07-06-2009 12:01 PM
Hi
I'm trying to create a VPN between a remote 857 and a UC520 using EZVPN. UC520 is set up just fine and tested OK using the VPN client. However the 857 always fails asking for Xauth credentials stating they are incorrect. Have tried completely wiping the config and starting again, to no success. IOS is AdvSec 124-15.T8.
Must be something simple, but I cannot see it.
thanks in advance
Jamie
07-07-2009 05:50 AM
Hi Jamie,
can you post the config and topology?
So the 857 is the Easy VPN server and the UC520 is the Easy VPN client?
Rgds,
Christian
07-07-2009 11:16 AM
Hi Christian
Thanks for your help.
The UC520 is the Easy VPN server, and the 857 is the Easy VPN client. The UC520 has a 2621XM acting as its ADSL modem, but it is set to pass everything through to the UC520 WAN port. It has been tested OK using the VPN client on a PC.
I've attached the configs for each box, and also a sample of the debug from the 857. Assume the public addresses xxx.xxx.xxx.xxx are correct ;-)
Hopefully I'm doing something simple and silly.
regards
Jamie
07-10-2009 03:04 AM
Hi Jamie,
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml
*Jun 3 05:59:30.242: EZVPN(ez): Pending XAuth Request, Please enter the
following command:
*Jun 3 05:59:30.242: EZVPN: crypto ipsec client ezvpn xauth
!--- Enter the crypto ipsec client ezvpn xauth command.
3-03-06-871W#crypto ipsec client ezvpn xauth
Username: cisco
Password:
*Jun 3 06:02:46.498: username: cisco
*Jun 3 06:02:46.498: password:
You see, that "error message" means that you have to manually put in the username / password like in your PC VPN client.
So I guess in the first VPN dial-in from the client to the server you have to put that in manually on the router, so that the server can validate it, and then the client can store it when you allow it on the server.
Step 14 save-password
Example: Router (config-isakmp-group)# save-password
Give it a try.
Rgds,
Christian
07-10-2009 03:12 AM
Or you can try:
xauth userid mode interactive
which is the default, instead of
xauth userid mode local
option local
The saved username or password is used in the configuration.
So it needs the save password and doesn't use the configured one.
Therefore you must first authenticate over the CLI (refer to my last post), then it should work if the Easy VPN server allows saving the password.
But I personally never configured that option. Usually the interactive was ok and it uses the local configured username / password.
Please send a feedback if it works now.
Cheers,
Christian
Rgds,
Christian
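The pairing described in the two posts above, as an added configuration sketch that is not taken from the thread or from Jamie's attached configs: the server group has to permit `save-password` before a remote using `xauth userid mode local` can send stored credentials. The profile name, group name, interface names and all bracketed values are placeholders, and the rest of the server's AAA and crypto map configuration is assumed to be in place already.

```cisco
! ---------- Easy VPN server (UC520 in this thread) ----------
! Local Xauth user that the remote router will authenticate as (placeholder values)
username <xauth-user> password <xauth-password>
!
crypto isakmp client configuration group EXAMPLE-GROUP
 key <group-preshared-key>
 ! Without this, the server does not allow the remote to store its Xauth password
 save-password
!
! ---------- Easy VPN remote (857 in this thread) ----------
crypto ipsec client ezvpn EZ-EXAMPLE
 connect auto
 ! Group name and key must match the server group above
 group EXAMPLE-GROUP key <group-preshared-key>
 mode client
 peer <server-public-ip>
 ! Stored Xauth credentials, sent when userid mode is local
 username <xauth-user> password <xauth-password>
 xauth userid mode local
!
! Interface names are assumptions for an 857 (LAN on Vlan1, ADSL on Dialer0)
interface Vlan1
 crypto ipsec client ezvpn EZ-EXAMPLE inside
!
interface Dialer0
 crypto ipsec client ezvpn EZ-EXAMPLE
!
! ---------- Checks on the remote ----------
! show crypto ipsec client ezvpn
! debug crypto ipsec client ezvpn
```

With `save-password` and a stored `username ... password ...` line, the Xauth password sits in the remote router's configuration, so access to that configuration and its backups needs to be restricted accordingly.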
07-10-2009 03:28 AM
Hi Christian
Many thanks for your time looking at this for me.
I'll try inputting the username and password from the CLI as you suggest. All previous attempts have been via SDM where it continually asked me to input the username and password.
I'll give it a go this evening and let you know.
best regards
Jamie
07-10-2009 11:26 AM
Hi Christian
I've tried entering the credentials at the CLI prompt, however it does not accept them and continues to request that I put them in.
The same credentials work fine on the VPN client from a PC on the same network.
Any ideas?
Jamie
08-05-2009 11:09 AM
Hi Jamie,
did you try:
xauth userid mode local
With a locally configured user / password for the xauth configured?
Rgds,
Christian
08-05-2009 11:54 AM
Hi Christian
I've tried that one, still no change. It seems like whatever hash is being used for the password does not match at either end.
Can't work it out.
regards
Jamie