01-13-2004 02:51 AM
Hi!
Can anybody explain what happened with address allocation from a local pool for Cisco VPN Clients in IOS 12.3(4)T?
The config:
crypto isakmp client configuration group localgroup
key cisco
pool default
acl 150
ip local pool default 192.168.3.1 192.168.3.254
no longer works. Anybody please open a case!
IOS 12.3(4)T debug shows:
AAA/AUTHOR (0x2): Pick method list 'VPN-local'
ISAKMP/author: Author request successfully sent to AAA
ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(0:1:HW:2):attributes sent in message:
Address: 0.2.0.0
ISAKMP: Using Framed-IP-Address 255.255.255.255
ISAKMP:(0:1:HW:2):allocating address 255.255.255.255
ISAKMP: Sending private address: 255.255.255.255
I.e. the pool allocates 255.255.255.255 !?
In IOS 12.3(2)T everything is ok and debug shows:
AAA/AUTHOR/CRYPTO AAA: ISAKMP500(4220974356) user='localgroup'
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV service=ike
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV protocol=ipsec
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): found list "VPN-local"
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): Method=LOCAL
AAA/AUTHOR (4220974356): Post authorization status = PASS_ADD
ISAKMP: got callback 1
AAA/AUTHOR/IKE: Processing AV service=ike
AAA/AUTHOR/IKE: Processing AV protocol=ipsec
AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco
AAA/AUTHOR/IKE: Processing AV addr-pool*default
...
ISAKMP (0:3): attributes sent in message:
Address: 0.2.0.0
ISAKMP (0:3): allocating address 192.168.3.2
ISAKMP: Sending private address: 192.168.3.2
Oleg Tipisov,
REDCENTER,
Moscow
01-13-2004 07:51 AM
Attention: Cisco programmers
It seems that the problem may be related to the new 12.3(4)T feature that allows per-user IPSec RADIUS attributes. Now it is possible to allocate addresses on a per-user basis as part of XAUTH processing. The RADIUS attribute Framed-IP-Address is used for this. If this attribute is not present or is set to 255.x.y.z, tunnel establishment fails.
The workaround is to either specify the IP address on a per-user basis or use an AAA-server-defined address pool for XAUTHenticated users.
Note that AAA-client-defined address pools (the name of the pool is returned via the addr-pool cisco-avpair) do not work, so the bug should be corrected anyway.
Regards,
Oleg Tipisov,
REDCENTER,
Moscow
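The two debug excerpts above differ in one line: the working release processes the addr-pool AV and allocates from the pool, while the broken release goes down the Framed-IP-Address path and hands out 255.255.255.255. As an added example (not from the original thread or from Cisco), here is a small Python checker that reads ISAKMP debug output and flags that symptom; the sample lines are constructed to mirror the excerpts, and the pool bounds 192.168.3.1 to 192.168.3.254 come from the posted config.

```python
"""Check Cisco ISAKMP mode-config debug output for the address-allocation
symptom discussed in the thread: a 255.x.y.z Framed-IP-Address being handed
to the client instead of an address from the local pool."""
import ipaddress
import re

# Constructed sample lines, modelled on the two debug excerpts in the thread.
DEBUG_12_3_4T = """\
ISAKMP: Using Framed-IP-Address 255.255.255.255
ISAKMP:(0:1:HW:2):allocating address 255.255.255.255
ISAKMP: Sending private address: 255.255.255.255
"""
DEBUG_12_3_2T = """\
AAA/AUTHOR/IKE: Processing AV addr-pool*default
ISAKMP (0:3): allocating address 192.168.3.2
ISAKMP: Sending private address: 192.168.3.2
"""

POOL_AV_RE = re.compile(r"Processing AV addr-pool\*(\S+)")
FRAMED_RE = re.compile(r"Using Framed-IP-Address (\d{1,3}(?:\.\d{1,3}){3})")
ALLOC_RE = re.compile(r"allocating address (\d{1,3}(?:\.\d{1,3}){3})")


def check_allocations(debug_text, pool_start, pool_end):
    """Return (pool_name, framed_ip, verdicts).

    pool_name is the addr-pool AV name AAA returned (None if never seen),
    framed_ip the Framed-IP-Address the router used (None if not used), and
    verdicts a list of (address, verdict) per 'allocating address' line:
    'ok' inside the local pool, 'unusable_255' for a 255.x.y.z address (the
    failure mode described in the thread), 'outside_pool' otherwise."""
    lo, hi = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    pool_name = framed_ip = None
    verdicts = []
    for line in debug_text.splitlines():
        if m := POOL_AV_RE.search(line):
            pool_name = m.group(1)          # pool-based allocation path
        elif m := FRAMED_RE.search(line):
            framed_ip = m.group(1)          # per-user address path taken instead
        elif m := ALLOC_RE.search(line):
            addr = ipaddress.IPv4Address(m.group(1))
            if addr.packed[0] == 255:
                verdicts.append((str(addr), "unusable_255"))
            elif lo <= addr <= hi:
                verdicts.append((str(addr), "ok"))
            else:
                verdicts.append((str(addr), "outside_pool"))
    return pool_name, framed_ip, verdicts


if __name__ == "__main__":
    for label, text in (("12.3(4)T", DEBUG_12_3_4T), ("12.3(2)T", DEBUG_12_3_2T)):
        print(label, check_allocations(text, "192.168.3.1", "192.168.3.254"))
```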
01-17-2004 02:19 AM
Hi,
I have local aaa defined and tested on 12.3(4)T1 on a 72xx router. It works fine. I am able to allocate an address to the IOS VPN client from the local pool defined on the VPN server.
See the debugs:
===========
Jan 17 15:43:28.838: ISAKMP (0:134217804): received packet from 1.1.1.2 dport 500 sport 500 Global (R) QM_IDLE
*Jan 17 15:43:28.838: ISAKMP: set new node -1349827177 to QM_IDLE
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):processing transaction payload from 1.1.1.2. message ID = -1349827177
*Jan 17 15:43:28.838: ISAKMP: Config payload REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):checking request:
*Jan 17 15:43:28.838: ISAKMP: IP4_ADDRESS
*Jan 17 15:43:28.838: ISAKMP: IP4_NETMASK
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: SPLIT_INCLUDE
*Jan 17 15:43:28.838: ISAKMP: SPLIT_DNS
*Jan 17 15:43:28.838: ISAKMP: DEFAULT_DOMAIN
*Jan 17 15:43:28.838: ISAKMP: MODECFG_SAVEPWD
*Jan 17 15:43:28.838: ISAKMP: INCLUDE_LOCAL_LAN
*Jan 17 15:43:28.838: ISAKMP: PFS
*Jan 17 15:43:28.838: ISAKMP: BACKUP_SERVER
*Jan 17 15:43:28.838: ISAKMP: APPLICATION_VERSION
*Jan 17 15:43:28.838: ISAKMP/author: setting up the authorization request
*Jan 17 15:43:28.838: ISAKMP/author: Author request successfully sent to AAA
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):attributes sent in message:
*Jan 17 15:43:28.842: Address: 0.2.0.0
*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):allocating address 192.168.1.17
(***** note here address has been allocated after ike phase1)
*Jan 17 15:43:28.842: ISAKMP: Sending private address: 192.168.1.17
*Jan 17 15:43:28.842: ISAKMP: Sending Loopback0 subnet mask: 255.255.255.0
*Jan 17 15:43:28.842: ISAKMP: Sending save password reply value 0
*Jan 17 15:43:28.842: ISAKMP: Sending APPLICATION_VERSION string:
Could you please send me the config details?
Thanx,
Munit
01-17-2004 06:36 AM
Hi!
Put the user into the RADIUS and it will stop working. I have sent you configuration and debug output.
Thank you,
Oleg Tipisov,
REDCENTER,
Moscow