Do you have a static ipsec tunnel on the ez vpn server? Can you post both configs?
________________________________ From: [email protected] <[email protected]> To: [email protected] <[email protected]> Sent: Tue May 11 17:15:45 2010 Subject: Re: [OSL | CCIE_Security] EZVPN These are the debugs at the EAZY VPN Client *May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65526 policy *May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC *May 11 07:35:06.563: ISAKMP: hash SHA *May 11 07:35:06.563: ISAKMP: default group 2 *May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared *May 11 07:35:06.563: ISAKMP: life type in seconds *May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *May 11 07:35:06.563: ISAKMP:(0):Encryption algorithm offered does not match policy! *May 11 07:35:06.563: ISAKMP:(0):atts are not acceptable. Next payload is 0 *May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65527 policy *May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC *May 11 07:35:06.563: ISAKMP: hash SHA *May 11 07:35:06.563: ISAKMP: default group 2 *May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared *May 11 07:35:06.563: ISAKMP: life type in seconds *May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B *May 11 07:35:06.563: ISAKMP:(0):atts are acceptable. Next payload is 0 *May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:actual life: 2147483 *May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:life: 0 *May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa vpi_length:4 *May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483 *May 11 07:35:06.563: ISAKMP:(0):Returning Actual lifetime: 2147483 *May 11 07:35:06.563: ISAKMP:(0)::Started lifetime timer: 2147483. *May 11 07:35:06.563: ISAKMP (0): vendor ID is NAT-T RFC 3947 *May 11 07:35:06.567: ISAKMP:(0): processing KE payload. message ID = 0 *May 11 07:35:06.615: ISAKMP:(0): processing NONCE payload. message ID = 0 *May 11 07:35:06.615: ISAKMP: no pre-shared key based on address 10.22.22.1! *May 11 07:35:06.615: ISAKMP:(0):found peer pre-shared key matching 192.1.22.1 *May 11 07:35:06.615: ISAKMP:(1013): processing HASH payload. message ID = 0 *May 11 07:35:06.615: ISAKMP:received payload type 20 *May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT *May 11 07:35:06.615: ISAKMP:received payload type 20 *May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT *May 11 07:35:06.615: ISAKMP:(1013):SA authentication status: authenticated *May 11 07:35:06.619: ISAKMP:(1013):SA has been authenticated with 192.1.22.1 *May 11 07:35:06.619: ISAKMP: Trying to insert a peer 192.1.24.4/192.1.22.1/4500/, and inserted successfully 48D56FCC. *May 11 07:35:06.619: ISAKMP:(1013):Send initial contact *May 11 07:35:06.619: ISAKMP:(1013): sending packet to 192.1.22.1 my_port 4500 peer_port 4500 (I) AG_INIT_EXCH *May 11 07:35:06.619: ISAKMP:(1013):Sending an IKE IPv4 Packet. *May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE *May 11 07:35:06.619: ISAKMP:(1013):Need XAUTH *May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE *May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE *May 11 07:35:16.283: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH *May 11 07:35:16.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH *May 11 07:35:16.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet. *May 11 07:35:16.571: ISAKMP:(1013): retransmitting due to retransmit phase 1 *May 11 07:35:16.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH R4# R4# *May 11 07:35:26.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH *May 11 07:35:26.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet. *May 11 07:35:26.567: ISAKMP:(1013): retransmitting due to retransmit phase 1 *May 11 07:35:26.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH R4# *May 11 07:35:36.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH *May 11 07:35:36.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet. *May 11 07:35:36.567: ISAKMP:(1013): retransmitting due to retransmit phase 1 *May 11 07:35:36.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH R4# *May 11 07:35:46.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH *May 11 07:35:46.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet. *May 11 07:35:46.571: ISAKMP:(1013): retransmitting due to retransmit phase 1 *May 11 07:35:46.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH R4# *May 11 07:35:56.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH *May 11 07:35:56.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet. *May 11 07:35:56.571: ISAKMP:(1013): retransmitting due to retransmit phase 1 *May 11 07:35:56.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH R4# *May 11 07:36:04.311: ISAKMP:(1012):purging SA., sa=482E894C, delme=482E894C R4# ________________________________ From: [email protected] To: [email protected] Date: Tue, 11 May 2010 12:44:15 +0530 Subject: Re: [OSL | CCIE_Security] EZVPN Hello All, I often face difficulty in EAZY VPN.... is there a specific order in which we should apple the inside and outside statement on the physical ineterfaces of eazy vpn client? ________________________________ From: [email protected] To: [email protected] Subject: EZVPN Date: Tue, 11 May 2010 12:31:14 +0530 Hello All, Could any one please suggest that why do we get this error ? R4#crypto ipsec client ezvpn xauth EZVPN(EZC): There are no pending Xauth Requests ________________________________ Catch the changing security environment Get it now.<http://news.in.msn.com/internalsecurity/> ________________________________ The battle for the FIH Hockey World Cup Drag n' drop<http://specials.msn.co.in/sp10/hockey/index.aspx> ________________________________ Invest your money wisely post Budget Sign up now.<http://news.in.msn.com/moneyspecial/>
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
