06-20-2013 07:55 AM
Hi everybody,
I'm trying to set up an EZvpn connection in a lab prior to installing it at a client's site.
My configs
SERVER
[code]
sh run
Building configuration...
Current configuration : 2096 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SERVER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization network GROUP local
!
!
aaa session-id common
memory-size iomem 25
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
!
username ezvpn password 0 ezvpn
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 7200
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local po
!
crypto isakmp client configuration group EZVPN
key Cisco123
dns 4.2.2.2
wins 4.2.2.2
pool EZVPN_POOL
netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
match identity group EZVPN
client authentication list USER
isakmp authorization list GROUP
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
set isakmp-profile EZVPN_PROFILE
!
!
crypto dynamic-map DYNMAP 10
!
!
crypto map EZVPN 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.248
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/1
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
!
ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.6
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
SERVER#
[/code]
CLIENT
[code]
sh run
Building configuration...
Current configuration : 2447 bytes
!
! Last configuration change at 16:33:15 LEGALE Thu Jun 20 2013 by Gencom2010
! NVRAM config last updated at 16:33:16 LEGALE Thu Jun 20 2013 by Gencom2010
! NVRAM config last updated at 16:33:16 LEGALE Thu Jun 20 2013 by Gencom2010
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CLIENT
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock timezone SOLARE 1 0
clock summer-time LEGALE recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
!
!
!
!
!
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ1708C26E
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
!
!
!
crypto ipsec client ezvpn EZVPN
connect auto
group EZVPN key Cisco123
mode network-extension
peer 192.168.2.1
idletime 86400
ipsec-profile EZVPN_PROFILE
username ezvpn password ezvpn
xauth userid mode local
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
description OUTSIDE
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
description OUTSIDE
ip address 192.168.3.1 255.255.255.248
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1300
crypto ipsec client ezvpn EZVPN
!
interface Vlan2
description INSIDE
ip address 192.168.4.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
crypto ipsec client ezvpn EZVPN inside
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.3.6
!
!
!
!
!
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
end
CLIENT#
[/code]
There is an L3 switch in between that is doing routing, and the two routers can ping each other. When the VPN is started up:
SERVER
[code]
*Jun 20 14:48:58.050: ISAKMP:(0): claimed IOS but failed authentication
*Jun 20 14:49:08.534: ISAKMP (1393): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Jun 20 14:49:08.534: ISAKMP:FSM error - Message from AAA grp/user.
*Jun 20 14:49:08.542: ISAKMP:(1393):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE (peer 192.168.3.1)
*Jun 20 14:49:08.546: ISAKMP:(1393):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (R) QM_IDLE (peer 192.168.3.1)
*Jun 20 14:49:08.546: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jun 20 14:49:09.650: ISAKMP:(0): claimed IOS but failed authentication
*Jun 20 14:49:09.690: ISAKMP (1394): Unknown Attr: MODECFG_HOSTNAME (0x700A)
*Jun 20 14:49:09.694: ISAKMP:FSM error - Message from AAA grp/user.
[/code]
CLIENT
[code]
Jun 20 14:52:16.337: EZVPN(EZVPN) Server does not allow save password option,
enter your username and password manually
Jun 20 14:52:16.337: EZVPN(EZVPN): *** Logic Error ***
Jun 20 14:52:16.337: EZVPN(EZVPN): Current State: READY
Jun 20 14:52:16.337: EZVPN(EZVPN): Event: MODE_CONFIG_REPLY
Jun 20 14:52:16.337: EZVPN(EZVPN): Resetting the EZVPN state machine to recover
Jun 20 14:52:16.337: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZVPN Client_public_addr=192.168.3.1 Server_public_addr=192.168.2.1
Jun 20 14:52:16.337: ISAKMP:isadb_key_addr_delete: no key for address 192.168.2.1 (NULL root)
Jun 20 14:52:16.337: ISAKMP:(2120):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE (peer 192.168.2.1)
Jun 20 14:52:16.341: ISAKMP:(2120):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) QM_IDLE (peer 192.168.2.1)
[/code]
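As an added editor's example (not part of the original post or Cisco's tooling), a small Python check that parses the two running-configs quoted above and flags two mismatches visible in them: the global `address-pool local po` names a pool that is never defined, and the client stores an Xauth `username ... password` while the server group has no `save-password` attribute, which is the condition the client's "Server does not allow save password option" line reports. The config excerpts are constructed from the post with indentation restored.

```python
import re
# Constructed excerpts of the two configs quoted in the post (indentation restored).
SERVER_CFG = """\
crypto isakmp client configuration address-pool local po
crypto isakmp client configuration group EZVPN
 key Cisco123
 pool EZVPN_POOL
ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20
"""
CLIENT_CFG = """\
crypto ipsec client ezvpn EZVPN
 group EZVPN key Cisco123
 peer 192.168.2.1
 username ezvpn password ezvpn
 xauth userid mode local
"""

def sections(cfg, prefix):
    """Map each top-level line starting with prefix to its indented sub-commands."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a new top-level command
            cur = line if line.startswith(prefix) else None
            if cur:
                out[cur] = []
        elif cur:
            out[cur].append(line.strip())
    return out

def ezvpn_findings(server_cfg, client_cfg):
    """Return human-readable mismatches between the server and client EZVPN config."""
    findings = []
    pools = set(re.findall(r"^ip local pool (\S+)", server_cfg, re.M))
    for name in re.findall(r"^crypto isakmp client configuration address-pool local (\S+)", server_cfg, re.M):
        if name not in pools:  # global address-pool must name an existing pool
            findings.append(f"server: address-pool '{name}' is not a defined ip local pool")
    groups = sections(server_cfg, "crypto isakmp client configuration group ")
    for hdr, subs in sections(client_cfg, "crypto ipsec client ezvpn ").items():
        client, grp = hdr.split()[-1], next((s.split()[1] for s in subs if s.startswith("group ")), None)
        gsubs = groups.get(f"crypto isakmp client configuration group {grp}")
        if gsubs is None:
            findings.append(f"client {client}: group '{grp}' is not defined on the server")
            continue
        pool = next((s.split()[1] for s in gsubs if s.startswith("pool ")), None)
        if pool and pool not in pools:
            findings.append(f"server group {grp}: pool '{pool}' is not a defined ip local pool")
        # A stored client password is only accepted when the server group carries 'save-password'.
        if any(s.startswith("username ") for s in subs) and "save-password" not in gsubs:
            findings.append(f"client {client}: stores Xauth password but group {grp} lacks 'save-password'")
    return findings
```

Feed it the full `show run` text of both devices and it reports the same two findings for the configs in the post.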