I have ezvpn running on my 877 on the Dialer0. Config:
crypto ipsec client ezvpn hw-client
 connect auto
 group hw-client-password key ********
 local-address Vlan1
 mode network-extension
 peer 195.*.*.*
 username vpn024 password ********
 xauth userid mode local
But I keep getting an error message saying: CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)
When I try to configure an Inside or Outside it tells me there is no config for them?
Ezvpn has been the pain in my side the last 2 x days. Long story and I won't bore you with it.
You would set the Ezvpn inside and outside address on your router. On the Cisco Press example I have it uses PPPoE and therefore it requires E0 as the outside and Fa0 / VLAN as the inside (try both) as the config has to have these. In your example try nominating Fa0 as the inside before nominating Di0 as the outside. The command should be 'crypto ipsec client hw-client inside' for 'inside' and 'outside' for outside.
Under your config (server) make sure you have a relevant password setting for your client.
Also, on your Ezvpn server, make sure you have the 'save password' statement. If not, each time your user tries to authenticate he will have to enter an Xauth username & password.
I have a Ciscopress example that I was working from and we got QM idle. Can dig it out and send if you are still having problems, again though this uses Ethernet not Dialer0.
On the 877, the layer-3 "outside" interface is 'VLAN 1' (by default).
The FastEthernet interfaces are the layer-2 switch managed ports so you can control each individually, including which VLAN they are part of.
The default is to have all the FastEthernet ports as part of VLAN1.
(Now that Cisco has merged layer-2 and layer-3 configs into one big blob, I do wish they had chosen to identify which is which to avoid this sort of confusion. Maybe L2-interface marks layer-2 only interfaces, and regular old 'interface' marks only layer-3 interfaces? Of course, this goes out the door for something like a Catalyst 4500 SupIV/V where the ports can be either.. :( )
*Jul 9 18:05:34.783: EZVPN(hw-client): No state change
*Jul 9 18:05:34.783: EZVPN(hw-client): Current State: TUNNEL_INT_UP
*Jul 9 18:05:34.783: EZVPN(hw-client): Event: TUNNEL_HAS_PUBLIC_IP_ADD
Does anybody have any suggestions because this is getting VERY stressful!
My config:
Current configuration : 2583 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname adsltest
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$SL5m$emaZnfH1Z4iRZ4yIwvu2Y1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.250.*.0 255.255.255.0
 default-router 10.250.*.*
!
!
no ip bootp server
no ip domain lookup
ip domain name adsltest.co.uk
!
!
!
username vpn024
!
!
!
!
crypto ipsec client ezvpn hw-client
 connect manual
 group hw-client-password key cisco
 local-address Vlan1
 mode network-extension
 peer 195.92.130.40
 acl 10
 username vpn024 password cisco
 xauth userid mode local
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.250.*.* 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn hw-client inside
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname **********
 ppp chap password 0 *********
 ppp pap sent-username ******* password 0 ********
 crypto ipsec client ezvpn hw-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map ezvpn interface Vlan1 overload
!
dialer-list 1 protocol ip permit
no cdp run
route-map ezvpn permit 10
 match ip address 10
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 password cisco
 login
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end
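Added example, not part of the thread and not Cisco tooling: a small Python check over a saved running-config that reports whether each EzVPN client profile has both an inside and an outside interface bound (the point raised in the replies above), and goes slightly beyond that by flagging disabled password encryption and Telnet on the vty lines. The sample config is constructed (trimmed from the post, with a documentation-range peer address), and the parser assumes the one-space indentation of `show running-config` output.

```python
import re

# Constructed sample, trimmed from the configuration posted above.
SAMPLE = """\
no service password-encryption
crypto ipsec client ezvpn hw-client
 connect manual
 peer 192.0.2.1
interface Vlan1
 crypto ipsec client ezvpn hw-client inside
interface Dialer0
 crypto ipsec client ezvpn hw-client
line vty 0 4
 transport input telnet ssh
"""

BIND = re.compile(r"crypto ipsec client ezvpn (\S+)(?: (inside|outside))?")

def parse_blocks(cfg):
    """Group indented sub-commands under their unindented parent line."""
    blocks, parent = {}, None
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and IOS "!" separators
        if line[0] != " ":
            parent = line
            blocks.setdefault(parent, [])
        elif parent:
            blocks[parent].append(line.strip())
    return blocks

def audit(cfg):
    """Return findings for EzVPN interface bindings and remote-access hygiene."""
    blocks, findings, bound = parse_blocks(cfg), [], set()
    for parent, subs in blocks.items():
        for s in subs:
            m = BIND.fullmatch(s) if parent.startswith("interface ") else None
            if m:  # IOS treats a binding with no keyword as the outside interface
                bound.add((m.group(1), m.group(2) or "outside"))
            if parent.startswith("line vty") and re.match(r"transport input .*\btelnet\b", s):
                findings.append(f"{parent}: telnet allowed")
    for top in blocks:
        if top.startswith("crypto ipsec client ezvpn "):
            for role in ("inside", "outside"):
                if (top.split()[4], role) not in bound:
                    findings.append(f"ezvpn {top.split()[4]}: no {role} interface bound")
    if "no service password-encryption" in blocks:
        findings.append("service password-encryption disabled")
    return findings
```
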
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.