Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation

Who Me Too'd this topic

EZ VPN with NAT-T

msalah_mds
Level 1
Level 1

‎03-14-2012 01:55 AM

hello Guys,

am facing problem with EZVPN with nat-t my tunnel not coming up  with the virtual IP and if configur it with the real ip it will work with same config kindly find the topology and the config file attached and the debug which is showin bellow from client router debug

thanks

client router debug

*Mar  1 01:00:44.915: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  1 01:00:44.919: ISAKMP:(0): SA request profile is (NULL)

*Mar  1 01:00:44.919: ISAKMP: Created a peer struct for 40.40.4.2, peer port 500

*Mar  1 01:00:44.923: ISAKMP: New peer created peer = 0x65BFBE3C peer_handle = 0                         x80000004

*Mar  1 01:00:44.923: ISAKMP: Locking peer struct 0x65BFBE3C, refcount 1 for isa                         kmp_initiator

*Mar  1 01:00:44.923: ISAKMP:(0):Setting client config settings 6602FBB8

*Mar  1 01:00:44.923: ISAKMP: local port 500, remote port 500

*Mar  1 01:00:44.927: insert sa successfully sa = 65B31E38

*Mar  1 01:00:44.927: ISAKMP:(0): client mode configured.

*Mar  1 01:00:44.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar  1 01:00:44.939: ISAKMP:(0): constructed NAT-T vendor-07 ID

*Mar  1 01:00:44.939: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar  1 01:00:44.943: ISAKMP:(0): constructed NAT-T vendor-02 ID

*Mar  1 01:00:44.943: ISKAMP: growing send buffer from 1024 to 3072

*Mar  1 01:00:44.943: ISAKMP:(0):SA is doing pre-shared key authentication plus                          XAUTH using id type ID_KEY_ID

*Mar  1 01:00:44.947: ISAKMP (0:0): ID payload

        next-payload : 13

        type         : 11

        group id     : ezvpn

        protocol     : 17

        port         : 0

        length       : 13

*Mar  1 01:00:44.947: ISAKMP:(0):Total payload length: 13

*Mar  1 01:00:44.951: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM

*Mar  1 01:00:44.951: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 01:00:44.951: ISAKMP:(0): beginning Aggressive Mode exchange

*Mar  1 01:00:44.955: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_p                         ort 500 (I) AG_INIT_EXCH

*Mar  1 01:00:44.955: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  1 01:00:44.967: crypto_engine: Create DH

*Mar  1 01:00:54.955: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:00:54.955: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar  1 01:00:54.955: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar  1 01:00:54.959: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar  1 01:00:54.959: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  1 01:01:04.959: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:01:04.959: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Mar  1 01:01:04.959: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar  1 01:01:04.963: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar  1 01:01:04.963: ISAKMP:(0):Sending an IKE IPv4 Packet.

R4#

*Mar  1 01:01:14.963: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:01:14.963: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Mar  1 01:01:14.963: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar  1 01:01:14.967: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar  1 01:01:14.967: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  1 01:01:24.967: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:01:24.967: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

*Mar  1 01:01:24.967: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar  1 01:01:24.971: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar  1 01:01:24.971: ISAKMP:(0):Sending an IKE IPv4 Packet.

R4#

*Mar  1 01:01:34.971: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:01:34.971: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1

*Mar  1 01:01:34.971: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH

*Mar  1 01:01:34.975: ISAKMP:(0): sending packet to 40.40.4.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH

*Mar  1 01:01:34.975: ISAKMP:(0):Sending an IKE IPv4 Packet.

EZVPN(CISCO): IPSec connection terminated

*Mar  1 01:01:44.975: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...

*Mar  1 01:01:44.975: ISAKMP:(0):peer does not do paranoid keepalives.

*Mar  1 01:01:44.975: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 40.40.4.2)

*Mar  1 01:01:44.983: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=ezvpn  Client_public_addr=40.40.6.4  Server_public_addr=40.40.4.2

*Mar  1 01:01:44.987: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 40.40.4.2)

*Mar  1 01:01:44.991: ISAKMP: Unlocking peer struct 0x65BFBE3C for isadb_mark_sa_deleted(), count 0

*Mar  1 01:01:44.991: ISAKMP: Deleting peer node by peer_reap for 40.40.4.2: 65BFBE3C

*Mar  1 01:01:44.991: crypto engine: deleting DH SW:3

*Mar  1 01:01:44.995: crypto_engine: Delete DH

*Mar  1 01:01:44.995: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar  1 01:01:44.995: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

*Mar  1 01:01:44.999: IPSEC(key_engine): got a queue event with 1 KMI message(s)

1 person had this problem
124403-total config.txt.zip
143 KB
0 Helpful
Who Me Too'd this topic