11-15-2005 11:10 AM
Hi!
I'm trying to deploy an EzVPN VPN3005-to-CS837 NEM but it is not working. Here's what I have:
#### CS837 ####
crypto ipsec client ezvpn EZVPN-TO-3005
connect auto
group groupname key groupkey
local-address Ethernet0
mode network-extension
peer 10.10.10.10
!
interface e0
crypto ipsec client ezvpn EZVPN-TO-3005 inside
!
interface dialer 1
crypto ipsec client ezvpn EZVPN-TO-3005
########################################
The router debug gives me this:
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1):incrementing error counter on sa: retransmit phase 1
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
I followed step-by-step as described in this link:
Regards.
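Added example, not part of the original posts: a small Python script that summarizes ISAKMP debug output like the lines above per SA, so it is easy to see when the router keeps resending its first aggressive-mode packet (AG_INIT_EXCH) and the log shows no reply from the peer. The function names are hypothetical, and the second retransmit cycle in the sample is constructed by repeating the posted lines with a later timestamp.

```python
import re
from collections import defaultdict

# The four debug lines exactly as posted above.
POSTED = """\
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1):incrementing error counter on sa: retransmit phase 1
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
"""
# Constructed: the same cycle repeated 10 s later, standing in for a second retry.
SAMPLE = POSTED + POSTED.replace("08:23:10", "08:23:20")

SA_LINE = re.compile(r"ISAKMP:?\s*\((?P<sa>[^)]+)\):\s*(?P<msg>.+)")
SENT = re.compile(r"sending packet to (?P<peer>\S+) my_port \d+ peer_port \d+ "
                  r"\((?P<role>[IR])\) (?P<state>\w+)")

def summarize(text):
    """Return {sa_id: stats} built from ISAKMP debug lines."""
    sas = defaultdict(lambda: {"peer": None, "role": None, "state": None,
                               "retransmits": 0, "received": 0})
    for line in text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # not an ISAKMP debug line
        sa, msg = sas[m["sa"]], m["msg"]
        if msg.startswith("incrementing error counter on sa: retransmit phase 1"):
            sa["retransmits"] += 1   # logged once per retransmit cycle
        elif msg.startswith("received packet from"):
            sa["received"] += 1      # the peer answered at least once
        elif (s := SENT.match(msg)):
            sa.update(peer=s["peer"], role=s["role"], state=s["state"])
    return dict(sas)

def stuck_phase1(summary, min_retransmits=2):
    """SA ids that keep resending a phase 1 message with no reply in the log."""
    return sorted(sa for sa, st in summary.items()
                  if st["retransmits"] >= min_retransmits and st["received"] == 0)

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for sa in stuck_phase1(summary):
        st = summary[sa]
        print(f"SA {sa}: {st['retransmits']} retransmits to {st['peer']} "
              f"in {st['state']} (role {st['role']}), no reply seen")
```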
11-21-2005 12:58 PM
an EZVPN Client does not properly disconnect its tunnel to a VPN3000 Concentrator, its IKE SA is not cleared from the Concentrator. The result is that each lingering IKE SA retains an address out of the address pool.
This occurs only if the Client connects without xauth authentication.
Many "IPSEC ESP bad pad length (8) >= buffer length (8)" messages were logged in a syslog.
Using VPN3000 and PIX EzVPN:
Phase 2 SA recreation after an expiration of a SA because of an idle timeout (30min)
35 sec after a creation of a new SA after an old SA lifetime Expiration
11-22-2005 03:14 AM
Hi!
Thanks for your answer. I solved this problem by doing some lab tests. I think Cisco's doc. about EzVPN (VPN300-to-IOS) is not complete. I had to "Allow Network Extension Mode" and "Store password on HW Client" in order to make this solution work. My idea from the beginning was to have an EzVPN like a LAN-to-LAN solution. Now I have it up and running.
Regards.