EasyVPN: crypto ipsec client ezvpn xauth

Unanswered Question
May 13th, 2010

Hi

Every time I reboot an EasyVPN client, it prompts for a username and password with the following command: "crypto ipsec client ezvpn xauth".

How do I make the connection persistent, so that it won't ask for a username and password at the next reboot?

I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.

My EasyVPN server configuration (Cisco 877) is as follows:

sh run
Building configuration...

Current configuration : 2306 bytes
!

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common

!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
username cisco password 5 121A0C0411045D5679
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end

My Cisco 877 router client configuration:

sh run
Building configuration...

Current configuration : 1919 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Goldcoast
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model

!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
!
!

!
!
!
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password
crypto ipsec client ezvpn ez
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end

I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.

Siva.

Federico Coto F... Thu, 05/13/2010 - 11:35

Hi,

Have you tried on the client to specify the user?

crypto ipsec client ezvpn ez
     username password

Federico.

sivakumar_ks Thu, 05/13/2010 - 15:00

I tried that, but still it came up manual xauth at set at server end. But I can't find any option at EasyVPN server related to manual or dynamic.

Siva.

Federico Coto F... Thu, 05/13/2010 - 16:05

The "save-password" command on the server should allow the remote client to save the XAUTH password.
If you issue the command:
"no xauth userid mode interactive"
on the client, does it ask for user credentials?

Federico.

sivakumar_ks Fri, 05/14/2010 - 05:48

Sorry for the late reply.

I am getting the following error after removing xauth. Here is the error.

May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=


May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=

Thanks,

siva.

Federico Coto F... Fri, 05/14/2010 - 07:44

Ok,
Add again the commands you have originally.

Question:
When you do a:
show crypto ipsec client ezvpn
on the client, does it say:
Save Password: Allowed

It could also be a software version issue. This would depend on which release this feature was introduced.
Please add this command:
crypto map clientmap client configuration address respond

Test again.

Federico.

sivakumar_ks Sat, 05/15/2010 - 05:12

Hi

show crypto ipsec client ezvpn

output

Inside interface list: Loopback0
Outside interface: Dialer0
Current State: XAUTH_REQ
Last Event: XAUTH_REQUEST
Save Password: Disallowed
Current EzVPN Peer:

I tried this command

crypto map clientmap client configuration address respond at client side and still no luck.

Thanks,

siva.

Federico Coto F... Sat, 05/15/2010 - 13:43

You're getting:

Save Password: Disallowed

That's why it keeps prompting for password every time.

What's your IOS version?

Would you be able to upgrade if necessary?

Federico.

sambikar1s Wed, 03/05/2014 - 07:16

Hi Federico,

I have the same issue where my ezvpn gets reset. Can anyone please help?

I have the following information.

1. My IOS is c2900-universalk9-mz.SPA.151-4.M4.bin.

2. My configuration under EzVPN is:

crypto ipsec client ezvpn vpnclient
connect auto
group *********** key ************
mode network-extension
peer ********
acl 102
username ****** password **********
xauth userid mode local

3. Router#  show crypto ipsec client ezvpn

Easy VPN Remote Phase: 8
Tunnel name : vpnclient
Inside interface list: GigabitEthernet0/2, GigabitEthernet1/0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed

The issue: Keep getting the same error:

Mar  4 22:38:13.706: EZVPN(vpnclient): *** Logic Error ***
Mar  4 22:38:13.706: EZVPN(vpnclient): Current State: CONNECT_REQUIRED
Mar  4 22:38:13.706: EZVPN(vpnclient): Event: XAUTH_STATUS
Mar  4 22:38:13.706: EZVPN(vpnclient): Resetting the EZVPN state machine to recover
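
The debug output posted in this thread repeats the same reset block many times. The following is an added example (not part of any post above, and not Cisco tooling) that collapses such output into one count per tunnel, state and event, and flags resets that were preceded by the server's save-password refusal. The sample log is constructed from the message formats quoted above; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the debug lines quoted in the thread.
# The first block is repeated (same timestamp) to imitate the reset loop.
EZ_RESET = """\
May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
"""
OTHER_RESET = """\
Mar  4 22:38:13.706: EZVPN(vpnclient): *** Logic Error ***
Mar  4 22:38:13.706: EZVPN(vpnclient): Current State: CONNECT_REQUIRED
Mar  4 22:38:13.706: EZVPN(vpnclient): Event: XAUTH_STATUS
Mar  4 22:38:13.706: EZVPN(vpnclient): Resetting the EZVPN state machine to recover
"""
SAMPLE_LOG = EZ_RESET * 3 + OTHER_RESET

LINE = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+ [\d:.]+): EZVPN\((?P<tun>[^)]+)\):? (?P<msg>.*)$")
FIELDS = {"Current State": "state", "Event": "event"}

def parse_resets(log):
    """Return one dict per completed 'Logic Error' reset block."""
    resets, cur, refused = [], None, set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and non-EZVPN messages
        tun, msg = m["tun"], m["msg"]
        if msg.startswith("Server does not allow save password"):
            refused.add(tun)  # remembered until this tunnel's next reset
        elif msg == "*** Logic Error ***":
            cur = {"tunnel": tun, "ts": m["ts"], "state": None, "event": None,
                   "save_pw_refused": tun in refused}
        elif cur and cur["tunnel"] == tun:
            key, _, val = msg.partition(": ")
            if key in FIELDS:
                cur[FIELDS[key]] = val
            elif msg.startswith("Resetting the EZVPN state machine"):
                resets.append(cur)
                cur = None
                refused.discard(tun)
    return resets

def summarize(log):
    """Count resets per (tunnel, state, event, save_pw_refused)."""
    return Counter((r["tunnel"], r["state"], r["event"], r["save_pw_refused"])
                   for r in parse_resets(log))
```

A reset group with `save_pw_refused` set to True matches the "Save Password: Disallowed" case discussed above; a group with False, like the 2014 report, loops for some other reason.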
