easy vpn - XAUTH issue

From: Kal Han (calikali2006@gmail.com)
Date: Thu Oct 05 2006 - 16:09:09 ART


I am trying to configure router-to-router Easy VPN.
One router is the client and the other is the server.
Things are working fine without XAUTH.
When I enable XAUTH, it's not working.
The same config on the server is working fine with a software client
(without any change, I get the username/password dialog and after I enter,
I get connected)
BUT NOT FOR hardware clients. What is the difference, in terms of config?
There shouldn't be anything on the server... is that right?
What are the common reasons for XAUTH failures?
Is there any requirement for the ip local pool? (like should it be part of
any directly connected subnets to the server?)

Server is getting stuck here:

R1#sh cry isa sa
dst             src             state        conn-id  slot
195.1.123.1     195.1.123.3     CONF_XAUTH   1        0

Client is getting stuck here:

R3#sh cry isa sa
dst             src             state        conn-id  slot
195.1.123.1     195.1.123.3     CONF_ADDR    1        0

Related Server Config:
---------------------------------
username admin priv 15 pass admin
ip local pool ippool 195.145.1.200 195.145.1.250

aaa new-model
!
!
aaa authentication login hw local
aaa authorization network hw local
aaa session-id common
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ippool
crypto isakmp xauth timeout 90

!
crypto isakmp client configuration group ezvpn
 key cciesec
 dns 1.1.1.10
 wins 1.1.1.11
 pool ippool
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
!
crypto dynamic-map dmap 10
 set transform-set ts
 reverse-route
!
!
crypto map cm client authentication list hw
crypto map cm isakmp authorization list hw
crypto map cm client configuration address respond
crypto map cm 10 ipsec-isakmp dynamic dmap

Client Config:
---------------------------------

crypto ipsec client ezvpn easyvpn
 connect manual
 group ezvpn key cciesec
 mode client
 peer 195.1.123.1

Debug Output On Server (after "crypto ipsec client ezvpn connect easyvpn"
on client)
---------------------------------

*Mar 1 14:30:52.660: ISAKMP (0:0): received packet from 195.1.123.3 dport
500 sport 500 Global (N) NEW SA
*Mar 1 14:30:52.660: ISAKMP: Created a peer struct for 195.1.123.3, peer
port 500
*Mar 1 14:30:52.664: ISAKMP: Locking peer struct 0x8256E600, IKE refcount 1
for crypto_ikmp_config_initialize_sa
*Mar 1 14:30:52.664: ISAKMP (0:0): Setting client config settings 82E58AC4
*Mar 1 14:30:52.664: ISAKMP (0:0): (Re)Setting client xauth list and state
*Mar 1 14:30:52.664: ISAKMP: local port 500, remote port 500
*Mar 1 14:30:52.668: ISAKMP: insert sa successfully sa = 82BE1684
*Mar 1 14:30:52.668: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 14:30:52.668: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157
mismatch
*Mar 1 14:30:52.668: ISAKMP
R1#(0:1): vendor ID is NAT-T v3
*Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123
mismatch
*Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID is NAT-T v2
*Mar 1 14:30:52.672: ISAKMP (0:1) Authentication by xauth preshared
*Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against
priority 10 policy
*Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
*Mar 1 14:30:52.672: ISAKMP: hash MD5
*Mar 1 14:30:52.672: ISAKMP: default group 2
*Mar 1 14:30:52.672: ISAKMP: auth pre-share
*Mar 1 14:30:52.672: ISAKMP: life type in seconds
*Mar 1 14:30:52.672: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
*Mar 1 14:30:52.892: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157
mismatch
*Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID is NAT-T v3
*Mar 1 14:30:52.896: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123
mismatch
*Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID is NAT-T v2
*Mar 1 14:30:52.896: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 14:30:53.172: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 14:30:53.172: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.172: ISAKMP (0:1): vendor ID is DPD
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID seems Unity/DPD but major 36
mismatch
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is XAUTH
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): claimed IOS but failed authentication
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is Unity
*Mar 1 14:30:53.180: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 14:30:53.180: ISAKMP (0:1): Old State = IKE_READY New State =
IKE_R_AM_AAA_AWAIT

*Mar 1 14:30:53.184: ISAKMP: got callback 1
*Mar 1 14:30:53.188: ISAKMP (0:1): SKEYID state generated
*Mar 1 14:30:53.188: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 14:30:53.188: ISAKMP (0:1): SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Mar 1 14:30:53.188: ISAKMP (1): ID payload
        next-payload : 10
        type : 1
        addr : 195.1.123.1
        protocol : 17
        port : 0
        length : 8
*Mar 1 14:30:53.192: ISAKMP (1): Total payload length: 12
*Mar 1 14:30:53.192: ISAKMP (0:1): constructed HIS NAT-D
*Mar 1 14:30:53.192: ISAKMP (0:1): constructed MINE NAT-D
*Mar 1 14:30:53.192: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) AG_INIT_EXCH
*Mar 1 14:30:53.192: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
PRESHARED_KEY_REPLY
*Mar 1 14:30:53.192: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New
State = IKE_R_AM2

*Mar 1 14:30:53.480: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) AG_INIT_EXCH
*Mar 1 14:30:53.484: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 14:30:53.484: ISAKMP:received payload type 17
*Mar 1 14:30:53.484: ISAKMP (0:1): Detected NAT-D payload
*Mar 1 14:30:53.484: ISAKMP (0:1): recalc my hash for NAT-D
*Mar 1 14:30:53.484: ISAKMP (0:1): NAT match MINE hash
*Mar 1 14:30:53.488: ISAKMP:received payload type 17
*Mar 1 14:30:53.488: ISAKMP (0:1): Detected NAT-D payload
*Mar 1 14:30:53.488: ISAKMP (0:1): recalc his hash for NAT-D
*Mar 1 14:30:53.488: ISAKMP (0:1): NAT match HIS hash
*Mar 1 14:30:53.488: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT
protocol 1
        spi 0, message ID = 0, sa = 82BE1684
*Mar 1 14:30:53.488: ISAKMP (0:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 195.1.123.1 remote
195.1.123.3 remote port 500
*Mar 1 14:30:53.488: ISAKMP (0:1): returning IP addr to the address pool
*Mar 1 14:30:53.492: ISAKMP (0:1): SA has been authenticated with
195.1.123.3
*Mar 1 14:30:53.492: ISAKMP: Trying to insert a peer 195.1.123.3/500/, and
inserted successfully.
*Mar 1 14:30:53.492: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 14:30:53.492: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
IKE_P1_COMPLETE

*Mar 1 14:30:53.492: IPSEC(key_engine): got a queue event...
*Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
*Mar 1 14:30:53.496: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT

*Mar 1 14:30:53.496: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:30:53.500: ISAKMP: set new node 1695602336 to CONF_XAUTH
*Mar 1 14:30:53.500: ISAKMP (0:1): processing transaction payload from
195.1.123.3. message ID = 1695602336
*Mar 1 14:30:53.500: ISAKMP: Config payload REQUEST
*Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
IKE_CFG_REQUEST

*Mar 1 14:30:53.504: ISAKMP: got callback 1
*Mar 1 14:30:53.504: ISAKMP: set new node -1928528013 to CONF_XAUTH
*Mar 1 14:30:53.504: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 1 14:30:53.508: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 1 14:30:53.508: ISAKMP (0:1): initiating peer config to 195.1.123.3.
ID = -1928528013
*Mar 1 14:30:53.508: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) CONF_XAUTH
*Mar 1 14:30:53.508: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
IKE_AAA_START_LOGIN
*Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT

*Mar 1 14:30:58.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:30:58.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:30:58.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
R1#
*Mar 1 14:31:03.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:03.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:03.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
R1#
*Mar 1 14:31:03.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
*Mar 1 14:31:08.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:08.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:31:08.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:31:08.488: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:08.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
R1#
*Mar 1 14:31:08.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
*Mar 1 14:31:13.488: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:13.488: ISAKMP: set new node 813951137 to CONF_XAUTH
*Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R)
CONF_XAUTH (peer 195.1.123.3) input queue 0
*Mar 1 14:31:13.492: ISAKMP: set new node 236968093 to CONF_XAUTH
*Mar 1 14:31:13.492: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) MM_NO_STATE
*Mar 1 14:31:13.492: ISAKMP (0:1): purging node 236968093
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 1695602336 error FALSE
reason ""
R1#
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node -1928528013 error FALSE
reason ""
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 813951137 error FALSE
reason ""
*Mar 1 14:31:13.496: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
IKE_INFO_DELETE
*Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
State = IKE_DEST_SA

Thanks
Kal
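Reading a stalled negotiation out of the server-side debug output, as an added example that is not part of the original post: the parser re-joins records the mail archive wrapped across lines, then pulls out the ISAKMP state transitions, the "Unknown Input" events and the phase 2 retransmit counts, so the state the SA was sitting in when the peer deleted it can be named without scrolling the whole log. The sample lines are constructed to mirror the shapes in the post's output.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" output quoted in
# the post, wrapped the same way the mail archive wraps long records.
SAMPLE_DEBUG = """\
*Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
IKE_P1_COMPLETE
*Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT
*Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
IKE_CFG_REQUEST
*Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
UNKNOWN_RE = re.compile(r"Unknown Input: state = (\S+?), major, minor = (\S+?), (\S+)")
RETRANS_RE = re.compile(r"retransmitting phase 2 (\S+) (\S+)")

def unwrap(text: str) -> list[str]:
    """Re-join wrapped records: a line that does not start with the IOS
    timestamp marker '*Mar' is a continuation of the previous record."""
    records: list[str] = []
    for line in text.splitlines():
        if line.startswith("*Mar") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def analyze(text: str) -> dict:
    """Collect (old, new) state pairs, unknown-input events and the number of
    retransmits per (exchange, message id)."""
    transitions, unknown, retrans = [], [], {}
    for rec in unwrap(text):
        if m := STATE_RE.search(rec):
            transitions.append((m.group(1), m.group(2)))
        elif m := UNKNOWN_RE.search(rec):
            unknown.append((m.group(1), m.group(2), m.group(3)))
        elif m := RETRANS_RE.search(rec):
            key = (m.group(1), m.group(2))
            retrans[key] = retrans.get(key, 0) + 1
    return {"transitions": transitions, "unknown_inputs": unknown, "retransmits": retrans}

def stall_point(report: dict) -> str:
    """State the SA was in just before it went to IKE_DEST_SA (or the last state seen)."""
    for old, new in reversed(report["transitions"]):
        if new == "IKE_DEST_SA":
            return old
    return report["transitions"][-1][1] if report["transitions"] else "unknown"
```

On the post's server log the result is a stall in IKE_XAUTH_REQ_SENT with two retransmits of the CONF_XAUTH node 1695602336 and one unknown IKE_CFG_REQUEST received while the server was still in IKE_XAUTH_AAA_START_LOGIN_AWAIT.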



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART