Sumit,

Just wanted to add something here. I noticed your debug mentioned that the
server did not allow the password to be saved. If you add the following to the
ASA (I believe the ASA is your server, correct?):

hostname(config-group-policy)# password-storage {enable | disable}

Then the connection should work as configured.


Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio 
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, 
Voice, Security & Service Provider) certification(s) with training locations 
throughout the United States, Europe, South Asia and Australia. Be sure to 
visit our online communities at www.ipexpert.com/communities and our public 
website at www.ipexpert.com

Platinum Solutions Group (PSG) provides high-end consulting services with a 
primary emphasis on Cisco's Data Center Solutions, Service Provider Solutions, 
Unified Communications and Security-enabled infrastructures. Be sure to visit 
www.platinumsolutionsgroup.com. 



On May 11, 2010, at 10:46 AM, Sumit Mahla wrote:

> ok... Will keep this as a note....
> 
> Thanks
> 
> 
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 18:42:43 +1000
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> Must be a mistake. Remember to always trust the documentation. I can't stress
> that enough. Yusuf really is great, but when you write 700-page books you are
> bound to make mistakes. He is only human after all. In the lab the docs are
> all you have.
> 
> From: Sumit Mahla <[email protected]> 
> To: Michael Davis; [email protected] 
> <[email protected]> 
> Sent: Tue May 11 18:38:37 2010
> Subject: RE: [OSL | CCIE_Security] Fw: EZVPN 
> 
> Michael... you were right... the changes in virtual-template and xauth mode 
> brought the tunnel UP...
> 
> Thanks
> 
> 
> But one thing to ask... in the screenshot I sent you.... (Yusuf's book) he
> has used tunnel source at server and no ip add at the client... Why?
> 
> 
> Regards
> 
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 14:06:24 +0530
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> Still after reboot.... It says enter your username password manually... I
> think xauth mode also needs to be changed.... let me try out this....
> 
>  --More--
> *May 11 08:56:29.447: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:56:29.447: EZVPN(EZC): *** Logic Error ***
> *May 11 08:56:29.447: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:56:29.447: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:56:29.447: EZVPN(EZC): Resetting the EZVPN state machine to recover
>  --More--
> *May 11 08:56:29.451: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
>  --More--
> *May 11 08:56:31.543: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:56:31.547: EZVPN(EZC): *** Logic Error ***
> *May 11 08:56:31.547: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:56:31.547: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:56:31.547: EZVPN(EZC): Resetting the EZVPN state machine to recover
>  --More--
> *May 11 08:56:31.547: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
>  --More--
> *May 11 08:56:33.567: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:56:33.567: EZVPN(EZC): *** Logic Error ***
> *May 11 08:56:33.567: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:56:33.567: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:56:33.567: EZVPN(EZC): Resetting the EZVPN state machine to recover
>  --More--
> *May 11 08:56:33.571: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
>  --More--
> *May 11 08:56:36.207: EZVPN(EZC) Server does not allow save password option,
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 14:04:23 +0530
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> ASA
> 
> ciscoasa(config)# sh run access-list
> access-list OUT extended permit tcp object-group OUTSIDE object-group 
> SERVER-WEB-FTP object-group TCP-WEB-FTP
> access-list OUT extended permit tcp object-group OUTSIDE object-group 
> SERVER-SMTP eq smtp
> access-list OUT extended permit udp object-group OUTSIDE object-group 
> SERVER-DNS-TFTP object-group UDP-DNS-TFTP
> access-list OUT extended permit udp any host 192.1.22.1 eq isakmp
> access-list OUT extended permit udp any any eq isakmp
> access-list OUT extended permit esp any any
> access-list OUT extended permit udp any any eq 4500
> access-list OUT extended permit tcp host 192.1.25.5 host 192.1.22.100 eq 
> tacacs
> access-list OUT extended permit icmp any any
> access-list OUT extended permit udp host 192.1.32.16 host 192.1.22.100 eq 
> radius
> access-list OUT extended permit udp host 192.1.32.16 host 192.1.22.100 eq 
> radius-acct
> ciscoasa(config)#
> 
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 14:00:33 +0530
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> yes UDP 4500 is allowed.... that was a typing mistake... apologies for
> that...
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 18:28:30 +1000
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> Hi Sumit - NAT-T is UDP 4500. You must also allow ESP. At the end of your ACL
> add a deny ip any any log statement. If you are on the console you will see
> the packets being denied.
> 
> From: Sumit Mahla <[email protected]> 
> To: Michael Davis; [email protected] 
> <[email protected]> 
> Sent: Tue May 11 18:23:06 2010
> Subject: RE: [OSL | CCIE_Security] Fw: EZVPN 
> 
> udp any any eq 500
> udp any any eq 1500 are allowed through the firewall... esp is not allowed as 
> the server ip is natted...
> 
> 
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 18:20:06 +1000
> Subject: Re: [OSL | CCIE_Security] Fw: EZVPN
> 
> Also don't forget to let the source through in your acl
> 
> From: Sumit Mahla <[email protected]> 
> To: Michael Davis; [email protected] 
> <[email protected]> 
> Sent: Tue May 11 18:14:52 2010
> Subject: RE: [OSL | CCIE_Security] Fw: EZVPN 
> 
> IP unnumbered on client for any loopback interface? And this loopback
> interface should be routable? Right?
> 
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 18:08:07 +1000
> Subject: [OSL | CCIE_Security] Fw: EZVPN
> 
> 
> From: Michael Davis 
> To: '[email protected]' <[email protected]> 
> Sent: Tue May 11 18:04:52 2010
> Subject: Re: [OSL | CCIE_Security] EZVPN 
> 
> Your VTI interface needs the ip unnumbered statement on the client and you do
> not need to use the tunnel source on the server
> 
> From: Sumit Mahla <[email protected]> 
> To: Michael Davis; [email protected] 
> <[email protected]> 
> Sent: Tue May 11 17:52:43 2010
> Subject: RE: [OSL | CCIE_Security] EZVPN 
> 
> 
> 
> R1--SERVER
> 
> aaa new-model
> !
> !
> aaa authentication login EZ-AUTHEN local
> aaa authorization network EZ-AUTHOR local
> 
> crypto isakmp policy 17
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group EZC
>  key cciesec
>  pool EZP
> crypto isakmp profile MYPROF
>    match identity group EZC
>    client authentication list EZ-AUTHEN
>    isakmp authorization list EZ-AUTHOR
>    client configuration address respond
>    virtual-template 1
> !
> !
> crypto ipsec transform-set EZ-SET esp-3des esp-md5-hmac
> 
> crypto ipsec profile DVTI
>  set transform-set EZ-SET
>  set isakmp-profile MYPROF
> 
> interface Virtual-Template1 type tunnel
>  ip unnumbered FastEthernet0/0
>  tunnel source FastEthernet0/0
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile DVTI
> 
> ip local pool EZP 192.168.55.201 192.168.55.225
> 
> R4--- CLIENT
> 
> 
> crypto isakmp policy 17
>  encr 3des
>  authentication pre-share
>  group 2
> !
> !
> !
> !
> !
> crypto ipsec client ezvpn EZC
>  connect auto
>  group EZC key cciesec
>  mode client
>  peer 192.1.22.1
>  virtual-interface 1
>  username R4 password T1MMY
>  xauth userid mode local
> 
> interface FastEthernet0/0
>  ip address 192.1.40.4 255.255.255.0
>  duplex auto
>  speed auto
>  crypto ipsec client ezvpn EZC inside
> 
> interface Serial0/0/0
>  ip address 192.1.24.4 255.255.255.0
>  encapsulation frame-relay
>  ip ospf network point-to-point
>  frame-relay map ip 192.1.24.2 401 broadcast
>  no frame-relay inverse-arp
>  crypto ipsec client ezvpn EZC
> !
> 
> interface Virtual-Template1 type tunnel
>  no ip address
>  tunnel mode ipsec ipv4
> 
> 
> 
> All possible debugging has been turned off
> R4#
> *May 11 08:12:52.131: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> *May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:12:54.231: EZVPN(EZC): *** Logic Error ***
> *May 11 08:12:54.231: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:12:54.231: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:12:54.231: EZVPN(EZC): Resetting the EZVPN state machine to recover
> R4#
> *May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> *May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:12:56.139: EZVPN(EZC): *** Logic Error ***
> *May 11 08:12:56.139: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:12:56.139: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:12:56.143: EZVPN(EZC): Resetting the EZVPN state machine to recover
> R4#
> *May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> *May 11 08:12:57.915: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:12:57.915: EZVPN(EZC): *** Logic Error ***
> *May 11 08:12:57.915: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:12:57.915: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:12:57.915: EZVPN(EZC): Resetting the EZVPN state machine to recover
> R4#
> *May 11 08:12:57.919: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> *May 11 08:13:00.535: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:13:00.535: EZVPN(EZC): *** Logic Error ***
> *May 11 08:13:00.535: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:13:00.535: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:13:00.535: EZVPN(EZC): Resetting the EZVPN state machine to recover
> R4#
> *May 11 08:13:00.539: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> *May 11 08:13:02.419: EZVPN(EZC) Server does not allow save password option,
> enter your username and password manually
> *May 11 08:13:02.419: EZVPN(EZC): *** Logic Error ***
> *May 11 08:13:02.419: EZVPN(EZC): Current State: SS_OPEN
> *May 11 08:13:02.419: EZVPN(EZC): Event: MODE_CONFIG_REPLY
> *May 11 08:13:02.419: EZVPN(EZC): Resetting the EZVPN state machine to recover
> R4#
> *May 11 08:13:02.419: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  
> Group=EZC  Server_public_addr=192.1.22.1
> R4#
> 
> Please suggest...
> 
> From: [email protected]
> To: [email protected]; [email protected]
> Date: Tue, 11 May 2010 17:44:04 +1000
> Subject: Re: [OSL | CCIE_Security] EZVPN
> 
> Do you have a static ipsec tunnel on the ez vpn server? Can you post both 
> configs?
> 
> From: [email protected] 
> <[email protected]> 
> To: [email protected] <[email protected]> 
> Sent: Tue May 11 17:15:45 2010
> Subject: Re: [OSL | CCIE_Security] EZVPN 
> 
> These are the debugs at the Easy VPN Client
> 
> 
> *May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
> 65526 policy
> *May 11 07:35:06.563: ISAKMP:      encryption 3DES-CBC
> *May 11 07:35:06.563: ISAKMP:      hash SHA
> *May 11 07:35:06.563: ISAKMP:      default group 2
> *May 11 07:35:06.563: ISAKMP:      auth XAUTHInitPreShared
> *May 11 07:35:06.563: ISAKMP:      life type in seconds
> *May 11 07:35:06.563: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> *May 11 07:35:06.563: ISAKMP:(0):Encryption algorithm offered does not match 
> policy!
> *May 11 07:35:06.563: ISAKMP:(0):atts are not acceptable. Next payload is 0
> *May 11 07:35:06.563: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
> 65527 policy
> *May 11 07:35:06.563: ISAKMP:      encryption 3DES-CBC
> *May 11 07:35:06.563: ISAKMP:      hash SHA
> *May 11 07:35:06.563: ISAKMP:      default group 2
> *May 11 07:35:06.563: ISAKMP:      auth XAUTHInitPreShared
> *May 11 07:35:06.563: ISAKMP:      life type in seconds
> *May 11 07:35:06.563: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
> *May 11 07:35:06.563: ISAKMP:(0):atts are acceptable. Next payload is 0
> *May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:actual life: 2147483
> *May 11 07:35:06.563: ISAKMP:(0):Acceptable atts:life: 0
> *May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa vpi_length:4
> *May 11 07:35:06.563: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
> *May 11 07:35:06.563: ISAKMP:(0):Returning Actual lifetime: 2147483
> *May 11 07:35:06.563: ISAKMP:(0)::Started lifetime timer: 2147483.
> 
> *May 11 07:35:06.563: ISAKMP (0): vendor ID is NAT-T RFC 3947
> *May 11 07:35:06.567: ISAKMP:(0): processing KE payload. message ID = 0
> *May 11 07:35:06.615: ISAKMP:(0): processing NONCE payload. message ID = 0
> *May 11 07:35:06.615: ISAKMP: no pre-shared key based on address 10.22.22.1!
> *May 11 07:35:06.615: ISAKMP:(0):found peer pre-shared key matching 192.1.22.1
> *May 11 07:35:06.615: ISAKMP:(1013): processing HASH payload. message ID = 0
> *May 11 07:35:06.615: ISAKMP:received payload type 20
> *May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
> *May 11 07:35:06.615: ISAKMP:received payload type 20
> *May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
> *May 11 07:35:06.615: ISAKMP:(1013):SA authentication status:
>         authenticated
> *May 11 07:35:06.619: ISAKMP:(1013):SA has been authenticated with 192.1.22.1
> *May 11 07:35:06.619: ISAKMP: Trying to insert a peer 
> 192.1.24.4/192.1.22.1/4500/,  and inserted successfully 48D56FCC.
> *May 11 07:35:06.619: ISAKMP:(1013):Send initial contact
> *May 11 07:35:06.619: ISAKMP:(1013): sending packet to 192.1.22.1 my_port 
> 4500 peer_port 4500 (I) AG_INIT_EXCH
> *May 11 07:35:06.619: ISAKMP:(1013):Sending an IKE IPv4 Packet.
> *May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> *May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_I_AM1  New State = 
> IKE_P1_COMPLETE
> 
> *May 11 07:35:06.619: ISAKMP:(1013):Need XAUTH
> *May 11 07:35:06.619: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, 
> IKE_PHASE1_COMPLETE
> *May 11 07:35:06.619: ISAKMP:(1013):Old State = IKE_P1_COMPLETE  New State = 
> IKE_P1_COMPLETE
> 
> *May 11 07:35:16.283: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> *May 11 07:35:16.571: ISAKMP (1013): received packet from 192.1.22.1 dport 
> 500 sport 500 Global (I) CONF_XAUTH
> *May 11 07:35:16.571: ISAKMP:(1013): phase 1 packet is a duplicate of a 
> previous packet.
> *May 11 07:35:16.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
> *May 11 07:35:16.571: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> R4#
> R4#
> *May 11 07:35:26.567: ISAKMP (1013): received packet from 192.1.22.1 dport 
> 500 sport 500 Global (I) CONF_XAUTH
> *May 11 07:35:26.567: ISAKMP:(1013): phase 1 packet is a duplicate of a 
> previous packet.
> *May 11 07:35:26.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
> *May 11 07:35:26.567: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> R4#
> *May 11 07:35:36.567: ISAKMP (1013): received packet from 192.1.22.1 dport 
> 500 sport 500 Global (I) CONF_XAUTH
> *May 11 07:35:36.567: ISAKMP:(1013): phase 1 packet is a duplicate of a 
> previous packet.
> *May 11 07:35:36.567: ISAKMP:(1013): retransmitting due to retransmit phase 1
> *May 11 07:35:36.567: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> R4#
> *May 11 07:35:46.567: ISAKMP (1013): received packet from 192.1.22.1 dport 
> 500 sport 500 Global (I) CONF_XAUTH
> *May 11 07:35:46.571: ISAKMP:(1013): phase 1 packet is a duplicate of a 
> previous packet.
> *May 11 07:35:46.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
> *May 11 07:35:46.571: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> R4#
> *May 11 07:35:56.571: ISAKMP (1013): received packet from 192.1.22.1 dport 
> 500 sport 500 Global (I) CONF_XAUTH
> *May 11 07:35:56.571: ISAKMP:(1013): phase 1 packet is a duplicate of a 
> previous packet.
> *May 11 07:35:56.571: ISAKMP:(1013): retransmitting due to retransmit phase 1
> *May 11 07:35:56.571: ISAKMP:(1013): no outgoing phase 1 packet to 
> retransmit. CONF_XAUTH
> R4#
> *May 11 07:36:04.311: ISAKMP:(1012):purging SA., sa=482E894C, delme=482E894C
> R4#
> 
> From: [email protected]
> To: [email protected]
> Date: Tue, 11 May 2010 12:44:15 +0530
> Subject: Re: [OSL | CCIE_Security] EZVPN
> 
> Hello All,
>  
>  
> I often face difficulty in Easy VPN....
> 
> is there a specific order in which we should apply the inside and outside
> statement on the physical interfaces of Easy VPN client?
> 
> From: [email protected]
> To: [email protected]
> Subject: EZVPN
> Date: Tue, 11 May 2010 12:31:14 +0530
> 
> Hello All,
> 
> Could anyone please suggest why we get this error?
>  
>  
> R4#crypto ipsec client ezvpn xauth
> EZVPN(EZC): There are no pending Xauth Requests
> 
> 
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please 
> visit www.ipexpert.com
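Log triage for the EZVPN client debugs quoted in this thread, as an added example that is not code from any of the posters: it counts the failure signatures shown above and maps each to the fix the thread arrived at. The names PATTERNS, THRESHOLDS, ADVICE and triage are my own, the sample lines are a constructed condensation of the quoted debugs, and the 'interactive' keyword is assumed as the alternative to the 'xauth userid mode local' setting in the posted client config.

```python
import re
from collections import Counter

# Message patterns as they appear in the IOS EZVPN/ISAKMP debugs quoted above.
PATTERNS = {
    "save_password_rejected": re.compile(r"EZVPN\(\S+\) Server does not allow save password option"),
    "connection_down": re.compile(r"%CRYPTO-6-EZVPN_CONNECTION_DOWN: \(Client\)"),
    "xauth_pending": re.compile(r"no outgoing phase 1 packet to retransmit\. CONF_XAUTH"),
    "behind_nat": re.compile(r"His hash no match - this node outside NAT"),
    "proposal_rejected": re.compile(r"atts are not acceptable"),
    "proposal_accepted": re.compile(r"atts are acceptable"),
}
# How many hits make a signature worth reporting (one Xauth retransmit is normal).
THRESHOLDS = {"save_password_rejected": 1, "xauth_pending": 2, "behind_nat": 1, "connection_down": 2}

# Remediation per signature, in the terms the thread used (wording is mine).
ADVICE = {
    "save_password_rejected": "client stores Xauth credentials but the server refuses password "
        "saving: use 'xauth userid mode interactive' on the client (assumed keyword), or allow "
        "saving on the server (ASA: 'password-storage enable' in the group-policy)",
    "xauth_pending": "server is waiting for Xauth: answer with 'crypto ipsec client ezvpn xauth'",
    "behind_nat": "NAT between peers: the firewall must pass UDP 500, UDP 4500 (NAT-T) and ESP",
    "connection_down": "client is looping: the session will not recover until the cause is fixed",
    "proposal_rejected": "no local ISAKMP policy matched the server's proposal",
}


def triage(debug_text):
    """Return (counts, findings) for EZVPN client debug text; findings are (name, advice)."""
    counts = Counter()
    for line in debug_text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
    findings = [(n, ADVICE[n]) for n, need in THRESHOLDS.items() if counts[n] >= need]
    # A rejected transform only matters when no later policy accepted the proposal.
    if counts["proposal_rejected"] and not counts["proposal_accepted"]:
        findings.append(("proposal_rejected", ADVICE["proposal_rejected"]))
    return counts, findings


# Constructed sample: a condensed copy of the debug messages from the thread.
SAMPLE_DEBUG = """\
*May 11 07:35:06.563: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 07:35:06.563: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 07:35:06.615: ISAKMP (1013): His hash no match - this node outside NAT
*May 11 07:35:16.283: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 07:35:26.567: ISAKMP:(1013): no outgoing phase 1 packet to retransmit. CONF_XAUTH
*May 11 08:12:54.231: EZVPN(EZC) Server does not allow save password option,
*May 11 08:12:54.235: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZC  Server_public_addr=192.1.22.1
*May 11 08:12:56.139: EZVPN(EZC) Server does not allow save password option,
*May 11 08:12:56.143: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=EZC  Server_public_addr=192.1.22.1
"""

if __name__ == "__main__":
    for name, advice in triage(SAMPLE_DEBUG)[1]:
        print(f"{name}: {advice}")
```

Feed it the output of `debug crypto ipsec client ezvpn` and `debug crypto isakmp` from the client; the rejected-transform line against the default 65526 policy is suppressed because the 65527 policy accepted the proposal right after it.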
