EZVPN between Cisco 2801 and ASA

k.ramalingam
Level 1

Hi Experts,

Need help in setting up ezvpn. I have a Cisco 2801 with the following configuration:

router version 124-24.T3 (advanceipservicesk9)

crypto ipsec client ezvpn BOS-BACKUP
connect auto
group bosnsw key clar3nc3
mode client
peer 202.47.85.1
xauth userid mode interactive

interface FastEthernet0/0
ip address 10.80.3.85 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn BOS-BACKUP inside

interface Cellular0/1/0
ip address negotiated
encapsulation ppp
load-interval 60
dialer in-band
dialer string GSM
dialer-group 2
async mode interactive
no fair-queue
ppp chap hostname dummy
ppp chap password 0 dummy
ppp ipcp dns request
crypto ipsec client ezvpn BOS-BACKUP
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
!
dialer-list 2 protocol ip permit

Cellular interface is up and the router is able to ping the VPN peer:

Router# ping 202.47.85.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.47.85.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 396/473/780 ms

ASA configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

username bosnsw password UaV1j04bjTagjYnj encrypted privilege 0
username bosnsw attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec
no vpn-framed-ip-address

tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
address-pool BOS_CORPORATE
no ipv6-address-pool
authentication-server-group ACS_AUTH LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy BOS_CORPORATE
no dhcp-server
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group bosnsw webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group bosnsw ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth

BOS-NRD-IT-FW1# sh cry isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H


I have attached the debug output from router and the firewall. Hope someone can shed some light on this issue. Thanks in advance.
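
For anyone reading the "sh cry isa sa" listing above, here is a small parser, added to this thread and not posted by the original author, that pulls each IKE SA out of that output and flags peers whose SA is parked in an XAUTH state rather than reaching an active state. The AM_/MM_ prefix (aggressive vs. main mode) and the _ACTIVE suffix follow the ASA's IKEv1 state naming; treating every other state as "in progress" or "other" is an assumption made here for the sake of a coarse check.

```python
import re

# Constructed sample: the SA section of the firewall output quoted in the post.
SAMPLE_OUTPUT = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H
"""

# "1   IKE Peer: a.b.c.d" starts each SA entry; the fields follow on the next lines.
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)", re.M)
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA with peer, type, role, rekey and state."""
    entries = []
    parts = PEER_RE.split(text)[1:]           # [peer, body, peer, body, ...]
    for peer, body in zip(parts[0::2], parts[1::2]):
        sa = {"peer": peer}
        for key, value in FIELD_RE.findall(body):
            sa[key.lower()] = value
        entries.append(sa)
    return entries


def classify(state):
    """Map an ASA IKEv1 SA state string to (phase-1 mode, coarse status)."""
    if state.startswith("AM_"):
        mode = "aggressive"                   # group pre-shared key, as in this EZVPN setup
    elif state.startswith("MM_"):
        mode = "main"
    else:
        mode = "unknown"
    if state.endswith("_ACTIVE"):
        status = "established"
    elif "XAUTH" in state:
        # Phase 1 finished but extended authentication has not completed;
        # with "xauth userid mode interactive" the router waits for credentials to be typed in.
        status = "xauth_pending"
    elif "WAIT" in state:
        status = "phase1_in_progress"
    else:
        status = "other"
    return mode, status


def find_stuck(text):
    """Peers whose SA has not passed extended authentication."""
    return [sa["peer"] for sa in parse_isakmp_sa(text)
            if classify(sa["state"])[1] == "xauth_pending"]
```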

16 Replies

Thanks, so if I want to retain the IP, then I need to configure it as network-extension?

Router(config-crypto-ezvpn)#mode ?
  client             Client
  network-extension  Network Extension
  network-plus       Request a IP address identifier in NEM

What are the changes required on the ASA end? Thanks

That is correct!! You need to configure the mode as network-extension if you want to retain the IP.

Following is the guide to configure router and ASA in network-extension mode. Hope you find it useful.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml#ts1

Thanks,

Manasi