519 Views | 0 Helpful | 1 Replies

IOS Easy VPN client connecting to a Pix (6.2) Easy VPN server doing XAUTH

swatkins
Level 1

Hi

I'm having a bit of trouble getting this working. Phase I on the client is completing successfully but Phase II is failing. I'm getting the following error message on my 837 client:

Jun 15 17:11:12 BST: EZVPN(vpn-hw-client) Server does not allow save password option

My config on my 837 is like this:

crypto ipsec client ezvpn vpn-hw-client
    connect auto
    group vpn-hw-client-group key 0 xxxxxx
    mode network-extension
    peer 1.1.1.1
    username test password 0 test1

I think that it's probably a support issue with the Pix but I'm not entirely sure.

The config on the Pix is:

vpngroup vpn-hw-client-group idle-time 1800
vpngroup vpn-hw-client-group password *

+ a standard XAUTH config which works fine with "normal" VPN clients

Basically what I'm trying to achieve is for a site on a dynamic external IP to connect back to the central site automatically, such that no PC-initiated traffic is required to bring up the tunnel.

We want to be able to administer the PC at the remote site, without necessarily knowing the external IP of the site.

Is there any other way to nail up a VPN connection? If I need to use fixed IPs at this site then there is the obvious cost implication!

Any help appreciated

Thanks

Simon

1 Reply

gfullage
Cisco Employee

The fact you have this part of the config on your 837:

crypto ipsec client ezvpn vpn-hw-client

    username test password 0 test1

means that the other end needs to be configured to allow you to save the user password. Saving the username and password in the EZVPN client config is seen as a security risk, so the server needs to be set up to allow this to happen. Unfortunately though, you can't configure this on a PIX EzVPN server running 6.x code.

You have two options:

1. Deconfigure the username/password command on the 837, which means you'll have to manually reconnect the tunnel if it ever goes down again (a pain).

2. Upgrade the PIX (assuming it's not a 501/506 which doesn't support v7.0) to v7.0 and check out the following doco:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/vpngrp.htm#wp1045034

Note that your "vpngroup" config will change dramatically after you upgrade to v7.0, but you'll have much, much more control over what the users can do. v7.0 brings the PIX very close to the power of the VPN3000 with what you can define for groups. Search for the "password-storage" variable specifically in the URL above. Have fun.
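As an added illustration (not part of gfullage's reply or any Cisco document), this is the general shape the PIX 7.0 configuration for option 2 takes: the old "vpngroup" lines become a group-policy plus a tunnel-group, and the group-policy is where the server grants the client permission to keep its XAUTH credentials. The group name is reused from the post, "xxxxxx" is a placeholder pre-shared key, and local XAUTH users are assumed; check the exact keywords against the release notes for the code you end up on.

```cisco
! --- PIX 7.0 side (assumed layout, not from the page) ---
! Group policy: the per-group permissions. password-storage is the
! knob behind the "Server does not allow save password option" message.
! nem enable is needed because the 837 is in network-extension mode.
group-policy vpn-hw-client-group internal
group-policy vpn-hw-client-group attributes
 password-storage enable
 nem enable
!
! Tunnel group: replaces "vpngroup <name> password ..." and ties the
! group key, the XAUTH authentication source and the policy together.
tunnel-group vpn-hw-client-group type ipsec-ra
tunnel-group vpn-hw-client-group general-attributes
 authentication-server-group LOCAL
 default-group-policy vpn-hw-client-group
tunnel-group vpn-hw-client-group ipsec-attributes
 pre-shared-key xxxxxx
!
! Local XAUTH user that the 837 stores and presents automatically.
username test password test1
```

Only enable password-storage for groups that genuinely need unattended reconnects; once it is on, the XAUTH credentials live in the router's startup-config ("password 0" is cleartext), so anyone who can read that config holds a usable VPN login.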