crypto ipsec client ezvpn - connect auto command Question

Unanswered Question
Aug 28th, 2007
User Badges:

here are my configs

crypto ipsec client ezvpn ezvpn

connect auto

group ezvpn key xxxxxxxx

mode network-extension

peer xxxxxxxxxxxx

acl 101

username xxxxxxxxx password xxxxxxxxxxxxxx

xauth userid mode local

Now, I am a little confused about the "connect auto" command. We have a server built behind this router SiteA that our middleware server at Site B communicates with at night over the VPN tunnel. We have been having problems where at night when the Middleware server tries to communicate with the server it is unable too intiate the ezvpn tunnel on the router and build the vpn tunnel. What we find is in the morning we have to logon to the server and ping out from Site A to intiate the VPN tunnel. Does this seem right? My thought was the connect auto command specifies the VPN tunnel to automatically connect?

As a test we build a ping request on the Server at Site A towards Site B to create interesting traffic and let it run. We did not experience the VPN tunnel drops as before.

So my question is, isn't "connect auto" supposed to prevent this from happening by always keeping the VPN tunnel up?

Second queston is, "crypto isakmp keepalive 30 20 periodic" required to prevent this instead vs the connect auto?

I read the cisco documenation and it makes sense to me, but I wanted someone else's viewpoint or explanation to this.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
glenthms Wed, 09/05/2007 - 06:13
User Badges:

Thank you for your response, however it already is under the crypto ipsec client ezvpn. Thanks for you reply.

hacronin Thu, 09/13/2007 - 17:53
User Badges:

I believe with connect auto and the username/password specified you should not be specifying "xauth userid mode..." at all. Do a no on that command and try it again.

glenthms Thu, 09/13/2007 - 17:57
User Badges:

Thank you for responding but from reading cisco's documentation, if I remove this then I have to manually enter in a username password which I don't want. It should use the stored username password in the crypto ezvpn client configs

interactive <---this is the default

To authenticate, the user must use the command-line interface (CLI) prompts on the console. Interactive is the default behavior

a.alekseev Thu, 09/13/2007 - 20:25
User Badges:
  • Gold, 750 points or more

I think you should look at your ezvpn server.

Do you have on ezvpn server an option that permits users in group "ezvpn" to store their passwords?


This Discussion