Cisco 877 and EZVPN !?!?!

Hi Guys,

I have ezvpn running on my 877 on the Dialer0. Config:

crypto ipsec client ezvpn hw-client
 connect auto
 group hw-client-password key ********
 local-address Vlan1
 mode network-extension
 peer 195.*.*.*
 username vpn024 password ********
 xauth userid mode local

but I keep getting an error message saying: CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)

When I try to configure an Inside or Outside, it tells me there is no config for them?

Any ideas? Help much appreciated!!! Also

Cheers,

Reply to
Ry

Hi.

Ezvpn has been the pain in my side the last 2 days. Long story and I won't bore you with it.

You would set the Ezvpn inside and outside address on your router. In the Cisco Press example I have, it uses PPPoE and therefore it requires E0 as the outside and Fa0 / VLAN as the inside (try both), as the config has to have these. In your example, try nominating Fa0 as the inside before nominating Di0 as the outside. The command should be 'crypto ipsec client hw-client inside' for 'inside' and 'outside' for outside.

Under your config (server), make sure you have a relevant password setting for your client.

Also, on your Ezvpn server, make sure you have the 'save password' statement. If not each time your user tries to authenticate he will have to enter an Xauth username & password.

I have a Ciscopress example that I was working from and we got QM idle. I can dig it out and send it if you are still having problems; again though, this uses Ethernet, not Dialer0.

Regards

Darren

Reply to
darrenfgreen

------------------------------------------------------------------------------------------------------------

Hi Darren,

As I have an 877 there is no E0, just FA0-1-2-3,

So I'm having to use FA0 as the "Outside". Will that matter, to your knowledge?

Thanks,

Ry.

Reply to
Ry

On the 877, the layer-3 "outside" interface is 'VLAN 1' (by default).

The FastEthernet interfaces are the layer-2 switch managed ports, so you can control each individually, including which VLAN they are part of.

The default is to have all the FastEthernet ports as part of VLAN1.

(Now that Cisco has merged layer-2 and layer-3 configs into one big blob, I do wish they had chosen an identifier for which is which to avoid this sort of confusion. Maybe L2-interface marks layer-2 only interfaces, and regular old 'interface' marks only layer-3 interfaces? Of course, this goes out the door for something like a Catalyst 4500 SupIV/V where the ports can be either... :(

Reply to
Doug McIntyre

On Jul 9, 6:40 pm, Doug McIntyre wrote:

OK!

I seem to have the EZVPN working, however I can't seem to get a connection!?!?!?

These are the errors I get from debug crypto isakmp and debug crypto ezvpn etc.:

*Jul 9 18:02:51.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=hw-client-password Client_public_addr=86.133.174.102 Server_public_addr=195.92.130.40
*Jul 9 18:02:51.143: EZVPN(hw-client): Current State: READY
*Jul 9 18:02:51.143: EZVPN(hw-client): Event: RESET
*Jul 9 18:02:51.143: EZVPN(hw-client): ezvpn_close
*Jul 9 18:02:51.143: ISAKMP: Deleting peer node by peer_reap for 195.92.130.40: 8294D648
*Jul 9 18:02:51.143: EZVPN(hw-client): Deleted PSK for address 195.92.130.40
*Jul 9 18:02:51.143: EzVPN(hw-client): rollback skipped!
*Jul 9 18:02:51.143: EZVPN(hw-client): No Connect ACL checking status change
*Jul 9 18:02:51.147: EZVPN(hw-client): New active peer is 195.92.130.40
*Jul 9 18:02:51.147: EZVPN(hw-client): Ready to connect to peer 195.92.130.40
*Jul 9 18:02:51.147: EZVPN(hw-client): ezvpn_reset
*Jul 9 18:02:51.147: EZVPN(hw-client): New State: CONNECT_REQUIRED
*Jul 9 18:02:51.147: EZVPN(hw-client): Current State: CONNECT_REQUIRED
*Jul 9 18:02:51.147: EZVPN(hw-client): Event: CONNECT
*Jul 9 18:02:51.147: EZVPN(hw-client): ezvpn_connect_request
*Jul 9 18:02:51.147: EZVPN(hw-client): Found valid peer 195.92.130.40
*Jul 9 18:02:51.147: EZVPN(hw-client): Added PSK for address 195.92.130.40
*Jul 9 18:02:51.147: ISAKMP: Created a peer struct for 195.92.130.40, peer port 500
*Jul 9 18:02:51.147: EzVPN(hw-client): sleep jitter delay 1599
*Jul 9 18:02:52.747: del_node src 10.250.24.1:500 dst 195.92.130.40:500 fvrf 0x0, ivrf 0x0
*Jul 9 18:02:52.747: ISAKMP:(0):peer does not do paranoid keepalives.
*Jul 9 18:02:52.747: del_node src 10.250.24.1:500 dst 195.92.130.40:500 fvrf 0x0, ivrf 0x0
*Jul 9 18:02:52.747: ISAKMP:(0):peer does not do paranoid keepalives.
*Jul 9 18:02:52.747: EZVPN(hw-client): New State: READY
*Jul 9 18:02:52.747: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 9 18:02:52.747: ISAKMP:(0): SA request profile is (NULL)
*Jul 9 18:02:52.747: ISAKMP: Found a peer struct for 195.92.130.40, peer port 500
*Jul 9 18:02:52.747: ISAKMP: Locking peer struct 0x82EA87C8, refcount 1 for isakmp_initiator
*Jul 9 18:02:52.747: ISAKMP:(0):Setting client config settings 8294D648
*Jul 9 18:02:52.747: ISAKMP: local port 500, remote port 500
*Jul 9 18:02:52.747: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82978DD8
*Jul 9 18:02:52.747: ISAKMP:(0): client mode configured.
*Jul 9 18:02:52.751: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 9 18:02:52.751: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 9 18:02:52.751: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 9 18:02:52.779: ISKAMP: growing send buffer from 1024 to 3072
*Jul 9 18:02:52.779: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Jul 9 18:02:52.783: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : hw-client-password
        protocol     : 17
        port         : 0
        length       : 26
*Jul 9 18:02:52.783: ISAKMP:(0):Total payload length: 26
*Jul 9 18:02:52.783: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Jul 9 18:02:52.783: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Jul 9 18:02:52.783: ISAKMP:(0): beginning Aggressive Mode exchange
*Jul 9 18:02:52.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:02:53.011: ISAKMP:(0):purging SA., sa=825B7894, delme=825B7894
*Jul 9 18:02:55.315: ISAKMP:(0):purging SA., sa=82FF35CC, delme=82FF35CC
*Jul 9 18:03:02.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 9 18:03:02.783: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 9 18:03:02.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 9 18:03:02.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
adsltest#
adsltest#
adsltest#
adsltest#
*Jul 9 18:03:12.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 9 18:03:12.783: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 9 18:03:12.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 9 18:03:12.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:03:22.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 9 18:03:22.783: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jul 9 18:03:22.783: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 9 18:03:22.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:05:34.783: EZVPN(hw-client): Event: CONN_DOWN
*Jul 9 18:05:34.783: EZVPN(hw-client): No state change
*Jul 9 18:05:34.783: EZVPN(hw-client): Current State: TUNNEL_INT_UP
*Jul 9 18:05:34.783: EZVPN(hw-client): Event: TUNNEL_HAS_PUBLIC_IP_ADD

Does anybody have any suggestions, because this is getting VERY stressful!

My config:

Current configuration : 2583 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname adsltest
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$SL5m$emaZnfH1Z4iRZ4yIwvu2Y1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.250.*.0 255.255.255.0
 default-router 10.250.*.*
!
!
no ip bootp server
no ip domain lookup
ip domain name adsltest.co.uk
!
!
!
username vpn024
!
!
!
!
crypto ipsec client ezvpn hw-client
 connect manual
 group hw-client-password key cisco
 local-address Vlan1
 mode network-extension
 peer 195.92.130.40
 acl 10
 username vpn024 password cisco
 xauth userid mode local
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.250.*.* 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn hw-client inside
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname **********
 ppp chap password 0 *********
 ppp pap sent-username ******* password 0 ********
 crypto ipsec client ezvpn hw-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map ezvpn interface Vlan1 overload
!
dialer-list 1 protocol ip permit
no cdp run
route-map ezvpn permit 10
 match ip address 10
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 password cisco
 login
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end

PLEASE HELP :-(

Reply to
Ry
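As an added example that is not part of the thread, here is a small Python triage script for the kind of debug output Ry posted: it runs over a constructed sample of those lines, counts the ISAKMP packets sent and received in phase 1, tracks the retransmit counter, and records the local address the ISAKMP packets were sourced from (the del_node line). The format of the 'received packet from' line is assumed to mirror the 'sending packet to' line.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample modelled on the debug lines posted above (same peer, timestamps
# and messages; only the lines this parser reads are kept).
SAMPLE_DEBUG = """\
*Jul 9 18:02:52.747: del_node src 10.250.24.1:500 dst 195.92.130.40:500 fvrf 0x0, ivrf 0x0
*Jul 9 18:02:52.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:03:02.783: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 9 18:03:02.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:03:12.783: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 9 18:03:12.783: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 9 18:03:22.783: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jul 9 18:05:34.783: EZVPN(hw-client): Event: CONN_DOWN
"""

SEND_RE = re.compile(r"ISAKMP:\(\d+\): sending packet to (\S+) .*\((I|R)\) (\w+)")
# Assumption: reply lines end in the same "(role) STATE" shape as the send lines.
RECV_RE = re.compile(r"received packet from (\S+) .*\((I|R)\) (\w+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
SRC_RE = re.compile(r"del_node src (\S+):\d+ dst (\S+):\d+")
EVENT_RE = re.compile(r"EZVPN\(\S+\): Event: (\w+)")

def triage_isakmp(debug_text):
    """Summarise a 'debug crypto isakmp' capture: sent/received exchanges, retransmits, source."""
    sent, received, events = Counter(), Counter(), []
    attempts, limit, src = 0, None, None
    for line in debug_text.splitlines():
        if m := SEND_RE.search(line):
            sent[m.group(3)] += 1
        elif m := RECV_RE.search(line):
            received[m.group(3)] += 1
        elif m := RETRANS_RE.search(line):
            attempts, limit = max(attempts, int(m.group(1))), int(m.group(2))
        elif m := SRC_RE.search(line):
            src = m.group(1)
        elif m := EVENT_RE.search(line):
            events.append(m.group(1))
    findings = []
    if sent["AG_INIT_EXCH"] and not received:
        findings.append(f"phase 1 never answered: {sent['AG_INIT_EXCH']} AG_INIT_EXCH sent, "
                        f"{attempts} of {limit} retransmits, nothing received from the peer")
    if src and ipaddress.ip_address(src).is_private:
        findings.append(f"ISAKMP sourced from private address {src}; check that 'local-address' "
                        "names the interface that actually reaches the peer")
    if "CONN_DOWN" in events:
        findings.append("EZVPN reported CONN_DOWN")
    return {"sent": dict(sent), "received": dict(received), "retransmits": attempts,
            "limit": limit, "source": src, "findings": findings}
```

With the sample above it reports three AG_INIT_EXCH sends, three of five retransmits and nothing received, which is the pattern of a phase 1 that the peer never answered.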

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.