05-13-2010 05:44 AM - edited 02-21-2020 04:39 PM
Hi
Every time I reboot an EasyVPN client, it prompts for a username and password by prompting the following command: "crypto ipsec client ezvpn xauth".
How do I make the connection persistent, so that it won't ask for a username and password during the next reboot?
I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.
My EasyVPN server configuration (Cisco 877) is as follows:
sh run
Building configuration...
Current configuration : 2306 bytes
!
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
username cisco password 5 121A0C0411045D5679
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname theend0@yah.net
ppp chap password
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end
My Cisco 877 router client configuration:
sh run
Building configuration...
Current configuration : 1919 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Goldcoast
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname theend20@yg.net
ppp chap password
crypto ipsec client ezvpn ez
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end
I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.
Siva.
05-13-2010 11:35 AM
Hi,
Have you tried on the client to specify the user?
crypto ipsec client ezvpn ez
username
Federico.
05-13-2010 03:00 PM
I tried that, but still it came up manual xauth at set at server end. But I can't find any option at EasyVPN server related to manual or dynamic.
Siva.
05-13-2010 04:05 PM
The "save-password" command on the server should allow the remote client to save the XAUTH password.
If you issue the command:
"no xauth userid mode interactive"
On the client, does it ask for user credentials?
Federico.
05-14-2010 05:48 AM
Sorry for the late reply.
I am getting the following error after removing xauth. Here is the error.
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=vpngrp Client_public_addr=Server_public_addr=
Thanks,
siva.
05-14-2010 07:44 AM
Ok,
Add again the commands you have originally.
Question:
When you do a:
show crypto ipsec client ezvpn
on the client, does it say:
Save Password: Allowed
It could also be a software version issue. This would depend on which release this feature was introduced.
Please add this command:
crypto map clientmap client configuration address respond
Test again.
Federico.
05-15-2010 05:12 AM
Hi
show crypto ipsec client ezvpn
output
Inside interface list: Loopback0
Outside interface: Dialer0
Current State: XAUTH_REQ
Last Event: XAUTH_REQUEST
Save Password: Disallowed
Current EzVPN Peer:
I tried this command:
crypto map clientmap client configuration address respond
at the client side and still no luck.
Thanks,
siva.
05-15-2010 05:37 AM
Can you confirm for me whether the blog configuration at the URL below is correct to auto connect...
http://infotechaudit.blogspot.com/2009/10/dynamic-virtual-tunnel-interface-easy.html
siva
05-15-2010 01:43 PM
You're getting:
Save Password: Disallowed
That's why it keeps prompting for password every time.
What's your IOS version?
Would you be able to upgrade if necessary?
Federico.
03-05-2014 07:16 AM
Hi Federico,
I have the same issue where my ezvpn gets reset. Can anyone please help?
I have the following information.
1. My IOS is c2900-universalk9-mz.SPA.151-4.M4.bin.
2. My configuration under EzVPN is:
crypto ipsec client ezvpn vpnclient
connect auto
group *********** key ************
mode network-extension
peer ********
acl 102
username ****** password **********
xauth userid mode local
3. Router# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : vpnclient
Inside interface list: GigabitEthernet0/2, GigabitEthernet1/0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed
The issue: Keep getting the same error:
Mar 4 22:38:13.706: EZVPN(vpnclient): *** Logic Error ***
Mar 4 22:38:13.706: EZVPN(vpnclient): Current State: CONNECT_REQUIRED
Mar 4 22:38:13.706: EZVPN(vpnclient): Event: XAUTH_STATUS
Mar 4 22:38:13.706: EZVPN(vpnclient): Resetting the EZVPN state machine to recover
12-02-2010 09:09 AM
Hello,
You have probably resolved this by now.
For someone who is experiencing the same issue, the following might help:
On the client side, add the following under crypto ipsec client ezvpn xxx:
- username *** password ***
- xauth userid mode local
This should do it.
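Added example, not part of any post in this thread: a small Python check that reads an EasyVPN client configuration and the `show crypto ipsec client ezvpn` output, and lists which of the three conditions discussed above (local XAUTH mode, stored username and password, Save Password: Allowed) are still missing. The function names, the sample configuration, the peer address and the credentials are constructed placeholders.

```python
import re

def ezvpn_profiles(config):
    """Map each top-level 'crypto ipsec client ezvpn <name>' stanza to its sub-commands."""
    profiles, current = {}, None
    for raw in config.splitlines():
        if raw[:1] in (" ", "\t"):            # indented: belongs to the open stanza, if any
            if current is not None and raw.strip():
                profiles[current].append(raw.strip())
            continue
        m = re.fullmatch(r"crypto ipsec client ezvpn (\S+)", raw.strip())
        current = m.group(1) if m else None   # any other top-level line closes the stanza
        if m:
            profiles.setdefault(current, [])
    return profiles

def prompt_reasons(config, show_output, profile):
    """Return the reasons this profile would still ask for XAUTH credentials."""
    cmds = ezvpn_profiles(config).get(profile)
    if cmds is None:
        return [f"no ezvpn profile named {profile!r}"]
    reasons = []
    if "xauth userid mode local" not in cmds:
        reasons.append("xauth userid mode is not local")
    if not any(re.fullmatch(r"username \S+ password .+", c) for c in cmds):
        reasons.append("no 'username ... password ...' stored in the profile")
    m = re.search(r"^\s*Save Password:\s*(\S+)", show_output, re.M)
    if not m or m.group(1) != "Allowed":
        reasons.append("client does not report Save Password: Allowed")
    return reasons

# Constructed sample input modelled on the thread; all values are placeholders.
CLIENT_BEFORE = """\
crypto ipsec client ezvpn ez
 connect auto
 group vpngrp key EXAMPLE-KEY
 mode network-extension
 peer 192.0.2.1
 xauth userid mode interactive
!
interface Dialer0
 crypto ipsec client ezvpn ez
"""
CLIENT_AFTER = CLIENT_BEFORE.replace(
    " xauth userid mode interactive",
    " username EXAMPLE-USER password EXAMPLE-PASS\n xauth userid mode local")
SHOW_DISALLOWED = "Current State: XAUTH_REQ\nSave Password: Disallowed\n"
SHOW_ALLOWED = "Current State: IPSEC_ACTIVE\nSave Password: Allowed\n"

if __name__ == "__main__":
    for cfg, show in ((CLIENT_BEFORE, SHOW_DISALLOWED), (CLIENT_AFTER, SHOW_ALLOWED)):
        print(prompt_reasons(cfg, show, "ez") or "no prompt expected from these checks")
```

An empty result only means these three conditions are met; the 03-05-2014 post above meets all three and still reports Logic Error resets.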