
EZVPN missing IPsec flow?

samhopealpha
Level 1

Hi everybody,

I have configured an EZVPN on a 2811 router.

I can successfully VPN to 10.10.10.0 by using a PC

However, it fails when using an Android mobile phone to VPN to 10.10.10.0

(but this Android phone could VPN to 10.10.10.0 a few days ago).

When I run "show crypto session", it shows:

Crypto session current status

Interface: FastEthernet0/0

Username: user1

Group: EZVPN_GROUP_1

Assigned address: 10.10.10.23

Session status: UP-ACTIVE

Peer: 202.202.202.202 port 52888

  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/52888 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.10.23

        Active SAs: 2, origin: dynamic crypto map

Interface: FastEthernet0/0

Username: user1

Group: EZVPN_GROUP_1

Assigned address: 10.10.10.22

Session status: UP-IDLE

Peer: 202.202.202.202 port 4500

  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/4500 Active

  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/4500 Inactive

REMOTE_IP = 202.202.202.202

ROUTE_PUBLIC_IP = 111.111.111.111

Remote PC assigned IP: 10.10.10.23

Remote Mobile assigned IP: 10.10.10.22

And I found there is a missing IPSEC FLOW on 10.10.10.22,

and an abnormal IKEv1 SA (1st row Active, but 2nd row Inactive?)

In this situation, what should I check to verify the settings again?

Thanks in advance

Sam

1 Reply

Marcin Latosiewicz
Cisco Employee

Sam,

This "just" means that no phase 2 has been established or phase 2 SA was deleted.

Run debugs, compare them with:

https://supportforums.cisco.com/docs/DOC-17021

If in doubt - open up a TAC case so we can dig into this.

I was not aware that Android can do pure IPsec (AFAIR it was only L2TP over IPsec).

M.
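
The symptom discussed in this thread, as an added example that is not part of the original posts or Cisco's own tooling: a small parser over the `show crypto session` text pasted in the question that reports sessions with an Active IKE SA but no IPSEC FLOW carrying SAs. The function names and the rule "no flow or zero Active SAs means no phase 2" are assumptions made for this example, based on the reply above.

```python
# Output copied from the question in this thread (blank lines removed).
SAMPLE = """\
Interface: FastEthernet0/0
Username: user1
Group: EZVPN_GROUP_1
Assigned address: 10.10.10.23
Session status: UP-ACTIVE
Peer: 202.202.202.202 port 52888
  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/52888 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.10.23
        Active SAs: 2, origin: dynamic crypto map
Interface: FastEthernet0/0
Username: user1
Group: EZVPN_GROUP_1
Assigned address: 10.10.10.22
Session status: UP-IDLE
Peer: 202.202.202.202 port 4500
  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/4500 Active
  IKEv1 SA: local 111.111.111.111/4500 remote 202.202.202.202/4500 Inactive
"""

def parse_sessions(text):
    """Split the output into one dict per 'Interface:' block."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            sessions.append({"ike": [], "flows": [], "active_sas": 0})
        if not sessions or ":" not in line:
            continue  # banner lines such as "Crypto session current status"
        cur = sessions[-1]
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.startswith("IKE"):               # "IKEv1 SA" rows
            cur["ike"].append(value.split()[-1])  # trailing Active / Inactive
        elif key == "IPSEC FLOW":
            cur["flows"].append(value)
        elif key == "Active SAs":               # "2, origin: dynamic crypto map"
            cur["active_sas"] += int(value.split(",")[0])
        else:                                   # Username, Group, Peer, ...
            cur[key] = value
    return sessions

def missing_phase2(sessions):
    """Sessions with an Active IKE SA (phase 1) but no flow carrying SAs."""
    return [s for s in sessions
            if "Active" in s["ike"] and (not s["flows"] or s["active_sas"] == 0)]

if __name__ == "__main__":
    print([(s["Assigned address"], s["Peer"]) for s in missing_phase2(parse_sessions(SAMPLE))])
```
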