Ezvpn problem with Xauth auto connect

e-chuah
Level 1

Hi..

I have a problem auto-connecting an EasyVPN client to an EasyVPN server using a saved Xauth username/password.

The ezvpn client is a Cisco 2691 using IOS 12.4.15T7. The config is as follows:

crypto ipsec client ezvpn EZ
 connect auto
 group VPNGRP key cisco123
 mode network-extension
 peer 100.100.100.1
 username cisco password cisco123
 xauth userid mode local

The router keeps prompting me to manually enter the username/password. Connectivity will be established after I manually enter the username/password. But this is not what I desired. I need it to connect automatically.

The Ezvpn server is a 7200 running 12.4.22T. Config as follows:

aaa new-model
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
username cisco password 0 cisco123
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VPNGRP
 key cisco123
 save-password
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
 set transform-set MYSET
!
!
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

Any advice will be greatly appreciated.

Thanks

Eng Wee

7 Replies

e-chuah
Level 1

Hi...

I saw this message

EZVPN(EZ) Server does not allow save password option

in the ezvpn client (Cisco 2691).

But I already have "save-password" configured in the Ezvpn IOS server.

Did I miss out anything?

Thanks

Eng Wee

When you do a:

show crypto ipsec client ezvpn

on the client, does it say:

Save Password: Allowed

Regards

Farrukh

Hi Farrukh,

I checked that as well; it indicates not allowed.

I tested this in GNS3, but I believe it should be the same as an actual router platform.

Rgds

It could also be a software version issue. This would depend on which release this feature was introduced.

Regards

Farrukh

I too am having the same problem. Is this an IOS bug?

Yes, I logged a case with TAC; it is a bug + config issue.

If you are using the 2800/3800 platform, upgrade to 12.2.22T and above.

In addition to the IOS upgrade, it appeared to be a non-obvious config issue. If we add the following command line on the hub side

crypto map client configuration address respond

then it starts working fine. It appears that this command turns on not only address assignment for the client (which we do not need in network extension mode and which will be ignored by the client), but also negotiation of other client configuration options.

Hope this helps..

Rgds

Eng Wee

It's working after adding the

crypto map client configuration address respond

Thanks for your help
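
An added example, not part of any post in this thread: a small Python check that flags a hub configuration where a client group has save-password but the crypto map doing Xauth has no `client configuration address respond` line, the combination the thread reports as failing. It assumes the command is entered with the crypto map name (CLIENTMAP, as in the question's other crypto map lines); the function names and the abridged sample config are constructed for illustration.

```python
import re

# Constructed sample: the hub (EzVPN server) config from the question, abridged.
HUB_CONFIG = """\
crypto isakmp client configuration group VPNGRP
 key cisco123
 save-password
!
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
"""

def groups_with_save_password(config):
    """Return names of client configuration groups that contain save-password."""
    groups, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = m.group(1)          # entering a group sub-block
        elif line[:1].isspace() and current:
            if line.strip() == "save-password":
                groups.append(current)
        else:
            current = None                # '!' or a new top-level command
    return groups

def maps_missing_respond(config):
    """Return crypto maps that do Xauth but lack the 'respond' line."""
    xauth, respond = set(), set()
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) client (.+)", line.strip())
        if not m:
            continue
        name, rest = m.groups()
        if rest.startswith("authentication list"):
            xauth.add(name)
        elif rest == "configuration address respond":
            respond.add(name)
    return sorted(xauth - respond)

def audit(config):
    """List findings for the save-password / missing 'respond' combination."""
    if not groups_with_save_password(config):
        return []
    return [f"crypto map {n}: add 'client configuration address respond'"
            for n in maps_missing_respond(config)]

if __name__ == "__main__":
    print("\n".join(audit(HUB_CONFIG)))
```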
