Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2134
Views
0
Helpful
5
Replies

crypto ipsec client ezvpn - connect auto command Question

glenthms
Level 1
Level 1

‎08-28-2007 09:58 AM - edited ‎02-21-2020 03:14 PM

here are my configs

crypto ipsec client ezvpn ezvpn

connect auto

group ezvpn key xxxxxxxx

mode network-extension

peer xxxxxxxxxxxx

acl 101

username xxxxxxxxx password xxxxxxxxxxxxxx

xauth userid mode local

Now, I am a little confused about the "connect auto" command. We have a server built behind this router SiteA that our middleware server at Site B communicates with at night over the VPN tunnel. We have been having problems where at night when the Middleware server tries to communicate with the server it is unable too intiate the ezvpn tunnel on the router and build the vpn tunnel. What we find is in the morning we have to logon to the server and ping out from Site A to intiate the VPN tunnel. Does this seem right? My thought was the connect auto command specifies the VPN tunnel to automatically connect?

As a test we build a ping request on the Server at Site A towards Site B to create interesting traffic and let it run. We did not experience the VPN tunnel drops as before.

So my question is, isn't "connect auto" supposed to prevent this from happening by always keeping the VPN tunnel up?

Second queston is, "crypto isakmp keepalive 30 20 periodic" required to prevent this instead vs the connect auto?

I read the cisco documenation and it makes sense to me, but I wanted someone else's viewpoint or explanation to this.

Labels:
0 Helpful
5 Replies 5

jbayuka
Level 5
Level 5

‎09-03-2007 09:06 AM

The connect auto command has to be given under the crypto ipsec client ezvpn. For example look at the configuration in the link

crypto ipsec client ezvpn china

connect auto

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

0 Helpful

glenthms
Level 1
Level 1
In response to jbayuka

‎09-05-2007 06:13 AM

Thank you for your response, however it already is under the crypto ipsec client ezvpn. Thanks for you reply.

0 Helpful

hacronin
Level 1
Level 1

‎09-13-2007 05:53 PM

I believe with connect auto and the username/password specified you should not be specifying "xauth userid mode..." at all. Do a no on that command and try it again.

0 Helpful

glenthms
Level 1
Level 1
In response to hacronin

‎09-13-2007 05:57 PM

Thank you for responding but from reading cisco's documentation, if I remove this then I have to manually enter in a username password which I don't want. It should use the stored username password in the crypto ezvpn client configs

interactive <---this is the default

To authenticate, the user must use the command-line interface (CLI) prompts on the console. Interactive is the default behavior

0 Helpful

a.alekseev
Level 7
Level 7

‎09-13-2007 08:25 PM

I think you should look at your ezvpn server.

Do you have on ezvpn server an option that permits users in group "ezvpn" to store their passwords?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents