Problem with 871 Easy VPN client to UC520 Easy VPN server
I have a scenario I hope someone can help me with.
Topology: UC520 with data/voice subnets, wireless and CME running. Configured (I think) as an Easy VPN server for a remote location with an 871. The 871 had at least one PC and a single 7970 behind it, doing a VPN back to the office.
The end user had some problems with the 871, and reset it to factory defaults.
So now I have to rebuild the 871, guessing at what is needed based on what I see in the UC520 configuration.
NOTE - So far as I know, the UC520 config is COMPLETELY functional, so I really don't want to touch the config on it.
I was able to retrieve the crypto client group and key from the UC520, so I think I should be able to use those on the 871.
I do not have real-time access to the UC520. I was able to visit the office to get a copy of the config, but the device is not reachable from the outside via SSH or HTTP(S).
My current problem is that the IPSec tunnel shows absolutely NO signs of wanting to come up.
The output from the 871 'debug crypto isakmp' shows absolutely NOTHING.
I don't know where I'm going wrong with my attempt at an Easy VPN setup for the 871.
Details of the UC520 (sanitized for group name/password, etc.) and of my attempted 871 config are shown below.
UC520:

interface Loopback0
 description $FW_INSIDE$
 ip address 10.1.10.2 255.255.255.252
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description $FW_OUTSIDE$
 bandwidth 2048
 ip address <mypubIP> 255.255.255.252
 ip access-group 106 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CIW_A5
 service-policy output shape
!
interface Integrated-Service-Engine0/0
 description cue is initialized with default IMAP group$FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 101 in
 ip nat inside
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.202.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
 ip virtual-reassembly
!
interface BVI100
 description $FW_INSIDE$
 ip address 192.168.210.1 255.255.255.0
 ip access-group 104 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool WICPOOL 192.168.202.131 192.168.202.135
!
crypto logging ezvpn group CIW_A5
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 20 10
!
crypto isakmp client configuration group CIW_A5
 key CIW_A5abcd7
 pool CIW_A5POOL
 acl 120
 save-password
 max-logins 5
crypto isakmp profile CIW_A5
   match identity group CIW_A5
   client authentication list CIW_A5
   isakmp authorization list CIW_A5
   client configuration address respond
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map CIW_A5 1
 set transform-set ESP-3DES-SHA
 set isakmp-profile CIW_A5
 reverse-route
!
crypto map CIW_A5 1 ipsec-isakmp dynamic CIW_A5
!
access-list 120 permit ip 192.168.202.0 0.0.0.255 any
access-list 120 permit ip 192.168.210.0 0.0.0.255 any
access-list 120 permit ip 10.1.10.0 0.0.0.255 any
871:

crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group CIW_A5 key CIW_A500007
 mode network-extension
 peer <PubIP_of_UC520>
 xauth userid mode interactive
!
no ip dhcp excluded-address 192.168.202.1
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool1
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 188.8.131.52 184.108.40.206
 default-router 10.10.10.1
 domain-name wesselinvesting.com
 option 150 ip 192.168.210.1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
Message was edited by: Tim Reimers
Note that the pre-shared keys do match; the 871's key is "CIW_A5abcd7".
It looks like they don't because of my find/replace of sensitive info.
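Added example (not part of Tim's post, nor a copy of the UC520/871 configs above): a minimal IOS Easy VPN remote profile in network-extension mode, with the show/debug commands used to tell whether the client is actually trying to initiate IKE, and the CLI command that answers a pending Xauth prompt. The peer address, group key and Xauth username are placeholders I have assumed, not real values.

```ios
! Easy VPN remote (client) side, network-extension mode.
! Placeholders: <PubIP_of_server>, <group-preshared-key>, <xauth-user>.
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group CIW_A5 key <group-preshared-key>
 mode network-extension
 peer <PubIP_of_server>
 ! "interactive" means the router will NOT finish the tunnel on its own:
 ! after IKE phase 1 it logs a "Pending XAuth Request" message and waits
 ! for the operator to run "crypto ipsec client ezvpn xauth" at the CLI.
 ! To let the tunnel come up unattended, store the credentials instead:
 !   username <xauth-user> password <xauth-password>
 !   xauth userid mode local
 xauth userid mode interactive
!
interface BVI1
 ip address 10.10.10.1 255.255.255.0
 ! the LAN whose traffic is to be protected (reverse-route on the server
 ! side injects this subnet when the tunnel is up)
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface FastEthernet4
 ip address dhcp
 ! the interface that sources the IKE/IPsec session ("outside" is the default)
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 outside
!
! --- Verification, from enable mode, in this order ---
! show ip interface brief                 -> the outside interface must hold an
!                                            address before connect auto does anything
! show crypto ipsec client ezvpn          -> "Current State" walks IDLE ->
!                                            CONNECT_REQUIRED -> XAUTH_REQ -> IPSEC_ACTIVE;
!                                            XAUTH_REQ means it is waiting for credentials
! crypto ipsec client ezvpn xauth         -> supply the Xauth user/password interactively
! clear crypto ipsec client ezvpn         -> tear down and force a fresh connect attempt
! debug crypto ipsec client ezvpn         -> EzVPN client state machine
! debug crypto isakmp                     -> IKE phase 1 (aggressive mode to the group name)
! show crypto isakmp sa                   -> QM_IDLE once phase 1 succeeded
! show crypto ipsec sa                    -> encaps/decaps counters once phase 2 is up
```

The check a practitioner wants first is `show crypto ipsec client ezvpn`: if the state never leaves IDLE, the client has not tried to initiate at all (no outside address, no peer reachability, profile not bound to an outside interface), and `debug crypto isakmp` will stay empty because no IKE packet is ever built; if the state is XAUTH_REQ, phase 1 already worked and only the interactive Xauth step is outstanding.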