
New Member

EzVPN VPN3005-to-CS837 NEM

Hi!

I'm trying to deploy an EzVPN VPN3005-to-CS837 NEM but it is not working. Here's what I have:

#### CS837 ####
crypto ipsec client ezvpn EZVPN-TO-3005
 connect auto
 group groupname key groupkey
 local-address Ethernet0
 mode network-extension
 peer 10.10.10.10
!
interface e0
 crypto ipsec client ezvpn EZVPN-TO-3005 inside
!
interface dialer 1
 crypto ipsec client ezvpn EZVPN-TO-3005
########################################

The router debugs give me this:

*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1):incrementing error counter on sa: retransmit phase 1
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH

I followed step-by-step as described in this link:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800945cf.shtml

Regards.
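The debug above shows the IOS client re-sending its aggressive-mode initiator packet (AG_INIT_EXCH) to the peer and never receiving anything back, which is why phase 1 never completes. The following is an added example, not code from the original post or from Cisco: a small triage script that reads ISAKMP debug lines in the layout shown in the post and flags SAs that retransmit without a reply. The "received packet from" line layout and the second SA in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches IOS ISAKMP debug lines such as
# "*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH..."
# The colon/space before the "(sa)" tag varies between IOS releases, so both are accepted.
ISAKMP_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+): ISAKMP:?\s?\((?P<sa>[^)]+)\):?\s*(?P<msg>.*)$"
)

def parse_isakmp_line(line):
    """Return {'ts', 'sa', 'msg'} for an ISAKMP debug line, or None for anything else."""
    m = ISAKMP_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_phase1(lines):
    """Per ISAKMP SA: count phase-1 retransmits, record peer and exchange type, and
    count packets received back. Retransmits with nothing received means the peer
    is not answering (wrong peer address, UDP/500 blocked, or group/mode rejected)."""
    stats = defaultdict(lambda: {"retransmits": 0, "received": 0, "peer": None, "exchange": None})
    for line in lines:
        rec = parse_isakmp_line(line)
        if rec is None:
            continue
        s, msg = stats[rec["sa"]], rec["msg"]
        if msg.startswith("retransmitting phase 1"):
            s["retransmits"] += 1
            s["exchange"] = msg.split()[-1].rstrip(".")
        sent = re.search(r"sending packet to (\S+) my_port \d+ peer_port \d+", msg)
        if sent:
            s["peer"] = sent.group(1)
        if msg.startswith("received packet from"):
            s["received"] += 1
    return dict(stats)

def unanswered_sas(stats):
    """SAs that retransmitted phase 1 without ever receiving a reply from the peer."""
    return sorted(sa for sa, s in stats.items() if s["retransmits"] and not s["received"])

# Constructed sample: the four lines from the post plus one made-up line for a second SA
# that did get an answer, so the two outcomes can be compared.
SAMPLE_DEBUG = """\
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1):incrementing error counter on sa: retransmit phase 1
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar 1 08:23:10.165: ISAKMP:(0:88:SW:1): sending packet to 10.10.10.10 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar 1 08:25:01.001: ISAKMP (0:89:SW:1): received packet from 10.10.10.10 dport 500 sport 500 Global (I) AG_INIT_EXCH
""".splitlines()
```

Running `unanswered_sas(triage_phase1(SAMPLE_DEBUG))` returns only `0:88:SW:1`, the SA from the post, with two phase-1 retransmits to 10.10.10.10 and nothing received.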

2 REPLIES
Silver

Re: EzVPN VPN3005-to-CS837 NEM

If an EZVPN Client does not properly disconnect its tunnel to a VPN3000 Concentrator, its IKE SA is not cleared from the Concentrator. The result is that each lingering IKE SA retains an address out of the address pool.

This occurs only if the Client connects without xauth authentication.

Many "IPSEC ESP bad pad length (8) >= buffer length (8)" messages were logged in a syslog.

Using VPN3000 and PIX EzVPN:

Phase 2 SA recreation after an expiration of a SA because of an idle timeout (30min)

35 sec after a creation of a new SA after an old SA lifetime Expiration

New Member

Re: EzVPN VPN3005-to-CS837 NEM

Hi!

Thanks for your answer. I solved this problem by doing some lab tests. I think Cisco's doc. about EzVPN (VPN3000-to-IOS) is not complete. I had to "Allow Network Extension Mode" and "Store password on HW Client" in order to make this solution work. My idea from the beginning was to have an EzVPN like a LAN-to-LAN solution. Now I have it up and running.

Regards.
