06-17-2011 09:37 AM
Hi guys,
I am working on a basic EZVPN-DVTI configuration, but the connection doesn't come up. I am getting the following errors when the client tries to connect to the server:
On server:
%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 47.47.6.4 was not encrypted and it should've been.
On Client:
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=sales Server_public_addr=47.47.4.2
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 47.47.4.2
There is a firewall between them, and I'm allowing ESP & UDP 500.
I've attached the debug isakmp output for both routers.
In the debug output (client) I find messages such as:
peer matches *none* of the profiles
No pre-shared key with 47.47.4.2!
Encryption algorithm offered does not match policy!
Usually, there is no preshared key for this scenario, only the group and its key!
And under the client there is only crypto ipsec client ezvpn, and under it the group and key match.
That's why I'm confused how to troubleshoot.
Any suggestions how to find what is causing the problem or how to troubleshoot?
Thanks & Regards
Rami
06-17-2011 09:45 AM
Rami,
I just finished my document on debugging aggressive mode on IOS ;-)
https://supportforums.cisco.com/docs/DOC-17021
Here's part of the problem:
*Mar 1 00:15:39.907: ISAKMP:(0): phase 1 SA policy not acceptable! (local 47.47.6.4 remote 47.47.4.2)
Can I suggest also to attach configs? ;-)
Marcin
06-17-2011 10:17 AM
Hi Marcin,
Thanks for your reply, I will go through the document you did.
I have attached the config files, kindly have a look at them.
Thanks & Regards,
Rami
06-17-2011 06:43 PM
Hi Marcin,
After long troubleshooting, the problem was solved by removing the "virtual-interface 1" under the "crypto ipsec client ezvpn ez".
Any idea why? Do we need the virtual-template in the EZVPN client? Because without it, the tunnel came up and everything worked fine.
Regards.
Rami
06-18-2011 12:47 AM
Rami,
We do support DVTI on client.
Check the configuration of your template and compare it to the ones available on CCO, I guess you will spot the problem.
All config guides.
http://www.cisco.com/en/US/products/ps10591/products_installation_and_configuration_guides_list.html
Hint: the "ip unnumbered" on the VTI in the case of an EZVPN HW client is not required ... you need only one line there, but a different one ;-)
Marcin
06-18-2011 03:34 PM
Hi Marcin,
thanks for the link.
I tried to solve it without removing the virtual interface, and after doing a lot of tests, it's solved by adding a static route on the client router (how to reach the server).
ip route 47.47.4.0 255.255.255.0 47.47.6.1
But what I can't understand is that, without adding the static route, a default route is there (learned dynamically) as follows, and the client can reach the server via this route:
O*E2 0.0.0.0/0 [110/1] via 47.47.6.1, 00:21:00, FastEthernet0/0
So why do I need to add the route statically?
Regards,
Rami
06-19-2011 12:45 AM
Rami,
DVTI on the client will install a route via the Virtual-Access interface (upon connection), by default it is a default route :-)
That's why normally you need to have a more specific route for tunnel headend - typically a /32 static route.
Marcin
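The following is an added illustration of the routing behaviour Marcin describes; it is not code from the thread or from Cisco. It models the client router's table with a longest-prefix-match lookup and the IOS default administrative distances (static 1, OSPF 110). It assumes the EZVPN client installs its default route via the dynamic VTI as a static route (hence preferred over the OSPF-learned default), and the interface name `Virtual-Access1` is a constructed placeholder. The addresses and the /24 static route are the ones Rami posted; a /32 to 47.47.4.2, as Marcin suggests, would win the same way.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # next-hop address, or an interface name for an interface route
    source: str     # label only: where the route came from
    ad: int         # administrative distance; IOS defaults: static 1, OSPF 110


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; among equal prefixes the lowest AD wins.

    IOS only installs the lowest-AD route for a given prefix in the RIB;
    keeping both here and tie-breaking on AD gives the same forwarding result.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.ad))


# Values from the thread (headend and OSPF next hop) plus assumed VTI name.
HEADEND = "47.47.4.2"
UPSTREAM = "47.47.6.1"
VTI = "Virtual-Access1"   # assumed name of the client's dynamic VTI

# O*E2 0.0.0.0/0 [110/1] via 47.47.6.1 - the route Rami saw before the tunnel existed.
OSPF_DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), UPSTREAM, "ospf-e2", 110)
# Default route the EZVPN DVTI client installs once connected (assumed static, AD 1).
VTI_DEFAULT = Route(ipaddress.ip_network("0.0.0.0/0"), VTI, "ezvpn-dvti", 1)
# ip route 47.47.4.0 255.255.255.0 47.47.6.1 - the fix Rami added.
FIX = Route(ipaddress.ip_network("47.47.4.0/24"), UPSTREAM, "static", 1)

TABLE_BEFORE_CONNECT = [OSPF_DEFAULT]
TABLE_AFTER_CONNECT = [OSPF_DEFAULT, VTI_DEFAULT]
TABLE_WITH_FIX = [OSPF_DEFAULT, VTI_DEFAULT, FIX]


def path_to_headend(table: List[Route], headend: str = HEADEND, vti: str = VTI) -> str:
    """Describe how the client would forward a packet to the tunnel headend."""
    r = lookup(table, headend)
    if r is None:
        return "no route"
    if r.next_hop == vti:
        # The encapsulated packet to the headend would itself be routed into
        # the tunnel that needs the headend: recursive routing, tunnel flaps.
        return "recursive"
    return "via " + r.next_hop


if __name__ == "__main__":
    for name, table in (("before connect", TABLE_BEFORE_CONNECT),
                        ("after connect ", TABLE_AFTER_CONNECT),
                        ("with /24 fix  ", TABLE_WITH_FIX)):
        print(f"{name}: headend {HEADEND} -> {path_to_headend(table)}")
    # A host behind the headend still goes through the tunnel once the fix is in.
    print("10.1.1.1 (behind server) ->", lookup(TABLE_WITH_FIX, "10.1.1.1").next_hop)
```

Run as a script it prints the three cases: before the tunnel exists the headend is reached via 47.47.6.1; once the DVTI default route is installed the AD-1 default captures the headend itself; with the more specific static route the headend again goes out via 47.47.6.1 while everything else still enters the tunnel.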