EzVPN Server - Address allocation is broken in IOS 12.3(4)T, T1, T2


Hi!


Can anybody explain what happened with address allocation from a local pool for Cisco VPN Clients in IOS 12.3(4)T?


The config:


crypto isakmp client configuration group localgroup
 key cisco
 pool default
 acl 150
ip local pool default 192.168.3.1 192.168.3.254


no longer works. Anybody please open a case!



IOS 12.3(4)T debug shows:


AAA/AUTHOR (0x2): Pick method list 'VPN-local'
ISAKMP/author: Author request successfully sent to AAA
ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(0:1:HW:2):attributes sent in message:
Address: 0.2.0.0
ISAKMP: Using Framed-IP-Address 255.255.255.255
ISAKMP:(0:1:HW:2):allocating address 255.255.255.255
ISAKMP: Sending private address: 255.255.255.255


I.e. the pool allocates 255.255.255.255 !?



In IOS 12.3(2)T everything is ok and debug shows:


AAA/AUTHOR/CRYPTO AAA: ISAKMP500(4220974356) user='localgroup'
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV service=ike
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV protocol=ipsec
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): found list "VPN-local"
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): Method=LOCAL
AAA/AUTHOR (4220974356): Post authorization status = PASS_ADD
ISAKMP: got callback 1
AAA/AUTHOR/IKE: Processing AV service=ike
AAA/AUTHOR/IKE: Processing AV protocol=ipsec
AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco
AAA/AUTHOR/IKE: Processing AV addr-pool*default
...
ISAKMP (0:3): attributes sent in message:
Address: 0.2.0.0
ISAKMP (0:3): allocating address 192.168.3.2
ISAKMP: Sending private address: 192.168.3.2


Oleg Tipisov,

REDCENTER,

Moscow



Attention: Cisco programmers


It seems that the problem may be related to the new 12.3(4)T feature that allows per-user IPSec RADIUS attributes. Now it is possible to allocate addresses on a per-user basis as part of XAUTH processing. The RADIUS attribute Framed-IP-Address is used for this. If this attribute is not present or is set to 255.x.y.z, tunnel establishment fails.


The workaround is to either specify an IP address on a per-user basis or use an AAA-server-defined address pool for XAUTHenticated users.


Note that AAA-client-defined address pools (the name of the pool is returned via the addr-pool cisco-avpair) do not work, so the bug should be corrected anyway.


Regards,

Oleg Tipisov,

REDCENTER,

Moscow
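As an added illustration (not code from any of the posters), a small Python checker for the two debug captures compared above and for the Framed-IP-Address point in the follow-up: it reads the `ip local pool` statement from the posted config and classifies every `allocating address` line in an ISAKMP debug as inside the pool, outside the pool, or a leaked RFC 2865 Framed-IP-Address sentinel (255.255.255.255 and 255.255.255.254 are instructions to the NAS, not host addresses). The sample lines are taken from the captures quoted in this thread; the line format the regexes assume is the one shown there.

```python
import ipaddress
import re

# Constructed sample input: the pool statement from the thread's config and the
# "allocating address" lines quoted from the two debug captures above.
POOL_CONFIG = "ip local pool default 192.168.3.1 192.168.3.254"
DEBUG_BROKEN = """ISAKMP: Using Framed-IP-Address 255.255.255.255
ISAKMP:(0:1:HW:2):allocating address 255.255.255.255
ISAKMP: Sending private address: 255.255.255.255"""
DEBUG_GOOD = """ISAKMP (0:3): allocating address 192.168.3.2
ISAKMP: Sending private address: 192.168.3.2"""

# RFC 2865 reserves two Framed-IP-Address values as instructions to the NAS;
# they are not host addresses and must never be handed to a client.
RADIUS_SENTINELS = {
    ipaddress.ip_address("255.255.255.255"): "client may pick its own address",
    ipaddress.ip_address("255.255.255.254"): "NAS must pick from its own pool",
}

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)$", re.M)
ALLOC_RE = re.compile(r"allocating address (\d+(?:\.\d+){3})")


def parse_pool(config):
    """Return (name, first, last) from the first 'ip local pool' statement."""
    m = POOL_RE.search(config)
    if not m:
        raise ValueError("no 'ip local pool' statement found")
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))


def check_allocations(debug_text, config=POOL_CONFIG):
    """Classify every 'allocating address' line in an IOS ISAKMP debug capture.

    Returns a list of (address, verdict); verdict is 'ok' for an address inside
    the configured pool, otherwise a short description of what went wrong.
    """
    _, first, last = parse_pool(config)
    verdicts = []
    for m in ALLOC_RE.finditer(debug_text):
        addr = ipaddress.ip_address(m.group(1))
        if addr in RADIUS_SENTINELS:
            verdicts.append((str(addr), "RADIUS sentinel leaked: " + RADIUS_SENTINELS[addr]))
        elif first <= addr <= last:
            verdicts.append((str(addr), "ok"))
        else:
            verdicts.append((str(addr), "outside pool " + str(first) + "-" + str(last)))
    return verdicts
```

Running it over the 12.3(4)T capture reports the leaked sentinel, while the 12.3(2)T capture reports 192.168.3.2 as inside the pool.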


msingla Sat, 01/17/2004 - 02:19

Hi,

I have local AAA defined and tested on 12.3(4)T1 on a 72xx router. It works fine. I am able to allocate an address to the IOS VPN client from the local pool defined on the VPN server.



See the debugs:

===========
Jan 17 15:43:28.838: ISAKMP (0:134217804): received packet from 1.1.1.2 dport 500 sport 500 Global (R) QM_IDLE
*Jan 17 15:43:28.838: ISAKMP: set new node -1349827177 to QM_IDLE
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):processing transaction payload from 1.1.1.2. message ID = -1349827177
*Jan 17 15:43:28.838: ISAKMP: Config payload REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):checking request:
*Jan 17 15:43:28.838: ISAKMP: IP4_ADDRESS
*Jan 17 15:43:28.838: ISAKMP: IP4_NETMASK
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: SPLIT_INCLUDE
*Jan 17 15:43:28.838: ISAKMP: SPLIT_DNS
*Jan 17 15:43:28.838: ISAKMP: DEFAULT_DOMAIN
*Jan 17 15:43:28.838: ISAKMP: MODECFG_SAVEPWD
*Jan 17 15:43:28.838: ISAKMP: INCLUDE_LOCAL_LAN
*Jan 17 15:43:28.838: ISAKMP: PFS
*Jan 17 15:43:28.838: ISAKMP: BACKUP_SERVER
*Jan 17 15:43:28.838: ISAKMP: APPLICATION_VERSION
*Jan 17 15:43:28.838: ISAKMP/author: setting up the authorization request
*Jan 17 15:43:28.838: ISAKMP/author: Author request successfully sent to AAA
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):attributes sent in message:
*Jan 17 15:43:28.842: Address: 0.2.0.0
*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):allocating address 192.168.1.17
(***** note here address has been allocated after ike phase1)
*Jan 17 15:43:28.842: ISAKMP: Sending private address: 192.168.1.17
*Jan 17 15:43:28.842: ISAKMP: Sending Loopback0 subnet mask: 255.255.255.0
*Jan 17 15:43:28.842: ISAKMP: Sending save password reply value 0
*Jan 17 15:43:28.842: ISAKMP: Sending APPLICATION_VERSION string:


Could you please send me the config details?


Thanx,

Munit
