I'm trying to create a VPN between a remote 857 and a UC520 using EZVPN. UC520 is set up just fine and tested OK using the VPN client. However the 857 always fails asking for Xauth credentials stating they are incorrect. Have tried completely wiping the config and starting again, to no success. IOS is AdvSec 124-15.T8.
Must be something simple, but I cannot see it.
Thanks in advance.
Thanks for your help.
The UC520 is the Easy VPN server, and the 857 is the Easy VPN client. The UC520 has a 2621XM acting as its ADSL modem, but it is set to pass everything through to the UC520 WAN port. It has been tested OK using the VPN client on a PC.
I've attached the configs for each box, and also a sample of the debug from the 857. Assume the public addresses xxx.xxx.xxx.xxx are correct ;-)
Hopefully I'm doing something simple and silly.
*Jun 3 05:59:30.242: EZVPN(ez): Pending XAuth Request, Please enter the
*Jun 3 05:59:30.242: EZVPN: crypto ipsec client ezvpn xauth
!--- Enter the crypto ipsec client ezvpn xauth command.
3-03-06-871W#crypto ipsec client ezvpn xauth
*Jun 3 06:02:46.498: username: cisco
*Jun 3 06:02:46.498: password:
You see that "error message" means that you have to manually put in the username / password like in your pc vpn client.
So I guess in the first VPN dial-in from the client to the server you have to put that in manually on the router, so that the server can validate it and then the client can store it when you allow it on the server.
Step 14 save-password
Example: Router (config-isakmp-group)# save-password
Give it a try.
Or you can try:
xauth userid mode interactive
which is the default, instead of
xauth userid mode local
The saved username or password is used in the configuration.
So it needs the save password and doesn't use the configured one.
Therefore you must first authenticate over the CLI (refer to my last post), then it should work if the Easy VPN server allows saving the password.
But I personally never configured that option. Usually the interactive was OK and it uses the locally configured username / password.
Please send feedback if it works now.
Many thanks for your time looking at this for me.
I'll try inputting the username and password from the CLI as you suggest. All previous attempts have been via SDM where it continually asked me to input the username and password.
I'll give it a go this evening and let you know.
I've tried entering the credentials at the CLI prompt, however it does not accept them and continues to request that I put them in.
The same credentials work fine on the VPN client from a PC on the same network.
I've tried that one, still no change. It seems like whatever hash is being used for the password does not match at either end.
Can't work it out.