EasyVPN IOS Error
I threw a quick blog up the other night when I was at my wits’ end. Now today I’m trying to tackle it again. Here is the detailed information. Think you know what’s wrong?
Topology:
This is the basic topology I’m working with. There is a VPN 3000 acting as the EasyVPN server and a router (r3) acting as the EasyVPN remote. The goal is to have r3 act as a VPN client, establishing a tunnel. It should then get an IP address from an address pool configured on the concentrator.
The Concentrator Config:
First I made sure that the Public Interface had the Public Filter applied and it did…
Then I made sure that the group EZVPN supported IPSec.
There is an IPSec SA associated with the group. No idea why the router wouldn’t be able to do this…
Now here is the config on R3, the EasyVPN client:
r3#sh run
Building configuration...
Current configuration : 1215 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN
connect manual
group EZVPN key CISCO
mode client
peer 136.8.111.11
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 136.8.113.3 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN
!
interface Ethernet0/1
ip address 136.8.100.3 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN inside
!
interface Serial1/0
no ip address
encapsulation frame-relay IETF
shutdown
frame-relay lmi-type cisco
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
ip address 136.8.23.3 255.255.255.0
clockrate 64000
!
router rip
version 2
network 136.8.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end
And finally the error:
You can find the video of the live event log here: I can’t get the video to embed. I’m still a rookie.
So anyhow, after becoming really mad and figuring the concentrator wasn’t the problem I reloaded the router and rebuilt the config. Guess what? It worked. Here are the final commands, verification, and show run output. I still don’t see my error.
r3(config)#do sh ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                136.8.113.3     YES NVRAM  up                    up
Ethernet0/1                136.8.100.3     YES NVRAM  up                    up
Serial1/0                  unassigned      YES NVRAM  administratively down down
Serial1/1                  unassigned      YES NVRAM  administratively down down
Serial1/2                  unassigned      YES NVRAM  administratively down down
Serial1/3                  136.8.23.3      YES NVRAM  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
r3(config)#cry ipsec
r3(config)#cry ipsec c
r3(config)#cry ipsec client e
r3(config)#cry ipsec client ezvpn EZVPN
r3(config-crypto-ezvpn)#connect ma
r3(config-crypto-ezvpn)#connect manual
r3(config-crypto-ezvpn)#gr
r3(config-crypto-ezvpn)#group EZVPN key CISCO
r3(config-crypto-ezvpn)#mode c
r3(config-crypto-ezvpn)#mode client
r3(config-crypto-ezvpn)#peer 136.8.113.11
r3(config-crypto-ezvpn)#int e0/0
r3(config-if)#cry ip
r3(config-if)#cry ipsec e
r3(config-if)#cry ipsec c
r3(config-if)#cry ipsec client e
r3(config-if)#cry ipsec client ezvpn EZVPN ou
r3(config-if)#cry ipsec client ezvpn EZVPN outside
r3(config-if)#int e0/1
r3(config-if)#cry ipsec client ezvpn EZVPN inside
r3(config-if)#end
r3#cry
*Mar 1 00:36:27.893: %SYS-5-CONFIG_I: Configured from console by consolecl
r3#cry ip
r3#cry ipsec e
r3#cry ipsec c
r3#cry ipsec client e
r3#cry ipsec client ezvpn ?
connect Connect
xauth Extended Authentication
r3#cry ipsec client ezvpn c
r3#cry ipsec client ezvpn connect
r3#
*Mar 1 00:36:57.838: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*Mar 1 00:36:57.838: EZVPN: crypto ipsec client ezvpn xauth
conf t
*Mar 1 00:37:07.839: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*Mar 1 00:37:07.839: EZVPN: crypto ipsec client ezvpn xauth
cry ipsec client ezvpn
*Mar 1 00:37:17.839: EZVPN(EZVPN): Pending XAuth Request, Please enter the following command:
*Mar 1 00:37:17.839: EZVPN: crypto ipsec client ezvpn xauth
x
r3#cry ipsec client ezvpn xauth
Enter Username and Password.: CISCO
Password: : CISCO1234
r3#show c
r3#show cy
r3#show cry
r3#show crypto ip
r3#show crypto ipsec e
r3#show crypto ipsec c
r3#show crypto ipsec client ?
ezvpn Show EzVPN Status
r3#show crypto ipsec client e
r3#show crypto ipsec client ezvpn ?
| Output modifiers
r3#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : EZVPN
Inside interface list: Ethernet0/1,
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 20.0.0.1
Mask: 255.255.255.255
Split Tunnel List: 1
Address : 136.8.111.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
r3#ping 136.8.111.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.8.111.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
And it worked! Here is the running configuration now on R3:
r3#sh run
Building configuration...
Current configuration : 1224 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r3
!
logging queue-limit 100
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN
connect manual
group EZVPN key CISCO
mode client
peer 136.8.113.11
!
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
ip address 136.8.113.3 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN
!
interface Ethernet0/1
ip address 136.8.100.3 255.255.255.0
half-duplex
crypto ipsec client ezvpn EZVPN inside
!
interface Serial1/0
no ip address
encapsulation frame-relay IETF
shutdown
frame-relay lmi-type cisco
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
ip address 136.8.23.3 255.255.255.0
clockrate 64000
!
router rip
version 2
network 136.8.0.0
no auto-summary
!
ip http server
no ip http secure-server
ip classless
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
Hmm! Oh well, time to move on.
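Added example, not part of the original post: a section-aware diff of the two "sh run" outputs above, reporting the lines that differ between the first configuration and the rebuilt one. The excerpts are trimmed copies of the page's output, and the function names are hypothetical.

```python
# Added example: section-aware diff of the two r3 "sh run" outputs on this page.
# The excerpts are trimmed copies of those outputs; names here are hypothetical.
HEADERS = ("interface ", "crypto ipsec client ezvpn ", "router ", "line ")

BEFORE = """\
crypto ipsec client ezvpn EZVPN
peer 136.8.111.11
!
interface Ethernet0/0
crypto ipsec client ezvpn EZVPN
!
line aux 0
line vty 0 4
"""

AFTER = """\
crypto ipsec client ezvpn EZVPN
peer 136.8.113.11
!
interface Ethernet0/0
crypto ipsec client ezvpn EZVPN
!
line aux 0
line vty 0 4
login
"""

def parse(config):
    """Return the set of (section, command) pairs in an IOS config."""
    pairs, section, fresh = set(), "global", True
    for line in map(str.strip, config.splitlines()):
        if line in ("", "!"):          # '!' closes the current section
            section, fresh = "global", True
            continue
        # The pasted output has no indentation, so trust a header only at the
        # start of a block or when one "line ..." header follows another.
        if line.startswith(HEADERS) and (fresh or line.startswith("line ")):
            section = line
        pairs.add((section, line))
        fresh = False
    return pairs

def diff_configs(before, after):
    b, a = parse(before), parse(after)
    return sorted(b - a), sorted(a - b)  # (removed, added)

if __name__ == "__main__":
    print(*diff_configs(BEFORE, AFTER), sep="\n")
```

Keying each command by its section keeps the per-interface `crypto ipsec client ezvpn EZVPN` line from being mistaken for the tunnel definition of the same name.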


