
EasyVPN: crypto ipsec client ezvpn xauth

sivakumar_ks
Level 1

Hi

Every time I reboot an EasyVPN client, it prompts for a username and password by displaying the following command: "crypto ipsec client ezvpn xauth".

How do I make the connection persistent, so that it won't ask for a username and password at the next reboot?

I am using a Cisco 877 router as the EasyVPN server and a Cisco 877 router as the EasyVPN client.

My Easy VPN server configuration (Cisco 877) is as follows:

sh run
Building configuration...

Current configuration : 2306 bytes
!

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!

!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common

!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
username cisco password 5 121A0C0411045D5679
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngrp
key cisco123
save-password
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback10
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname theend0@yah.net
ppp chap password
crypto map clientmap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
ntp clock-period 17182092
ntp server 202.83.64.3
end

My Cisco 877 router client configuration:

sh run
Building configuration...

Current configuration : 1919 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Goldcoast
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model

!
!
dot11 syslog
ip cef
!
!
!
!
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
!
multilink bundle-name authenticated
!
!
!
!

!
!
!
crypto ipsec client ezvpn ez
connect auto
group vpngrp key cisco123
mode network-extension
peer 165.228.130.43
xauth userid mode interactive
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn ez inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
interface Dialer0
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname theend20@yg.net
ppp chap password
crypto ipsec client ezvpn ez
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 202.83.64.3
end

I am able to connect. But I want to make the connection dynamic rather than user interactive. Please help me.

Siva.

10 Replies

Hi,

Have you tried on the client to specify the user?

crypto ipsec client ezvpn ez
     username password

Federico.

I tried that, but it still came up as manual xauth, as set at the server end. But I can't find any option on the EasyVPN server related to manual or dynamic.

Siva.

The "save-password" command on the server should allow the remote client to save the XAUTH password.
If you issue the command:
"no xauth userid mode interactive"
on the client, does it ask for user credentials?

Federico.

Sorry for the late reply.

I am getting the following error after removing xauth. Here is the error.

May 14 12:43:47.020: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:47.020: EZVPN(ez): *** Logic Error ***
May 14 12:43:47.020: EZVPN(ez): Current State: READY
May 14 12:43:47.020: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:47.020: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:47.020: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=


May 14 12:43:49.272: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:49.272: EZVPN(ez): *** Logic Error ***
May 14 12:43:49.272: EZVPN(ez): Current State: READY
May 14 12:43:49.272: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:49.272: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:49.272: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:51.620: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:51.620: EZVPN(ez): *** Logic Error ***
May 14 12:43:51.620: EZVPN(ez): Current State: READY
May 14 12:43:51.620: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:51.620: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:51.624: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
May 14 12:43:53.701: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:53.701: EZVPN(ez): *** Logic Error ***
May 14 12:43:53.701: EZVPN(ez): Current State: READY
May 14 12:43:53.701: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:53.701: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:53.701: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr= Server_public_addr=
May 14 12:43:55.989: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:55.989: EZVPN(ez): *** Logic Error ***
May 14 12:43:55.989: EZVPN(ez): Current State: READY
May 14 12:43:55.989: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:55.989: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:55.989: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=
Goldcoast(config-crypto-ezvpn)#
May 14 12:43:58.009: EZVPN(ez) Server does not allow save password option,
enter your username and password manually
May 14 12:43:58.009: EZVPN(ez): *** Logic Error ***
May 14 12:43:58.009: EZVPN(ez): Current State: READY
May 14 12:43:58.009: EZVPN(ez): Event: MODE_CONFIG_REPLY
May 14 12:43:58.009: EZVPN(ez): Resetting the EZVPN state machine to recover
May 14 12:43:58.009: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=vpngrp  Client_public_addr=Server_public_addr=

Thanks,

siva.

Ok,
Add again the commands you have originally.

Question:
When you do a:
show crypto ipsec client ezvpn
on the client, does it say:
Save Password: Allowed

It could also be a software version issue. This would depend on which release this feature was introduced.
Please add this command:
crypto map clientmap client configuration address respond

Test again.

Federico.

Hi

show crypto ipsec client ezvpn

output

Inside interface list: Loopback0
Outside interface: Dialer0
Current State: XAUTH_REQ
Last Event: XAUTH_REQUEST
Save Password: Disallowed
Current EzVPN Peer:

I tried this command

crypto map clientmap client configuration address respond

at the client side, and still no luck.

Thanks,

siva.

Can you confirm whether the blog configuration at the URL below is correct for auto connect?

http://infotechaudit.blogspot.com/2009/10/dynamic-virtual-tunnel-interface-easy.html

siva

You're getting:

Save Password: Disallowed

That's why it keeps prompting for the password every time.

What's your IOS version?

Would you be able to upgrade if necessary?

Federico.

Hi Federico,

I have the same issue where my ezvpn gets reset. Can anyone please help?

I have the following information.

1. My IOS is c2900-universalk9-mz.SPA.151-4.M4.bin.

2. My configuration under EzVPN is:

crypto ipsec client ezvpn vpnclient
connect auto
group *********** key ************
mode network-extension
peer ********
acl 102
username ****** password **********
xauth userid mode local

3. Router#  show crypto ipsec client ezvpn

Easy VPN Remote Phase: 8
Tunnel name : vpnclient
Inside interface list: GigabitEthernet0/2, GigabitEthernet1/0
Outside interface: GigabitEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Save Password: Allowed

The issue:  Keep getting the same error:

Mar  4 22:38:13.706: EZVPN(vpnclient): *** Logic Error ***
Mar  4 22:38:13.706: EZVPN(vpnclient): Current State: CONNECT_REQUIRED
Mar  4 22:38:13.706: EZVPN(vpnclient): Event: XAUTH_STATUS
Mar  4 22:38:13.706: EZVPN(vpnclient): Resetting the EZVPN state machine to recover

ashegai
Level 1

Hello,

You have probably resolved this by now.

For someone who is experiencing the same issue, the following might help:

On the client side, add the following under crypto ipsec client ezvpn xxx:

- username *** password ***

- xauth userid mode local

This should do it.
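The checks walked through in the replies above, collected into one script as an added example (not code from any poster or from Cisco): it reads a client "show run" paste and the "Save Password:" line of "show crypto ipsec client ezvpn" and reports why XAUTH would still prompt. The function names, cause labels and sample values (EXAMPLE-KEY, 192.0.2.1, EXAMPLE-USER, EXAMPLE-PASS) are assumptions made for the illustration.

```python
import re

EZVPN_HEADER = re.compile(r"^crypto ipsec client ezvpn (\S+)$")

def parse_ezvpn_blocks(running_config):
    """Map tunnel name -> sub-commands; a block ends at the next '!' line."""
    blocks, current, at_start = {}, None, True
    for line in map(str.strip, running_config.splitlines()):
        if line.startswith("!"):
            current, at_start = None, True
        elif line and at_start:
            # First command after a '!' separator is a section header.
            m = EZVPN_HEADER.match(line)
            current = blocks.setdefault(m.group(1), []) if m else None
            at_start = False
        elif line and current is not None:
            current.append(line)
    return blocks

def xauth_prompt_causes(running_config, show_ezvpn_output):
    """Return (tunnel, cause) pairs explaining a manual XAUTH prompt."""
    m = re.search(r"^\s*Save Password:\s*(\S+)", show_ezvpn_output, re.M)
    save_password = m.group(1) if m else None
    causes = []
    for name, cmds in parse_ezvpn_blocks(running_config).items():
        mode = next((c.split()[-1] for c in cmds
                     if c.startswith("xauth userid mode ")), None)
        stored = any(re.match(r"username \S+ password \S+", c) for c in cmds)
        if mode == "interactive":
            causes.append((name, "xauth-mode-interactive"))
        if mode == "local" and not stored:
            causes.append((name, "local-mode-without-credentials"))
        if save_password == "Disallowed":
            causes.append((name, "server-disallows-save-password"))
    return causes

# Constructed samples modelled on the thread; key, peer and user are placeholders.
PROMPTING_CONFIG = """!
crypto ipsec client ezvpn ez
group vpngrp key EXAMPLE-KEY
mode network-extension
peer 192.0.2.1
xauth userid mode interactive
!
interface Dialer0
crypto ipsec client ezvpn ez
!"""
FIXED_CONFIG = PROMPTING_CONFIG.replace("xauth userid mode interactive",
    "username EXAMPLE-USER password EXAMPLE-PASS\nxauth userid mode local")
```

An empty result for the second sample only means that none of the three conditions named in the thread is present; the server group still needs save-password for the client to report "Save Password: Allowed".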
