
Secure Easy VPN and IOS issue.

atulrpatil (Level 1)

Hi,

I have an Easy VPN set up on a Cisco 871 router as the remote client, with a Cisco ASA firewall as the VPN server. Everything works fine, except when I change/upgrade the IOS from 12.4.4T7(ED) to 12.4.20T1(ED); a ping sourced from the inside interface of the 871 to the internet fails. Just wanted to check if this is an IOS issue or whether I need to add any specific configuration for the new IOS version?

2 Replies

vmoopeung (Level 5)

If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.

Note: This issue only applies to Cisco IOS and PIX 6.x, whereas PIX/ASA 7.x is not affected by this issue since it uses tunnel-groups.

Use the no-xauth keyword when you enter the isakmp key, so the device does not prompt the peer for XAUTH information (username and password). This keyword disables XAUTH for static IPsec peers. Enter a command similar to this on the device that has both L2L and RA VPN configured on the same crypto map:

router(config)#crypto isakmp key cisco123 address 172.22.1.164 no-xauth

In the scenario where the PIX/ASA 7.x acts as the Easy VPN Server, the Easy VPN client is unable to connect to the headend because of the XAUTH issue. Disable the user authentication on the PIX/ASA in order to resolve the issue as shown:

ASA(config)#tunnel-group example-group type ipsec-ra
ASA(config)#tunnel-group example-group ipsec-attributes
ASA(config-tunnel-ipsec)#isakmp ikev1-user-authentication none
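As an added illustration (not part of the reply above and not a Cisco tool), the following Python script audits an IOS running-config for exactly the condition the reply describes: a static `crypto isakmp key ... address` peer that is referenced by a `set peer` in a crypto map entry whose map also has XAUTH enabled (`crypto map <name> client authentication list <list>`), but whose key line lacks `no-xauth`. It reports the offending map/peer pairs and can emit a corrected config with `no-xauth` appended. The sample config, peer addresses, key strings and map names are constructed for the example; the ASA tunnel-group side of the reply is not covered.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample IOS running-config (not from the original post). VPNMAP carries
# both a remote-access policy (XAUTH via "client authentication list") and two static
# LAN-to-LAN peers; OTHERMAP is a plain L2L map with no XAUTH.
SAMPLE_IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.22.1.164
crypto isakmp key cisco456 address 198.51.100.7 no-xauth
crypto isakmp client configuration group ravpn
 key ravpnkey
 pool ravpn-pool
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list groupauthor
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp
 set peer 172.22.1.164
 set transform-set ESP-3DES-SHA
 match address L2L-ACL
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set ESP-3DES-SHA
 match address L2L-ACL2
crypto map OTHERMAP 10 ipsec-isakmp
 set peer 203.0.113.9
 set transform-set ESP-3DES-SHA
 match address L2L-ACL3
crypto isakmp key cisco789 address 203.0.113.9
"""

# "crypto isakmp key [6] <key> address <ip> [<mask>] [no-xauth]"
KEY_RE = re.compile(r"^crypto isakmp key (?:6 )?(\S+) address (\S+)(.*)$")
# XAUTH is enabled per crypto map by "client authentication list <aaa-list>"
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
SET_PEER_RE = re.compile(r"^\s+set peer (\S+)")


def static_keys(config: str) -> Dict[str, bool]:
    """Map each static pre-shared-key peer address to whether no-xauth is set."""
    keys: Dict[str, bool] = {}
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m:
            keys[m.group(2)] = "no-xauth" in m.group(3).split()
    return keys


def xauth_maps(config: str) -> Set[str]:
    """Names of crypto maps that prompt peers for XAUTH."""
    names: Set[str] = set()
    for line in config.splitlines():
        m = XAUTH_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def map_peers(config: str) -> Dict[str, List[str]]:
    """Map name -> list of 'set peer' addresses across all its ipsec-isakmp entries."""
    peers: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = MAP_ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, [])
            continue
        if line.startswith(" ") and current:
            p = SET_PEER_RE.match(line)
            if p:
                peers[current].append(p.group(1))
        else:
            current = None  # any top-level line ends the map entry block
    return peers


def find_xauth_prompted_peers(config: str) -> List[Tuple[str, str]]:
    """(map, peer) pairs where a static L2L peer on an XAUTH map lacks no-xauth."""
    keys = static_keys(config)
    flagged = xauth_maps(config)
    findings: List[Tuple[str, str]] = []
    for map_name, peers in map_peers(config).items():
        if map_name not in flagged:
            continue
        for peer in peers:
            if peer in keys and not keys[peer]:
                findings.append((map_name, peer))
    return findings


def add_no_xauth(config: str, peers: Set[str]) -> str:
    """Return the config with 'no-xauth' appended to the key lines of the given peers."""
    out = []
    for line in config.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(2) in peers and "no-xauth" not in m.group(3).split():
            line = line.rstrip() + " no-xauth"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for map_name, peer in find_xauth_prompted_peers(SAMPLE_IOS_CONFIG):
        print(f"map {map_name}: static peer {peer} will be prompted for XAUTH (add no-xauth)")
```

Run it against the output of `show running-config`; the only peer it flags in the sample is 172.22.1.164 on VPNMAP, since 198.51.100.7 already has `no-xauth` and OTHERMAP has no `client authentication list` line. Re-auditing the config returned by `add_no_xauth` reports nothing.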
