Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
410
Views
0
Helpful
1
Replies

ezvpn doesn't work properly.

skytosky
Level 1
Level 1

‎07-22-2006 06:58 AM

I have some problems for configuring ezvpn between router IOS(Client) and VPN3K(Server). I want router to be connected with VPN3K without xauth (that is, without configuring username and password on router).

-----------------------------------------

Topology is following:

VPN3K(public)-(dmz)PIX(outside)-(fa0/0)Router

VPN3K public: 10.10.2.1

PIX dmz: 10.10.2.254

PIX outside: 20.x.2.254

Router fa0/0: 20.x.2.1

ezvpn mode: Client

address pool on VPN3K: 10.10.3.1/32

-----------------------------------------

On VPN3K:

1. IKE proposal: CiscoVPNClient-3DES-MD5

1) authentication mode: preshard (not preshard-xauth)

2. SA: ESP-3DES-MD5

1) IKE Peer: 0.0.0.0

2) Negotiation Mode: Main or Aggressive

3) IKE Proposal: CiscoVPNClient-3DES-MD5

3. Group

1) Name: ezvpn

2) Password: xxx

3) Type: Internal

4. Group-IPSec

1) IPSec SA: ESP-3DES-MD5

2) Tunnel Type: Remote Access

3) Authentication: Internal or None

On Router:

crypto ipsec client ezvpn SJVPN

connect auto

group ezvpn key xxx

peer 10.10.2.1

mode client

interface Loopback0

ip address 20.20.x.x.255.255.0

crypto ipsec client ezvpn SJVPN inside

interface fa0/0

ip address 20.20.x.x.255.255.0

crypto ipsec client ezvpn SJVPN

On PIX:

static (dmz,outside) 10.10.2.1 10.10.2.1

access-list outside permit icmp any any

access-list outside permit udp host 20.20.2.1 host 10.10.2.1 eq isakmp

access-list outside permit udp host 20.20.2.1 host 10.10.2.1 eq 4500

access-group outside in int outside

-----------------------------------------

On R1:

ping 10.10.2.1

!!!!!

After completing configuration like the above, ezvpn didn't work properly.

I saw the message like below:

5d16h: ISAKMP (0:9): beginning Aggressive Mode exchange

5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH

5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH...

5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1

5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH

5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH

5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH...

5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1

5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH

5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH

What's wrong? What should I do?

TIA

Labels:
0 Helpful
1 Reply 1

andrew100
Level 1
Level 1

‎08-01-2006 08:38 AM

Hi,

Just a couple of quick questions to see if i understand the topology. Is your VPN3K Public interface on a private address? Also, did you manually put the loopback address in to the remote router configuration? With EzVPN Client mode the router obtains it's address from the pool configured on the VPN3K, this is the loopback interface created dynamically when the tunnel is built. All traffic then NAT's out on this loopback address. Is this the case?

Thanks :-)

Andy

0 Helpful
Customers Also Viewed These Support Documents