Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Problem with no-xauth

Hi folks,

We have a number of VPN clients connecting in with no problems but in addition we have a site-to-site vpn connection that needs xauth turned off. The PIX config is as follows (no real IP's or key's included!) -

crypto ipsec transform-set test esp-des esp-md5-hmac

crypto dynamic-map testmap 10 set transform-set test

crypto map ourmap 10 ipsec-isakmp dynamic testmap

crypto map ourmap client authentication authinbound

crypto map ourmap interface outside

isakmp enable outside

isakmp key secretkey address xxx.1.1.1 netmask xxx.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp client configuration address-pool local ip_pool outside

isakmp nat-traversal 20

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup testgroup address-pool ip_pool

vpngroup testgroup dns-server 2.2.2.2 2.2.2.3

vpngroup testgroup wins-server 3.3.3.3 3.3.3.4

vpngroup testgroup idle-time 1800

vpngroup testgroup password secretkey

and on the remote router (an 837)

crypto ipsec client ezvpn test

connect auto

group testgroup key 0 secretkey

mode network-extension

peer 5.5.5.5

The problem is that the console on the 837 still prompts for a userid/password even with the no-xauth statement on the PIX. (If I enter a valid userid/password then everything works perfectly).

If I look at the connection after putting in the userid/password with "sh cry eng con act" the IP address definitely matches the one entered in the PIX for no-xauth.

Have I got the syntax wrong somewhere?

many thanks,

Andrew Burns

2 REPLIES
Silver

Re: Problem with no-xauth

Hi Andrew,

Pls try issuing the following two commands:

crypto isakmp key test address 0.0.0.0 0.0.0.0 no-xauth

no crypto isakmp key test address 0.0.0.0 0.0.0.0 no-xauth

Community Member

Re: Problem with no-xauth

Hi Ursula,

I finally got a reply from Cisco about this issue, summarised as follows:

"It's not possible to use ezvpn without xauth if xauth is enabled for vpnclients - To do this you need to manually create the vpn, making sure the crypto map sequence number is less than the one assigned to the dynamic crypto map"

I did this and it now works fine.

thanks,

Andrew.

463
Views
0
Helpful
2
Replies
CreatePlease to create content