Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
333
Views
0
Helpful
3
Replies

Easy VPN "Phase I" and 3030 - Compatible Transform Set?

mpervere
Level 1
Level 1

‎09-06-2002 09:02 AM - edited ‎02-21-2020 12:02 PM

Hi All -

I'm working with a 1710 EZVPN client, using the "Phase I" release 12.2(4)YA. (Unfortunately, the "Phase II" release 12.2(8)YJ is the first release that takes more RAM than the 1710's shipped with a mere 2 months ago).

The question is, is there a compatible set of transforms that will work between this "Phase I" EZVPN client and a 3030? All EZVPN documentation just talks to this magic set of transforms built into the client that will work with a 3030, but they don't, regardless of what I've tried on either end.

Has anybody out there successfully gotten this combination to work?

Thanks!

Mike

Labels:
0 Helpful
3 Replies 3

mpervere
Level 1
Level 1

‎09-06-2002 03:01 PM

Well, let me answer my own question...(and add a lesson learned or two).

The 12.2(4)YA2 version will indeed work with the 3030. Specifically, it works with 3.6.1, but probably would have worked with the older code too. In fact, the problem has nothing to do with the transforms at all -- once it worked, it worked with just about every transform I threw at it. I was getting faked out on the debugs, when in reality the problem was way back early in Phase I. The "public" side of the 3030 is behind a NAT'ing router, so the client was calling up with a pre-shared key to the public address, but then the 3030 was answering back with a a pre-shared key that appeared to come from the RFC address. Occasionally, the router would recognize that and flag it as "no pre-shared key for peer 192.168.x.x", but usually it would just press on and attempt to negotiate (and fail).

Though there has to be a better way to work around it, I just added a static "crypto isakmp key" for the RFC/private address, identical to the EZVPN group pre-shared key, and it works fine. I don't like revealing that correlation between public and private IP addresses in the router (the VPN Concentrator should be able to spoof it), but if it works I'm not arguing.

Thanks!

Mike

0 Helpful

jerry.roy
Level 1
Level 1
In response to mpervere

‎09-06-2002 04:58 PM

What version of code is Minumum requirement on the 1710?

I have the latest 3030 code. Can you send a 1710 Exmple config?

Thanks,

Jerry Roy

0 Helpful

mpervere
Level 1
Level 1
In response to jerry.roy

‎09-06-2002 07:24 PM

From everything I can find, there are only two versions that support EZVPN on the 1710. 12.2(4)YA2 supports the original "Phase I" version, and 12.2(8)YJ supports the new "Phase II" version. Supposedly it was going to mainline somewhere along the way, but it doesn't seem to have happened yet. Only problem with the 12.2(8) version is it requires 48MB RAM, while 12.2(4) only needs 32MB (which was the default shipping configuration on the 1710).

There's a pretty good sample configuration in the 12.2(4)YA release notes, as well as screen shots on how to set up the 3000. Otherwise, drop me a note off-line, and I'll see what I can pull together.

Mike

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents