From the following debug, you can see that the IOS (EzVPN server) is not trying to communicate with the DHCP server:

*Sep 12 08:55:24.783: ISAKMP: Config payload REQUEST
*Sep 12 08:55:24.783: ISAKMP:(4006):checking request:
*Sep 12 08:55:24.783: ISAKMP: IP4_ADDRESS
*Sep 12 08:55:24.783: ISAKMP: IP4_NETMASK
*Sep 12 08:55:24.783: ISAKMP: MODECFG_CONFIG_URL
*Sep 12 08:55:24.783: ISAKMP: MODECFG_CONFIG_VERSION
*Sep 12 08:55:24.783: ISAKMP: IP4_DNS
*Sep 12 08:55:24.783: ISAKMP: IP4_DNS
*Sep 12 08:55:24.783: ISAKMP: IP4_NBNS
*Sep 12 08:55:24.783: ISAKMP: IP4_NBNS
*Sep 12 08:55:24.783: ISAKMP: SPLIT_INCLUDE
*Sep 12 08:55:24.783: ISAKMP: SPLIT_DNS
*Sep 12 08:55:24.783: ISAKMP: DEFAULT_DOMAIN
*Sep 12 08:55:24.783: ISAKMP: MODECFG_SAVEPWD
*Sep 12 08:55:24.783: ISAKMP: INCLUDE_LOCAL_LAN
*Sep 12 08:55:24.783: ISAKMP: PFS
*Sep 12 08:55:24.783: ISAKMP: BACKUP_SERVER
*Sep 12 08:55:24.783: ISAKMP: APPLICATION_VERSION
*Sep 12 08:55:24.783: ISAKMP: MODECFG_BANNER
*Sep 12 08:55:24.783: ISAKMP: MODECFG_IPSEC_INT_CONF
*Sep 12 08:55:24.783: ISAKMP: MODECFG_HOSTNAME
*Sep 12 08:55:24.783: ISAKMP/author: Author request for group king successfully sent to AAA
*Sep 12 08:55:24.783: ISAKMP:(4006):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Sep 12 08:55:24.783: ISAKMP:(4006):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Sep 12 08:55:24.783: ISAKMP:(4006):attributes sent in message:
*Sep 12 08:55:24.783:         Address: 0.2.0.0
*Sep 12 08:55:24.783: ISAKMP:(4006):Could not get address from pool!
*Sep 12 08:55:24.783: ISAKMP:(4006):peer does not do paranoid keepalives.
*Sep 12 08:55:24.783: ISAKMP:(4006):peer does not do paranoid keepalives.
*Sep 12 08:55:24.783: ISAKMP:(4006):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR

With regards
Kings

On Mon, Sep 12, 2011 at 4:43 PM, Kingsley Charles <[email protected]> wrote:
> It's a very simple topology.
>
>   20.10.30.43      20.10.30.42   10.20.30.42      10.20.30.41
>   R3 (client) ------------------- R2 (Server) -------------- R1 (DNS Server)
>
> When I enable debug ip packets, I don't see any packets being sent to
> 10.20.30.41 after entering the Xauth credentials.
>
> With regards
> Kings
>
> On Mon, Sep 12, 2011 at 1:33 PM, Piotr Matusiak <[email protected]> wrote:
>> 1. delete 'pool addr' from group config
>> 2. enable 'deb dhcp det' on EzVPN server
>> 3. try to connect
>>
>> The EzVPN must relay DHCPDISCOVER. If you see DHCP debug it works. You may
>> have routing issues - try to run 'deb ip pac det' to see if it works.
>>
>> Can you please draw the topology real quick?
>>
>> Regards,
>> Piotr
>>
>> 2011/9/12 Kingsley Charles <[email protected]>
>>> Hi Piotr
>>>
>>> The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am
>>> using an IOS router as the DHCP server. The issue is that the EzVPN server
>>> doesn't seem to be sending a DHCP request message at all.
>>>
>>> With regards
>>> Kings
>>>
>>> On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
>>>> This works only because you used a loopback interface and RIP inside your
>>>> network.
>>>>
>>>> Let me describe how it works to understand what's the issue with Kings'
>>>> config.
>>>> The EzVPN Server works as a DHCP client (relay) once you configure the 'dhcp
>>>> server' command under the group. You can troubleshoot it using the 'debug dhcp
>>>> packet' command.
>>>>
>>>> When a client connects, the EzVPN server uses the IP address configured in
>>>> the 'dhcp server' command and sends relayed information. Relayed, so that it
>>>> must have GIADDR (Gateway IP Address) configured in the packet so that the
>>>> DHCP server knows from which pool to assign an IP address to the client.
>>>> If nothing is configured using the 'dhcp giaddr' command, the IP address in
>>>> the DHCPDISCOVER will be the outgoing interface's IP address towards the DHCP
>>>> server. If configured, this will be the IP address where the DHCP server sends
>>>> the DHCPOFFER to. This is very important! If you don't have a route back to
>>>> that IP address on the DHCP server it will fail (I guess this could be an issue
>>>> in Kings' example).
>>>>
>>>> The best solution here is to configure a loopback with the IP address space
>>>> of your EzVPN Client's pool. Once this is advertised using some dynamic
>>>> routing protocol the server knows where to send the returning packet to. It
>>>> must also be specified with the 'dhcp giaddr' command. Of course, the best way
>>>> to do that is using DVTI.
>>>>
>>>> Hope it helps.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/9/11 Andrey <[email protected]>
>>>>> Kingsley,
>>>>>
>>>>> I labbed your case and it worked, my scheme:
>>>>>
>>>>> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>>>>>
>>>>> Configs:
>>>>>
>>>>> RIP between R2&R3
>>>>> Default route on ACS to R2
>>>>> Default route on PC to R3
>>>>>
>>>>> R3 config:
>>>>>
>>>>> Rack1R3(config)#do sh run | s aaa|crypto
>>>>> aaa new-model
>>>>> aaa authentication login con none
>>>>> aaa authentication login vty line
>>>>> aaa authentication login ezvpn local
>>>>> aaa authorization network ezvpn local
>>>>> aaa session-id common
>>>>> crypto isakmp policy 10
>>>>>  encr 3des
>>>>>  hash md5
>>>>>  authentication pre-share
>>>>>  group 2
>>>>> crypto isakmp client configuration group DHCP
>>>>>  key cisco
>>>>>  dns 10.0.0.100
>>>>>  domain INE.com
>>>>>  acl ezacl
>>>>>  dhcp server 10.0.0.100
>>>>>  dhcp giaddr 20.0.0.10
>>>>> crypto isakmp profile isapro1
>>>>>  match identity group DHCP
>>>>>  client authentication list ezvpn
>>>>>  isakmp authorization list ezvpn
>>>>>  client configuration address respond
>>>>>  client configuration group DHCP
>>>>>  virtual-template 1
>>>>> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
>>>>> crypto ipsec profile ipspro1
>>>>>  set transform-set ezset
>>>>>  set reverse-route tag 100
>>>>>  set isakmp-profile isapro1
>>>>> !
>>>>> interface Loopback1
>>>>>  ip address 20.0.0.10 255.255.255.0
>>>>> !
>>>>> router rip
>>>>>  redistribute connected
>>>>> !
>>>>> ip access-list extended ezacl
>>>>>  permit ip 10.0.0.0 0.0.0.255 any
>>>>> !
>>>>> interface Virtual-Template1 type tunnel
>>>>>  ip unnumbered FastEthernet0/1
>>>>>  tunnel mode ipsec ipv4
>>>>>  tunnel protection ipsec profile ipspro1
>>>>>
>>>>> ACS's ip 10.0.0.100, dhcp zone configured on it 20.0.0.1-20.0.0.254,
>>>>> excluded addresses 20.0.0.1-20.0.0.10
>>>>>
>>>>> PC client received IP 20.0.0.11 & I see it allocated in dhcp console.
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Andrey
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
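The relay behaviour Piotr describes above (the EzVPN server forwards a DHCPDISCOVER with GIADDR set, the DHCP server picks the pool that covers GIADDR and unicasts the DHCPOFFER back to GIADDR, so the DHCP server needs a route to that address), as an added example that is not code from the thread or from any of its participants: a small Python model of the relayed exchange using the addresses from Andrey's lab (server 10.0.0.100, giaddr 20.0.0.10 on Loopback1, pool 20.0.0.0/24 with .1-.10 excluded). The packet layout follows RFC 2131; the DhcpServer class, its pool table and its "routing table" are constructed for illustration and are not a real DHCP server.

```python
import ipaddress
import struct

# Constructed example: a minimal model of the DHCP relay exchange an EzVPN
# server performs when 'dhcp server' is configured. Not a real DHCP server.

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed BOOTP header, 236 bytes


def build_discover(xid, chaddr, giaddr, hops=1):
    """DHCPDISCOVER as forwarded by a relay: giaddr set, hops incremented."""
    fixed = struct.pack(HDR, BOOTREQUEST, 1, 6, hops, xid, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        ipaddress.IPv4Address(giaddr).packed,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_bootp(pkt):
    """Decode the fixed header; the options field is returned raw."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    return {"op": f[0], "hlen": f[2], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "options": pkt[240:]}


def lab_pool():
    """20.0.0.0/24 with 20.0.0.1-20.0.0.10 excluded, as in Andrey's lab."""
    hosts = list(ipaddress.ip_network("20.0.0.0/24").hosts())
    return {"20.0.0.0/24": [h for h in hosts if int(h) - int(hosts[0]) >= 10]}


class DhcpServer:
    """Pool selection by giaddr for relayed requests (RFC 2131 section 4.3.1).
    'routes' is a constructed stand-in for the server's IP routing table."""

    def __init__(self, address, pools, routes):
        self.address = ipaddress.IPv4Address(address)
        self.free = {ipaddress.ip_network(net): [str(h) for h in hosts]
                     for net, hosts in pools.items()}
        self.routes = [ipaddress.ip_network(r) for r in routes]

    def handle(self, pkt):
        """Return (offer_bytes, destination_ip) or (None, reason)."""
        req = parse_bootp(pkt)
        if req["op"] != BOOTREQUEST or req["options"][:3] != bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER]):
            return None, "not a DHCPDISCOVER"
        giaddr = ipaddress.IPv4Address(req["giaddr"])
        if giaddr == ipaddress.IPv4Address("0.0.0.0"):
            return None, "not relayed: pool would be chosen by the receiving interface"
        net = next((n for n in self.free if giaddr in n), None)
        if net is None:
            return None, f"no pool covers giaddr {giaddr}"
        if not self.free[net]:
            return None, f"pool {net} exhausted"
        # A real server always addresses the OFFER to giaddr (UDP/67). The
        # route check models the IP-layer delivery that fails when the server
        # has no route back to giaddr, which is the failure Piotr describes.
        if not any(giaddr in r for r in self.routes):
            return None, f"no route back to giaddr {giaddr}: OFFER undeliverable"
        yiaddr = self.free[net].pop(0)
        fixed = struct.pack(HDR, BOOTREPLY, 1, req["hlen"], req["hops"], req["xid"], 0, 0,
                            b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                            self.address.packed, giaddr.packed,
                            req["chaddr"].ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
        opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
                + self.address.packed + bytes([OPT_END]))
        return fixed + MAGIC_COOKIE + opts, str(giaddr)


def demo():
    """Working lab (route to 20.0.0.0/24 via RIP) versus a server without it."""
    disc = build_discover(0x1234, b"\x00\x11\x22\x33\x44\x55", "20.0.0.10")
    good = DhcpServer("10.0.0.100", lab_pool(), ["10.0.0.0/24", "20.0.0.0/24"])
    offer, dest = good.handle(disc)
    bad = DhcpServer("10.0.0.100", lab_pool(), ["10.0.0.0/24"])
    return parse_bootp(offer)["yiaddr"], dest, bad.handle(disc)[1]


if __name__ == "__main__":
    print(demo())
```

With the RIP-learned route present, the offer carries yiaddr 20.0.0.11 and is addressed to 20.0.0.10, matching what Andrey saw; drop the 20.0.0.0/24 route and the same DISCOVER yields no deliverable OFFER, which on the IOS side is what the 'deb dhcp det' and 'deb ip pac det' checks Piotr suggests would expose.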
