Michael... you were right... the changes in virtual-template and xauth mode
brought the tunnel UP...
Thanks
But one thing to ask... in the screenshot I sent you (Yusuf's book) he has
used tunnel source at the server and no ip add at the client... Why?
Regards
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 14:06:24 +0530
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
Still after reboot.... It says enter your username and password manually... I
think xauth mode also needs to be changed.... let me try this out....
*May 11 08:56:29.447: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:56:29.447: EZVPN(EZC): *** Logic Error ***
*May 11 08:56:29.447: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:56:29.447: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:56:29.447: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:56:29.451: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:56:31.543: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:56:31.547: EZVPN(EZC): *** Logic Error ***
*May 11 08:56:31.547: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:56:31.547: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:56:31.547: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:56:31.547: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:56:33.567: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:56:33.567: EZVPN(EZC): *** Logic Error ***
*May 11 08:56:33.567: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:56:33.567: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:56:33.567: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:56:33.571: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:56:36.207: EZVPN(EZC) Server does not allow save password option,
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 14:04:23 +0530
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
ASA
ciscoasa(config)# sh run access-list
access-list OUT extended permit tcp object-group OUTSIDE object-group SERVER-WEB-FTP object-group TCP-WEB-FTP
access-list OUT extended permit tcp object-group OUTSIDE object-group SERVER-SMTP eq smtp
access-list OUT extended permit udp object-group OUTSIDE object-group SERVER-DNS-TFTP object-group UDP-DNS-TFTP
access-list OUT extended permit udp any host 192.1.22.1 eq isakmp
access-list OUT extended permit udp any any eq isakmp
access-list OUT extended permit esp any any
access-list OUT extended permit udp any any eq 4500
access-list OUT extended permit tcp host 192.1.25.5 host 192.1.22.100 eq tacacs
access-list OUT extended permit icmp any any
access-list OUT extended permit udp host 192.1.32.16 host 192.1.22.100 eq radius
access-list OUT extended permit udp host 192.1.32.16 host 192.1.22.100 eq radius-acct
ciscoasa(config)#
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 14:00:33 +0530
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
yes UDP 4500 is allowed.... that was a typing mistake... apologies for that...
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 18:28:30 +1000
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
Hi Sumit - nat-t is udp 4500. You must also allow esp. At the end of your acl
add a deny ip any any log statement. If you are on the console you will see
the packets being denied.
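A small checker for the advice above, written as an added example for this thread (not from any of the posters): it parses ASA "extended" ACEs and reports whether ISAKMP (udp/500), NAT-T (udp/4500) and ESP are permitted and whether the ACL ends in the suggested "deny ip any any log". The sample ACL is the IPsec-related subset of the OUT list posted later in the thread; the helper names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the IPsec-related lines of the OUT ACL from the thread
# (the object-group entries are omitted; they do not affect the check).
SAMPLE_ACL = """
access-list OUT extended permit udp any host 192.1.22.1 eq isakmp
access-list OUT extended permit udp any any eq isakmp
access-list OUT extended permit esp any any
access-list OUT extended permit udp any any eq 4500
access-list OUT extended permit icmp any any
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s*(.*)$")

def parse_aces(text: str) -> List[dict]:
    """Split ASA extended ACEs into name / action / protocol / remaining tokens."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, rest = m.groups()
            aces.append({"name": name, "action": action, "proto": proto.lower(),
                         "rest": [t.lower() for t in rest.split()]})
    return aces

def _dest_port(rest: List[str]):
    """Destination port is the token after the last 'eq' (None if absent or object-group)."""
    if "eq" not in rest:
        return None
    idx = len(rest) - 1 - rest[::-1].index("eq")
    return rest[idx + 1] if idx + 1 < len(rest) else None

def check_ipsec_passthrough(text: str) -> Dict[str, bool]:
    """Report which EZVPN passthrough requirements the ACL satisfies."""
    aces = parse_aces(text)
    permits = [a for a in aces if a["action"] == "permit"]
    udp_ports = {_dest_port(a["rest"]) for a in permits if a["proto"] == "udp"}
    last = aces[-1] if aces else None
    return {
        "isakmp_udp_500": bool(udp_ports & {"isakmp", "500"}),
        "nat_t_udp_4500": "4500" in udp_ports,
        "esp": any(a["proto"] in ("esp", "50") for a in permits),
        # Michael's tip: a final explicit deny with 'log' shows what is being dropped.
        "trailing_deny_log": bool(last and last["action"] == "deny" and last["proto"] == "ip"
                                  and last["rest"][:2] == ["any", "any"] and "log" in last["rest"]),
    }

def missing_requirements(text: str) -> List[str]:
    """Names of the checks that fail, in a fixed order."""
    result = check_ipsec_passthrough(text)
    return [k for k in ("isakmp_udp_500", "nat_t_udp_4500", "esp", "trailing_deny_log") if not result[k]]
```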
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected]
<[email protected]>
Sent: Tue May 11 18:23:06 2010
Subject: RE: [OSL | CCIE_Security] Fw: EZVPN
udp any any eq 500
udp any any eq 1500
are allowed through the firewall... esp is not allowed as the server ip is natted...
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 18:20:06 +1000
Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
Also don't forget to let the source through in your acl
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected]
<[email protected]>
Sent: Tue May 11 18:14:52 2010
Subject: RE: [OSL | CCIE_Security] Fw: EZVPN
ip unnumbered on the client for any loopback interface? And this loopback
interface should be routable? Right?
From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 18:08:07 +1000
Subject: [OSL | CCIE_Security] Fw: EZVPN
From: Michael Davis
To: '[email protected]' <[email protected]>
Sent: Tue May 11 18:04:52 2010
Subject: Re: [OSL | CCIE_Security] EZVPN
Your vti interface needs the ip unnumbered statement on the client and you do not
need to use the tunnel source on the server
From: Sumit Mahla <[email protected]>
To: Michael Davis; [email protected]
<[email protected]>
Sent: Tue May 11 17:52:43 2010
Subject: RE: [OSL | CCIE_Security] EZVPN
R1--SERVER
aaa new-model
!
aaa authentication login EZ-AUTHEN local
aaa authorization network EZ-AUTHOR local
crypto isakmp policy 17
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZC
 key cciesec
 pool EZP
crypto isakmp profile MYPROF
 match identity group EZC
 client authentication list EZ-AUTHEN
 isakmp authorization list EZ-AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZ-SET esp-3des esp-md5-hmac
crypto ipsec profile DVTI
 set transform-set EZ-SET
 set isakmp-profile MYPROF
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI
ip local pool EZP 192.168.55.201 192.168.55.225
R4--- CLIENT
crypto isakmp policy 17
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec client ezvpn EZC
 connect auto
 group EZC key cciesec
 mode client
 peer 192.1.22.1
 virtual-interface 1
 username R4 password T1MMY
 xauth userid mode local
interface FastEthernet0/0
 ip address 192.1.40.4 255.255.255.0
 duplex auto
 speed auto
 crypto ipsec client ezvpn EZC inside
interface Serial0/0/0
 ip address 192.1.24.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-point
 frame-relay map ip 192.1.24.2 401 broadcast
 no frame-relay inverse-arp
 crypto ipsec client ezvpn EZC
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
All possible debugging has been turned off
R4#
*May 11 08:12:52.131: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:12:54.231: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:54.231: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:54.231: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:54.231: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:12:56.139: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:56.139: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:56.139: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:56.143: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:12:57.915: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:12:57.915: EZVPN(EZC): *** Logic Error ***
*May 11 08:12:57.915: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:12:57.915: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:12:57.915: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:12:57.919: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:13:00.535: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:13:00.535: EZVPN(EZC): *** Logic Error ***
*May 11 08:13:00.535: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:13:00.535: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:13:00.535: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:13:00.539: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
*May 11 08:13:02.419: EZVPN(EZC) Server does not allow save password option,enter your username and password manually
*May 11 08:13:02.419: EZVPN(EZC): *** Logic Error ***
*May 11 08:13:02.419: EZVPN(EZC): Current State: SS_OPEN
*May 11 08:13:02.419: EZVPN(EZC): Event: MODE_CONFIG_REPLY
*May 11 08:13:02.419: EZVPN(EZC): Resetting the EZVPN state machine to recover
*May 11 08:13:02.419: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1
R4#
Please suggest...
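The client debug posted here (and again further up the thread) is the familiar run-together IOS paste, so as an added example (not code from the thread or from Cisco) here is a parser that recovers one record per "*Mon DD HH:MM:SS.mmm:" stamp and then counts the "save password refused -> state machine reset -> EZVPN_CONNECTION_DOWN" cycles and their spacing. The sample blob is constructed from the R4 output above; the prompt string "R4#" and the function names are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the R4 client debug in the thread: IOS debug
# output pasted with its newlines lost, so each message's "*Mon DD HH:MM:SS.mmm:"
# stamp is glued to the end of the previous one (and to the R4# prompt).
SAMPLE = (
    "R4#*May 11 08:12:52.131: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1"
    "R4#*May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option,enter your username and password manually"
    "*May 11 08:12:54.231: EZVPN(EZC): *** Logic Error ***"
    "*May 11 08:12:54.231: EZVPN(EZC): Current State: SS_OPEN"
    "*May 11 08:12:54.231: EZVPN(EZC): Event: MODE_CONFIG_REPLY"
    "*May 11 08:12:54.231: EZVPN(EZC): Resetting the EZVPN state machine to recover"
    "R4#*May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1"
    "R4#*May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option,enter your username and password manually"
    "*May 11 08:12:56.139: EZVPN(EZC): Resetting the EZVPN state machine to recover"
    "R4#*May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZC Server_public_addr=192.1.22.1R4#"
)

# One IOS timestamp: "*May 11 08:12:54.231: " (the leading '*' means the clock is unsynchronised).
TS_RE = re.compile(r"\*([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): ")

def split_debug(blob: str, prompt: str = "R4#") -> List[Dict[str, str]]:
    """Recover one record per message from run-together IOS debug output."""
    parts = TS_RE.split(blob)                      # [junk, ts1, msg1, ts2, msg2, ...]
    prompt_re = re.compile("(?:%s)+$" % re.escape(prompt))   # prompt echoes glued to a message
    return [{"ts": ts, "msg": prompt_re.sub("", msg).strip()}
            for ts, msg in zip(parts[1::2], parts[2::2])]

def _secs(ts: str) -> float:
    h, m, s = ts.split()[-1].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def ezvpn_reset_cycles(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Count 'save-password refused -> state machine reset -> CONNECTION_DOWN'
    cycles and the spacing between them; a steady cadence means the client keeps
    reconnecting straight back into the same mode-config failure."""
    cycles, start = [], None
    for r in records:
        if "Server does not allow save password option" in r["msg"]:
            start = r["ts"]
        elif "EZVPN_CONNECTION_DOWN" in r["msg"] and start is not None:
            cycles.append((start, r["ts"]))
            start = None
    gaps = [round(_secs(b[0]) - _secs(a[0]), 3) for a, b in zip(cycles, cycles[1:])]
    return {"cycles": len(cycles), "gaps_s": gaps}
```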
From: [email protected]
To: [email protected]; [email protected]
Date: Tue, 11 May 2010 17:44:04 +1000
Subject: Re: [OSL | CCIE_Security] EZVPN
Do you have a static ipsec tunnel on the ez vpn server? Can you post both
configs?
From: [email protected]
<[email protected]>
To: [email protected] <[email protected]>
Sent: Tue May 11 17:15:45 2010
Subject: Re: [OSL | CCIE_Security] EZVPN
These are the debugs at the Easy VPN Client
*May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65526 policy
*May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC
*May 11 07:35:06.563: ISAKMP: hash SHA
*May 11 07:35:06.563: ISAKMP: default group 2
*May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared
*May 11 07:35:06.563: ISAKMP: life type in seconds
*May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 11 07:35:06.563: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 11 07:35:06.563: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65527 policy
*May 11 07:35:06.563: ISAKMP: encryption 3DES-CBC
*May 11 07:35:06.563: ISAKMP: hash SHA
*May 11 07:35:06.563: ISAKMP: default group 2
*May 11 07:35:06.563: ISAKMP: auth XAUTHInitPreShared
*May 11 07:35:06.563: ISAKMP: life type in seconds
*May 11 07:35:06.563: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
*May 11 07:35:06.563: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:actual life: 2147483
*May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:life: 0
*May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*May 11 07:35:06.563: ISAKMP:(0):Returning Actual lifetime: 2147483
*May 11 07:35:06.563: ISAKMP:(0)::Started lifetime timer: 2147483.
*May 11 07:35:06.563: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 11 07:35:06.567: ISAKMP:(0): processing KE payload. message ID = 0
*May 11 07:35:06.615: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 11 07:35:06.615: ISAKMP: no pre-shared key based on address 10.22.22.1!
*May 11 07:35:06.615: ISAKMP:(0):found peer pre-shared key matching 192.1.22.1
*May 11 07:35:06.615: ISAKMP:(1013): processing HASH payload. message ID = 0
*May 11 07:35:06.615: ISAKMP:received payload type 20
*May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
*May 11 07:35:06.615: ISAKMP:received payload type 20
*May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
*May 11 07:35:06.615: ISAKMP:(1013):SA authentication status: authenticated
*May 11 07:35:06.619: ISAKMP:(1013):SA has been authenticated with 192.1.22.1
*May 11 07:35:06.619: ISAKMP: Trying to insert a peer 192.1.24.4/192.1.22.1/4500/, and inserted successfully 48D56FCC.
*May 11 07:35:06.619: ISAKMP:(1013):Send initial contact
*May 11 07:35:06.619: ISAKMP:(1013): sending packet to 192.1.22.1 my_port 4500 peer_port 4500 (I) AG_INIT_EXCH
*May 11 07:35:06.619: ISAKMP:(1013):Sending an IKE IPv4 Packet.
*May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_I_AM1 New State = IKE_P1_COMPLETE
*May 11 07:35:06.619: ISAKMP:(1013):Need XAUTH
*May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 11 07:35:16.283: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:16.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:16.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:16.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:16.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
R4#
*May 11 07:35:26.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:26.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:26.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:26.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:36.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:36.567: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:36.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:36.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:46.567: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:46.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:46.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:46.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:56.571: ISAKMP (1013): received packet from 192.1.22.1 dport 500 sport 500 Global (I) CONF_XAUTH
*May 11 07:35:56.571: ISAKMP:(1013): phase 1 packet is a duplicate of a previous packet.
*May 11 07:35:56.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
*May 11 07:35:56.571: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:36:04.311: ISAKMP:(1012):purging SA., sa=482E894C, delme=482E894C
R4#
From: [email protected]
To: [email protected]
Date: Tue, 11 May 2010 12:44:15 +0530
Subject: Re: [OSL | CCIE_Security] EZVPN
Hello All,
I often face difficulty in Easy VPN....
Is there a specific order in which we should apply the inside and outside
statements on the physical interfaces of the Easy VPN client?
From: [email protected]
To: [email protected]
Subject: EZVPN
Date: Tue, 11 May 2010 12:31:14 +0530
Hello All,
Could anyone please suggest why we get this error?
R4#crypto ipsec client ezvpn xauth
EZVPN(EZC): There are no pending Xauth Requests
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com