Easy VPN between 2 directly connected 2611 XM routers.

I am unable to bring up a tunnel using EZVPN with the below setup.

I am running IOS flash:c2600-ik8o3s-mz.123-22.bin on two CISCO 2611 XM routers.

The 2611XM routers are directly connected using ethernet ports.

2611XM:EZVPN_SERVER( Loopback 0: 1.1.1.1/24 , Fa 0/0 : 10.0.0.1/30 ) <-------> 2611XM:EZVPN_CLIENT( Fa 0/0 : 10.0.0.2/30 , Loopback 0: 2.2.2.2/24 )

I have attached the router configurations along with the crypto debugs to the e-mail. Phase I is coming up but IPSEC is not becoming active.

EZVPN_CLIENT#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : ez
Inside interface list: Loopback0
Outside interface: FastEthernet0/0
Current State: SS_OPEN
Last Event: SOCKET_READY
Address: 172.16.1.30
Mask: 255.255.255.255
DNS Primary: 172.16.1.1
NBMS/WINS Primary: 172.16.1.1

Also, I don't see the encryption settings when I issue SH CRYPTO IPSEC TRANSFORM-SET on the Easy VPN Remote/Client, as shown below. Is this normal?

Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }
   will negotiate = { Tunnel, },

I can't understand what's wrong with the configs.

I have attached the router configs and the debug to the conversation.

4 Replies

Router configs and the debug are attached.

Hi,

Configure a route on the EZVPN_SERVER, and if you are good at routing give a specific route (static route), or give a default route, and try access.

Hi, I have reachability between the EZVPN Server and Remote. The problem is that Phase I is coming up; it's Phase II that's not coming up. If you look at the attached "EAZY_VPN_DEBUGS" file, it clearly indicates "IPSEC: unable to initialize ............". I have copied the debug messages below so that it would be easy for you:

*Mar 1 00:13:57.893: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.893: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.893: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
    local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 2147483s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:13:57.897: IPSEC(sa_find_prot): invalid protocol on SADB lookup -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.897: IPSEC(get_next_avail_spi): invalid protocol -- addr: 10.0.0.2, prot 0
*Mar 1 00:13:57.897: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
    local_proxy= 172.16.1.10/255.255.255.255/0/0 (type=1),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= PCP, transform= NONE (Tunnel),
    lifedur= 2147483s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:13:57.901: ISAKMP: received ke message (1/2)
*Mar 1 00:13:57.901: ISAKMP: isadb_find_my_outstanding_by_cookies: Unable to initialize ipsec_sa_list

Hi,

I had to add the encryption to the transform-sets on the EZVPN Remote/Client with the below statements and the ezvpn tunnel has come up.

crypto ipsec transform-set ezvpn-profile-autoconfig-transform-0 esp-des esp-sha-hmac

crypto ipsec transform-set ezvpn-profile-autoconfig-transform-1 esp-des esp-md5-hmac
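
The two symptoms in this thread (client transform sets that list only an HMAC, and `transform= NONE` in the `sa_request` debug) can be checked mechanically. The following Python is an added example, not part of the original posts or of any Cisco tooling; its inputs are constructed from the output quoted above, and the set name `after-fix` and the function names are assumptions.

```python
import re

# Constructed input: the two transform sets shown in the thread, plus a third
# (hypothetical name "after-fix") shaped like the fix in the last reply.
SHOW_OUTPUT = """\
Transform set ezvpn-profile-autoconfig-transform-0: { esp-sha-hmac }
   will negotiate = { Tunnel, },
Transform set ezvpn-profile-autoconfig-transform-1: { esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set after-fix: { esp-des esp-sha-hmac }
   will negotiate = { Tunnel, },
"""
# Constructed input: one sa_request block from the debug quoted in the thread.
DEBUG_OUTPUT = """\
*Mar 1 00:13:57.893: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.2, remote= 10.0.0.1,
    protocol= PCP, transform= NONE (Tunnel),
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400A
"""

SET_RE = re.compile(r"^Transform set (\S+):\s*\{([^}]*)\}", re.MULTILINE)
REQ_RE = re.compile(r"local= (\S+), remote= (\S+),.*?transform= (.+?) \(", re.DOTALL)

def audit_transform_sets(show_output):
    """Map each transform-set name to a list of findings (empty list = none)."""
    report = {}
    for name, body in SET_RE.findall(show_output):
        transforms = re.findall(r"[\w-]+", body)
        # ESP keywords ending in -hmac are integrity-only; the rest are ciphers.
        ciphers = [t for t in transforms
                   if t.startswith("esp-") and not t.endswith("-hmac")]
        findings = []
        if not ciphers:
            findings.append("no ESP encryption transform")
        if "esp-des" in ciphers:
            findings.append("esp-des (single DES) is a weak cipher")
        report[name] = findings
    return report

def empty_proposals(debug_output):
    """Return (local, remote) pairs whose sa_request carried transform= NONE."""
    return [(loc, rem) for loc, rem, t in REQ_RE.findall(debug_output)
            if t.strip() == "NONE"]

if __name__ == "__main__":
    for name, findings in audit_transform_sets(SHOW_OUTPUT).items():
        print(name, "->", findings or "ok")
    print("empty proposals:", empty_proposals(DEBUG_OUTPUT))
```
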
