EZVPN Problem on 877 to Cisco 300 Concentrator

Hi Everybody,

I'm trying to run EZVPN over to a 3000 VPN Concentrator, however I'm having a total "nightmare".

Here is my config and problems!

PROBLEMS:

adsltest#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : hw-client
Inside interface list: Vlan1
Outside interface: Dialer0
Current State: CONNECT_REQUIRED
Last Event: TUNNEL_HAS_PUBLIC_IP_ADD
Save Password: Allowed
Current EzVPN Peer: 195.92.130.40

adsltest#crypto ipsec client ezvpn conne
adsltest#crypto ipsec client ezvpn connect
adsltest#

*Jul 10 15:30:08.255: ISAKMP:isadb_key_addr_delete: no key for address 195.92.130.40 (NULL root)
*Jul 10 15:30:08.255: EZVPN(hw-client): Deleted PSK for address 195.92.130.40
*Jul 10 15:30:08.255: EzVPN(hw-client): rollback skipped!
*Jul 10 15:30:08.255: EZVPN(hw-client): No Connect ACL checking status change
*Jul 10 15:30:08.259: EZVPN(hw-client): Current State: CONNECT_REQUIRED
*Jul 10 15:30:08.259: EZVPN(hw-client): Event: CONNECT
*Jul 10 15:30:08.259: EZVPN(hw-client): ezvpn_connect_request
*Jul 10 15:30:08.259: EZVPN(hw-client): Found valid peer 195.92.130.40
*Jul 10 15:30:08.259: EZVPN(hw-client): Added PSK for address 195.92.130.40
*Jul 10 15:30:08.259: ISAKMP: Created a peer struct for 195.92.130.40, peer port 500
*Jul 10 15:30:08.259: EzVPN(hw-client): sleep jitter delay 1322
*Jul 10 15:30:09.583: EZVPN(hw-client): New State: READY
*Jul 10 15:30:09.583: ISAKMP:(0): SA request profile is (NULL)
*Jul 10 15:30:09.583: ISAKMP: Found a peer struct for 195.92.130.40, peer port 500
*Jul 10 15:30:09.583: ISAKMP: Locking peer struct 0x828F3360, refcount 1 for isakmp_initiator
*Jul 10 15:30:09.583: ISAKMP:(0):Setting client config settings 82D0040C
*Jul 10 15:30:09.583: ISAKMP: local port 500, remote port 500
*Jul 10 15:30:09.583: insert sa successfully sa = 828F35BC
*Jul 10 15:30:09.583: ISAKMP:(0): client mode configured.
*Jul 10 15:30:09.583: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Jul 10 15:30:09.583: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Jul 10 15:30:09.583: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Jul 10 15:30:09.587: crypto_engine: Create DH
*Jul 10 15:30:09.587: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)
*Jul 10 15:30:09.619: ISKAMP: growing send buffer from 1024 to 3072
*Jul 10 15:30:09.619: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Jul 10 15:30:09.619: ISAKMP (0:0): ID payload
        next-payload : 13
        type : 11
        group id : hw-client-password
        protocol : 17
        port : 0
        length : 26
*Jul 10 15:30:09.619: ISAKMP:(0):Total payload length: 26
*Jul 10 15:30:09.619: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Jul 10 15:30:09.619: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_AM1
*Jul 10 15:30:09.619: ISAKMP:(0): beginning Aggressive Mode exchange
*Jul 10 15:30:09.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 10 15:30:19.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:30:19.619: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jul 10 15:30:19.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 10 15:30:19.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 10 15:30:29.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:30:29.619: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jul 10 15:30:29.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 10 15:30:29.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 10 15:30:39.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:30:39.619: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jul 10 15:30:39.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 10 15:30:39.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 10 15:30:49.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:30:49.619: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Jul 10 15:30:49.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 10 15:30:49.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Jul 10 15:30:59.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:30:59.619: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Jul 10 15:30:59.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jul 10 15:30:59.619: ISAKMP:(0): sending packet to 195.92.130.40 my_port 500 peer_port 500 (I) AG_INIT_EXCH
EZVPN(hw-client): IPSec connection terminated
*Jul 10 15:31:09.619: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jul 10 15:31:09.619: ISAKMP:(0):peer does not do paranoid keepalives.
*Jul 10 15:31:09.619: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 195.92.130.40)
*Jul 10 15:31:09.619: EZVPN(hw-client): Current State: READY
*Jul 10 15:31:09.619: EZVPN(hw-client): Event: CONNECT_NEXT_PEER
*Jul 10 15:31:09.619: EZVPN(hw-client): ezvpn_close
*Jul 10 15:31:09.619: EZVPN(hw-client): Deleted PSK for address 195.92.130.40
*Jul 10 15:31:09.619: EzVPN(hw-client): rollback skipped!
*Jul 10 15:31:09.619: EZVPN(hw-client): No Connect ACL checking status change
*Jul 10 15:31:09.619: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=hw-client-password Client_public_addr=81.129.236.202 Server_public_addr=195.92.130.40
*Jul 10 15:31:09.619: EZVPN(hw-client): New active peer is 195.92.130.40
*Jul 10 15:31:09.619: EZVPN(hw-client): Ready to connect to peer 195.92.130.40
*Jul 10 15:31:09.619: EZVPN(hw-client): New State: CONNECT_REQUIRED
*Jul 10 15:31:09.623: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 195.92.130.40)
*Jul 10 15:31:09.623: ISAKMP: Unlocking peer struct 0x828F3360 for isadb_mark_sa_deleted(), count 0
*Jul 10 15:31:09.623: ISAKMP: Deleting peer node by peer_reap for 195.92.130.40: 828F3360
*Jul 10 15:31:09.623: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 10 15:31:09.623: ISAKMP:(0):Old State = IKE_I_AM1 New State = IKE_DEST_SA
*Jul 10 15:31:09.623: EZVPN(hw-client): Current State: CONNECT_REQUIRED
*Jul 10 15:31:09.623: EZVPN(hw-client): Event: CONN_DOWN
*Jul 10 15:31:09.623: EZVPN(hw-client): No state change
*Jul 10 15:31:09.623: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 10 15:32:09.623: ISAKMP:(0):purging SA., sa=828F35BC, delme=828F35BC
*Jul 10 15:32:09.623: crypto engine: deleting DH C87X_MBRD:1
*Jul 10 15:32:09.623: crypto_engine: Delete DH
*Jul 10 15:32:09.623: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)

