Community Member

Easy-vpn with certificates ; Xauth not complete

Hi,

I'm testing with 2 routers to implement Enhanced Easy VPN with certificates. I have a third router which acts as CA server and gives certificates to both routers.

I see that my isakmp session comes up and says completed, but after 50 sec the isakmp goes down again with the error message:

Mar  1 05:59:26.981: ISAKMP:(1015):deleting SA reason "XAUTH not complete 1" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 05:59:26.981: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.

I can't find the reason why, and actually I don't need the Xauth :-(

I tried disabling the xauth by removing the command "client authentication list" under the isakmp profile configuration, but then it starts continuously trying to set up the VPN.

- How can I disable the Xauth?

- Or how can I resolve the error message?

Mar  1 05:58:36.037: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
Mar  1 05:58:36.037: ISAKMP:      encryption 3DES-CBC
Mar  1 05:58:36.037: ISAKMP:      hash SHA
Mar  1 05:58:36.037: ISAKMP:      default group 2
Mar  1 05:58:36.037: ISAKMP:      auth XAUTHInitRSA
Mar  1 05:58:36.037: ISAKMP:      life type in seconds
Mar  1 05:58:36.037: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar  1 05:58:36.037: ISAKMP:(0):atts are acceptable. Next payload is 3
Mar  1 05:58:36.037: ISAKMP:(0):Acceptable atts:actual life: 86400
Mar  1 05:58:36.037: ISAKMP:(0):Acceptable atts:life: 0
Mar  1 05:58:36.037: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar  1 05:58:36.037: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Mar  1 05:58:36.037: ISAKMP:(0):Returning Actual lifetime: 86400
Mar  1 05:58:36.037: ISAKMP:(0)::Started lifetime timer: 86400.

Mar  1 05:58:36.041: ISAKMP:(0): processing vendor id payload
Mar  1 05:58:36.045: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Mar  1 05:58:36.045: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Mar  1 05:58:36.049: ISAKMP:(0): processing vendor id payload
Mar  1 05:58:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar  1 05:58:36.053: ISAKMP (0:0): vendor ID is NAT-T v7
Mar  1 05:58:36.053: ISAKMP:(0): processing vendor id payload
Mar  1 05:58:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Mar  1 05:58:36.053: ISAKMP:(0): vendor ID is NAT-T v3
Mar  1 05:58:36.053: ISAKMP:(0): processing vendor id payload
Mar  1 05:58:36.053: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar  1 05:58:36.053: ISAKMP:(0): vendor ID is NAT-T v2
Mar  1 05:58:36.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 05:58:36.053: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Mar  1 05:58:36.053: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar  1 05:58:36.053: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar  1 05:58:36.053: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar  1 05:58:36.053: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 05:58:36.057: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Mar  1 05:58:36.141: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
Mar  1 05:58:36.145: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 05:58:36.149: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Mar  1 05:58:36.161: ISAKMP:(0): processing KE payload. message ID = 0
Mar  1 05:58:36.241: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar  1 05:58:36.241: ISAKMP:(1015): processing CERT_REQ payload. message ID = 0
Mar  1 05:58:36.241: ISAKMP:(1015): peer wants a CT_X509_SIGNATURE cert
Mar  1 05:58:36.241: ISAKMP:(1015): peer wants cert issued by cn=cs_server
Mar  1 05:58:36.241:  Choosing trustpoint cs_server as issuer
Mar  1 05:58:36.245: ISAKMP:(1015): processing vendor id payload
Mar  1 05:58:36.245: ISAKMP:(1015): vendor ID is Unity
Mar  1 05:58:36.249: ISAKMP:(1015): processing vendor id payload
Mar  1 05:58:36.253: ISAKMP:(1015): vendor ID is DPD
Mar  1 05:58:36.253: ISAKMP:(1015): processing vendor id payload
Mar  1 05:58:36.253: ISAKMP:(1015): speaking to another IOS box!
Mar  1 05:58:36.253: ISAKMP:received payload type 20
Mar  1 05:58:36.253: ISAKMP:received payload type 20
Mar  1 05:58:36.253: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 05:58:36.253: ISAKMP:(1015):Old State = IKE_R_MM3  New State = IKE_R_MM3

Mar  1 05:58:36.253: ISAKMP (0:1015): constructing CERT_REQ for issuer cn=cs_server
Mar  1 05:58:36.253: ISAKMP:(1015): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 05:58:36.253: ISAKMP:(1015):Sending an IKE IPv4 Packet.
Mar  1 05:58:36.253: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 05:58:36.257: ISAKMP:(1015):Old State = IKE_R_MM3  New State = IKE_R_MM4

Mar  1 05:58:36.481: ISAKMP (0:1015): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
Mar  1 05:58:36.493: ISAKMP:(1015):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 05:58:36.493: ISAKMP:(1015):Old State = IKE_R_MM4  New State = IKE_R_MM5

Mar  1 05:58:36.505: ISAKMP:(1015): processing ID payload. message ID = 0
Mar  1 05:58:36.513: ISAKMP (0:1015): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=R1_CL.argenta.be
        protocol     : 17
        port         : 500
        length       : 43
Mar  1 05:58:36.529: ISAKMP:(0):: UNITY's identity FQDN but no group info
Mar  1 05:58:36.533: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 05:58:36.537: ISAKMP:(1015): processing CERT payload. message ID = 0
Mar  1 05:58:36.537: ISAKMP:(1015): processing a CT_X509_SIGNATURE cert
Mar  1 05:58:36.553: ISAKMP:(1015): peer's pubkey is cached
Mar  1 05:58:36.565: ISAKMP:(1015): Unable to get DN from certificate!
Mar  1 05:58:36.565: ISAKMP:(1015): Cert presented by peer contains no OU field.
Mar  1 05:58:36.565: ISAKMP:(0):: UNITY's identity FQDN but no group info
Mar  1 05:58:36.565: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 05:58:36.565: ISAKMP:(1015): processing SIG payload. message ID = 0
Mar  1 05:58:36.565: ISAKMP:received payload type 17
Mar  1 05:58:36.565: ISAKMP:(1015): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 64E76170
Mar  1 05:58:36.565: ISAKMP:(1015):SA authentication status:
        authenticated
Mar  1 05:58:36.565: ISAKMP:(1015):SA has been authenticated with 192.168.1.1
Mar  1 05:58:36.565: ISAKMP:(1015):SA authentication status:
        authenticated
Mar  1 05:58:36.565: ISAKMP:(1015): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.2 remote 192.168.1.1 remote port 500
Mar  1 05:58:36.565: ISAKMP: Trying to insert a peer 192.168.1.2/192.168.1.1/500/,  and inserted successfully 65DBD204.
Mar  1 05:58:36.569: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 05:58:36.573: ISAKMP:(1015):Old State = IKE_R_MM5  New State = IKE_R_MM5

Mar  1 05:58:36.613: ISAKMP:(1015):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar  1 05:58:36.613: ISAKMP:(1015):Using FQDN as My ID
Mar  1 05:58:36.613: ISAKMP:(1015):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
Mar  1 05:58:36.613: ISAKMP (0:1015): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R2_SE.argenta.be
        protocol     : 17
        port         : 500
        length       : 24
Mar  1 05:58:36.613: ISAKMP:(1015):Total payload length: 24
Mar  1 05:58:36.613: ISAKMP (0:1015): constructing CERT payload for hostname=R2_SE.argenta.be
Mar  1 05:58:36.613: ISAKMP:(1015): using the cs_server trustpoint's keypair to sign
Mar  1 05:58:36.693: ISAKMP:(1015): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 05:58:36.693: ISAKMP:(1015):Sending an IKE IPv4 Packet.
Mar  1 05:58:36.697: ISAKMP:(1015):Returning Actual lifetime: 86400
Mar  1 05:58:36.701: ISAKMP: set new node -1959077148 to QM_IDLE     
Mar  1 05:58:36.705: ISAKMP:(1015):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 1731544720, message ID = -1959077148
Mar  1 05:58:36.713: ISAKMP:(1015): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 05:58:36.713: ISAKMP:(1015):Sending an IKE IPv4 Packet.
Mar  1 05:58:36.717: ISAKMP:(1015):purging node -1959077148
Mar  1 05:58:36.721: ISAKMP: Sending phase 1 responder lifetime 86400

Mar  1 05:58:36.721: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 05:58:36.721: ISAKMP:(1015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Mar  1 05:58:36.721: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar  1 05:58:36.721: ISAKMP:(1015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar  1 05:59:26.885: ISAKMP (0:1015): received packet from 192.168.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Mar  1 05:59:26.889: ISAKMP: set new node -2063648953 to QM_IDLE     
Mar  1 05:59:26.897: ISAKMP:(1015): processing HASH payload. message ID = -2063648953
Mar  1 05:59:26.897: ISAKMP:received payload type 18
Mar  1 05:59:26.901: ISAKMP:(1015):Processing delete with reason payload
Mar  1 05:59:26.901: ISAKMP:(1015):delete doi = 1
Mar  1 05:59:26.905: ISAKMP:(1015):delete protocol id = 1
Mar  1 05:59:26.905: ISAKMP:(1015):delete spi_size =  16
Mar  1 05:59:26.909: ISAKMP:(1015):delete num spis = 1
Mar  1 05:59:26.909: ISAKMP:(1015):delete_reason = 16
Mar  1 05:59:26.913: ISAKMP:(1015): processing DELETE_WITH_REASON payload, message ID = -2063648953, reason: Unknown delete reason!
Mar  1 05:59:26.917: ISAKMP:(1015):peer does not do paranoid keepalives.

Mar  1 05:59:26.921: ISAKMP:(1015):deleting SA reason "XAUTH not complete 1" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 05:59:26.925: ISAKMP:(1015):deleting node -2063648953 error FALSE reason "Informational (in) state 1"
Mar  1 05:59:26.953: ISAKMP: set new node -495900571 to QM_IDLE     
Mar  1 05:59:26.961: ISAKMP:(1015): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) QM_IDLE     
Mar  1 05:59:26.965: ISAKMP:(1015):Sending an IKE IPv4 Packet.
Mar  1 05:59:26.969: ISAKMP:(1015):purging node -495900571
Mar  1 05:59:26.973: ISAKMP:(1015):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar  1 05:59:26.977: ISAKMP:(1015):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Mar  1 05:59:26.981: ISAKMP:(1015):deleting SA reason "XAUTH not complete 1" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 05:59:26.981: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Mar  1 05:59:26.981: ISAKMP: Unlocking peer struct 0x65DBD204 for isadb_mark_sa_deleted(), count 0
Mar  1 05:59:26.981: ISAKMP: Deleting peer node by peer_reap for 192.168.1.1: 65DBD204
Mar  1 05:59:26.981: ISAKMP:(1015):deleting node -2063648953 error FALSE reason "IKE deleted"
Mar  1 05:59:26.981: ISAKMP:(1015):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 05:59:26.985: ISAKMP:(1015):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Mar  1 05:59:26.989: IPSEC(key_engine): got a queue event with 1 KMI message(s)
un all

VPN Server

--------------------

! Last configuration change at 05:58:24 UTC Fri Mar 1 2002
! NVRAM config last updated at 02:40:11 UTC Fri Mar 1 2002
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2_SE
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius EzVPN
!
aaa authentication login easyVPN local
aaa authorization network easyVPN local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
ip domain name argenta.be
ip host cs_server 192.168.3.4
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!        
!
!
!
!
!
!
!
crypto pki trustpoint cs_server
enrollment url http://192.168.3.4:80
revocation-check crl
auto-enroll 70
!
!
crypto pki certificate chain cs_server
certificate 03
        quit
certificate ca 01
        quit
!
!
username cisco password 0 cisco
archive
log config
  hidekeys
!
crypto keyring ezvpn-spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 2
encr 3des
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2 
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group easyvpn-group
dns 172.16.226.120 172.16.168.183
domain cisco.com
save-password
crypto isakmp profile vi
   ca trust-point cs_server
   match identity group easyvpn-group
   client authentication list easyVPN
   isakmp authorization list easyVPN
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!        
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
ip local pool easyvpn-pool 192.168.1.3 192.168.1.10
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!        
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period 17179880
ntp server 192.168.3.4
!
end

R2_SE#

VPN client

------------------

R1_CL#sho run
Building configuration...

Current configuration : 3841 bytes
!
! Last configuration change at 05:16:22 UTC Fri Mar 1 2002
! NVRAM config last updated at 03:42:50 UTC Fri Mar 1 2002
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1_CL
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!        
ip domain name argenta.be
ip host cs_server 192.168.3.4
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint cs_server
enrollment url http://cs_server:80
revocation-check crl
!
!
crypto pki certificate chain cs_server
certificate 04
        quit
certificate ca 01
        quit
!
!
archive
log config
  hidekeys
!
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec client ezvpn easyvpn-group
connect manual
mode network-extension
peer 192.168.1.2
username cisco password cisco
xauth userid mode local
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn easyvpn-group
!        
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn easyvpn-group inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!
control-plane
!
!
!        
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
ntp clock-period 17179936
ntp server 192.168.3.4
!
end
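
The responder debug above shows main mode reaching IKE_P1_COMPLETE with RSA signatures plus XAUTH, then the SA torn down with "XAUTH not complete", next to "peer matches *none* of the profiles" and "Cert presented by peer contains no OU field". As an added example that is not part of this thread, the Python script below triages a `debug crypto isakmp` capture in this line format: it follows the per-SA state transitions, collects delete reasons and the indicator messages, and prints a one-line verdict. The explanations attached to indicators are my reading of the messages, and the embedded sample is a constructed excerpt of the posted debug.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (added example, not a Cisco tool).

Parses the debug line format seen in this thread, follows the IKE state machine per SA,
collects the messages that explain a teardown and produces a one-line verdict."""
import re
from collections import defaultdict

# Constructed excerpt of the responder debug posted in the thread (continuation lines kept on purpose).
SAMPLE_DEBUG = """\
Mar  1 05:58:36.037: ISAKMP:(0):Checking ISAKMP transform 13 against priority 2 policy
Mar  1 05:58:36.037: ISAKMP:      auth XAUTHInitRSA
Mar  1 05:58:36.057: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
Mar  1 05:58:36.513: ISAKMP (0:1015): ID payload
        type         : 9
        Dist. name   : hostname=R1_CL.argenta.be
Mar  1 05:58:36.529: ISAKMP:(0):: UNITY's identity FQDN but no group info
Mar  1 05:58:36.533: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 05:58:36.565: ISAKMP:(1015): Cert presented by peer contains no OU field.
Mar  1 05:58:36.565: ISAKMP:(1015):SA has been authenticated with 192.168.1.1
Mar  1 05:58:36.613: ISAKMP:(1015):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
Mar  1 05:58:36.721: ISAKMP:(1015):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
Mar  1 05:59:26.921: ISAKMP:(1015):deleting SA reason "XAUTH not complete 1" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 05:59:26.977: ISAKMP:(1015):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

# One debug line: timestamp, "ISAKMP", an optional SA id written as "(1015)", "(0:1015)" or "(0)",
# then the message.  Indented continuation lines (payload fields) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): ISAKMP"
    r"(?::?\s?\(?(?:0:)?(?P<sa>\d+)\))?"
    r":*\s*(?P<msg>.*)$"
)
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
AUTH_RE = re.compile(r"SA is doing (.+?) using id type \S+")

# Substrings worth surfacing, with this script's reading of what each one means.
INDICATORS = [
    ("auth XAUTHInitRSA", "peer proposes RSA signatures plus XAUTH"),
    ("Encryption algorithm offered does not match policy",
     "one proposal rejected by this policy (fatal only if no transform is accepted)"),
    ("UNITY's identity FQDN but no group info", "no Easy VPN group name could be derived for the peer"),
    ("peer matches *none* of the profiles", "no isakmp profile matched the peer identity"),
    ("contains no OU field", "peer certificate has no OU field, where a group name would be read from"),
    ("No provision for the request", "mode-config REQUEST rejected by the responder"),
]

def parse_debug(text):
    """Yield (timestamp, sa_id or None, message) for each ISAKMP debug line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("sa"), m.group("msg").strip()

def triage(text):
    """Summarise one capture: per-SA state path, auth modes, delete reasons, indicators, verdict."""
    states = defaultdict(list)
    r = {"auth_modes": [], "delete_reasons": [], "indicators": [], "phase1_completed": False}
    seen = set()
    for ts, sa, msg in parse_debug(text):
        if (m := STATE_RE.search(msg)) and sa is not None:
            old, new = m.groups()
            if not states[sa]:
                states[sa].append(old)
            states[sa].append(new)
            if new == "IKE_P1_COMPLETE":
                r["phase1_completed"] = True
        if (m := DELETE_RE.search(msg)) and m.group(1) not in r["delete_reasons"]:
            r["delete_reasons"].append(m.group(1))
        if m := AUTH_RE.search(msg):
            r["auth_modes"].append(m.group(1))
        for needle, why in INDICATORS:
            if needle in msg and needle not in seen:  # report the first occurrence only
                seen.add(needle)
                r["indicators"].append((ts, needle, why))
    r["sa_states"] = dict(states)
    r["verdict"] = verdict(r)
    return r

def verdict(r):
    """One line stating where the negotiation stopped."""
    if not r["phase1_completed"]:
        return "Phase 1 never completed; check the proposal and authentication indicators"
    if r["delete_reasons"]:
        return "Phase 1 completed, then the SA was torn down: " + "; ".join(r["delete_reasons"])
    return "Phase 1 completed and no teardown was seen"

if __name__ == "__main__":
    report = triage(SAMPLE_DEBUG)
    for sa, path in report["sa_states"].items():
        print(f"SA {sa}: {' -> '.join(path)}")
    for ts, needle, why in report["indicators"]:
        print(f"{ts}  {needle!r}: {why}")
    print(report["verdict"])
```

Feed it a full `debug crypto isakmp` capture via `triage(open(path).read())`; the responder's debug from later in the thread will surface the "No provision for the request" indicator and the IKMP_ERR_NO_RETRANS delete reason instead.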

7 REPLIES
Cisco Employee

Re: Easy-vpn with certificates ; Xauth not complete

Try the following:

no crypto isakmp key cisco address 0.0.0.0 0.0.0.0

You don't need the wildcard pre-shared key since you are using certificates.

Also remove this:

client authentication list easyVPN

Community Member

Re: Easy-vpn with certificates ; Xauth not complete

Hi

I tried it; now the xauth message is gone, but I get another message :-(

Mar  1 08:47:28.873: ISAKMP:      encryption DES-CBC
Mar  1 08:47:28.873: ISAKMP:      hash MD5
Mar  1 08:47:28.873: ISAKMP:      default group 2
Mar  1 08:47:28.873: ISAKMP:      auth XAUTHInitRSA
Mar  1 08:47:28.873: ISAKMP:      life type in seconds
Mar  1 08:47:28.873: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar  1 08:47:28.873: ISAKMP:(0):Encryption algorithm offered does not match policy!
Mar  1 08:47:28.873: ISAKMP:(0):atts are not acceptable. Next payload is 3
Mar  1 08:47:28.873: ISAKMP:(0):Checking ISAKMP transform 17 against priority 2 policy
Mar  1 08:47:28.873: ISAKMP:      encryption 3DES-CBC
Mar  1 08:47:28.873: ISAKMP:      hash SHA
Mar  1 08:47:28.873: ISAKMP:      default group 2
Mar  1 08:47:28.873: ISAKMP:      auth RSA sig
Mar  1 08:47:28.873: ISAKMP:      life type in seconds
Mar  1 08:47:28.873: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Mar  1 08:47:28.873: ISAKMP:(0):atts are acceptable. Next payload is 3
Mar  1 08:47:28.873: ISAKMP:(0):Acceptable atts:actual life: 86400
Mar  1 08:47:28.873: ISAKMP:(0):Acceptable atts:life: 0
Mar  1 08:47:28.873: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar  1 08:47:28.873: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Mar  1 08:47:28.873: ISAKMP:(0):Returning Actual lifetime: 86400
Mar  1 08:47:28.873: ISAKMP:(0)::Started lifetime timer: 86400.

Mar  1 08:47:28.873: ISAKMP:(0): processing vendor id payload
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Mar  1 08:47:28.873: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
Mar  1 08:47:28.873: ISAKMP:(0): processing vendor id payload
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
Mar  1 08:47:28.873: ISAKMP (0:0): vendor ID is NAT-T v7
Mar  1 08:47:28.873: ISAKMP:(0): processing vendor id payload
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID is NAT-T v3
Mar  1 08:47:28.873: ISAKMP:(0): processing vendor id payload
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar  1 08:47:28.873: ISAKMP:(0): vendor ID is NAT-T v2
Mar  1 08:47:28.873: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 08:47:28.873: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Mar  1 08:47:28.873: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar  1 08:47:28.877: ISAKMP:(0): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
Mar  1 08:47:28.881: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar  1 08:47:28.885: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 08:47:28.885: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Mar  1 08:47:29.009: ISAKMP (0:0): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
Mar  1 08:47:29.017: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 08:47:29.021: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Mar  1 08:47:29.029: ISAKMP:(0): processing KE payload. message ID = 0
Mar  1 08:47:29.077: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar  1 08:47:29.077: ISAKMP:(1055): processing CERT_REQ payload. message ID = 0
Mar  1 08:47:29.081: ISAKMP:(1055): peer wants a CT_X509_SIGNATURE cert
Mar  1 08:47:29.089: ISAKMP:(1055): peer wants cert issued by cn=cs_server OU \= easyvpn-group
Mar  1 08:47:29.093:  Choosing trustpoint cs_server as issuer
Mar  1 08:47:29.097: ISAKMP:(1055): processing vendor id payload
Mar  1 08:47:29.101: ISAKMP:(1055): vendor ID is Unity
Mar  1 08:47:29.105: ISAKMP:(1055): processing vendor id payload
Mar  1 08:47:29.109: ISAKMP:(1055): vendor ID is DPD
Mar  1 08:47:29.113: ISAKMP:(1055): processing vendor id payload
Mar  1 08:47:29.117: ISAKMP:(1055): speaking to another IOS box!
Mar  1 08:47:29.117: ISAKMP:received payload type 20
Mar  1 08:47:29.121: ISAKMP:received payload type 20
Mar  1 08:47:29.125: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 08:47:29.125: ISAKMP:(1055):Old State = IKE_R_MM3  New State = IKE_R_MM3

Mar  1 08:47:29.125: ISAKMP (0:1055): constructing CERT_REQ for issuer cn=cs_server OU \= easyvpn-group
Mar  1 08:47:29.125: ISAKMP:(1055): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 08:47:29.125: ISAKMP:(1055):Sending an IKE IPv4 Packet.
Mar  1 08:47:29.125: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 08:47:29.125: ISAKMP:(1055):Old State = IKE_R_MM3  New State = IKE_R_MM4

Mar  1 08:47:29.325: ISAKMP (0:1055): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
Mar  1 08:47:29.337: ISAKMP:(1055):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 08:47:29.337: ISAKMP:(1055):Old State = IKE_R_MM4  New State = IKE_R_MM5

Mar  1 08:47:29.349: ISAKMP:(1055): processing ID payload. message ID = 0
Mar  1 08:47:29.357: ISAKMP (0:1055): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : hostname=R1_CL.argenta.be
        protocol     : 17
        port         : 500
        length       : 43
Mar  1 08:47:29.373: ISAKMP:(0):: UNITY's identity FQDN but no group info
Mar  1 08:47:29.373: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 08:47:29.373: ISAKMP:(1055): processing CERT payload. message ID = 0
Mar  1 08:47:29.373: ISAKMP:(1055): processing a CT_X509_SIGNATURE cert
Mar  1 08:47:29.377: ISAKMP:(1055): peer's pubkey is cached
Mar  1 08:47:29.421: ISAKMP:(1055): Unable to get DN from certificate!
Mar  1 08:47:29.421: ISAKMP:(1055): Cert presented by peer contains no OU field.
Mar  1 08:47:29.421: ISAKMP:(0):: UNITY's identity FQDN but no group info
Mar  1 08:47:29.421: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 08:47:29.421: ISAKMP:(1055): processing SIG payload. message ID = 0
Mar  1 08:47:29.429: ISAKMP:received payload type 17
Mar  1 08:47:29.433: ISAKMP:(1055): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 65DD43CC
Mar  1 08:47:29.437: ISAKMP:(1055):SA authentication status:
        authenticated
Mar  1 08:47:29.441: ISAKMP:(1055):SA has been authenticated with 192.168.1.1
Mar  1 08:47:29.441: ISAKMP:(1055):SA authentication status:
        authenticated
Mar  1 08:47:29.449: ISAKMP:(1055): Process initial contact,
bring down existing phase 1 and 2 SA's with local 192.168.1.2 remote 192.168.1.1 remote port 500
Mar  1 08:47:29.453: ISAKMP: Trying to insert a peer 192.168.1.2/192.168.1.1/500/,  and inserted successfully 6746A6E0.
Mar  1 08:47:29.457: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 08:47:29.461: ISAKMP:(1055):Old State = IKE_R_MM5  New State = IKE_R_MM5

Mar  1 08:47:29.465: ISAKMP:(1055):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar  1 08:47:29.465: ISAKMP:(1055):Using FQDN as My ID
Mar  1 08:47:29.465: ISAKMP:(1055):SA is doing RSA signature authentication using id type ID_FQDN
Mar  1 08:47:29.465: ISAKMP (0:1055): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R2_SE.argenta.be
        protocol     : 17
        port         : 500
        length       : 24
Mar  1 08:47:29.465: ISAKMP:(1055):Total payload length: 24
Mar  1 08:47:29.465: ISAKMP (0:1055): constructing CERT payload for hostname=R2_SE.argenta.be
Mar  1 08:47:29.465: ISAKMP:(1055): using the cs_server trustpoint's keypair to sign
Mar  1 08:47:29.561: ISAKMP:(1055): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 08:47:29.561: ISAKMP:(1055):Sending an IKE IPv4 Packet.
Mar  1 08:47:29.561: ISAKMP:(1055):Returning Actual lifetime: 86400
Mar  1 08:47:29.561: ISAKMP: set new node -2032828572 to QM_IDLE     
Mar  1 08:47:29.565: ISAKMP:(1055):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 1731544720, message ID = -2032828572
Mar  1 08:47:29.569: ISAKMP:(1055): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Mar  1 08:47:29.573: ISAKMP:(1055):Sending an IKE IPv4 Packet.
Mar  1 08:47:29.577: ISAKMP:(1055):purging node -2032828572
Mar  1 08:47:29.581: ISAKMP: Sending phase 1 responder lifetime 86400

Mar  1 08:47:29.585: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 08:47:29.585: ISAKMP:(1055):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Mar  1 08:47:29.609: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar  1 08:47:29.609: ISAKMP:(1055):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar  1 08:47:29.729: ISAKMP (0:1055): received packet from 192.168.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Mar  1 08:47:29.733: ISAKMP: set new node -566995488 to QM_IDLE     
Mar  1 08:47:29.741: ISAKMP:(1055):processing transaction payload from 192.168.1.1. message ID = -566995488
Mar  1 08:47:29.745: ISAKMP: Config payload REQUEST
Mar  1 08:47:29.749: ISAKMP:(1055): No provision for the request
Mar  1 08:47:29.749: ISAKMP: Invalid config REQUEST
Mar  1 08:47:29.753: ISAKMP (0:1055): FSM action returned error: 2
Mar  1 08:47:29.757: ISAKMP:(1055):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Mar  1 08:47:29.757: ISAKMP:(1055):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar  1 08:47:29.761: ISAKMP:(1055):peer does not do paranoid keepalives.

Mar  1 08:47:29.765: ISAKMP:(1055):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 08:47:29.809: ISAKMP: set new node 594109757 to QM_IDLE     
Mar  1 08:47:29.809: ISAKMP:(1055): sending packet to 192.168.1.1 my_port 500 peer_port 500 (R) QM_IDLE     
Mar  1 08:47:29.809: ISAKMP:(1055):Sending an IKE IPv4 Packet.
Mar  1 08:47:29.809: ISAKMP:(1055):purging node 594109757
Mar  1 08:47:29.809: ISAKMP:(1055):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar  1 08:47:29.809: ISAKMP:(1055):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Mar  1 08:47:29.809: ISAKMP:(1055):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) QM_IDLE       (peer 192.168.1.1)
Mar  1 08:47:29.809: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Mar  1 08:47:29.809: ISAKMP: Unlocking peer struct 0x6746A6E0 for isadb_mark_sa_deleted(), count 0
Mar  1 08:47:29.809: ISAKMP: Deleting peer node by peer_reap for 192.168.1.1: 6746A6E0
Mar  1 08:47:29.813: ISAKMP:(1055):deleting node -566995488 error FALSE reason "IKE deleted"
Mar  1 08:47:29.821: ISAKMP:(1055):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 08:47:29.821: ISAKMP:(1055):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Mar  1 08:47:29.869: ISAKMP (0:1055): received packet from 192.168.1.1 dport 500 sport 500 Global (R) MM_NO_STATE
Mar  1 08:48:19.817: ISAKMP:(1055):purging node -566995488
Mar  1 08:48:29.817: ISAKMP:(1055):purging SA., sa=65DD43CC, delme=65DD43CC

Cisco Employee

Re: Easy-vpn with certificates ; Xauth not complete

In the client:

crypto ipsec client ezvpn easyvpn-group
connect manual
mode network-extension
peer 192.168.1.2
username cisco password cisco
xauth userid mode local

I don't think you need "xauth userid mode local" since you do not want xauth anymore.

Try removing that.

Community Member

Re: Easy-vpn with certificates ; Xauth not complete

Hi

I tried removing the command, but it falls back to interactive mode and I still get the same error.

Before the retransmission error I see the following error message; can this be a problem?

Mar  1 10:48:49.057: ISAKMP: Config payload REQUEST
Mar  1 10:48:49.061: ISAKMP:(1062): No provision for the request
Mar  1 10:48:49.061: ISAKMP: Invalid config REQUEST
Mar  1 10:48:49.065: ISAKMP (0:1062): FSM action returned error: 2

What I find strange is that the isakmp comes to complete (QM_IDLE) for +/- 50 sec and then I get the error message.

Note that I had it working with preshared keys.

Thanks for the assistance so far.

gr

wim

Cisco Employee

Re: Easy-vpn with certificates ; Xauth not complete

Let's try removing everything related to xauth from server and client.

Let's remove save-password and xauth timeout from server.

Community Member

Re: Easy-vpn with certificates ; Xauth not complete

Still no success. I debugged on the client side and I have the following output:

Mar  1 11:39:19.439: ISAKMP (0:1065): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar  1 11:39:19.447: ISAKMP:(1065): processing ID payload. message ID = 0
Mar  1 11:39:19.451: ISAKMP (0:1065): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R2_SE.argenta.be
        protocol     : 17
        port         : 500
        length       : 24
Mar  1 11:39:19.459: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 11:39:19.459: ISAKMP:(1065): processing CERT payload. message ID = 0
Mar  1 11:39:19.463: ISAKMP:(1065): processing a CT_X509_SIGNATURE cert
Mar  1 11:39:19.515: ISAKMP:(1065): peer's pubkey is cached
Mar  1 11:39:19.523: ISAKMP:(1065): Unable to get DN from certificate!
Mar  1 11:39:19.523: ISAKMP:(1065): Cert presented by peer contains no OU field.
Mar  1 11:39:19.523: ISAKMP:(0):: peer matches *none* of the profiles
Mar  1 11:39:19.523: ISAKMP:(1065): processing SIG payload. message ID = 0
Mar  1 11:39:19.551: ISAKMP:(1065):SA authentication status:
        authenticated
Mar  1 11:39:19.551: ISAKMP:(1065):SA has been authenticated with 192.168.1.2
Mar  1 11:39:19.551: ISAKMP: Trying to insert a peer 192.168.1.1/192.168.1.2/500/,  and inserted successfully 668923AC.
Mar  1 11:39:19.551: ISAKMP:(1065):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 11:39:19.551: ISAKMP:(1065):Old State = IKE_I_MM5  New State = IKE_I_MM6

Mar  1 11:39:19.551: ISAKMP (0:1065): received packet from 192.168.1.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
Mar  1 11:39:19.551: ISAKMP: set new node 83264589 to CONF_ADDR   
Mar  1 11:39:19.551: ISAKMP:(1065): processing HASH payload. message ID = 83264589
Mar  1 11:39:19.551: ISAKMP:(1065): processing NOTIFY RESPONDER_LIFETIME protocol 1
        spi 0, message ID = 83264589, sa = 66238010
Mar  1 11:39:19.551: ISAKMP:(1065):SA authentication status:
        authenticated
Mar  1 11:39:19.551: ISAKMP:(1065): processing responder lifetime
Mar  1 11:39:19.551: ISAKMP:(1065): start processing isakmp responder lifetime
Mar  1 11:39:19.551: ISAKMP:(1065):Returning Actual lifetime: 2147483
Mar  1 11:39:19.551: ISAKMP:(1065): restart ike sa timer to 86400 secs
Mar  1 11:39:19.551: ISAKMP:(1065):Started lifetime timer: 0.

Mar  1 11:39:19.551: ISAKMP:(1065):deleting node 83264589 error FALSE reason "Informational (in) state 1"
Mar  1 11:39:19.551: ISAKMP:(1065):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Mar  1 11:39:19.551: ISAKMP:(1065):Old State = IKE_I_MM6  New State = IKE_I_MM6

Mar  1 11:39:19.551: ISAKMP:(1065):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  1 11:39:19.551: ISAKMP:(1065):Old State = IKE_I_MM6  New State = IKE_I_MM6

Mar  1 11:39:19.559: ISAKMP:(1065):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  1 11:39:19.563: ISAKMP:(1065):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Mar  1 11:39:19.571: ISAKMP:(1065):Need config/address
Mar  1 11:39:19.571: ISAKMP: set new node -1998902008 to CONF_ADDR   
Mar  1 11:39:19.575: ISAKMP: Sending APPLICATION_VERSION string: Cisco IOS Software, 3700 Software (C3725-ADVIPSERVICESK9-M), Version 12.4(15)T13, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 07-Apr-10 12:44 by prod_rel_team
Mar  1 11:39:19.587: ISAKMP:(1065): initiating peer config to 192.168.1.2. ID = -1998902008
Mar  1 11:39:19.595: ISAKMP:(1065): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) CONF_ADDR   
Mar  1 11:39:19.595: ISAKMP:(1065):Sending an IKE IPv4 Packet.
Mar  1 11:39:19.599: ISAKMP:(1065):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar  1 11:39:19.603: ISAKMP:(1065):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_MODE_REQ_SENT

Mar  1 11:39:19.759: ISAKMP (0:1065): received packet from 192.168.1.2 dport 500 sport 500 Global (I) CONF_ADDR   
Mar  1 11:39:19.759: ISAKMP: set new node -995157286 to CONF_ADDR   
Mar  1 11:39:19.771: ISAKMP:(1065): processing HASH payload. message ID = -995157286
Mar  1 11:39:19.771: ISAKMP:received payload type 18
Mar  1 11:39:19.775: ISAKMP:(1065):Processing delete with reason payload
Mar  1 11:39:19.775: ISAKMP:(1065):delete doi = 1
Mar  1 11:39:19.779: ISAKMP:(1065):delete protocol id = 1
Mar  1 11:39:19.779: ISAKMP:(1065):delete spi_size =  16
Mar  1 11:39:19.783: ISAKMP:(1065):delete num spis = 1
Mar  1 11:39:19.787: ISAKMP:(1065):delete_reason = 28
Mar  1 11:39:19.787: ISAKMP:(1065): processing DELETE_WITH_REASON payload, message ID = -995157286, reason: Unknown delete reason!
Mar  1 11:39:19.787: ISAKMP:(1065):peer does not do paranoid keepalives.

Mar  1 11:39:19.787: ISAKMP:(1065):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_ADDR     (peer 192.168.1.2)
Mar  1 11:39:19.787: ISAKMP:(1065):deleting node -995157286 error FALSE reason "Informational (in) state 1"
Mar  1 11:39:19.787: ISAKMP: set new node -1331189747 to CONF_ADDR   
Mar  1 11:39:19.795: ISAKMP:(1065): sending packet to 192.168.1.2 my_port 500 peer_port 500 (I) CONF_ADDR   
Mar  1 11:39:19.795: ISAKMP:(1065):Sending an IKE IPv4 Packet.
Mar  1 11:39:19.799: ISAKMP:(1065):purging node -1331189747
Mar  1 11:39:19.803: ISAKMP:(1065):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Mar  1 11:39:19.807: ISAKMP:(1065):Old State = IKE_CONFIG_MODE_REQ_SENT  New State = IKE_DEST_SA

Mar  1 11:39:19.815: ISAKMP:(1065):deleting SA reason "IKMP_ERR_NO_RETRANS" state (I) CONF_ADDR     (peer 192.168.1.2)
Mar  1 11:39:19.819: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
Mar  1 11:39:19.823: ISAKMP: Unlocking peer struct 0x668923AC for isadb_mark_sa_deleted(), count 0
Mar  1 11:39:19.827: ISAKMP: Deferring peer node 668923AC deletion, by peer_reap as there are other users 4
Mar  1 11:39:19.831: ISAKMP:(1065):deleting node 83264589 error FALSE reason "IKE deleted"
Mar  1 11:39:19.835: ISAKMP:(1065):deleting node -1998902008 error FALSE reason "IKE deleted"
Mar  1 11:39:19.835: ISAKMP:(1065):deleting node -995157286 error FALSE reason "IKE deleted"
Mar  1 11:39:19.835: ISAKMP:(1065):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  1 11:39:19.839: ISAKMP:(1065):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Mar  1 11:39:19.847: ISAKMP: Deleting peer node by peer_reap for 192.168.1.2: 668923AC
Mar  1 11:39:19.851: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=  Client_public_addr=192.168.1.1  Server_public_addr=192.168.1.2 
Mar  1 11:39:19.863: ISAKMP:(1065):peer does not do paranoid keepalives.

R1_CL#un all
All possible debugging has been turned off
R1_CL#

Hereby the new config:

R1_CL#sho run
Building configuration...

Current configuration : 3981 bytes
!
! Last configuration change at 11:25:14 UTC Fri Mar 1 2002
! NVRAM config last updated at 10:41:42 UTC Fri Mar 1 2002
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1_CL
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!        
ip domain name argenta.be
ip host cs_server 192.168.3.4
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint cs_server
enrollment url http://cs_server:80
revocation-check crl
!
!
crypto pki certificate chain cs_server
certificate 04
  3082020D 30820176 A0030201 02020104 300D0609 2A864886 F70D0101 04050030
  27312530 23060355 04030C1C 63735F73 65727665 72204F55 203D2065 61737976
  706E2D67 726F7570 301E170D 30323033 30313038 33343235 5A170D30 32313131
  30303833 3432355A 3021311F 301D0609 2A864886 F70D0109 02161052 315F434C
  2E617267 656E7461 2E626530 819F300D 06092A86 4886F70D 01010105 0003818D
  00308189 02818100 B31FFA10 491D9FA0 F0818843 5D5A75FA 8CDD9205 21E57520
  07697FF3 0C1E75D2 7127C2F5 659FBF5C C2B3CF6E DE04843B 012B34EB ACF83BC2
  DD5C5A25 6C834C6A 8C69F515 63DA6BAB 6569114E 9D48B3C5 0DA4EFCF 69B095C0
  D323C358 67E39142 295EE0BE EDE99EE2 BED6A795 296159A8 03164A15 62356ADB
  E23D636D 575FDAF9 02030100 01A34F30 4D300B06 03551D0F 04040302 05A0301F
  0603551D 23041830 16801418 1B8C81FA F11362C8 E7429C59 26EEA9BD C5FD8B30
  1D060355 1D0E0416 0414DA11 B3A90AB8 3AAB69BD 7FD2116A 34700483 CE55300D
  06092A86 4886F70D 01010405 00038181 008A1542 DCCB2DA5 DDE6872D E4FED20D
  F42C62DD 349354BF 91C4BCCC 44F3654F A355A99C 4C6B7271 A4DA6804 24FEEE70
  B0746465 929C8ABC 80CE3422 D61BE1D1 AA3F5F75 63D51EB1 FBED6713 E8D53FE3
  7CBC8B93 828AD44C 9BDB81B8 591F2CCB DE486DB8 F4D6B727 B28B6C6E 5DAEE515
  1F1E8C1C 2142EF9E 643F1402 5AF27895 56
        quit
certificate ca 01
  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  27312530 23060355 04030C1C 63735F73 65727665 72204F55 203D2065 61737976
  706E2D67 726F7570 301E170D 30323033 30313038 32333437 5A170D30 33303732
  32303832 3334375A 30273125 30230603 5504030C 1C63735F 73657276 6572204F
  55203D20 65617379 76706E2D 67726F75 7030819F 300D0609 2A864886 F70D0101
  01050003 818D0030 81890281 8100C2A3 5DB4D2AC C9679378 2EF52ED7 CD46466F
  4146EBC0 F6C685EE 88585B25 4DF9608D 3E178BD7 CE8678FC 8DC94748 BA09AA54
  2810E5AD 11BD6DEA 98639B04 FDD0E5F9 384F21A1 7F2CFB2B 25DBE2BF FF769DB2
  98450281 B40FABC1 F63E68CA EF0D8083 574EFA81 AD953EBC D4CB2139 96272EBD
  9D6AEC48 E50C1759 C6488A46 2DDD0203 010001A3 63306130 0F060355 1D130101
  FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
  18301680 14181B8C 81FAF113 62C8E742 9C5926EE A9BDC5FD 8B301D06 03551D0E
  04160414 181B8C81 FAF11362 C8E7429C 5926EEA9 BDC5FD8B 300D0609 2A864886
  F70D0101 04050003 8181006D BC60B452 F6EE73B1 9676547B 616F600F 3DAD4B28
  FAC1AF99 9F539049 D11CF69C 660D5CF5 F57A81CE ADA52F9E 1D4470E6 518B2BE6
  4D20F758 75A4F2D3 9BE86D7A 4F86E0ED 33A2120B 361465B1 D4516C2F 723B43AB
  43A2A016 0507A877 5B424F33 5247E77A B0A41703 FA77063E 311C217B 588F3DEE
  9F7457B1 F7B4F00E 9E3985
        quit
!
!
archive  
log config
  hidekeys
!
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec profile DMVPN
!
!
crypto ipsec client ezvpn easyvpn-group
connect manual
mode network-extension
peer 192.168.1.2
xauth userid mode interactive
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn easyvpn-group
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto ipsec client ezvpn easyvpn-group inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
!
ip http server
no ip http secure-server
!
!
!
!
!
!
!        
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
ntp clock-period 17179904
ntp server 192.168.3.4
!
end

R2_server

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2_SE
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius EzVPN
!
aaa authentication login easyVPN none
aaa authorization network easyVPN none
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
ip domain name argenta.be
ip host cs_server 192.168.3.4
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!        
!
!
!
!
!
!
!
crypto pki trustpoint cs_server
enrollment url http://192.168.3.4:80
revocation-check crl
auto-enroll 70
!
!
crypto pki certificate chain cs_server
certificate 03
  3082020D 30820176 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  27312530 23060355 04030C1C 63735F73 65727665 72204F55 203D2065 61737976
  706E2D67 726F7570 301E170D 30323033 30313038 33323334 5A170D30 32313131
  30303833 3233345A 3021311F 301D0609 2A864886 F70D0109 02161052 325F5345
  2E617267 656E7461 2E626530 819F300D 06092A86 4886F70D 01010105 0003818D
  00308189 02818100 CC69C859 137FDFF3 87FF43E2 C50AC769 E6F6BA11 17AC21E1
  40473DAD BA80C2D8 6D7911B6 E57532EF ADC64455 89DDA2BB FD6CF3E3 C8AA3D99
  5666183B 645998A2 9097B6FD 20873718 B77A010A D08F8FF3 DF291A63 2DA7B012
  E601F42E 20B323AC 65DEC53D 23EC21AC 04A3DB43 15C94700 7A221FB6 EB22785D
  10E3D103 6CCFFBEB 02030100 01A34F30 4D300B06 03551D0F 04040302 05A0301F
  0603551D 23041830 16801418 1B8C81FA F11362C8 E7429C59 26EEA9BD C5FD8B30
  1D060355 1D0E0416 0414E759 6575B2D7 30C29EC0 DDE89314 0C3CE473 9479300D
  06092A86 4886F70D 01010405 00038181 0093F598 38C49C05 F5236811 6C6FFA5C
  6E65FADF FA0441B1 0763F5B2 679E00D1 06287BC2 53D04DCD 1F78529A 021895E8
  FFAA6E47 A9DF95A1 2DC2144B EAF6B6F9 A7AB0791 D5DB4409 220F0E4F 67C909AC
  5441D2ED D32C569E 35471469 FAC01118 2952492B 97A44AE7 35A321D4 D459AFD0
  09C82EE8 F925562E EA91C951 C3A5F855 6D
        quit
certificate ca 01
  30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  27312530 23060355 04030C1C 63735F73 65727665 72204F55 203D2065 61737976
  706E2D67 726F7570 301E170D 30323033 30313038 32333437 5A170D30 33303732
  32303832 3334375A 30273125 30230603 5504030C 1C63735F 73657276 6572204F
  55203D20 65617379 76706E2D 67726F75 7030819F 300D0609 2A864886 F70D0101
  01050003 818D0030 81890281 8100C2A3 5DB4D2AC C9679378 2EF52ED7 CD46466F
  4146EBC0 F6C685EE 88585B25 4DF9608D 3E178BD7 CE8678FC 8DC94748 BA09AA54
  2810E5AD 11BD6DEA 98639B04 FDD0E5F9 384F21A1 7F2CFB2B 25DBE2BF FF769DB2
  98450281 B40FABC1 F63E68CA EF0D8083 574EFA81 AD953EBC D4CB2139 96272EBD
  9D6AEC48 E50C1759 C6488A46 2DDD0203 010001A3 63306130 0F060355 1D130101
  FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186 301F0603 551D2304
  18301680 14181B8C 81FAF113 62C8E742 9C5926EE A9BDC5FD 8B301D06 03551D0E
  04160414 181B8C81 FAF11362 C8E7429C 5926EEA9 BDC5FD8B 300D0609 2A864886
  F70D0101 04050003 8181006D BC60B452 F6EE73B1 9676547B 616F600F 3DAD4B28
  FAC1AF99 9F539049 D11CF69C 660D5CF5 F57A81CE ADA52F9E 1D4470E6 518B2BE6
  4D20F758 75A4F2D3 9BE86D7A 4F86E0ED 33A2120B 361465B1 D4516C2F 723B43AB
  43A2A016 0507A877 5B424F33 5247E77A B0A41703 FA77063E 311C217B 588F3DEE
  9F7457B1 F7B4F00E 9E3985
        quit
!
!
username cisco password 0 cisco
archive
log config
  hidekeys
!
!
crypto isakmp policy 2
encr 3des
group 2
!
crypto isakmp client configuration group easyvpn-group
dns 172.16.226.120 172.16.168.183
domain cisco.com
crypto isakmp profile vi
   ca trust-point cs_server
   match identity group easyvpn-group
   virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
--More--
Mar  1 11:43:45.513: %SYS-5-CONFIG_I: Configured from console  ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
ip local pool easyvpn-pool 192.168.1.3 192.168.1.10
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
!
!        
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
ntp clock-period 17179855
ntp server 192.168.3.4
!
end

Community Member

Re: Easy-vpn with certificates ; Xauth not complete

Hi,

The problem is resolved: the OU field in the certificate is mandatory and it needs to be the same name as the EZVPN group.

thx for the help

gr

Wim
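The resolution above can be checked directly against the certificate that R1_CL pasted in its running-config (`certificate 04`). The following is an added example, not code from the thread or from Cisco: a small stdlib-only DER parser that pulls the issuer and subject out of that hex dump and reports whether a real OU attribute equal to the ISAKMP profile's group name (`match identity group easyvpn-group`) is present. Decoded, the subject holds only a PKCS#9 unstructuredName (`R1_CL.argenta.be`) and no OU, which is exactly what the client debug reported as "Cert presented by peer contains no OU field"; the issuer is a single CN whose text is `cs_server OU = easyvpn-group`, i.e. the words "OU =" sit inside the CN string rather than forming a separate OU attribute, and only a separate OU attribute can match the group. `encode_name` builds a subject with a proper OU so the positive case can be checked as well; the OID constants, function names and the corrected subject are assumptions of this example.

```python
"""Check an X.509 subject for the OU an IOS ISAKMP profile's `match identity group` expects."""
from typing import List, Tuple

OID_OU = "2.5.4.11"

# Hex dump of "certificate 04" from R1_CL's running-config in the thread above.
CLIENT_CERT_HEX = """
3082020D 30820176 A0030201 02020104 300D0609 2A864886 F70D0101 04050030
27312530 23060355 04030C1C 63735F73 65727665 72204F55 203D2065 61737976
706E2D67 726F7570 301E170D 30323033 30313038 33343235 5A170D30 32313131
30303833 3432355A 3021311F 301D0609 2A864886 F70D0109 02161052 315F434C
2E617267 656E7461 2E626530 819F300D 06092A86 4886F70D 01010105 0003818D
00308189 02818100 B31FFA10 491D9FA0 F0818843 5D5A75FA 8CDD9205 21E57520
07697FF3 0C1E75D2 7127C2F5 659FBF5C C2B3CF6E DE04843B 012B34EB ACF83BC2
DD5C5A25 6C834C6A 8C69F515 63DA6BAB 6569114E 9D48B3C5 0DA4EFCF 69B095C0
D323C358 67E39142 295EE0BE EDE99EE2 BED6A795 296159A8 03164A15 62356ADB
E23D636D 575FDAF9 02030100 01A34F30 4D300B06 03551D0F 04040302 05A0301F
0603551D 23041830 16801418 1B8C81FA F11362C8 E7429C59 26EEA9BD C5FD8B30
1D060355 1D0E0416 0414DA11 B3A90AB8 3AAB69BD 7FD2116A 34700483 CE55300D
06092A86 4886F70D 01010405 00038181 008A1542 DCCB2DA5 DDE6872D E4FED20D
F42C62DD 349354BF 91C4BCCC 44F3654F A355A99C 4C6B7271 A4DA6804 24FEEE70
B0746465 929C8ABC 80CE3422 D61BE1D1 AA3F5F75 63D51EB1 FBED6713 E8D53FE3
7CBC8B93 828AD44C 9BDB81B8 591F2CCB DE486DB8 F4D6B727 B28B6C6E 5DAEE515
1F1E8C1C 2142EF9E 643F1402 5AF27895 56
"""
CLIENT_CERT = bytes.fromhex("".join(CLIENT_CERT_HEX.split()))

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]: returns (tag, content, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set on every octet but the last
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_name(name_body: bytes) -> List[Tuple[str, str]]:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value String }."""
    attrs = []
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            attrs.append((_decode_oid(oid), value.decode("utf-8", "replace")))
    return attrs

def cert_name(cert_der: bytes, which: str) -> List[Tuple[str, str]]:
    """Return the issuer or subject of a DER certificate as (OID, value) pairs."""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    _, tbs_body, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version shifts the fields by one
        fields = fields[1:]
    return _decode_name(fields[{"issuer": 2, "subject": 4}[which]][1])

def ou_matches_group(attrs: List[Tuple[str, str]], group: str) -> bool:
    """True only when a real OU attribute equals the ISAKMP profile's group name."""
    return any(oid == OID_OU and value == group for oid, value in attrs)

def _der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a short or long definite length."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = [0x80 | (arc & 0x7F)] + chunk, arc >> 7
        body += chunk
    return _der(0x06, bytes(body))

def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Build a DER Name with UTF8String values (assumed shape of a corrected subject)."""
    rdns = [_der(0x31, _der(0x30, _encode_oid(o) + _der(0x0C, v.encode()))) for o, v in attrs]
    return _der(0x30, b"".join(rdns))

def name_attributes(name_der: bytes) -> List[Tuple[str, str]]:
    _, body, _ = _read_tlv(name_der, 0)
    return _decode_name(body)
```

Running `cert_name(CLIENT_CERT, "subject")` yields `[("1.2.840.113549.1.9.2", "R1_CL.argenta.be")]` and `ou_matches_group(...)` is false for both issuer and subject, while a subject built with `encode_name([("2.5.4.3", "R1_CL.argenta.be"), ("2.5.4.11", "easyvpn-group")])` matches. On the router itself the same information is visible in `show crypto pki certificates`; the point of parsing the pasted bytes is that the group name must appear as the OU attribute of the client certificate's subject, which is what the enrollment on the CA has to produce.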
