
!
!
controller VDSL 0
!
!
!
!
!
crypto ipsec client ezvpn Remote
connect auto
group groupname key xxxxxx
mode network-extension
peer 1.2.3.4 xauth userid mode interactive
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address

!
interface Vlan1
ip address dhcp
crypto ipsec client ezvpn Remote
!
interface Vlan2
ip address 10.153.100.1 255.255.255.0
crypto ipsec client ezvpn Remote inside
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip pim bidir-enable
ip route xxxxx 255.255.255.255 Vlan1
!
no cdp run
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

R3#

no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login VPN_xauth local
aaa authorization network VPN_group local
!
aaa session-id common
!
!
ip cef
!
!
voice-card 0
no dspfarm
!
username xxxx privilege 15 password xxxx
archive
log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group groupname
key xxxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto ipsec profile remote-access
!
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list VPN_xauth
crypto map clientmap isakmp authorization list VPN_group
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.203.4.33 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.228.156.33 255.255.255.0
duplex full
speed 100
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.228.156.254
ip route 10.0.0.0 255.0.0.0 10.203.4.254
!
!
ip http server
no ip http secure-server
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 360 0
password xxxx
!
scheduler allocate 20000 1000
!
end
