Hi Sumit - NAT-T is UDP 4500. You must also allow ESP. At the end of your ACL add a deny ip any any log statement. If you are on the console you will see the packets being denied.
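Added example (not code from this thread): a small Python audit of an IOS extended ACL against the checklist in the reply above. The required flows are IKE on UDP 500, NAT-T on UDP 4500 and ESP (IP protocol 50), plus a trailing logged deny so refused packets show on the console. Both ACLs in the block are constructed; the first repeats the entries discussed in the thread (UDP 500 and UDP 1500, which does not cover NAT-T), the second is the corrected form using the server address 192.1.22.1 from the thread. The ACL name OUTSIDE-IN is an assumption.

```python
"""Audit an IOS extended ACL for the flows an IPsec (EZVPN) peer needs.

Added example, not code from the thread. Checks: IKE on UDP 500, NAT-T on
UDP 4500, ESP (IP protocol 50), and a trailing 'deny ip any any log'.
"""

# IOS accepts these port keywords in place of the numbers.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Flow name -> (ACL protocol keyword, destination port or None for "any port")
REQUIRED = {
    "IKE (UDP 500)": ("udp", 500),
    "NAT-T (UDP 4500)": ("udp", 4500),
    "ESP (IP proto 50)": ("esp", None),
}


def parse_ace(line):
    """Return (action, protocol, dest_port, logged) for one ACE, or None.

    Lines that are not permit/deny entries (the 'ip access-list' header,
    remarks) return None. Only the 'eq PORT' form is understood, which is
    enough for the ACLs in this thread.
    """
    tokens = line.strip().split()
    if tokens and tokens[0].isdigit():        # drop a leading sequence number
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1].lower()
    if proto == "50":                          # numeric form of ESP
        proto = "esp"
    port = None
    if "eq" in tokens and tokens.index("eq") + 1 < len(tokens):
        raw = tokens[tokens.index("eq") + 1].lower()
        port = PORT_NAMES.get(raw, int(raw) if raw.isdigit() else raw)
    return action, proto, port, tokens[-1] == "log"


def audit_acl(acl_text):
    """Return the required flows the ACL does not permit and whether it ends in a logged deny."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    permitted = set()
    for action, proto, port, _ in aces:
        if action != "permit":
            continue
        if proto == "ip":                      # permit ip ... covers every flow
            permitted.update(REQUIRED)
            continue
        for name, (req_proto, req_port) in REQUIRED.items():
            # port None on the ACE means "all ports", which also satisfies the flow
            if proto == req_proto and (req_port is None or port is None or port == req_port):
                permitted.add(name)
    last = aces[-1] if aces else None
    return {
        "missing": [n for n in REQUIRED if n not in permitted],
        "log_catch_all": bool(last and last[0] == "deny" and last[1] == "ip" and last[3]),
    }


# Constructed: what the thread describes -- UDP 500 and UDP 1500 allowed, nothing else.
ACL_BEFORE = """\
ip access-list extended OUTSIDE-IN
 permit udp any any eq 500
 permit udp any any eq 1500
"""

# Constructed: the same ACL with the flows the reply asks for (server 192.1.22.1 from the thread).
ACL_AFTER = """\
ip access-list extended OUTSIDE-IN
 permit udp any host 192.1.22.1 eq isakmp
 permit udp any host 192.1.22.1 eq non500-isakmp
 permit esp any host 192.1.22.1
 deny ip any any log
"""

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        result = audit_acl(acl)
        print(f"{label}: missing={result['missing']} logged deny at end={result['log_catch_all']}")
```

Running it reports the first ACL as missing NAT-T and ESP with no logged deny, and the second as complete; the logged deny is what makes the console show which packets the ACL is still dropping.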
________________________________
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected] <[email protected]>
Sent: Tue May 11 18:23:06 2010
Subject: RE: [OSL | CCIE_Security] Fw: EZVPN

udp any any eq 500
udp any any eq 1500

are allowed through the firewall... ESP is not allowed as the server IP is NATed...

________________________________
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 18:20:06 +1000
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN

Also don't forget to let the source through in your ACL.

________________________________
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected] <[email protected]>
Sent: Tue May 11 18:14:52 2010
Subject: RE: [OSL | CCIE_Security] Fw: EZVPN

IP unnumbered on the client for any loopback interface? And this loopback interface should be routable? Right?

________________________________
From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 18:08:07 +1000
Subject: [OSL | CCIE_Security] Fw: EZVPN

________________________________
From: Michael Davis
To: '[email protected]' <[email protected]>
Sent: Tue May 11 18:04:52 2010
Subject: Re: [OSL | CCIE_Security] EZVPN

Your VTI interface needs the ip unnumbered statement on the client, and you do not need to use the tunnel source on the server.

________________________________
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected] <[email protected]>
Sent: Tue May 11 17:52:43 2010
Subject: RE: [OSL | CCIE_Security] EZVPN

R1 -- SERVER

aaa new-model
!
!
aaa authentication login EZ-AUTHEN local
aaa authorization network EZ-AUTHOR local

crypto isakmp policy 17
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZC
 key cciesec
 pool EZP
crypto isakmp profile MYPROF
 match identity group EZC
 client authentication list EZ-AUTHEN
 isakmp authorization list EZ-AUTHOR
 client configuration address respond
 virtual-template 1
!
!
crypto ipsec transform-set EZ-SET esp-3des esp-md5-hmac

crypto ipsec profile DVTI
 set transform-set EZ-SET
 set isakmp-profile MYPROF

interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI

ip local pool EZP 192.168.55.201 192.168.55.225

R4 --- CLIENT

crypto isakmp policy 17
 encr 3des
 authentication pre-share
 group 2
!
!
!
!
!
crypto ipsec client ezvpn EZC
 connect auto
 group EZC key cciesec
 mode client
 peer 192.1.22.1
 virtual-interface 1
 username R4 password T1MMY
 xauth userid mode local

interface FastEthernet0/0
 ip address 192.1.40.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZC inside

interface Serial0/0/0
 ip address 192.1.24.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 192.1.24.2 401 broadcast
 no frame-relay inverse-arp
 crypto ipsec client ezvpn EZC
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4

All possible debugging has been turned off.

R4#
*May 11 08:12:52.131: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
*May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:12:54.231: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:54.231: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:54.231: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:54.231: EZVPN(EZC): Resetting the EZVPN state machine to recover
R4#
*May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
*May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:12:56.139: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:56.139: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:56.139: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:56.143: EZVPN(EZC): Resetting the EZVPN state machine to recover
R4#
*May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
*May 11 08:12:57.915: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:12:57.915: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:57.915: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:57.915: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:57.915: EZVPN(EZC): Resetting the EZVPN state machine to recover
R4#
*May 11 08:12:57.919: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
*May 11 08:13:00.535: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:13:00.535: EZVPN(EZC): *** Logic Error ***
*May 11 08:13:00.535: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:13:00.535: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:13:00.535: EZVPN(EZC): Resetting the EZVPN state machine to recover
R4#
*May 11 08:13:00.539: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
*May 11 08:13:02.419: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:13:02.419: EZVPN(EZC): *** Logic Error ***
*May 11 08:13:02.419: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:13:02.419: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:13:02.419: EZVPN(EZC): Resetting the EZVPN state machine to recover
R4#
*May 11 08:13:02.419: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#

Please suggest...

________________________________
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 17:44:04 +1000
Subject: Re: [OSL | CCIE_Security] EZVPN

Do you have a static IPsec tunnel on the EZVPN server? Can you post both configs?
________________________________
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Tue May 11 17:15:45 2010
Subject: Re: [OSL | CCIE_Security] EZVPN

These are the debugs at the Easy VPN client:

*May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65526 policy
*May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC
*May 11 07:35:06.563: ISAKMP: hash SHA
*May 11 07:35:06.563: ISAKMP: default group 2
*May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared
*May 11 07:35:06.563: ISAKMP: life type in seconds
*May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 11 07:35:06.563: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 11 07:35:06.563: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65527 policy
*May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC
*May 11 07:35:06.563: ISAKMP: hash SHA
*May 11 07:35:06.563: ISAKMP: default group 2
*May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared
*May 11 07:35:06.563: ISAKMP: life type in seconds
*May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 11 07:35:06.563: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:actual life: 2147483
*May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:life: 0
*May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 11 07:35:06.563: ISAKMP:(0):Returning Actual lifetime: 2147483
*May 11 07:35:06.563: ISAKMP:(0)::Started lifetime timer: 2147483.
*May 11 07:35:06.563: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 11 07:35:06.567: ISAKMP:(0): processing KE payload. message ID = 0
*May 11 07:35:06.615: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 11 07:35:06.615: ISAKMP: no pre-shared key based on address 10.22.22.1!
*May 11 07:35:06.615: ISAKMP:(0):found peer pre-shared key matching 192.1.22.1
*May 11 07:35:06.615: ISAKMP:(1013): processing HASH payload. message ID = 0
*May 11 07:35:06.615: ISAKMP:received payload type 20
*May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
*May 11 07:35:06.615: ISAKMP:received payload type 20
*May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
*May 11 07:35:06.615: ISAKMP:(1013):SA authentication status: authenticated
*May 11 07:35:06.619: ISAKMP:(1013):SA has been authenticated with 192.1.22.1
*May 11 07:35:06.619: ISAKMP: Trying to insert a peer 192.1.24.4/192.1.22.1/4500/, and inserted successfully 48D56FCC.
*May 11 07:35:06.619: ISAKMP:(1013):Send initial contact
*May 11 07:35:06.619: ISAKMP:(1013): sending packet to 192.1.22.1 my_port 4500 peer_port 4500 (I) AG_INIT_EXCH
*May 11 07:35:06.619: ISAKMP:(1013):Sending an IKE IPv4 Packet.
*May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
*May 11 07:35:06.619: ISAKMP:(1013):Need XAUTH
*May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 11 07:35:16.283: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:16.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:16.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:16.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:16.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
R4#
*May 11 07:35:26.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:26.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:26.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:26.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
*May 11 07:35:36.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:36.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:36.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:36.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
*May 11 07:35:46.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:46.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:46.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:46.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
*May 11 07:35:56.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:56.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:56.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:56.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
*May 11 07:36:04.311: ISAKMP:(1012):purging SA., sa=482E894C, delme=482E894C
R4#

________________________________
From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 12:44:15 +0530
Subject: Re: [OSL | CCIE_Security] EZVPN

Hello All,

I often face difficulty in Easy VPN.... Is there a specific order in which we should apply the inside and outside statements on the physical interfaces of the Easy VPN client?

________________________________
From: [email protected]
To: [email protected]
Subject: EZVPN
Date: Tue, 11 May 2010 12:31:14 +0530

Hello All,

Could anyone please suggest why we get this error?
R4#crypto ipsec client ezvpn xauth
EZVPN(EZC): There are no pending Xauth Requests
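Added example, not code from this thread: a Python summarizer for IOS console output of the kind posted above (the ISAKMP debug and the EZVPN client messages from R4). It parses each timestamped line into an event and applies substring rules to flag two patterns visible in the thread: the EZVPN state machine resetting in a loop, and phase 1 authenticating while the XAUTH exchange (CONF_XAUTH) keeps being retransmitted until the SA is purged. The two log samples are constructed from lines in the thread, trimmed to a few events each; the year 2010 is an assumption, since IOS timestamps carry none.

```python
"""Summarize IOS EZVPN client and ISAKMP debug output like the R4 logs in this thread.

Added example, not code from the thread. Detection rules are plain substring
matches on the IOS message text; the log samples are constructed from the
posted lines, and the year is assumed (IOS timestamps carry none).
"""
import re
from datetime import datetime

TS_RE = re.compile(r"^\*?([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\.(\d{3}):\s*(.*)$")
ASSUMED_YEAR = 2010  # assumption: the thread's date

# Event name -> substring of the IOS message that identifies it
RULES = {
    "nat_t_offered": "vendor ID is NAT-T",
    "phase1_authenticated": "SA has been authenticated",
    "xauth_needed": "Need XAUTH",
    "xauth_retransmit": "retransmitting due to retransmit phase 1",
    "sa_purged": "purging SA",
    "save_password_refused": "does not allow save password option",
    "state_reset": "Resetting the EZVPN state machine",
    "connection_down": "EZVPN_CONNECTION_DOWN",
}


def parse_events(text):
    """Return [(datetime, message)] for timestamped lines; prompts such as 'R4#' are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts.replace(microsecond=int(m.group(2)) * 1000), m.group(3)))
    return events


def count_events(events):
    """Count how many messages match each rule."""
    counts = dict.fromkeys(RULES, 0)
    for _, msg in events:
        for name, needle in RULES.items():
            if needle in msg:
                counts[name] += 1
    return counts


def diagnose(text):
    """Map finding code -> one-line description for each pattern found in the log."""
    events = parse_events(text)
    c = count_events(events)
    findings = {}
    if c["nat_t_offered"]:
        findings["nat_t"] = "peer offered NAT-T (RFC 3947): IKE and ESP move to UDP 4500 once NAT is detected"
    if c["state_reset"] >= 2:
        span = (events[-1][0] - events[0][0]).total_seconds()
        findings["reconnect_loop"] = (
            f"EZVPN state machine reset {c['state_reset']} times in {span:.1f}s "
            f"({c['connection_down']} CONNECTION_DOWN events)"
        )
    if c["phase1_authenticated"] and c["xauth_needed"] and c["xauth_retransmit"]:
        findings["xauth_stalled"] = (
            f"phase 1 authenticated but XAUTH did not complete: CONF_XAUTH retransmitted "
            f"{c['xauth_retransmit']} times" + (", SA purged" if c["sa_purged"] else "")
        )
    if c["save_password_refused"]:
        findings["manual_xauth"] = (
            "server refused the saved password; IOS asks for the username and password "
            "to be entered manually (crypto ipsec client ezvpn xauth)"
        )
    return findings


# Constructed from the ISAKMP debug posted in the thread (subset of lines).
LOG_XAUTH = """\
*May 11 07:35:06.563: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 11 07:35:06.619: ISAKMP:(1013):SA has been authenticated with 192.1.22.1
*May 11 07:35:06.619: ISAKMP:(1013):Need XAUTH
*May 11 07:35:16.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:16.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:16.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
R4#
*May 11 07:35:26.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:26.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:36:04.311: ISAKMP:(1012):purging SA., sa=482E894C, delme=482E894C
"""

# Constructed from the EZVPN client output posted in the thread (two of the repeats).
LOG_RESET = """\
*May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:12:54.231: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:54.231: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option, enter your username and password manually
*May 11 08:12:56.143: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
"""

if __name__ == "__main__":
    for name, log in (("ISAKMP debug", LOG_XAUTH), ("EZVPN client", LOG_RESET)):
        print(name)
        for code, text in diagnose(log).items():
            print(f"  [{code}] {text}")
```

Feeding it a full console capture rather than the trimmed samples gives the same finding codes; the counts and the time span then show how long the client sat in the reset loop or how many CONF_XAUTH retransmits went unanswered before the SA was purged.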
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
