08-07-2008 10:34 PM - edited 02-21-2020 03:52 PM
I'm trying to configure a 1721 router to connect to a PIX at the office, essentially putting the router in place of a software VPN client. I can connect to the PIX with both a software VPN client and a hardware VPN 3002, but whenever I try to configure the router with EZVPN, the tunnel fails to come up after the XAUTH negotiation. I've tried a few variations on configurations with no luck. Can anyone comment on whether this is possible? I've attached a config and debug info. Thanks in advance for any help and comments.
Ken
08-07-2008 10:57 PM
Under crypto ipsec client ezvpn OfficeVPN
put password -save
or save-password
I don't remember exactly which, but it saves the username and password you have entered.
Also make sure you use the right username and password.
Make your tunnel connect auto instead of manual.
And I think you need NAT exemption.
Let's say your remote site behind the PIX is 10.1.1.0/24.
Do:
ip nat inside source list 100 interface Ethernet0 overload
!
!
!
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
good luck
08-08-2008 05:28 AM
Thank you for the suggestions. Currently, the PIX is configured to not allow the save password option on the remote end. I was hoping the PIX config wouldn't need any changes since it's working for the software VPN clients. I tried your NAT suggestion:
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source list Lan_Addresses interface Ethernet0 overload
!
!
!
ip access-list standard Lan_Addresses
permit 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
This didn't change things. Also, things behave differently when I use a bad username/password, for example:
AADDAA#crypto ipsec client ezvpn xauth OfficeVPN
Username: baduser
Password:
AADDAA#
*Mar 14 06:27:07.891: xauth-type: 0
*Mar 14 06:27:07.895: username: baduser
*Mar 14 06:27:07.895: password:
*Mar 14 06:27:07.899: ISAKMP:(1032): responding to peer config from 2XX.XXX.XXX.XX. ID = -475558296
*Mar 14 06:27:07.903: ISAKMP:(1032): sending packet to 2XX.XXX.XXX.XX my_port 500 peer_port 500 (I) CONF_XAUTH
*Mar 14 06:27:07.907: ISAKMP:(1032):Sending an IKE IPv4 Packet.
*Mar 14 06:27:07.907: ISAKMP:(1032):deleting node -475558296 error FALSE reason "Done with xauth request/reply exchange"
*Mar 14 06:27:07.907: ISAKMP:(1032):Input = IKE_MESG_INTERNAL, IKE_XAUTH_REPLY_ATTR
*Mar 14 06:27:07.907: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_AWAIT New State = IKE_XAUTH_REPLY_SENT
*Mar 14 06:27:07.963: ISAKMP (0:1032): received packet from 2XX.XXX.XXX.XX dport 500 sport 500 Global (I) CONF_XAUTH
*Mar 14 06:27:07.967: ISAKMP: set new node 559535353 to CONF_XAUTH
*Mar 14 06:27:07.971: ISAKMP:(1032):processing transaction payload from 2XX.XXX.XXX.XX. message ID = 559535353
*Mar 14 06:27:07.979: ISAKMP: Config payload REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Xauth process request
*Mar 14 06:27:07.979: ISAKMP:(1032):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Mar 14 06:27:07.979: ISAKMP:(1032):Old State = IKE_XAUTH_REPLY_SENT New State = IKE_XAUTH_REPLY_AWAIT
*Mar 14 06:27:08.983: EZVPN(OfficeVPN): Pending XAuth Request, Please enter the following command:
*Mar 14 06:27:08.983: EZVPN: crypto ipsec client ezvpn xauth
Thanks again,
Ken
08-08-2008 06:20 AM
The NAT I sent you should be used instead of yours,
so delete your old standard ACL and the NAT line associated with it.
08-08-2008 07:26 AM
Thanks, I misunderstood. I've changed NAT to the following and am receiving the same failure when trying to bring up the tunnel. The router does have a VPN module in it; I may try removing the module soon to see if it's a hardware issue.
ip nat inside source list 100 interface Ethernet0 overload
!
!
access-list 100 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.15.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
no cdp run
!