Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
903
Views
0
Helpful
0
Replies

EZVPN CISCO 1841 to CISCO 887VAW

amadoriale
Level 1
Level 1

‎06-20-2013 07:55 AM

Hi everybody,

I'm trying to setup a EZvpn connection in lab prior to installing at a client's site.

My configs

SERVER

[code]

sh run

Building configuration...

Current configuration : 2096 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname SERVER

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login USER local

aaa authorization network GROUP local

!

!

aaa session-id common

memory-size iomem 25

dot11 syslog

ip source-route

!

!

!

!

ip cef

!

multilink bundle-name authenticated

!

!

!

username ezvpn password 0 ezvpn

archive

log config

  hidekeys

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

lifetime 7200

crypto isakmp key cisco address 0.0.0.0 0.0.0.0

crypto isakmp client configuration address-pool local po

!

crypto isakmp client configuration group EZVPN

key Cisco123

dns 4.2.2.2

wins 4.2.2.2

pool EZVPN_POOL

netmask 255.255.255.0

crypto isakmp profile EZVPN_PROFILE

   match identity group EZVPN

   client authentication list USER

   isakmp authorization list GROUP

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac

!

crypto ipsec profile EZVPN_PROFILE

set transform-set EZVPN_SET

set isakmp-profile EZVPN_PROFILE

!

!

crypto dynamic-map DYNMAP 10

!

!

crypto map EZVPN 10 ipsec-isakmp dynamic DYNMAP

!

!

!

!

!

!

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.248

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 192.168.2.1 255.255.255.248

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

shutdown

no fair-queue

clock rate 2000000

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet0/1

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile EZVPN_PROFILE

!

ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 192.168.2.6

no ip http server

no ip http secure-server

!

!

!

!

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

!

scheduler allocate 20000 1000

end

SERVER#

[/code]

CLIENT

[code]

sh run

Building configuration...

Current configuration : 2447 bytes

!

! Last configuration change at 16:33:15 LEGALE Thu Jun 20 2013 by Gencom2010

! NVRAM config last updated at 16:33:16 LEGALE Thu Jun 20 2013 by Gencom2010

! NVRAM config last updated at 16:33:16 LEGALE Thu Jun 20 2013 by Gencom2010

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CLIENT

!

boot-start-marker

boot-end-marker

!

!

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

clock timezone SOLARE 1 0

clock summer-time LEGALE recurring last Sun Mar 2:00 last Sun Oct 3:00

crypto pki token default removal timeout 0

!

!

ip source-route

ip cef

!

!

!

!

!

no ipv6 cef

!

!

license udi pid C887VA-W-E-K9 sn FCZ1708C26E

!

!

!

!

!

!

controller VDSL 0

!

!

!

!

crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac

!

crypto ipsec profile EZVPN_PROFILE

set transform-set EZVPN_SET

!

!

!

crypto ipsec client ezvpn EZVPN

connect auto

group EZVPN key Cisco123

mode network-extension

peer 192.168.2.1

idletime 86400

ipsec-profile EZVPN_PROFILE

username ezvpn password ezvpn

xauth userid mode local

!

!

!

!

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

!

interface Ethernet0

no ip address

shutdown

!

interface FastEthernet0

switchport access vlan 2

no ip address

!

interface FastEthernet1

description OUTSIDE

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

no ip address

!

interface wlan-ap0

description Embedded Service module interface to manage the embedded AP

no ip address

!

interface Vlan1

description OUTSIDE

ip address 192.168.3.1 255.255.255.248

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1300

crypto ipsec client ezvpn EZVPN

!

interface Vlan2

description INSIDE

ip address 192.168.4.1 255.255.255.248

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1300

crypto ipsec client ezvpn EZVPN inside

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 192.168.3.6

!

!

!

!

!

!

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

stopbits 1

line vty 0 4

transport input all

!

scheduler allocate 20000 1000

end

CLIENT#

[/code]

There is a L3 switch in between that is doing routing, and the two routers can ping each others. When VPN is started up

SERVER

[code]

*Jun 20 14:48:58.050: ISAKMP:(0): claimed IOS but failed authentication

*Jun 20 14:49:08.534: ISAKMP (1393): Unknown Attr: MODECFG_HOSTNAME (0x700A)

*Jun 20 14:49:08.534: ISAKMP:FSM error - Message from AAA grp/user.

*Jun 20 14:49:08.542: ISAKMP:(1393):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE       (peer 192.168.3.1)

*Jun 20 14:49:08.546: ISAKMP:(1393):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE       (peer 192.168.3.1)

*Jun 20 14:49:08.546: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

*Jun 20 14:49:09.650: ISAKMP:(0): claimed IOS but failed authentication

*Jun 20 14:49:09.690: ISAKMP (1394): Unknown Attr: MODECFG_HOSTNAME (0x700A)

*Jun 20 14:49:09.694: ISAKMP:FSM error - Message from AAA grp/user.

[/code]

CLIENT

[code]

Jun 20 14:52:16.337: EZVPN(EZVPN) Server does not allow save password option,

enter your username and password manually

Jun 20 14:52:16.337: EZVPN(EZVPN): *** Logic Error ***

Jun 20 14:52:16.337: EZVPN(EZVPN): Current State: READY

Jun 20 14:52:16.337: EZVPN(EZVPN): Event: MODE_CONFIG_REPLY

Jun 20 14:52:16.337: EZVPN(EZVPN): Resetting the EZVPN state machine to recover

Jun 20 14:52:16.337: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZVPN  Client_public_addr=192.168.3.1  Server_public_addr=192.168.2.1 

Jun 20 14:52:16.337: ISAKMP:isadb_key_addr_delete: no key for address 192.168.2.1 (NULL root)

Jun 20 14:52:16.337: ISAKMP:(2120):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE       (peer 192.168.2.1)

Jun 20 14:52:16.341: ISAKMP:(2120):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE       (peer 192.168.2.1)

[/code]

Labels:
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents