cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3797
Views
0
Helpful
16
Replies

EZVPN between Cisco 2801 and ASA

k.ramalingam
Level 1
Level 1

Hi Experts,

Need help in setting up ezvpn. I have a Cisco 2801 with the following configuration:

router version 124-24.T3 (advanceipservicesk9)

crypto ipsec client ezvpn BOS-BACKUP
connect auto
group bosnsw key clar3nc3
mode client
peer 202.47.85.1
xauth userid mode interactive

interface FastEthernet0/0
ip address 10.80.3.85 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn BOS-BACKUP inside

interface Cellular0/1/0
ip address negotiated
encapsulation ppp
load-interval 60
dialer in-band
dialer string GSM
dialer-group 2
async mode interactive
no fair-queue
ppp chap hostname dummy
ppp chap password 0 dummy
ppp ipcp dns request
crypto ipsec client ezvpn BOS-BACKUP
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
!
dialer-list 2 protocol ip permit

Celuular interface is up and the router is able to ping to vpn peer:

Router# ping 202.47.85.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.47.85.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 396/473/780 ms

ASA configuration:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

username bosnsw password UaV1j04bjTagjYnj encrypted privilege 0
username bosnsw attributes
vpn-group-policy DfltGrpPolicy
vpn-tunnel-protocol IPSec l2tp-ipsec
no vpn-framed-ip-address

tunnel-group bosnsw type remote-access
tunnel-group bosnsw general-attributes
address-pool BOS_CORPORATE
no ipv6-address-pool
authentication-server-group ACS_AUTH LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy BOS_CORPORATE
no dhcp-server
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group bosnsw webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group bosnsw ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth

BOS-NRD-IT-FW1#                    sh cry isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 112.213.172.108
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H


I have attached the debug output from router and the firewall. Hope someone can shed some light on this issue. Thanks in advance.

1 Accepted Solution

Accepted Solutions

Thats is correct!! You need to configure mode as network-extension if you want to retain the IP

Following is the guide to configure router and ASA in network-extension mode. Hope you find it useful.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml#ts1

Thanks,

Manasi

View solution in original post

16 Replies 16

Jennifer Halim
Cisco Employee
Cisco Employee

From the following debug output from router:

*Dec 16 03:29:09.902: EZVPN(BOS-BACKUP): Pending XAuth Request, Please enter the following command:
*Dec 16 03:29:09.902: EZVPN: crypto ipsec client ezvpn xauth

You would need to type in your xauth because you have configured "xauth userid mode interactive". Interactive means you have to manually enter in the username and password to connect to the ezvpn server.

From the router, you would need to issue: crypto ipsec client ezvpn xauth, and then enter in the username and password.

Alternatively, you can configure "xauth userid mode local" instead, and it would use the local configured username and password to automatically connect.

Hope that helps.

I did put in the username and password but it still doesn't work. I

also did

local username with same result.

what username did you use? do you use "bosnsw" as the username with the corresponding password?

When you use local, did you configure the "bosnsw" username and password locally on the ezvpn client (router)?

Yes, i used bosnsw for both local and interactive mode.

Hi,

I am not sure if you have managed to get this working. In case you are still facing issues, please send the following debugs:

from ASA: "debug cry isa 127" and "debug cry ips 127"

from router: "debug cry isa", "debug cry ips" and "debug cry ipsec client ezvpn".

Also, fr the ASA, please get the output of "show run all group-policy".

Cheers,

Prapanch

The debugs are attached. Thanks

Hi,

Could you change the mode to xauth userid mode local, run the debugs again on both the ASA and the router and send over the outputs

Thanks,

Manasi

debugs commands would be the same as mentioned by prapanch in the post above !:)

Please find the debug attached. Did i miss any configuration on the router or firewall. Thanks

Hey ramlingam,

We see the following debugs

Dec 30 02:45:22 [IKEv1 DEBUG]: Group = bosnsw, Username = cisco, IP = 112.213.174.43, Processing cfg ACK attributes
Dec 30 02:45:22 [IKEv1]: Group = bosnsw, Username = cisco, IP = 112.213.174.43, Remote peer has failed user authentication -  check configured username and password

Do you have Cisco username and password configured on router ?

Or with user mode interactive, try using cisco and corresponding password and check if that works!!

Thanks,

Manasi

Hi,

I have the same username and password configured at both end;

router

=====

crypto ipsec client ezvpn BOS-BACKUP
connect auto
group bosnsw key clar3nc3
mode client
peer 202.47.85.1
username cisco password cisco
xauth userid mode local

BOS-NRD-IT-FW1# sh run username
username cisco password cisco

But i reconfigured the group on the router:

group DefaultRAGroup pass netstar

and now the debug show the router is trying to obtain IP address and sorts. We want the IP address to remain as it is on the router which would be the ISP assigned IP address. The debug cry isa 127 from the router is attached.

Can you paste the conf of DefaultRAGroup and the corresponding group policy

tunnel-group DefaultRAGroup type remote-access

tunnel-group DefaultRAGroup general-attributes

no address-pool

no ipv6-address-pool

authentication-server-group LOCAL

secondary-authentication-server-group none

no accounting-server-group

default-group-policy DfltGrpPolicy

no dhcp-server

no strip-realm

no password-management

no override-account-disable

no strip-group

no authorization-required

username-from-certificate CN OU

secondary-username-from-certificate CN OU

authentication-attr-from-server primary

authenticated-session-username primary

tunnel-group DefaultRAGroup webvpn-attributes

hic-fail-group-policy DfltGrpPolicy

customization DfltCustomization

authentication aaa

no override-svc-download

no radius-reject-message

no proxy-auth sdi

no pre-fill-username ssl-client

no pre-fill-username clientless

no secondary-pre-fill-username ssl-client

no secondary-pre-fill-username clientless

dns-group DefaultDNS

no without-csd

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

peer-id-validate req

no chain

no trust-point

isakmp keepalive threshold 300 retry 2

no radius-sdi-xauth

isakmp ikev1-user-authentication xauth

tunnel-group DefaultRAGroup ppp-attributes

no authentication pap

authentication chap

authentication ms-chap-v1

no authentication ms-chap-v2

no authentication eap-proxy

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  url-list none
  filter none
  homepage none
  html-content-filter none
  port-forward name Application Access
  port-forward disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression none
  svc modules none
  svc profiles none
  svc ask none
  ike-retry-timeout 10
  ike-retry-count 3
  customization none
  keep-alive-ignore 4
  http-comp gzip
  download-max-size 2147483647
  upload-max-size 2147483647
  post-max-size 2147483647
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable

you are using client mode and so you need to have an address pool from which an IP address would be assigned to the

ezvpn client.

tunnel-group DefaultRAGroup type remote-access

tunnel-group DefaultRAGroup general-attributes

no address-pool

I request you to create a local pool and apply the pool in the DefaultRAGroup as follows

tunnel-group DefaultRAGroup general-attributes

address-pool BOS_CORPORATE

Thanks

Manasi