Ezvpn problem with Xauth auto connect

Unanswered Question
Nov 18th, 2008
User Badges:


I have problem auto connect EasyVPN client to EasyVPN server using saved Xauth username/password.

The ezvpn client is a Cisco 2691 using IOS 12.4.15T7. The config is as follows:

crypto ipsec client ezvpn EZ

connect auto

group VPNGRP key cisco123

mode network-extension


username cisco password cisco123

xauth userid mode local

the router keeps prompting me to manually enter username/password. connectivity will work be established after i manually enter the username/password. But this is not what i desired. I need it to connect automatically.

The Ezvpn server is a 7200 running 12.4.22T. COnfig as follows:

aaa new-model

aaa authentication login USERAUTHEN local

aaa authorization network GROUPAUTHOR local

username cisco password 0 cisco123

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 60


crypto isakmp client configuration group VPNGRP

key cisco123




crypto ipsec transform-set MYSET esp-3des esp-sha-hmac


crypto dynamic-map DYNMAP 10

set transform-set MYSET



crypto map CLIENTMAP client authentication list USERAUTHEN

crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR

crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

Any advise will be greatly appreciated.


Eng Wee

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
e-chuah Tue, 11/18/2008 - 22:45
User Badges:


I saw this message

EZVPN(EZ) Server does not allow save password option

in the ezvpn client (Cisco 2691).

But I already have "save-password" configured in the Ezvpn IOS server.

Did i miss out anything?


Eng Wee

Farrukh Haroon Wed, 11/19/2008 - 00:56
User Badges:
  • Red, 2250 points or more

When you do a:

show crypto ipsec client ezvpn

on the client, does it say:

Save Password: Allowed



e-chuah Wed, 11/19/2008 - 01:14
User Badges:

Hi Farrukh,

i checked that as well, it indicates not allowed.

I tested this in GNS3..but i believe should be the same as actual router platform...


Farrukh Haroon Wed, 11/19/2008 - 01:41
User Badges:
  • Red, 2250 points or more

It could also be a software version issue. This would depend on which release this feature was introduced.



e-chuah Tue, 02/17/2009 - 23:15
User Badges:

Yes, i log a case with TAC, it is a bug + config issue.

If you are using 2800/3800 platform, upgrade to 12.2.22T and above.

In addition to the IOS upgrade, it appeared to be non-obvious config issue. If we add the following command line on hub side

crypto map client configuration address respond

Then it starts working fine. It appears that this command turns on not only address assignment for client (which we do not need in network extension mode and it will be ignored by client), but also other client configuration options negotiation.

Hope this helps..


Eng Wee

c_martinez Fri, 05/31/2013 - 08:29
User Badges:

its working adding the

crypto map client configuration address respond

Thanks for your help


This Discussion