11-20-2008 08:16 AM
I'm trying to set up a remote site via EzVPN. The home office has a VPN3015 and the remote office has a 2801 router. I've followed the "EzVPN with NEM on IOS Router with VPN 3000 Concentrator Configuration Example" but no dice. In fact, when the document says to check for the tunnel, there isn't one started (I'm not sure how the tunnel starts before the router is configured). I've attached the router configuration. Any ideas what I'm doing wrong?
Link to document: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml
11-20-2008 08:19 PM
Hi Joe,
I can't see your router's config, the link is not active.
Did you check what debug says on the router? "debug crypto ipsec client ezvpn"?
Did you remember to allow IPSec traffic on the router's outside interface? I think the document doesn't say that.
Thanks,
Remi
11-21-2008 06:18 AM
I opened the config without error off the site. Let me post it here.
VPNTest(config)#do sh run
Building configuration...
Current configuration : 2811 bytes
!
version 12.4
service nagle
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname VPNTest
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ObiR$.wljotM2hsU1zhWUgx2MH1
enable password 7 13554E4A5C5A517E787679
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.133.10.1 10.133.10.99
!
ip dhcp pool 0
 network 10.133.10.0 255.255.255.0
 domain-name easternacs.org
 dns-server 10.133.4.12 204.117.214.10 199.2.252.10
 default-router 10.133.10.2
 lease 2
!
!
ip ssh version 2
!
!
!
!
username admin privilege 15 password 7 08061D420514550517
!
!
!
!
crypto ipsec client ezvpn SJVPN
 connect auto
 group Sites key 8jeboa9bU
 mode network-extension
 peer nn.nn.nn.nn
 xauth userid mode interactive
!
!
!
interface FastEthernet0/0
 description outside int
 ip address nn.nn.nn.nn 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn SJVPN
!
interface FastEthernet0/1
 description Inside
 ip address 10.133.10.2 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto ipsec client ezvpn SJVPN inside
!
ip classless
no ip forward-protocol udp bootps
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 nn.nn.nn.nn
!
no ip http server
no ip http secure-server
ip nat inside source route-map EZPVN interface FastEthernet0/0 overload
!
access-list 101 deny ip 10.133.10.0 0.0.0.255 10.133.0.0 0.0.255.255
access-list 101 deny ip 10.133.10.0 0.0.0.255 10.131.0.0 0.0.255.255
access-list 101 permit ip 10.133.10.0 0.0.0.255 any
no cdp run
route-map EZVPN permit 10
 match ip address 101
!
!
!
control-plane
!
!
line con 0
 password 7 0874564F5B0E5544
 login
line aux 0
line vty 0 4
 session-timeout 30
 exec-timeout 30 0
 password 7 091954084B124741
 logout-warning 15
 login local
 transport input ssh
line vty 5 15
 login
!
end
11-24-2008 07:21 AM
Joe,
This line:
xauth userid mode interactive
makes the login prompt happen at the console or web interface. Do you have a username that you're configuring on the concentrator side that also has a group? If so, you can use the "username" command under the crypto ipsec client ezvpn.
--John
11-24-2008 01:15 PM
Hi,
Try adding the following to the config on the router side:
crypto ipsec client ezvpn SJVPN
 username XXXXX password XXXXX
 xauth userid mode local
Make sure you save password on the concentrator side for the Sites group.
Hope it helps.
Remi
12-04-2008 10:57 AM
Found my issue. In the VPN3000, Network extension was disabled. One check box :-). Thanks for your help!!!
12-04-2008 01:17 PM
Hi Joe,
I am glad you found where the problem was and thanks for the voting.
Saludos,
Remi
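The client-side points raised in this thread, as an added example that is not part of any poster's message: a small Python audit of an EzVPN client configuration that flags `xauth userid mode interactive`, `xauth userid mode local` with no stored `username`, a profile not applied to an outside interface, and a NAT statement naming a route-map that is never defined (the posted configuration references `EZPVN` but defines `EZVPN`). The function name, finding codes and sample configuration are constructed for illustration, and the parser assumes `show running-config` output with its original indentation.

```python
import re

# Constructed sample modelled on the EzVPN client in this thread; the key and
# peer are placeholders, and sub-commands are indented as in real output.
SAMPLE = """\
crypto ipsec client ezvpn SJVPN
 connect auto
 group Sites key <group-key>
 mode network-extension
 peer 192.0.2.1
 xauth userid mode interactive
!
interface FastEthernet0/0
 crypto ipsec client ezvpn SJVPN
!
interface FastEthernet0/1
 crypto ipsec client ezvpn SJVPN inside
!
ip nat inside source route-map EZPVN interface FastEthernet0/0 overload
route-map EZVPN permit 10
 match ip address 101
"""

# Global profile: header at column 0 followed by indented sub-commands.
PROFILE = re.compile(r"^crypto ipsec client ezvpn (\S+)\n((?: .*\n)*)", re.M)
# Interface-level application: indented, optionally marked "inside".
APPLIED = re.compile(r"^ +crypto ipsec client ezvpn (\S+)( inside)?$", re.M)

def audit_ezvpn(config):
    """Return (code, name) findings for an IOS EzVPN client configuration."""
    findings = []
    outside = {name for name, inside in APPLIED.findall(config) if not inside}
    for name, body in PROFILE.findall(config):
        cmds = [c.strip() for c in body.splitlines()]
        if "xauth userid mode interactive" in cmds:
            # Per the thread: the login prompt appears at the console or web interface.
            findings.append(("xauth-interactive", name))
        elif "xauth userid mode local" in cmds and not any(c.startswith("username ") for c in cmds):
            findings.append(("xauth-local-without-username", name))
        if name not in outside:
            findings.append(("profile-not-on-outside-interface", name))
    # A NAT rule naming a route-map that is never defined is a dangling reference.
    defined = set(re.findall(r"^route-map (\S+)", config, re.M))
    for ref in re.findall(r"^ip nat inside source route-map (\S+)", config, re.M):
        if ref not in defined:
            findings.append(("nat-route-map-undefined", ref))
    return findings

if __name__ == "__main__":
    for code, name in audit_ezvpn(SAMPLE):
        print(f"{code}: {name}")
```

The audit covers only the router side; the setting that resolved this thread, network extension on the VPN 3000 group, lives on the concentrator and has to be checked there.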