
ASA 8.0 (EZVPN Server) router2821 (EZVPN remote), Not working

cpradoscarvajal
Level 1

I am configuring my ASA as an EZVPN server. This is the configuration:

tunnel-group Redes type remote-access

tunnel-group Redes general-attributes

address-pool RedesPool

default-group-policy Redes

tunnel-group Redes ipsec-attributes

pre-shared-key *

tunnel-group VPNROUTERS type remote-access

tunnel-group VPNROUTERS general-attributes

default-group-policy VPNROUTERS

tunnel-group VPNROUTERS ipsec-attributes

pre-shared-key *

isakmp ikev1-user-authentication none

group-policy VPNROUTERS internal

group-policy VPNROUTERS attributes

vpn-tunnel-protocol IPSec

secure-unit-authentication disable

nem enable

address-pools none

ipv6-address-pools none

group-policy Redes internal

group-policy Redes attributes

dns-server value 10.1.4.2 10.1.4.3

vpn-tunnel-protocol IPSec

password-storage disable

default-domain value mf.gov.ve

I am configuring a router as an EZVPN client. This is the configuration:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

!

!

!

!

crypto ipsec client ezvpn VPNROUTERS

connect manual

group VPNROUTERS key router1

mode network-extension

peer 200.11.187.58

acl 101

xauth userid mode interactive

!

The VPN negotiation gets stuck at this level:

*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Need config/address

*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Need config/address

*Sep 20 19:59:46.19: ISAKMP:(0:255:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_MODE_REQ_SENT

*Sep 20 19:59:46.123: ISAKMP (0:134217983): received packet from 200.11.187.58 dport 500 sport 500 Global (I) CONF_ADDR

*Sep 20 19:59:46.123: ISAKMP: set new node -1061602860 to CONF_ADDR

%SYS-3-CPUHOG: Task is running for (6004)msecs, more than (2000)msecs (0/0),process = Crypto IKMP.

-Traceback= 0x40275E38 0x41245068 0x4124876C 0x41248884 0x427BAA00 0x427BD900 0x427BB2C4 0x427BBC48 0x427BC5F0 0x427B5354 0x427D5A84 0x42C9EDD0 0x427D801C 0x427A9244 0x427AAC2C 1

*Sep 20 19:59:46.119: ISAKMP:(0:255:SW:1):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE

Since I am configuring network extension, I am not supposed to get the conf_addr state.

I do not know why I am getting this state.


didyap
Level 6

Add the following lines to your group-policy VPNROUTERS attributes

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy tunnelall

split-tunnel-network-list none

default-domain none

The following link may help you:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

andrew-usankin
Level 1

Try this:

tunnel-group VPNROUTERS general-attributes

address-pool RedesPool

!

Just beat my head on this one last night and finally this morning I found out that since it's a client (even though a hardware client) you need to give it an IP address.
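The condition the last reply points at, a remote-access tunnel group with no address-pool, can be checked mechanically across an ASA configuration. This is an added example, not part of the thread or any Cisco tool; the function names are hypothetical and the sample input is the question's ASA configuration, condensed.

```python
# Added example. Sample input: the ASA excerpt from the question, condensed.
SAMPLE_ASA_CONFIG = """\
tunnel-group Redes type remote-access
tunnel-group Redes general-attributes
 address-pool RedesPool
 default-group-policy Redes
tunnel-group VPNROUTERS type remote-access
tunnel-group VPNROUTERS general-attributes
 default-group-policy VPNROUTERS
group-policy VPNROUTERS attributes
 nem enable
 address-pools none
"""

def parse_sections(config):
    """Map (kind, name, mode) -> sub-commands; works even if indentation was lost."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if words[0] in ("tunnel-group", "group-policy") and len(words) >= 3:
            current = sections.setdefault((words[0], words[1], words[2]), [])
            if len(words) > 3:  # one-line form, e.g. "type remote-access"
                current.append(" ".join(words[3:]))
        elif current is not None:
            current.append(line)
    return sections

def groups_without_pool(config):
    """Return (tunnel_group, policy, policy_has_address_pools_none) for each
    remote-access tunnel group whose general-attributes lack an address-pool."""
    sections = parse_sections(config)
    findings = []
    for (kind, name, mode), cmds in sections.items():
        if kind != "tunnel-group" or mode != "type" or "remote-access" not in cmds:
            continue
        general = sections.get(("tunnel-group", name, "general-attributes"), [])
        if any(c.startswith("address-pool ") for c in general):
            continue
        policy = next((c.split()[1] for c in general
                       if c.startswith("default-group-policy ")), None)
        attrs = sections.get(("group-policy", policy, "attributes"), [])
        findings.append((name, policy, "address-pools none" in attrs))
    return findings

if __name__ == "__main__":
    for name, policy, pools_none in groups_without_pool(SAMPLE_ASA_CONFIG):
        print(f"{name}: no address-pool (policy {policy}, address-pools none={pools_none})")
```

On the question's configuration this reports only VPNROUTERS; adding the `address-pool RedesPool` line from the reply clears the finding.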
