DMVPN & EzVPN

Nov 12th, 2009

Hello everyone, I have configured a DMVPN hub and EzVPN server on a Cisco 2811 at the head office, and the branches have 2600 routers. There are 5 spokes at this moment for DMVPN. Users use the Cisco EzVPN client software to access the head office network. However, I am facing problems.

When I do sh crypto isakmp sa

I usually see errors like

MM_NO_STATE

CONF_XAUTH

And the IP address in the destination is that of the DMVPN spokes. Sometimes when I type in the hub

crypto isakmp key cisco123 address 172.19.7.122 no-xauth

a static entry for a DMVPN spoke and type no-xauth, it works fine sometimes but sometimes not. I could not test all the spokes at this moment because the network is not in production at this point.

I think the EzVPN server and DMVPN server are having a conflict in this crypto isakmp key thing.

Attached is my DMVPN HUB + EZVPN Server configuration

Todd Pula Thu, 11/12/2009 - 14:51

You will want to modify your configuration to use an isakmp profile. This will allow you to apply the EasyVPN xauth config to your incoming client connections only. For example,

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group testgroup
 key testgroup
 pool vpn-test-pool
crypto isakmp profile vpn-test-profile
 match identity group testgroup
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
!
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
!
crypto ipsec profile test-profile
 set transform-set test
!
!
crypto dynamic-map dyn-map 1
 set transform-set test
 set isakmp-profile vpn-test-profile
 reverse-route remote-peer 1.1.1.1
!
!
crypto map test 1 ipsec-isakmp dynamic dyn-map
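
Added example, not part of the reply above and not Cisco tooling: a small Python audit that reports where XAUTH is enabled in a hub configuration and which pre-shared-key peers it will challenge. The BEFORE sample is a constructed, assumed map-level EzVPN layout (the poster's attached configuration is not on the page), 192.0.2.10 is a constructed spoke address, and the function name is hypothetical.

```python
import re

# Constructed hub config: map-level XAUTH (assumed pre-profile EzVPN layout).
BEFORE = """\
crypto isakmp key cisco123 address 172.19.7.122 no-xauth
crypto isakmp key cisco123 address 192.0.2.10
crypto map test client authentication list VPN
crypto map test isakmp authorization list VPN
crypto map test client configuration address respond
crypto map test 1 ipsec-isakmp dynamic dyn-map
"""

# Profile-scoped layout, following the shape of the reply above.
AFTER = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp profile vpn-test-profile
 match identity group testgroup
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
crypto map test 1 ipsec-isakmp dynamic dyn-map
"""

KEY_RE = re.compile(r"crypto isakmp key (?:[06] )?\S+ address (\S+)(.*)")
MAP_XAUTH_RE = re.compile(r"crypto map (\S+) client authentication list \S+")
PROFILE_RE = re.compile(r"crypto isakmp profile (\S+)")

def audit_xauth_scope(config):
    """Return where XAUTH is enabled and which keyed peers it will challenge."""
    map_level, profile_level, keys = [], [], []
    profile = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace():                      # sub-command of the current block
            if profile and line.startswith("client authentication list "):
                profile_level.append(profile)
            continue
        profile = None                             # any top-level line closes the block
        if m := PROFILE_RE.fullmatch(line):
            profile = m.group(1)
        elif m := MAP_XAUTH_RE.fullmatch(line):
            map_level.append(m.group(1))
        elif m := KEY_RE.fullmatch(line):
            keys.append((m.group(1), "no-xauth" in m.group(2).split()))
    # Map-level XAUTH applies to every peer on the map; only no-xauth keys are exempt.
    challenged = [addr for addr, exempt in keys if map_level and not exempt]
    return {"map_level_xauth": map_level, "profile_xauth": profile_level,
            "challenged_peers": challenged}
```

The parser relies on IOS indentation for sub-commands, so feed it the output of `show running-config` rather than a configuration whose leading spaces have been stripped.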
