EZVPN Router to PIX - vpn tunnel fails after xauth

Unanswered Question
Aug 7th, 2008

I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment if this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.

Ken

Marwan ALshawi Thu, 08/07/2008 - 22:57

Under crypto ipsec client ezvpn OfficeVPN

put password-save

or save-password

(I don't remember which offhand, but it saves the username and password you entered).

Also make sure you use the right username and password.

Make your tunnel connect auto instead of manual.

And I think you need NAT exemption.

Let's say your remote site behind the PIX is 10.1.1.0/24.

Do

ip nat inside source list 100 interface Ethernet0 overload
!
!
!
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

good luck

kenragan1 Fri, 08/08/2008 - 05:28

Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. I was hoping the PIX config wouldn't need any changes since it's working for the software VPN clients. I tried your NAT suggestion:

ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
!
!
!
ip access-list standard Lan_Addresses
 permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any

This didn't change things. Also, things behave differently when I use a bad username/password, for example:

AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 500 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason "Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport 500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the following command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth

Thanks again,

Ken

Marwan ALshawi Fri, 08/08/2008 - 06:20

You should use the NAT I sent you instead of yours,

so delete your old standard ACL and the NAT line associated with it.

kenragan1 Fri, 08/08/2008 - 07:26

Thanks, I misunderstood. I've changed NAT to the following and am receiving the same failure trying to bring up the tunnel. The router does have a VPN module in it; I may try removing the module soon to see if it's a hardware issue.

ip nat inside source list 100 interface Ethernet0 overload
!
!
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
no cdp run
!
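The NAT exemption ACL suggested earlier in the thread and Ken's final version both rely on first-match IOS ACL semantics with wildcard (inverse) masks. This added Python model, which is not part of the thread, evaluates both ACLs against constructed sample flows to show which traffic the overload NAT statement would translate and which is left alone for the tunnel (the host and destination addresses are constructed examples).

```python
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match exactly
    return (a & care) == (b & care)

# Constructed model of the two ACL 100 variants from the thread.
# Each entry: (action, src, src_wildcard, dst, dst_wildcard); 'any' is 0.0.0.0 255.255.255.255
ACL_100_SUGGESTED = [
    ("deny",   "192.168.5.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("permit", "192.168.5.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]
ACL_100_KEN = [
    ("deny",   "192.168.5.0", "0.0.0.255", "10.0.0.0", "0.0.15.255"),  # 10.0.0.0 - 10.0.15.255
    ("permit", "192.168.5.0", "0.0.0.255", "0.0.0.0",  "255.255.255.255"),
]

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def will_be_natted(acl, src: str, dst: str) -> bool:
    """'ip nat inside source list 100 ... overload' translates only flows the ACL permits.
    A flow the ACL denies is exempt from NAT and can be carried by the EZVPN tunnel."""
    return acl_action(acl, src, dst) == "permit"

if __name__ == "__main__":
    flows = [("192.168.5.10", "10.1.1.5"),      # LAN host to office subnet
             ("192.168.5.10", "198.51.100.7"),  # LAN host to the Internet
             ("172.16.0.9",   "10.1.1.5")]      # host outside the LAN range
    for src, dst in flows:
        print(src, "->", dst,
              "suggested:", "NAT" if will_be_natted(ACL_100_SUGGESTED, src, dst) else "exempt",
              "ken:", "NAT" if will_be_natted(ACL_100_KEN, src, dst) else "exempt")
```

Note that Ken's 0.0.15.255 wildcard exempts 10.0.0.0 through 10.0.15.255 but would not exempt 10.1.1.0/24, which is the example office subnet used in the suggestion.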
