08-28-2007 09:58 AM - edited 02-21-2020 03:14 PM
here are my configs
crypto ipsec client ezvpn ezvpn
connect auto
group ezvpn key xxxxxxxx
mode network-extension
peer xxxxxxxxxxxx
acl 101
username xxxxxxxxx password xxxxxxxxxxxxxx
xauth userid mode local
Now, I am a little confused about the "connect auto" command. We have a server built behind this router SiteA that our middleware server at Site B communicates with at night over the VPN tunnel. We have been having problems where at night when the Middleware server tries to communicate with the server it is unable too intiate the ezvpn tunnel on the router and build the vpn tunnel. What we find is in the morning we have to logon to the server and ping out from Site A to intiate the VPN tunnel. Does this seem right? My thought was the connect auto command specifies the VPN tunnel to automatically connect?
As a test we build a ping request on the Server at Site A towards Site B to create interesting traffic and let it run. We did not experience the VPN tunnel drops as before.
So my question is, isn't "connect auto" supposed to prevent this from happening by always keeping the VPN tunnel up?
Second queston is, "crypto isakmp keepalive 30 20 periodic" required to prevent this instead vs the connect auto?
I read the cisco documenation and it makes sense to me, but I wanted someone else's viewpoint or explanation to this.
09-03-2007 09:06 AM
The connect auto command has to be given under the crypto ipsec client ezvpn. For example look at the configuration in the link
crypto ipsec client ezvpn china
connect auto
09-05-2007 06:13 AM
Thank you for your response, however it already is under the crypto ipsec client ezvpn. Thanks for you reply.
09-13-2007 05:53 PM
I believe with connect auto and the username/password specified you should not be specifying "xauth userid mode..." at all. Do a no on that command and try it again.
09-13-2007 05:57 PM
Thank you for responding but from reading cisco's documentation, if I remove this then I have to manually enter in a username password which I don't want. It should use the stored username password in the crypto ezvpn client configs
interactive <---this is the default
To authenticate, the user must use the command-line interface (CLI) prompts on the console. Interactive is the default behavior
09-13-2007 08:25 PM
I think you should look at your ezvpn server.
Do you have on ezvpn server an option that permits users in group "ezvpn" to store their passwords?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: