11-18-2008 08:39 PM
Hi..
I have a problem auto-connecting an EasyVPN client to an EasyVPN server using a saved Xauth username/password.
The ezvpn client is a Cisco 2691 using IOS 12.4.15T7. The config is as follows:
crypto ipsec client ezvpn EZ
connect auto
group VPNGRP key cisco123
mode network-extension
peer 100.100.100.1
username cisco password cisco123
xauth userid mode local
The router keeps prompting me to manually enter the username/password. Connectivity will be established after I manually enter the username/password, but this is not what I desire. I need it to connect automatically.
The Ezvpn server is a 7200 running 12.4.22T. Config as follows:
aaa new-model
aaa authentication login USERAUTHEN local
aaa authorization network GROUPAUTHOR local
username cisco password 0 cisco123
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60
!
crypto isakmp client configuration group VPNGRP
key cisco123
save-password
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set MYSET
!
!
crypto map CLIENTMAP client authentication list USERAUTHEN
crypto map CLIENTMAP isakmp authorization list GROUPAUTHOR
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
Any advice will be greatly appreciated.
Thanks
Eng Wee
11-18-2008 10:45 PM
Hi...
I saw this message
EZVPN(EZ) Server does not allow save password option
in the ezvpn client (Cisco 2691).
But I already have "save-password" configured in the Ezvpn IOS server.
Did I miss anything?
Thanks
Eng Wee
11-19-2008 12:56 AM
When you do a:
show crypto ipsec client ezvpn
on the client, does it say:
Save Password: Allowed
Regards
Farrukh
11-19-2008 01:14 AM
Hi Farrukh,
I checked that as well; it indicates not allowed.
I tested this in GNS3, but I believe it should be the same as on an actual router platform.
Rgds
11-19-2008 01:41 AM
It could also be a software version issue. This would depend on the release in which this feature was introduced.
Regards
Farrukh
02-17-2009 11:05 PM
I too am having the same problem. Is this an IOS bug?
02-17-2009 11:15 PM
Yes, I logged a case with TAC; it is a bug plus a config issue.
If you are using a 2800/3800 platform, upgrade to 12.2.22T and above.
In addition to the IOS upgrade, there appeared to be a non-obvious config issue. If we add the following command line on the hub side
crypto map
Then it starts working fine. It appears that this command turns on not only address assignment for the client (which we do not need in network extension mode and which will be ignored by the client), but also negotiation of other client configuration options.
Hope this helps..
Rgds
Eng Wee
05-31-2013 08:29 AM
It's working after adding the
crypto map
Thanks for your help