Ezvpn problem with Xauth auto connect

Nov 18th, 2008

Hi..


I have a problem auto-connecting an EasyVPN client to an EasyVPN server using a saved Xauth username/password.


The ezvpn client is a Cisco 2691 using IOS 12.4.15T7. The config is as follows:


crypto ipsec client ezvpn EZ
 connect auto
 group VPNGRP key cisco123
 mode network-extension
 peer 100.100.100.1
 username cisco password cisco123
 xauth userid mode local


The router keeps prompting me to manually enter the username/password. Connectivity will be established after I manually enter the username/password. But this is not what I desired. I need it to connect automatically.


The Ezvpn server is a 7200 running 12.4.22T. Config as follows:


aaa new-model
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
!
username cisco password 0 cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VPNGRP
 key cisco123
 save-password
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
!
!
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP


Any advice will be greatly appreciated.


Thanks

Eng Wee







e-chuah Tue, 11/18/2008 - 22:45

Hi...


I saw this message


EZVPN(EZ) Server does not allow save password option


in the ezvpn client (Cisco 2691).


But I already have "save-password" configured in the Ezvpn IOS server.


Did I miss out anything?


Thanks

Eng Wee

Farrukh Haroon Wed, 11/19/2008 - 00:56

When you do a:


show crypto ipsec client ezvpn


on the client, does it say:


Save Password: Allowed


Regards


Farrukh

e-chuah Wed, 11/19/2008 - 01:14

Hi Farrukh,


I checked that as well; it indicates not allowed.


I tested this in GNS3, but I believe it should be the same as on an actual router platform.


Rgds

Farrukh Haroon Wed, 11/19/2008 - 01:41

It could also be a software version issue. This would depend on which release this feature was introduced.


Regards


Farrukh

e-chuah Tue, 02/17/2009 - 23:15

Yes, I logged a case with TAC; it is a bug + config issue.


If you are using a 2800/3800 platform, upgrade to 12.2.22T and above.


In addition to the IOS upgrade, it appeared to be a non-obvious config issue. If we add the following command line on the hub side


crypto map client configuration address respond


Then it starts working fine. It appears that this command turns on not only address assignment for the client (which we do not need in network extension mode and which will be ignored by the client), but also negotiation of other client configuration options.


Hope this helps..


Rgds

Eng Wee
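
An added example, not part of the original thread and not Cisco tooling: a Python check that flags a hub config which sets save-password for an EzVPN group but lacks the client-configuration command from the post above. The full command form with the map name (crypto map CLIENTMAP client configuration address respond) is an assumption based on the CLIENTMAP name in the first post, and the sample config is constructed from that post.

```python
import re

# Constructed sample: hub config from the first post, abridged and indented
# the way "show running-config" prints sub-commands.
HUB_CONFIG = """\
crypto isakmp client configuration group VPNGRP
 key cisco123
 save-password
!
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
"""

GROUP_RE = re.compile(r"crypto isakmp client configuration group (\S+)")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+", re.M)
# Assumed full form of the command quoted in the thread (map name included).
RESPOND_RE = re.compile(r"^crypto map (\S+) client configuration address respond", re.M)

def save_password_groups(config):
    """Names of EzVPN groups whose sub-command block contains save-password."""
    groups, current = [], None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line[:1] in (" ", "\t"):
            if line.strip() == "save-password":
                groups.append(current)
        else:
            current = None  # "!" or a new top-level command ends the block
    return groups

def maps_missing_respond(config):
    """Crypto maps that do Xauth but lack 'client configuration address respond'."""
    return sorted(set(XAUTH_RE.findall(config)) - set(RESPOND_RE.findall(config)))

def audit(config):
    """One finding per (group, map) pair matching the misconfiguration in the thread."""
    return [f"group {g}: save-password is set, but crypto map {m} lacks "
            f"'client configuration address respond'"
            for g in save_password_groups(config)
            for m in maps_missing_respond(config)]

if __name__ == "__main__":
    for finding in audit(HUB_CONFIG):
        print(finding)
```
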

c_martinez Fri, 05/31/2013 - 08:29

It's working after adding the


crypto map client configuration address respond


Thanks for your help
