Easy VPN between 2 directly connected 2611 XM routers.

Jul 30th, 2007

I am unable to bring up a tunnel using EZVPN with the below setup.

I am running IOS flash:c2600-ik8o3s-mz.123-22.bin on two CISCO 2611 XM routers.

The 2611XM routers are directly connected using ethernet ports.

2611XM:EZVPN_SERVER( Loopback 0: 1.1.1.1/24 , Fa 0/0 : 10.0.0.1/30 ) <-------> 2611XM:EZVPN_CLIENT( Fa 0/0 : 10.0.0.2/30 , Loopback 0: 2.2.2.2/24 )

I have attached the router configurations along with the crypto debugs to the e-mail. Phase I is coming up but IPSEC is not becoming active.

EZVPN_CLIENT#sh crypto ipsec client ezvpn

Easy VPN Remote Phase: 2

Tunnel name : ez

Inside interface list: Loopback0

Outside interface: FastEthernet0/0

Current State: SS_OPEN

Last Event: SOCKET_READY

Address: 172.16.1.30

Mask: 255.255.255.255

DNS Primary: 172.16.1.1

NBMS/WINS Primary: 172.16.1.1

Also, I don't see the encryption settings when I issue SH CRYPTO IPSEC TRANSFORM-SET on the Easy VPN Remote/Client, as shown below. Is this normal?

Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }

will negotiate = { Tunnel, },

Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }

will negotiate = { Tunnel, },

I can't understand what's wrong with the configs.

I have attached the router configs and the debug to the conversation.

krishnakomiti Tue, 07/31/2007 - 02:13

Hi,

Configure a route on the EZVPN_SERVER, and if you are good at routing, give a specific route (static route), or give a default route and try access.

vikram_anumukonda Tue, 07/31/2007 - 02:56

Hi, I have reachability between the EZVPN Server & Remote. The problem is that Phase I is coming up; it's Phase II that's not coming up. If you look at the "EAZY_VPN_DEBUGS" file that is attached, it clearly indicates "IPSEC: unable to initialize ............". I have copied the debug messages below so that it would be easy for you:

*Mar 1 00:13:57.893: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0

*Mar 1 00:13:57.893: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0

*Mar 1 00:13:57.893: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,

local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= PCP, transform= NONE (Tunnel),

lifedur= 2147483s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A

*Mar 1 00:13:57.897: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0

*Mar 1 00:13:57.897: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0

*Mar 1 00:13:57.897: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,

local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),

remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

protocol= PCP, transform= NONE (Tunnel),

lifedur= 2147483s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A

*Mar 1 00:13:57.901: ISAKMP: received ke message (1/2)

*Mar 1 00:13:57.901: ISAKMP: isadb_find_my_outstanding_by_cookies: Unable to initialize ipsec_sa_list

vikram_anumukonda Tue, 07/31/2007 - 19:50

Hi,

I had to add the encryption to the transform-sets on the EZVPN Remote/Client with the below statements and the ezvpn tunnel has come up.

crypto ipsec transform-set ezvpn-profile-autoconfig-transform-0 esp-des esp-sha-hmac

crypto ipsec transform-set ezvpn-profile-autoconfig-transform-1 esp-des esp-md5-hmac
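
Added example (not part of the original thread and not Cisco code): a small Python check that reads `show crypto ipsec transform-set` output and flags sets with no ESP encryption transform, the condition that matched the `transform= NONE` debug lines above. The sample input is constructed from the output quoted in the thread; the set name `with-cipher-example`, the function names, and the token heuristic are assumptions.

```python
import re

# Constructed sample: the two transform sets quoted in the thread, a third set
# with a cipher added (hypothetical name), and one debug line from the thread.
SHOW_OUTPUT = """\
Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set with-cipher-example: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
"""
DEBUG_OUTPUT = "protocol= PCP, transform= NONE (Tunnel),\n"

SET_RE = re.compile(r"^\s*Transform set\s+(\S+):\s*\{([^}]*)\}", re.MULTILINE)
WEAK_CIPHERS = {"esp-des", "esp-null"}  # DES is 56-bit; esp-null does not encrypt


def audit_transform_sets(show_output):
    """Map each transform-set name to a list of findings (empty list = clean)."""
    report = {}
    for name, body in SET_RE.findall(show_output):
        tokens = body.split()
        # Heuristic (assumption): esp-* tokens that are not *-hmac are ciphers.
        ciphers = [t for t in tokens
                   if t.startswith("esp-") and not t.endswith("-hmac")]
        integrity = [t for t in tokens if t.endswith("-hmac")]
        findings = []
        if not ciphers:
            findings.append("no ESP encryption transform")
        findings += [f"weak cipher {c}" for c in ciphers if c in WEAK_CIPHERS]
        if not integrity:
            findings.append("no integrity transform")
        report[name] = findings
    return report


def count_empty_sa_requests(debug_output):
    """Count IPSEC(sa_request) bodies that carry no transform at all."""
    return len(re.findall(r"transform=\s*NONE\b", debug_output))


if __name__ == "__main__":
    for name, findings in audit_transform_sets(SHOW_OUTPUT).items():
        print(name, "->", findings or ["ok"])
    print("sa_requests with transform=NONE:", count_empty_sa_requests(DEBUG_OUTPUT))
```

The `esp-des` finding is included because the fix in the thread uses single DES, which is worth flagging whenever the image and the peer allow a stronger cipher.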
