Cannot get 1801 to connect to 3015 with EZvpn

jason.scott · ‎03-23-2006

I cannot get a newly bought 1801 (adsl) to connect back to a 3015 via EZVPN. The irksome thing is the configuration is basically the same as I have for a 1701 router. The group and user configuration on the 3015 are the same too.

The error I am seeing in the debugs on the 1801 are as follows:

*Mar 23 16:54:21.858: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar 23 16:54:21.858: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Mar 23 16:54:21.858: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar 23 16:54:21.858: ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (I) AG_INIT_EXCH

On the Concentrator the following message is seen:

47440 03/23/2006 16:55:31.020 SEV=4 IKE/14 RPT=1748 x.x.x.x

Unknown Domain of Interpretation (DOI): 0

47441 03/23/2006 16:55:31.020 SEV=4 IKE/48 RPT=2695 x.x.x.x

Error processing payload: Payload ID: 1

The 1800s seem to have a new xauth command under the crypto ipsec client ezvpn configuration that you cannot bypass.

This configuration should be so simple. The group I'm using for the 1800 uses the ESP-3DES-MD5 proposals, the very same that is used for the 1700 site.

Any help greatly appreciated. I'm tearing my hair out wondering what simple thing I could be doing wrong.

jason.scott · ‎03-24-2006

As a test I thought I'd verify my VPN 3015 group configuration by shutting down the 1801 router and reconfiguring my existing working 1701 router to use the new sites group and user details. It worked, thus I can only surmise that the 1801 and its configuration are at fault. The configuration for the 1801 is attached.

I have checked many times that the group is configured for Xauth.

armin.kraus · ‎06-13-2006

Hi Jason,

I have the same problem as you described above. But I have to use a Cisco 1812 Router running IOS 12.4.

Are you having a solution for this issue ? Thanks for reply.