
EZvpn configuration issues

joe.gauthier
Level 1

I'm trying to set up a remote site via EZVpn. The home office has a VPN3015 and the remote office has a 2801 router. I've followed the "EzVPN with NEM on IOS Router with VPN 3000 Concentrator Configuration Example" but no dice. In fact, when the document says to check for the tunnel, there isn't one started (I'm not sure how the tunnel starts before the router is configured). I've attached the router configuration. Any ideas what I'm doing wrong?

Link to document: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

Accepted Solutions

Hi,

Try adding the following to the config on the router side:

crypto ipsec client ezvpn SJVPN
 username XXXXX password XXXXX
 xauth userid mode local

Make sure you save password on the concentrator side for the Sites group.

Hope it helps.

Remi


remi-reszka
Level 1

Hi Joe,

I can't see your router's config, the link is not active.

Did you check what debug says on the router? "debug crypto ipsec client ezvpn"?

Did you remember to allow IPSec traffic on the router's outside interface? I think the document doesn't say that.

Thanks,

Remi

I opened the config without error of the site. Let me post it here.

VPNTest(config)#do sh run
Building configuration...

Current configuration : 2811 bytes
!
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname VPNTest
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ObiR$.wljotM2hsU1zhWUgx2MH1
enable password 7 13554E4A5C5A517E787679
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.133.10.1 10.133.10.99
!
ip dhcp pool 0
 network 10.133.10.0 255.255.255.0
 domain-name easternacs.org
 dns-server 10.133.4.12 204.117.214.10 199.2.252.10
 default-router 10.133.10.2
 lease 2
!
!
ip ssh version 2
!
!
!
!
username admin privilege 15 password 7 08061D420514550517
!
!
!
!
crypto ipsec client ezvpn SJVPN
 connect auto
 group Sites key 8jeboa9bU
 mode network-extension
 peer nn.nn.nn.nn
 xauth userid mode interactive
!
!
!
interface FastEthernet0/0
 description outside int
 ip address nn.nn.nn.nn 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn SJVPN
!
interface FastEthernet0/1
 description Inside
 ip address 10.133.10.2 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn SJVPN inside
!
ip classless
no ip forward-protocol udp bootps
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 nn.nn.nn.nn
!
no ip http server
no ip http secure-server
ip nat inside source route-map EZPVN interface FastEthernet0/0 overload
!
access-list 101 deny ip 10.133.10.0 0.0.0.255 10.133.0.0 0.0.255.255
access-list 101 deny ip 10.133.10.0 0.0.0.255 10.131.0.0 0.0.255.255
access-list 101 permit ip 10.133.10.0 0.0.0.255 any
no cdp run
route-map EZVPN permit 10
 match ip address 101
!
!
!
control-plane
!
!
line con 0
 password 7 0874564F5B0E5544
 login
line aux 0
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 password 7 091954084B124741
 logout-warning 15
 login local
 transport input ssh
line vty 5 15
 login
!
end

Joe,

This line:

xauth userid mode interactive

makes the login prompt happen at the console or web interface. Do you have a username that you're configuring on the concentrator side that also has a group? If so, you can use the "username" command under the crypto ipsec client ezvpn section. That might help.

--John

HTH, John *** Please rate all useful posts ***

Found my issue. In the VPN3000 Network extension was disabled. One check box :-). Thanks for your help!!!

Hi Joe,

I am glad you found where the problem was and thanks for the voting.

Saludos,

Remi
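
The following is an added example, not part of the thread or of Cisco's documentation: a small Python check over `show running-config` text for the Xauth mode discussed in the replies and for NAT route-map names that are referenced but never defined. The function names are hypothetical, the sample is constructed from the posted configuration with the key and peer replaced by placeholders, and the parser assumes sub-command indentation is intact.

```python
import re

# Constructed sample: the EzVPN and NAT lines from the configuration posted in
# this thread, with the group key and peer address replaced by placeholders.
SAMPLE = """\
crypto ipsec client ezvpn SJVPN
 connect auto
 group Sites key <group-key>
 mode network-extension
 peer <peer-address>
 xauth userid mode interactive
!
ip nat inside source route-map EZPVN interface FastEthernet0/0 overload
route-map EZVPN permit 10
 match ip address 101
"""

def sections(config):
    """Map each top-level IOS command to its indented sub-commands."""
    out, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        else:
            current = raw.strip()
            out.setdefault(current, [])
    return out

def lint_ezvpn(config):
    """Return findings for Xauth mode and for NAT route-map references."""
    findings, secs = [], sections(config)
    for head, body in secs.items():
        m = re.fullmatch(r"crypto ipsec client ezvpn (\S+)", head)
        if m and "xauth userid mode interactive" in body:
            findings.append(f"{m[1]}: Xauth is interactive; login is prompted at the console")
        elif m and "xauth userid mode local" in body and not any(b.startswith("username ") for b in body):
            findings.append(f"{m[1]}: Xauth mode is local but no username/password is stored")
    defined = {h.split()[1] for h in secs if h.startswith("route-map ")}
    for head in secs:
        m = re.match(r"ip nat inside source route-map (\S+)", head)
        if m and m[1] not in defined:
            findings.append(f"NAT references route-map {m[1]}, which is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_ezvpn(SAMPLE)))
```

On the sample it reports the interactive Xauth setting and the `EZPVN`/`EZVPN` name mismatch; neither check covers the concentrator-side Network Extension setting that turned out to be the cause here.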
