08-24-2013 06:42 AM - edited 03-04-2019 08:51 PM
Dear Experts,
I have a strange issue: my configs were working perfectly on 12.4. When I changed the router to an 887VA with IOS 15.1, NAT doesn't work for internet traffic.
I have configured the EZVPN client on my new 887VA router connecting to HO. The VPN is established perfectly, but the traffic for the internet stops. When I remove the crypto command from my outside interface, it starts translating and NAT for internet traffic works fine.
08-25-2013 02:06 PM
OK, here are the HQ configs. Have a look at the group where the ACL is used for the split tunnel.
08-25-2013 02:13 PM
Clark,
I've got them downloaded and I am going to check the contents.
Best regards,
Peter
08-25-2013 02:20 PM
Peter, thanks for all the replies. We are just about to reach success; please cooperate till we get there.
The other 9 locations are running without any issue with 870 routers on 12.4 IOS. I think there is something different in how 15.0 IOS treats the split tunnel.
Thanks
08-25-2013 02:32 PM
Hi Clark,
Hmmm... This is becoming convoluted.
Can you afford to run debugs on the 887VA? If yes, please activate the debug crypto ipsec client ezvpn command, followed by terminal monitor if you are working remotely, and then trigger the VPN re-establishment by issuing the clear crypto ipsec client ezvpn command. The debug output will be rather large, but I will need it to be captured in its entirety and posted here.
Thank you!
Best regards,
Peter
08-25-2013 02:37 PM
OK, I will do it.
08-25-2013 02:41 PM
08-25-2013 03:56 PM
Clark,
I believe I have found the problem in the HQ's configuration. Your ISAKMP profile that defines how the IPsec clients are authenticated does not match the group name KK. Paste the following lines to the HQ's configuration:
crypto isakmp profile client
match identity group KK
end
This will add another identity to the ISAKMP profile. After this change on HQ, issue the clear crypto ipsec client ezvpn on the 887VA and test the behavior again.
Best regards,
Peter
08-25-2013 10:21 PM
08-26-2013 05:38 AM
Clark,
The HQ's configuration is quite messy - there are ISAKMP profiles and IPsec client configuration groups that do not seem to be used. Can we perhaps streamline its configuration? I guess the dynmap crypto dynamic-map is unused and can be removed, and I am not sure about the cana configuration group. Can you have a look and tell me what can be removed from the HQ's config?
Best regards,
Peter
08-26-2013 01:44 PM
Dear Peter
Sure, I will do that, but I want to know from you whether we can add two match identity statements in the profile client. It will not affect the client connection, will it?
crypto isakmp profile client
match identity group KK
match identity group abc
end
Thanks
08-26-2013 01:59 PM
Hi Clark,
To my best knowledge, a crypto isakmp profile can contain multiple match identity statements and they act like a logical OR - they simply map multiple identities to the ISAKMP profile. Also, adding an identity match statement into an ISAKMP profile should not affect any existing IPsec sessions.
By the way, the client is not stuck in Xauth. Quite the contrary, it expects you to enter the following command:
crypto ipsec client ezvpn xauth
and to enter the proper username and password. The reason it did not request the username and password up to now is because the KK clients were not mapped to the ISAKMP configuration that actually requests an Xauth. Let me rephrase that: because of this configuration error on HQ, your EzVPN clients in the KK configuration group were actually allowed to connect without user authentication - based only on the group authentication using a pre-shared key. Most certainly, that is not what you wanted. Please be aware that after you add the KK identity to your existing ISAKMP profile, all clients in the KK identity will be, sooner or later, required to authenticate using Xauth in the same way.
Is it required that you enter the username and password manually? Should this not be stored in the configuration of the clients?
Best regards,
Peter
08-26-2013 02:12 PM
Dear Peter,
I told you that I have 10 sites, but actually I have more than 10 sites, and all will be affected once their VPN is disconnected because they have to authenticate.
So what alternative can be used rather than visiting each VPN client and configuring the username and password?
Is it required that you enter the username and password manually?
NO
Should this not be stored in the configuration of the clients?
NO
Thanks
08-26-2013 02:23 PM
Clark,
Well, if the KK clients are not supposed to be actually doing the Xauth authentication then we need to create a separate ISAKMP profile for them that does not require them to authenticate - something along the lines of:
crypto isakmp profile KKclients
match identity group KK
client configuration address respond
In this case, the match identity group KK must be present only in this ISAKMP profile and no other.
These configuration changes on HQ have to be performed carefully - you always need to have a backup of the original HQ's configuration handy in case a configuration change causes unforeseen issues.
Best regards,
Peter
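An added example, not from this thread and not Cisco's code: a small Python audit that does by script what Peter is doing by hand in the posts above. It reads an IOS head-end configuration, lists every crypto isakmp client configuration group, and reports which crypto isakmp profile matches that group and whether the profile carries a client authentication list (Xauth). The sample configuration is constructed for the example; the group and profile names KK, abc, cana, client and KKclients come from the thread, while the list names userauthen and groupauthor, the pool name and the key value are placeholders. A group matched by no profile is the condition Peter found for KK, and a group that only reaches a profile without client authentication list is authenticated by the group pre-shared key alone, as in the KKclients profile proposed above.

```python
"""Audit which EzVPN client groups an IOS head-end maps to which ISAKMP profile.

Constructed sample config (not the thread's HQ config): group and profile
names follow the thread, list names, pool and key are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
crypto isakmp client configuration group KK
 key EXAMPLE-PSK
 pool ezpool
 acl split
crypto isakmp client configuration group abc
 key EXAMPLE-PSK
 pool ezpool
crypto isakmp client configuration group cana
 key EXAMPLE-PSK
crypto isakmp profile client
 match identity group abc
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile KKclients
 match identity group KK
 isakmp authorization list groupauthor
 client configuration address respond
"""


def parse_isakmp(config):
    """Return (groups, profiles).

    groups:   set of 'crypto isakmp client configuration group' names
    profiles: {profile_name: {"groups": [matched group names], "xauth": bool}}
    xauth is True when the profile has a 'client authentication list'.
    """
    groups = set()
    profiles = {}
    current = None  # profile block we are inside, if any
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            current = None
            m = re.match(r"crypto isakmp client configuration group (\S+)", line)
            if m:
                groups.add(m.group(1))
                continue
            m = re.match(r"crypto isakmp profile (\S+)", line)
            if m:
                current = profiles.setdefault(
                    m.group(1), {"groups": [], "xauth": False})
            continue
        if current is None:                    # sub-command of something else
            continue
        sub = line.strip()
        m = re.match(r"match identity group (\S+)", sub)
        if m:
            current["groups"].append(m.group(1))
        elif sub.startswith("client authentication list "):
            current["xauth"] = True
    return groups, profiles


def audit(config):
    """Classify every client group:
    'unmatched'        no ISAKMP profile matches the group name
    'ambiguous: ...'   more than one profile matches it
    'psk-only via P'   matched by profile P, which requests no Xauth
    'xauth via P'      matched by profile P, which requests Xauth
    """
    groups, profiles = parse_isakmp(config)
    matched_by = defaultdict(list)
    for name, prof in profiles.items():
        for g in prof["groups"]:
            matched_by[g].append(name)
    findings = {}
    for g in sorted(groups):
        profs = matched_by.get(g, [])
        if not profs:
            findings[g] = "unmatched"
        elif len(profs) > 1:
            findings[g] = "ambiguous: " + ",".join(sorted(profs))
        elif not profiles[profs[0]]["xauth"]:
            findings[g] = "psk-only via " + profs[0]
        else:
            findings[g] = "xauth via " + profs[0]
    return findings


if __name__ == "__main__":
    for group, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{group:10s} {verdict}")
```

On the sample this reports abc as Xauth via the profile client, KK as PSK-only via KKclients, and cana as unmatched. Against a real head-end, feed it the text of show running-config | section crypto isakmp; anything reported as unmatched or ambiguous is worth resolving before trusting who can connect with which credentials.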
08-29-2013 09:47 AM
Hello Peter,
I put only one match identity command and still it doesn't work. Again it is asking me to enter the commands below:
Pending XAuth Request, Please enter the following command:
Aug 29 14:14:55.941: EZVPN: crypto ipsec client ezvpn xauth
Thanks
08-29-2013 11:08 AM
Hi Clark,
Would you perhaps be willing to post your HQ config once again after the changes? I would like to see the latest version and try it out on my topology. Has the client's configuration been changed in any significant way?
Best regards,
Peter