ezvpn doesn't work properly.

Jul 22nd, 2006

I have some problems configuring EzVPN between a router running IOS (client) and a VPN3K (server). I want the router to connect to the VPN3K without XAUTH (that is, without configuring a username and password on the router).

-----------------------------------------

The topology is the following:

VPN3K(public)-(dmz)PIX(outside)-(fa0/0)Router

VPN3K public: 10.10.2.1
PIX dmz: 10.10.2.254
PIX outside: 20.x.2.254
Router fa0/0: 20.x.2.1
ezvpn mode: Client
address pool on VPN3K: 10.10.3.1/32

-----------------------------------------

On VPN3K:

1. IKE proposal: CiscoVPNClient-3DES-MD5
   1) authentication mode: preshared (not preshared-xauth)
2. SA: ESP-3DES-MD5
   1) IKE Peer: 0.0.0.0
   2) Negotiation Mode: Main or Aggressive
   3) IKE Proposal: CiscoVPNClient-3DES-MD5
3. Group
   1) Name: ezvpn
   2) Password: xxx
   3) Type: Internal
4. Group-IPSec
   1) IPSec SA: ESP-3DES-MD5
   2) Tunnel Type: Remote Access
   3) Authentication: Internal or None


On Router:

crypto ipsec client ezvpn SJVPN
 connect auto
 group ezvpn key xxx
 peer 10.10.2.1
 mode client

interface Loopback0
 ip address 20.20.x.x.255.255.0
 crypto ipsec client ezvpn SJVPN inside

interface fa0/0
 ip address 20.20.x.x.255.255.0
 crypto ipsec client ezvpn SJVPN


On PIX:

static (dmz,outside) 10.10.2.1 10.10.2.1
access-list outside permit icmp any any
access-list outside permit udp host 20.20.2.1 host 10.10.2.1 eq isakmp
access-list outside permit udp host 20.20.2.1 host 10.10.2.1 eq 4500
access-group outside in int outside

-----------------------------------------

On R1:

ping 10.10.2.1
!!!!!


After completing the configuration as above, EzVPN didn't work properly.

I saw messages like the ones below:

5d16h: ISAKMP (0:9): beginning Aggressive Mode exchange
5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH
5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH...
5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1
5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH
5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH
5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH...
5d16h: ISAKMP (0:9): incrementing error counter on sa: retransmit phase 1
5d16h: ISAKMP (0:9): retransmitting phase 1 AG_INIT_EXCH
5d16h: ISAKMP (0:9): sending packet to 10.10.2.1 (I) AG_INIT_EXCH


What's wrong? What should I do?


TIA

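The debug output in the post shows the router sending the first Aggressive Mode message (AG_INIT_EXCH) to 10.10.2.1 and retransmitting it without ever seeing a reply, so the first thing to establish is whether that UDP/500 packet actually reaches the VPN3K public interface, and whether anything comes back. The following Python is an added example and is not part of the original post or of any Cisco tool: it decodes the ISAKMP fixed header (RFC 2408, section 3.1) from UDP/500 or NAT-T UDP/4500 payloads, as you would extract them from captures taken on the router's fa0/0 and on the DMZ side of the PIX, and then groups messages by initiator cookie to report phase 1 initiations that the peer never answered. The addresses are the ones in the thread (20.20.2.1 as written in the PIX ACL, and 10.10.2.1); the cookies and payload bytes are constructed test data, and the `build_isakmp` helper only fabricates test vectors, it does not model real IKE payloads.

```python
"""Added example: decode IKEv1/ISAKMP headers from captured UDP/500 or UDP/4500
payloads and check whether the peer ever answered an Aggressive Mode initiation."""
import struct
from collections import defaultdict

# ISAKMP fixed header, RFC 2408 section 3.1: initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4).
HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE on UDP/4500 (RFC 3948 section 2.2)
ZERO_COOKIE = b"\x00" * 8

EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 13: "VID"}


def parse_isakmp(datagram: bytes, dst_port: int = 500) -> dict:
    """Return the decoded ISAKMP header of one UDP payload; raise ValueError if it is not IKEv1."""
    body = datagram
    if dst_port == 4500:
        # On UDP/4500 IKE carries a four-zero-byte marker; anything else is UDP-encapsulated ESP.
        if not body.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker: ESP, not IKE")
        body = body[len(NON_ESP_MARKER):]
    if len(body) < HEADER.size:
        raise ValueError(f"datagram shorter than ISAKMP header ({len(body)} bytes)")
    icookie, rcookie, npayload, version, exch, flags, msgid, length = HEADER.unpack_from(body)
    if version >> 4 != 1:
        raise ValueError(f"IKE major version {version >> 4}, expected 1 (IKEv1)")
    if length != len(body):
        raise ValueError(f"header length {length} != datagram length {len(body)}: truncated capture?")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "first_payload": PAYLOAD_TYPES.get(npayload, f"unknown({npayload})"),
        "encrypted": bool(flags & 0x01),
        "message_id": msgid,
        "length": length,
        # A phase 1 message with an all-zero responder cookie can only be the initiator's
        # first message: the responder fills in its own cookie when it replies.
        "first_message": rcookie == ZERO_COOKIE and msgid == 0,
    }


def find_unanswered_initiations(packets, peer: str) -> dict:
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) from a capture.
    Group phase 1 traffic by initiator cookie and report how many initiations went to
    `peer` and whether `peer` ever sent anything back under that cookie."""
    result = defaultdict(lambda: {"exchange": None, "sent": 0, "answered": False})
    for src, dst, port, payload in packets:
        try:
            hdr = parse_isakmp(payload, port)
        except ValueError:
            continue  # not IKE (for example UDP-encapsulated ESP): ignore it
        entry = result[hdr["initiator_cookie"]]
        if dst == peer and hdr["first_message"]:
            entry["exchange"] = hdr["exchange"]
            entry["sent"] += 1
        elif src == peer and hdr["responder_cookie"] != ZERO_COOKIE.hex():
            entry["answered"] = True
    return dict(result)


def build_isakmp(icookie: bytes, rcookie: bytes, exch: int, payload: bytes,
                 first_payload: int = 1) -> bytes:
    """Constructed test vectors only: wrap opaque bytes in one generic payload header
    (RFC 2408 section 3.2) behind an ISAKMP header. Real SA/KE/ID payloads are not modelled."""
    generic = struct.pack("!BBH", 0, 0, 4 + len(payload)) + payload   # next=NONE, reserved, length
    return HEADER.pack(icookie, rcookie, first_payload, 0x10, exch, 0, 0,
                       HEADER.size + len(generic)) + generic


# Constructed sample traffic using the addresses from the thread.
ROUTER, VPN3K = "20.20.2.1", "10.10.2.1"
COOKIE_I = bytes.fromhex("a1b2c3d4e5f60718")   # constructed initiator cookie
COOKIE_R = bytes.fromhex("99887766554433ff")   # constructed responder cookie
AG_INIT = build_isakmp(COOKIE_I, ZERO_COOKIE, 4, b"\x00" * 20)     # AG_INIT_EXCH from the router
AG_REPLY = build_isakmp(COOKIE_I, COOKIE_R, 4, b"\x00" * 20)       # second AM message from the VPN3K

# Scenario A, what the debug output in the thread shows: three sends, nothing back.
SILENT_PEER = [(ROUTER, VPN3K, 500, AG_INIT)] * 3
# Scenario B: the VPN3K answers under the same initiator cookie.
ANSWERING_PEER = SILENT_PEER[:1] + [(VPN3K, ROUTER, 500, AG_REPLY)]

if __name__ == "__main__":
    print(parse_isakmp(AG_INIT))
    print("silent peer:   ", find_unanswered_initiations(SILENT_PEER, VPN3K))
    print("answering peer:", find_unanswered_initiations(ANSWERING_PEER, VPN3K))
```

Run the same check against a capture from the router's fa0/0 and one from the PIX DMZ side. If the initiation is in the fa0/0 capture but missing in the DMZ, the PIX is dropping it, and the static and the outside ACL (including that the source address the router actually uses is the one the ACL permits) are the first things to verify; if it reaches the DMZ and the VPN3K stays silent, the concentrator's own event log is the next place to look, since the router cannot see why a proposal was rejected.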
andrew100 Tue, 08/01/2006 - 08:38

Hi,


Just a couple of quick questions to see if I understand the topology. Is your VPN3K public interface on a private address? Also, did you manually put the loopback address into the remote router configuration? With EzVPN client mode the router obtains its address from the pool configured on the VPN3K; this is the loopback interface created dynamically when the tunnel is built. All traffic then NATs out on this loopback address. Is this the case?


Thanks :-)


Andy
