09-22-2007 06:21 PM
I am configuring my ASA as an EZVPN server. This is the configuration:
tunnel-group Redes type remote-access
tunnel-group Redes general-attributes
address-pool RedesPool
default-group-policy Redes
tunnel-group Redes ipsec-attributes
pre-shared-key *
tunnel-group VPNROUTERS type remote-access
tunnel-group VPNROUTERS general-attributes
default-group-policy VPNROUTERS
tunnel-group VPNROUTERS ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
group-policy VPNROUTERS internal
group-policy VPNROUTERS attributes
vpn-tunnel-protocol IPSec
secure-unit-authentication disable
nem enable
address-pools none
ipv6-address-pools none
group-policy Redes internal
group-policy Redes attributes
dns-server value 10.1.4.2 10.1.4.3
vpn-tunnel-protocol IPSec
password-storage disable
default-domain value mf.gov.ve
I am configuring a router as an EZVPN client. This is the configuration:
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
!
!
!
!
crypto ipsec client ezvpn VPNROUTERS
connect manual
group VPNROUTERS key router1
mode network-extension
peer 200.11.187.58
acl 101
xauth userid mode interactive
!
The VPN negotiation gets stuck at this level:
*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Need config/address
*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Need config/address
*Sep 20 19:59:46.19: ISAKMP:(0:255:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_REQ_SENT
*Sep 20 19:59:46.123: ISAKMP (0:134217983): received packet from 200.11.187.58 dport 500 sport 500 Global (I) CONF_ADDR
*Sep 20 19:59:46.123: ISAKMP: set new node -1061602860 to CONF_ADDR
%SYS-3-CPUHOG: Task is running for (6004)msecs, more than (2000)msecs (0/0),process = Crypto IKMP.
-Traceback= 0x40275E38 0x41245068 0x4124876C 0x41248884 0x427BAA00 0x427BD900 0x427BB2C4 0x427BBC48 0x427BC5F0 0x427B5354 0x427D5A84 0x42C9EDD0 0x427D801C 0x427A9244 0x427AAC2C 1
*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
Since I am configuring network extension, I am not supposed to get the conf_addr state.
I do not know why I am getting this state.
09-27-2007 02:46 PM
Add the following lines to your group-policy VPNROUTERS attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
The following link may help you:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
07-31-2009 12:57 PM
Try this:
tunnel-group VPNROUTERS general-attributes
address-pool RedesPool
!
Just beat my head on this one last night and finally this morning I found out that since it's a client (even though it's a hardware client) you need to give it an IP address.
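
The point of the last reply (the tunnel-group serving the hardware client has no address pool, even though the policy has nem enable) can be checked mechanically. The Python lint below is an added example, not part of the original thread or any Cisco tooling; the function names are hypothetical, the sample config is constructed from lines in the first post, and it assumes addresses come only from local pools (address-pool on the tunnel-group or address-pools value on the group-policy).

```python
import re

# Constructed sample: ASA lines taken from the first post, flattened as on the page.
ASA_CONFIG = """\
tunnel-group Redes type remote-access
tunnel-group Redes general-attributes
address-pool RedesPool
default-group-policy Redes
tunnel-group VPNROUTERS type remote-access
tunnel-group VPNROUTERS general-attributes
default-group-policy VPNROUTERS
group-policy VPNROUTERS internal
group-policy VPNROUTERS attributes
nem enable
address-pools none
"""

HEADER = re.compile(r"^(tunnel-group|group-policy)\s+(\S+)\s+(.+)$")

def parse_sections(config):
    """Collect sub-commands per (kind, name); a section runs until the next header."""
    sections, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {"mode": [], "cmds": []})
            current["mode"].append(m.group(3))
        elif current is not None:
            current["cmds"].append(line)
    return sections

def poolless_remote_access(config):
    """List (tunnel_group, policy, nem_enabled) for remote-access groups with no local pool."""
    sections = parse_sections(config)
    findings = []
    for (kind, name), sec in sections.items():
        if kind != "tunnel-group" or "type remote-access" not in sec["mode"]:
            continue
        policy = next((c.split()[1] for c in sec["cmds"]
                       if c.startswith("default-group-policy ")), None)
        pol_cmds = sections.get(("group-policy", policy), {"cmds": []})["cmds"]
        # Assumption: only local pools are considered, not DHCP or AAA assignment.
        has_pool = (any(c.startswith("address-pool ") for c in sec["cmds"])
                    or any(c.startswith("address-pools value ") for c in pol_cmds))
        if not has_pool:
            findings.append((name, policy, "nem enable" in pol_cmds))
    return findings

if __name__ == "__main__":
    print(poolless_remote_access(ASA_CONFIG))
```

Appending the two lines from the last reply to the sample config clears the finding for VPNROUTERS.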