Secure Easy VPN and IOS issue.

Unanswered Question
May 18th, 2009

Hi,


I have Easy VPN set up on a Cisco 871 router as the remote client, with a Cisco ASA firewall as the VPN server. Everything works fine, except when I change/upgrade the IOS from 12.4.4T7(ED) to 12.4.20T1(ED); a ping sourced from the inside interface of the 871 to the internet fails. Just wanted to check if this is an IOS issue or I need to add any specific configuration for the new IOS version?

vmoopeung Sun, 05/24/2009 - 17:47

If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.


Note: This issue only applies to Cisco IOS and PIX 6.x, whereas PIX/ASA 7.x is not affected by this issue since it uses tunnel-groups.


Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:


router(config)#crypto isakmp key cisco123 address 172.22.1.164 no-xauth


In the scenario where the PIX/ASA 7.x acts as the Easy VPN Server, the easy VPN client is unable to connect to headend because of the Xauth issue. Disable the user authentication in the PIX/ASA in order to resolve the issue as shown:


ASA(config)#tunnel-group example-group type ipsec-ra
ASA(config)#tunnel-group example-group ipsec-attributes
ASA(config-tunnel-ipsec)#isakmp ikev1-user-authentication none
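As an added illustration (not taken from the reply above or from Cisco's documentation), here is the IOS-side configuration the reply describes: a single crypto map carrying both a static L2L entry and a dynamic Easy VPN entry, with XAUTH enabled map-wide and therefore switched off for the static peer with no-xauth. The peer 172.22.1.164 and key cisco123 come from the reply; the interface, ACL, pool, group and user names and all other addresses are assumed placeholders.

```cisco
! Assumed example: IOS headend serving an L2L peer and Easy VPN clients
! from the same crypto map. Names and addresses are constructed.
aaa new-model
! XAUTH user list and Easy VPN group authorization
aaa authentication login USERAUTH local
aaa authorization network GROUPAUTHOR local
! constructed test account for remote-access users
username ravpn-user password 0 EXAMPLE-PASS
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Static L2L peer (address and key from the reply). Without no-xauth this
! peer would be prompted for a username/password and the tunnel would fail.
crypto isakmp key cisco123 address 172.22.1.164 no-xauth
!
! Easy VPN client group (assumed name, key and pool)
crypto isakmp client configuration group RA-GROUP
 key RA-GROUP-KEY
 pool RA-POOL
ip local pool RA-POOL 10.10.10.1 10.10.10.50
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! These three lines turn on XAUTH and mode-config for every peer on MAP,
! which is why the static peer above needs the no-xauth keyword.
crypto map MAP client authentication list USERAUTH
crypto map MAP isakmp authorization list GROUPAUTHOR
crypto map MAP client configuration address respond
crypto map MAP 10 ipsec-isakmp
 description L2L tunnel to 172.22.1.164
 set peer 172.22.1.164
 set transform-set TS
 match address L2L-ACL
crypto map MAP 65535 ipsec-isakmp dynamic DYN
!
ip access-list extended L2L-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface FastEthernet4
 crypto map MAP
```

After applying this, `show crypto isakmp sa` should show the L2L peer reaching QM_IDLE without an XAUTH exchange, while Easy VPN clients are still challenged for credentials.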

