EzVPN Server - Address allocation is broken in IOS 12.3(4)T, T1, T2

ovt
Level 4

Hi!

Can anybody explain what happened with address allocation from a local pool for Cisco VPN Clients in IOS 12.3(4)T?

The config:

crypto isakmp client configuration group localgroup
 key cisco
 pool default
 acl 150
ip local pool default 192.168.3.1 192.168.3.254

no longer works. Anybody please open a case!

IOS 12.3(4)T debug shows:

AAA/AUTHOR (0x2): Pick method list 'VPN-local'
ISAKMP/author: Author request successfully sent to AAA
ISAKMP:(0:1:HW:2):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(0:1:HW:2):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
ISAKMP:(0:1:HW:2):attributes sent in message:
Address: 0.2.0.0
ISAKMP: Using Framed-IP-Address 255.255.255.255
ISAKMP:(0:1:HW:2):allocating address 255.255.255.255
ISAKMP: Sending private address: 255.255.255.255

I.e., the pool allocates 255.255.255.255!?

In IOS 12.3(2)T everything is ok and debug shows:

AAA/AUTHOR/CRYPTO AAA: ISAKMP500(4220974356) user='localgroup'
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV service=ike
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): send AV protocol=ipsec
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): found list "VPN-local"
ISAKMP500 AAA/AUTHOR/CRYPTO AAA(4220974356): Method=LOCAL
AAA/AUTHOR (4220974356): Post authorization status = PASS_ADD
ISAKMP: got callback 1
AAA/AUTHOR/IKE: Processing AV service=ike
AAA/AUTHOR/IKE: Processing AV protocol=ipsec
AAA/AUTHOR/IKE: Processing AV tunnel-password=cisco
AAA/AUTHOR/IKE: Processing AV addr-pool*default
...
ISAKMP (0:3): attributes sent in message:
Address: 0.2.0.0
ISAKMP (0:3): allocating address 192.168.3.2
ISAKMP: Sending private address: 192.168.3.2

Oleg Tipisov,

REDCENTER,

Moscow


ovt
Level 4

Attention: Cisco programmers

It seems that the problem may be related to the new 12.3(4)T feature that allows per-user IPSec RADIUS attributes. It is now possible to allocate addresses on a per-user basis as part of XAUTH processing. The RADIUS attribute Framed-IP-Address is used for this. If this attribute is not present or is set to 255.x.y.z, tunnel establishment fails.

The workaround is to either specify the IP address on a per-user basis or use an AAA-server-defined address pool for XAUTHenticated users.

Note that AAA-client-defined address pools (the name of the pool is returned via the addr-pool cisco-avpair) do not work, so the bug should be corrected anyway.

Regards,

Oleg Tipisov,

REDCENTER,

Moscow
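As an added example, not from the thread, the following Python check reads the ISAKMP debug lines quoted in the first post and in the follow-up above and flags every pushed client address that is 255.x.y.z (the symptom reported here) or that falls outside the configured ip local pool. The pool statement and the sample debug lines are copied from the posts; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the pool statement from the thread's config and
# four debug lines copied from the posts (12.3(4)T, 12.3(2)T and 12.3(4)T1).
POOL_CONFIG = "ip local pool default 192.168.3.1 192.168.3.254"
DEBUG_LINES = [
    "ISAKMP: Using Framed-IP-Address 255.255.255.255",
    "ISAKMP:(0:1:HW:2):allocating address 255.255.255.255",
    "ISAKMP (0:3): allocating address 192.168.3.2",
    "*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):allocating address 192.168.1.17",
]

POOL_RE = re.compile(r"^ip local pool (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})")
# Both line styles carry the address the server is about to push to the client.
ADDR_RE = re.compile(r"(?:Using Framed-IP-Address|allocating address) (\d{1,3}(?:\.\d{1,3}){3})")


def parse_pool(config_line):
    """Return (name, first, last) from an 'ip local pool' statement."""
    m = POOL_RE.match(config_line.strip())
    if not m:
        raise ValueError("not an 'ip local pool' statement: %r" % config_line)
    return m.group(1), ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))


def check_address(addr, first, last):
    """Classify one pushed address as 'ok', 'invalid' or 'out-of-pool'."""
    a = ipaddress.IPv4Address(addr)
    # 255.x.y.z is what the thread reports when no per-user Framed-IP-Address
    # is returned; 0.0.0.0 is never a usable client address either.
    if a.packed[0] == 255 or a == ipaddress.IPv4Address("0.0.0.0"):
        return "invalid"
    if first <= a <= last:
        return "ok"
    return "out-of-pool"


def audit(config_line, lines):
    """Scan debug output and return [(address, verdict), ...] in log order."""
    _, first, last = parse_pool(config_line)
    results = []
    for line in lines:
        m = ADDR_RE.search(line)
        if m:
            results.append((m.group(1), check_address(m.group(1), first, last)))
    return results


if __name__ == "__main__":
    for addr, verdict in audit(POOL_CONFIG, DEBUG_LINES):
        print("%-16s %s" % (addr, verdict))
```

The last sample line comes from Munit's router, whose pool is different, so it is reported as out-of-pool rather than ok; that distinction is what separates the 255.x.y.z defect from a simple pool mismatch.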

msingla
Level 1

Hi,

I have local AAA defined and tested on 12.3(4)T1 on a 72xx router; it works fine. I am able to allocate an address to the IOS VPN client from the local pool defined on the VPN server.

See the debugs:

===========
Jan 17 15:43:28.838: ISAKMP (0:134217804): received packet from 1.1.1.2 dport 500 sport 500 Global (R) QM_IDLE
*Jan 17 15:43:28.838: ISAKMP: set new node -1349827177 to QM_IDLE
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):processing transaction payload from 1.1.1.2. message ID = -1349827177
*Jan 17 15:43:28.838: ISAKMP: Config payload REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):checking request:
*Jan 17 15:43:28.838: ISAKMP: IP4_ADDRESS
*Jan 17 15:43:28.838: ISAKMP: IP4_NETMASK
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_DNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: IP4_NBNS
*Jan 17 15:43:28.838: ISAKMP: SPLIT_INCLUDE
*Jan 17 15:43:28.838: ISAKMP: SPLIT_DNS
*Jan 17 15:43:28.838: ISAKMP: DEFAULT_DOMAIN
*Jan 17 15:43:28.838: ISAKMP: MODECFG_SAVEPWD
*Jan 17 15:43:28.838: ISAKMP: INCLUDE_LOCAL_LAN
*Jan 17 15:43:28.838: ISAKMP: PFS
*Jan 17 15:43:28.838: ISAKMP: BACKUP_SERVER
*Jan 17 15:43:28.838: ISAKMP: APPLICATION_VERSION
*Jan 17 15:43:28.838: ISAKMP/author: setting up the authorization request
*Jan 17 15:43:28.838: ISAKMP/author: Author request successfully sent to AAA
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Jan 17 15:43:28.838: ISAKMP:(0:76:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):attributes sent in message:
*Jan 17 15:43:28.842: Address: 0.2.0.0
*Jan 17 15:43:28.842: ISAKMP:(0:76:SW:1):allocating address 192.168.1.17
(***** note here address has been allocated after ike phase1)
*Jan 17 15:43:28.842: ISAKMP: Sending private address: 192.168.1.17
*Jan 17 15:43:28.842: ISAKMP: Sending Loopback0 subnet mask: 255.255.255.0
*Jan 17 15:43:28.842: ISAKMP: Sending save password reply value 0
*Jan 17 15:43:28.842: ISAKMP: Sending APPLICATION_VERSION string:

Could you please send me the config details?

Thanx,

Munit

Hi!

Put the user into RADIUS and it will stop working. I have sent you the configuration and debug output.

Thank you,

Oleg Tipisov,

REDCENTER,

Moscow