--------------------------------------------------------------------------------------------------------------------------------------------------------------------

CONFIG:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname adsltest
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$SL5m$emaZnfH1Z4iRZ4yIwvu2Y1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.250.24.0 255.255.255.0
 default-router 10.250.24.1
!
!
no ip bootp server
no ip domain lookup
ip domain name *******co.uk
!
!
!
username vpn024
!
!
!
!
crypto ipsec client ezvpn hw-client
 connect manual
 group hw-client-password key s3cur1ty
 local-address Vlan1
 mode network-extension
 peer 195.92.130.40
 acl 100
 username vpn024 password 53cur1ty
 xauth userid mode local
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.250.24.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn hw-client inside
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ********.btclick.com
 ppp chap password 0 syssup0rt
 ppp pap sent-username *******@btclick.com password 0 ********
 crypto ipsec client ezvpn hw-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat Stateful id 1
 primary 10.250.24.1
  peer 195.92.130.40
  mapping-id 1
  mapping-id 10
ip nat service fullrange udp port 500
!
access-list 10 permit 0.0.0.0 255.255.255.0
access-list 100 permit udp any any
dialer-list 1 protocol ip permit
no cdp run
route-map ezvpn permit 10
 match ip address 10
!
!
control-plane
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 password cisco
 login
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end

PLEASE HELP!

Ta,

RY.
