07-30-2007 07:46 AM
I am unable to bring up a tunnel using EZVPN with the below setup.
I am running IOS flash:c2600-ik8o3s-mz.123-22.bin on two CISCO 2611 XM routers.
The 2611XM routers are directly connected using ethernet ports.
2611XM:EZVPN_SERVER( Loopback 0: 1.1.1.1/24 , Fa 0/0 : 10.0.0.1/30 ) <-------> 2611XM:EZVPN_CLIENT( Fa 0/0 : 10.0.0.2/30 , Loopback 0: 2.2.2.2/24 )
I have attached the router configurations along with the crypto debugs to the e-mail. Phase I is coming up, but IPSEC is not becoming active.
EZVPN_CLIENT#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : ez
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: SS_OPEN
Last Event: SOCKET_READY
Address: 172.16.1.30
Mask: 255.255.255.255
DNS Primary: 172.16.1.1
NBMS/WINS Primary: 172.16.1.1
Also, I don't see the encryption settings when I issue SH CRYPTO IPSEC TRANSFORM-SET on the Easy VPN Remote/Client, as shown below. Is this normal?
Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }
will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }
will negotiate = { Tunnel, },
I can't understand what's wrong with the configs.
I have attached the router configs and the debug to the conversation.
07-30-2007 07:49 AM
07-31-2007 02:13 AM
Hi,
Configure a route on the EZVPN_SERVER and, if you are good at routing, give a specific route (static route) or give a default route and try to access.
07-31-2007 02:56 AM
Hi, I have reachability between the EZVPN Server & Remote. The problem is that Phase I is coming up; it's Phase II that's not coming up. If you look at the "EAZY_VPN_DEBUGS" file that is attached, it clearly indicates that "IPSEC: unable to initialize ............". I have copied the debug messages below so that it would be easy for you:
*Mar 1 00:13:57.893: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.893: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.893: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= PCP, transform= NONE (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:13:57.897: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.897: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.897: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= PCP, transform= NONE (Tunnel),
lifedur= 2147483s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:13:57.901: ISAKMP: received ke message (1/2)
*Mar 1 00:13:57.901: ISAKMP: isadb_find_my_outstanding_by_cookies: Unable to initialize ipsec_sa_list
07-31-2007 07:50 PM
Hi,
I had to add the encryption to the transform-sets on the EZVPN Remote/Client with the below statements, and the ezvpn tunnel has come up.
crypto ipsec transform-set ezvpn-profile-autoconfig-transform-0 esp-des esp-sha-hmac
crypto ipsec transform-set ezvpn-profile-autoconfig-transform-1 esp-des esp-md5-hmac
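
A check for the condition resolved in this thread, as an added example that is not part of the original posts: it parses `show crypto ipsec transform-set` output and flags transform sets that carry no ESP encryption transform. It goes beyond the thread by also flagging `esp-des` (56-bit key) and `esp-null` (no encryption). The sample output is constructed from the format quoted above; the set name `fixed-example` and the function names are hypothetical.

```python
import re

# Constructed sample in the format quoted in the thread: the two auto-generated
# sets as first reported, plus one hypothetical set shaped like the posted fix.
SAMPLE = """\
Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set fixed-example: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
"""

# One header line per set: "Transform set <name>: { <transform> ... }"
SET_RE = re.compile(r"^\s*Transform set (\S+):\s*\{([^}]*)\}", re.M)

# ESP transforms that give little or no confidentiality.
WEAK = {"esp-des", "esp-null"}


def parse_transform_sets(text):
    """Return {set_name: [transform tokens]} from the show output."""
    return {m.group(1): m.group(2).split() for m in SET_RE.finditer(text)}


def audit(text):
    """Return {set_name: [issues]}; an empty list means nothing was flagged."""
    findings = {}
    for name, tokens in parse_transform_sets(text).items():
        # ESP cipher tokens start with "esp-" and are not HMAC integrity
        # transforms (esp-sha-hmac, esp-md5-hmac).
        ciphers = [t for t in tokens
                   if t.startswith("esp-") and not t.endswith("-hmac")]
        issues = []
        if not ciphers:
            issues.append("no-esp-cipher")  # the state shown in the thread
        issues += ["weak-cipher:" + c for c in ciphers if c in WEAK]
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for set_name, issues in audit(SAMPLE).items():
        print(set_name, "->", ", ".join(issues) or "ok")
```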