Tried on a different IOS version and it worked. Seems to be an issue with 12.4(15)13.
With regards
Kings

On Mon, Sep 12, 2011 at 5:00 PM, Kingsley Charles <[email protected]> wrote:

> From the following debug, you can see that the IOS (EzVPN server) is not
> trying to communicate with the DHCP server.
>
> *Sep 12 08:55:24.783: ISAKMP: Config payload REQUEST
> *Sep 12 08:55:24.783: ISAKMP:(4006):checking request:
> *Sep 12 08:55:24.783: ISAKMP: IP4_ADDRESS
> *Sep 12 08:55:24.783: ISAKMP: IP4_NETMASK
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_CONFIG_URL
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_CONFIG_VERSION
> *Sep 12 08:55:24.783: ISAKMP: IP4_DNS
> *Sep 12 08:55:24.783: ISAKMP: IP4_DNS
> *Sep 12 08:55:24.783: ISAKMP: IP4_NBNS
> *Sep 12 08:55:24.783: ISAKMP: IP4_NBNS
> *Sep 12 08:55:24.783: ISAKMP: SPLIT_INCLUDE
> *Sep 12 08:55:24.783: ISAKMP: SPLIT_DNS
> *Sep 12 08:55:24.783: ISAKMP: DEFAULT_DOMAIN
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_SAVEPWD
> *Sep 12 08:55:24.783: ISAKMP: INCLUDE_LOCAL_LAN
> *Sep 12 08:55:24.783: ISAKMP: PFS
> *Sep 12 08:55:24.783: ISAKMP: BACKUP_SERVER
> *Sep 12 08:55:24.783: ISAKMP: APPLICATION_VERSION
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_BANNER
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_IPSEC_INT_CONF
> *Sep 12 08:55:24.783: ISAKMP: MODECFG_HOSTNAME
> *Sep 12 08:55:24.783: ISAKMP/author: Author request for group king successfully sent to AAA
> *Sep 12 08:55:24.783: ISAKMP:(4006):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
> *Sep 12 08:55:24.783: ISAKMP:(4006):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
>
> *Sep 12 08:55:24.783: ISAKMP:(4006):attributes sent in message:
> *Sep 12 08:55:24.783: Address: 0.2.0.0
> *Sep 12 08:55:24.783: ISAKMP:(4006):Could not get address from pool!
> *Sep 12 08:55:24.783: ISAKMP:(4006):peer does not do paranoid keepalives.
>
> *Sep 12 08:55:24.783: ISAKMP:(4006):peer does not do paranoid keepalives.
> *Sep 12 08:55:24.783: ISAKMP:(4006):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR
>
> With regards
> Kings
>
> On Mon, Sep 12, 2011 at 4:43 PM, Kingsley Charles <[email protected]> wrote:
>
>> It's a very simple topology.
>>
>> 20.10.30.43          20.10.30.42 10.20.30.42            10.20.30.41
>> R3 (client) ------------------- R2(Server)--------------R1(DNS Server)
>>
>> When I enable debug ip packets, I don't see any packets being sent to
>> 10.20.30.41 after entering the Xauth credentials.
>>
>> With regards
>> Kings
>>
>> On Mon, Sep 12, 2011 at 1:33 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> 1. delete 'pool addr' from group config
>>> 2. enable 'deb dhcp det' on EzVPN server
>>> 3. try to connect
>>>
>>> The EzVPN must relay DHCPDISCOVER. If you see DHCP debug it works. You may
>>> have routing issues - try to run 'deb ip pac det' to see if it works.
>>>
>>> Can you please draw the topology real quick?
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/9/12 Kingsley Charles <[email protected]>
>>>
>>>> Hi Piotr
>>>>
>>>> The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am
>>>> using an IOS router as the DHCP server. The issue is that the EzVPN server
>>>> doesn't seem to be sending a DHCP request message at all.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> This works only because you used a loopback interface and RIP inside your
>>>>> network.
>>>>>
>>>>> Let me describe how it works to understand what's the issue with Kings'
>>>>> config.
>>>>> The EzVPN server works as a DHCP client (relay) once you configure the 'dhcp
>>>>> server' command under the group. You can troubleshoot it using the 'debug dhcp
>>>>> packet' command.
>>>>>
>>>>> When a client connects, the EzVPN server uses the IP address configured in the
>>>>> 'dhcp server' command and sends relayed information. Relayed, so that they
>>>>> must have GIADDR (Gateway IP Address) configured in the packet so that the
>>>>> DHCP server knows from what pool to assign an IP address to the client.
>>>>> If nothing is configured using the 'dhcp giaddr' command, the IP address in
>>>>> the DHCPDISCOVER will be the outgoing interface's IP address towards the DHCP
>>>>> server.
>>>>> If configured, this will be the IP address where the DHCP server sends
>>>>> the DHCPOFFER to. This is very important! If you don't have a route back to
>>>>> that IP address on the DHCP server it will fail (I guess this could be an issue
>>>>> in Kings' example).
>>>>>
>>>>> The best solution here is to configure a loopback with the IP address space
>>>>> of your EzVPN clients' pool. Once this is advertised using some dynamic
>>>>> routing protocol the server knows where to send the returning packet to. It
>>>>> must also be specified in the 'dhcp giaddr' command. Of course, the best way to do
>>>>> that is using DVTI.
>>>>>
>>>>> Hope it helps.
>>>>>
>>>>> Regards,
>>>>> Piotr
>>>>>
>>>>> 2011/9/11 Andrey <[email protected]>
>>>>>
>>>>>> Kingsley,
>>>>>>
>>>>>> I labbed your case and it worked, my scheme:
>>>>>>
>>>>>> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
>>>>>>
>>>>>> Configs:
>>>>>>
>>>>>> RIP between R2&R3
>>>>>> Default route on ACS to R2
>>>>>> Default route on PC to R3
>>>>>>
>>>>>> R3 config:
>>>>>>
>>>>>> Rack1R3(config)#do sh run | s aaa|crypto
>>>>>> aaa new-model
>>>>>> aaa authentication login con none
>>>>>> aaa authentication login vty line
>>>>>> aaa authentication login ezvpn local
>>>>>> aaa authorization network ezvpn local
>>>>>> aaa session-id common
>>>>>> crypto isakmp policy 10
>>>>>>  encr 3des
>>>>>>  hash md5
>>>>>>  authentication pre-share
>>>>>>  group 2
>>>>>> crypto isakmp client configuration group DHCP
>>>>>>  key cisco
>>>>>>  dns 10.0.0.100
>>>>>>  domain INE.com
>>>>>>  acl ezacl
>>>>>>  dhcp server 10.0.0.100
>>>>>>  dhcp giaddr 20.0.0.10
>>>>>> crypto isakmp profile isapro1
>>>>>>  match identity group DHCP
>>>>>>  client authentication list ezvpn
>>>>>>  isakmp authorization list ezvpn
>>>>>>  client configuration address respond
>>>>>>  client configuration group DHCP
>>>>>>  virtual-template 1
>>>>>> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
>>>>>> crypto ipsec profile ipspro1
>>>>>>  set transform-set ezset
>>>>>>  set reverse-route tag 100
>>>>>>  set isakmp-profile isapro1
>>>>>> !
>>>>>> interface Loopback1
>>>>>>  ip address 20.0.0.10 255.255.255.0
>>>>>> !
>>>>>> router rip
>>>>>>  redistribute connected
>>>>>> !
>>>>>> ip access-list extended ezacl
>>>>>>  permit ip 10.0.0.0 0.0.0.255 any
>>>>>> !
>>>>>> interface Virtual-Template1 type tunnel
>>>>>>  ip unnumbered FastEthernet0/1
>>>>>>  tunnel mode ipsec ipv4
>>>>>>  tunnel protection ipsec profile ipspro1
>>>>>>
>>>>>> ACS's IP is 10.0.0.100; the DHCP zone configured on it is 20.0.0.1-20.0.0.254,
>>>>>> excluded addresses 20.0.0.1-20.0.0.10.
>>>>>>
>>>>>> The PC client received IP 20.0.0.11 & I see it allocated in the DHCP console.
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Andrey
>>>>>>
>>>>>> _______________________________________________
>>>>>> For more information regarding industry leading CCIE Lab training,
>>>>>> please visit www.ipexpert.com
>>>>>>
>>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>>> www.PlatinumPlacement.com
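The relay mechanics Piotr describes above (GIADDR selects the DHCP scope and is also where the server unicasts the DHCPOFFER, so the server needs a route back to it), as an added example that is not part of the thread and not Cisco code. It is a toy RFC 2131 encoder/decoder with a relay side and a server side; the addressing follows Andrey's lab (server 10.0.0.100, pool 20.0.0.0/24 with 20.0.0.1-20.0.0.10 excluded, giaddr 20.0.0.10), while the client MAC, the server's routing table and the RoutingError type are constructed for the example.

```python
# Added example, not Cisco code: toy model of the DHCP relay path the thread
# describes. The EzVPN server originates a DHCPDISCOVER with GIADDR set; the
# DHCP server picks its pool from GIADDR's subnet and unicasts the DHCPOFFER
# back to GIADDR (RFC 2131 s.4.1, s.4.3.1), so it needs a route to that address.
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # fixed BOOTP header, 236 bytes


class RoutingError(Exception):
    """The DHCP server has no route back to the relay address (GIADDR)."""


def build_dhcp(op, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", hops=0, options=()):
    """Encode a DHCP message: fixed header, magic cookie, TLV options, END."""
    header = struct.pack(
        HEADER_FMT, op, 1, 6, hops, xid, 0, 0,
        ipaddress.IPv4Address("0.0.0.0").packed,  # ciaddr: client has no address yet
        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr: offered address, server fills
        ipaddress.IPv4Address("0.0.0.0").packed,  # siaddr: unused here
        ipaddress.IPv4Address(giaddr).packed,     # giaddr: relay agent address
        chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128,
    )
    tlvs = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + tlvs + bytes([OPT_END])


def parse_dhcp(pkt):
    """Decode the header fields the relay/server logic needs, plus the options."""
    f = struct.unpack_from(HEADER_FMT, pkt, 0)
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])),
            "chaddr": f[11][:f[2]], "options": options}


def relay_discover(client_mac, xid, giaddr):
    """EzVPN server acting as relay: originate a DISCOVER for the IPsec client.
    giaddr is the configured 'dhcp giaddr', else the egress interface address."""
    return build_dhcp(BOOTREQUEST, xid, client_mac, giaddr=giaddr, hops=1,
                      options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])


class DhcpServer:
    """Pool is chosen by GIADDR's subnet; the OFFER is addressed to GIADDR."""

    def __init__(self, server_ip, pools, routes):
        self.server_ip = ipaddress.IPv4Address(server_ip)
        self.pools = {}  # network -> free addresses, minus the excluded range
        for net, (lo, hi) in pools.items():
            network = ipaddress.ip_network(net)
            excluded = range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1)
            self.pools[network] = [h for h in network.hosts() if int(h) not in excluded]
        self.routes = [ipaddress.ip_network(r) for r in routes]  # RIP/static routing table

    def handle(self, pkt):
        """Return (destination_ip, DHCPOFFER bytes), or None if no scope matches."""
        msg = parse_dhcp(pkt)
        if msg["op"] != BOOTREQUEST or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
            return None
        giaddr = ipaddress.IPv4Address(msg["giaddr"])
        # RFC 2131 s.4.3.1: non-zero giaddr -> allocate from the subnet containing it.
        pool = next((p for net, p in self.pools.items() if giaddr in net), None)
        if not pool:
            return None  # no matching scope, the relay simply times out
        offer = build_dhcp(BOOTREPLY, msg["xid"], msg["chaddr"], giaddr=str(giaddr),
                           yiaddr=str(pool.pop(0)), hops=msg["hops"],
                           options=[(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                                    (OPT_SERVER_ID, self.server_ip.packed)])
        # RFC 2131 s.4.1: giaddr != 0 -> unicast the reply to giaddr on UDP 67.
        if not any(giaddr in r for r in self.routes):
            raise RoutingError(f"no route to relay {giaddr}; OFFER cannot be delivered")
        return str(giaddr), offer


def demo(giaddr, server_routes):
    """One DISCOVER/OFFER exchange with Andrey's lab addressing; constructed client MAC."""
    server = DhcpServer("10.0.0.100", {"20.0.0.0/24": ("20.0.0.1", "20.0.0.10")}, server_routes)
    result = server.handle(relay_discover(b"\x00\x1b\x54\x00\x00\x01", 0x1234, giaddr))
    return None if result is None else (result[0], parse_dhcp(result[1])["yiaddr"])
```

Three calls map onto the three situations in the thread: `demo("20.0.0.10", ["10.0.0.0/24", "20.0.0.0/24"])` is Andrey's working lab (Loopback1 advertised by RIP, first free address 20.0.0.11 offered back to 20.0.0.10); `demo("20.0.0.10", ["10.0.0.0/24"])` raises RoutingError, the missing return route Piotr suspects; `demo("136.1.23.3", ["0.0.0.0/0"])` returns None because a GIADDR taken from the egress interface matches no scope, which is why the loopback address must also be the configured 'dhcp giaddr'. None of this models the separate problem in Kings' debug, where the EzVPN server never sent a DISCOVER at all.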
