EZVPN on 857 to UC520

Unanswered Question
Jul 6th, 2009

Hi


I'm trying to create a VPN between a remote 857 and a UC520 using EZVPN. UC520 is set up just fine and tested OK using the VPN client. However the 857 always fails asking for Xauth credentials stating they are incorrect. Have tried completely wiping the config and starting again, to no success. IOS is AdvSec 124-15.T8.


Must be something simple, but I cannot see it.


thanks in advance


Jamie

cbark Tue, 07/07/2009 - 05:50

Hi Jamie,

can you post the config and topology?


So the 857 is the easy vpn server and the UC520 is the easy vpn client?


Rgds,

Christian

jamie.rickards Tue, 07/07/2009 - 11:16

Hi Christian


Thanks for your help.


The UC520 is the Easy VPN server, and the 857 is the Easy VPN client. The UC520 has a 2621XM acting as its ADSL modem, but it is set to pass everything through to the UC520 WAN port. It has been tested OK using the VPN client on a PC.


I've attached the configs for each box, and also a sample of the debug from the 857. Assume the public addresses xxx.xxx.xxx.xxx are correct ;-)


Hopefully I'm doing something simple and silly.


regards


Jamie



cbark Fri, 07/10/2009 - 03:04

Hi Jamie,


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml


*Jun 3 05:59:30.242: EZVPN(ez): Pending XAuth Request, Please enter the following command:
*Jun 3 05:59:30.242: EZVPN: crypto ipsec client ezvpn xauth

!--- Enter the crypto ipsec client ezvpn xauth command.

3-03-06-871W#crypto ipsec client ezvpn xauth
Username: cisco
Password:
*Jun 3 06:02:46.498: username: cisco
*Jun 3 06:02:46.498: password:



You see that "error message" means that you have to manually put in the username / password like in your pc vpn client.


So I guess in the first vpn dialin from the client to the server you have to put that manually in the router. That the server can validate it and then the client can store it when you allow it on the server.



Step 14 save-password

Example: Router (config-isakmp-group)# save-password


Give it a try.

Rgds,

Christian

cbark Fri, 07/10/2009 - 03:12

Or you can try:


xauth userid mode interactive


what is the default instead of


xauth userid mode local


option local

The saved username or password is used in the configuration.


So it needs the save password and doesn't use the configured one.

Therefore you must first authenticate over the cli (refer to my last post) then it should work if the easyvpn server allows to save the password.


But I personally never configured that option. Usually the interactive was ok and it uses the local configured username / password.


Please send a feedback if it works now.


Cheers,

Christian


Rgds,

Christian
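
The server-side and remote-side settings discussed in the two posts above, side by side, as an added configuration sketch that is not part of the thread or of the attached configs. The names EZVPN-GROUP and EZVPN-CLIENT, the bracketed key and credentials, and the address 192.0.2.1 are placeholders; interface bindings and AAA setup are omitted.

```cisco
! Added example; not taken from the thread's attached configs.
! EZVPN-GROUP, EZVPN-CLIENT, 192.0.2.1 and every <...> value are placeholders.
!
! --- Easy VPN server (the UC520 in this thread) ---
! save-password is what permits a remote to store its Xauth password;
! without it a remote keeps being prompted on every connection.
crypto isakmp client configuration group EZVPN-GROUP
 key <group-pre-shared-key>
 save-password
!
! --- Easy VPN remote (the 857 in this thread) ---
! "group ... key" must match the server group name and key above.
! "username ... password" are the Xauth credentials, which are
! checked separately from the group key.
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group EZVPN-GROUP key <group-pre-shared-key>
 mode client
 peer 192.0.2.1
 username <xauth-user> password <xauth-password>
 xauth userid mode local
!
! Interactive alternative: use "xauth userid mode interactive" and answer
! the pending request from exec mode when the debug asks for it:
!   Router# crypto ipsec client ezvpn xauth
!
! Check the tunnel state and whether the server offered save-password:
!   Router# show crypto ipsec client ezvpn
```
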

jamie.rickards Fri, 07/10/2009 - 03:28

Hi Christian


Many thanks for your time looking at this for me.


I'll try inputting the username and password from the CLI as you suggest. All previous attempts have been via SDM where it continually asked me to input the username and password.


I'll give it a go this evening and let you know.


best regards


Jamie

jamie.rickards Fri, 07/10/2009 - 11:26

Hi Christian


I've tried entering the credentials at the CLI prompt, however it does not accept them and continues to request that I put them in.


The same credentials work fine on the VPN client from a PC on the same network.


Any ideas?


Jamie

cbark Wed, 08/05/2009 - 11:09

Hi Jamie,

did you try:

xauth userid mode local


With a local configured user / password for the xauth configured-


Rgds,

Christian

jamie.rickards Wed, 08/05/2009 - 11:54

Hi Christian


I've tried that one, still no change. It seems like whatever hash is being used for the password does not match at either end.


Can't work it out.


regards


Jamie
