Easy VPN and Xauth

Unanswered Question
Jun 29th, 2009

I am setting up an EzVPN connection from an 1811 router to my ASA 5540. I have everything setup and working properly with the exception of xauth.

I haven't had this problem with my VPN concentrator, and the configurations on the client side are identical.

Is there a way to not use xauth? I can't have my users logging into the router and typing in the command to login via xauth everytime their tunnel drops. I need to make this as seemless as I possibly can to the end user.

Any help is appreciated,

Craig

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Maxim Zimovets Mon, 06/29/2009 - 23:03

Hello, Craig!

You did not specified IOS's version of your 1841. But.

You have 2 options:

1. Set up username within EasyVPN group on a router:

crypto ipsec client ezvpn EZ

:

username cisco password cisco

xauth userid mode local

:

And don't forget to add "password-storage enable" to corresponding group-policy.

2. Switch off xauth for a tunnel-group.

tunnel-group NAME-GROUP ipsec-attributes

isakmp ikev1-user-authentication none

But be careful with such configuration. There are some security implication with IKE Aggressive mode.

Hope this helps.

With best regards.

xcz504d1114 Tue, 06/30/2009 - 07:47

Thanks for the help! I will put the configurations up in a few and give it a whirl!

IOS on the 1811 is 12.4(6)T7.

Craig

xcz504d1114 Mon, 07/06/2009 - 10:05

Setting up the xauth to local and definind a user/pw worked great! Thanks for the help.

But I'm having another issue, there is definately something wrong with my configuration.

The tunnel is up and active, and from my internal network I can ping the remote default-gateway, but I cannot ping the host on the other side of the default gateway. I have checked routing on my cores and the VPN ASA. I can see the correct network range from the ASA as well:

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 10, local addr: 192.168.20.11

local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.127.129.0/255.255.255.128/0/0)

current_peer: XX.XX.XX.XX, username: GRPNAME

dynamic allocated peer ip: 0.0.0.0

From the above output you can see it's matching the 10.127.129.0/25 netowrk.

Here is the config:

group-policy DfltGrpPolicy attributes

dns-server value 10.64.10.1 10.64.10.2

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SplitTunnel

split-dns value xxxxx.net

nem enable

tunnel-group EZ type remote-access

tunnel-group EZ ipsec-attributes

pre-shared-key *

I can set these up all day as static entries, and I have VPN clients remoting in just fine, just not this EZVPN setup.

Thanks,

Craig

srue Tue, 07/07/2009 - 07:33

for the ezvpn tunnel group, do you have the following command:

isakmp ikev1-user-authentication none

xcz504d1114 Tue, 07/07/2009 - 08:12

I was an idiot, I had my NAT wrong on the VPN clinet router. I was allowing all communication sourced from the remote network to be NAT'd (worked well for internet access) but it was also NAT'ing the traffic destined to the VPN tunnel.

Thanks for the help,

Craig

Actions

This Discussion