Re: easy vpn - XAUTH issue

From: Edouard Zorrilla (ezorrilla@tsf.com.pe)
Date: Thu Oct 05 2006 - 23:38:24 ART

Sir,

For HW xauth you have to enter the user and password manually as soon as you
get :

EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth

Besides, you are using a "crypto isakmp key cciesec address 0.0.0.0 0.0.0.0"
and also "crypto isakmp client configuration group ezvpn" if this is a EZVPN
the first one is not necessary, take a look at this:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftezvpcm.htm#1116046,
for a sample config.

Regarding the pool, it has no relation with any interface, remember that
this net is being routed thru the network, as a matter of fact you can put
it inside a routing protocol so that i can be learned by someone else.

Finally, in your debug you are not using "debug crypto ipsec client ezvpn",
try this one, it can help a lot,

HTH,
Regards

----- Original Message -----
From: "Kal Han" <calikali2006@gmail.com>
To: "Cisco certification" <security@groupstudy.com>;
<ccielab@groupstudy.com>
Sent: Thursday, October 05, 2006 2:09 PM
Subject: easy vpn - XAUTH issue

>I am trying to configure router - to - router easy vpn.
> One router is the client and other is the server.
> Things are working fine without XAUTH.
> When I enable XAUTH, its not working.
> The same config on the server is working fine with a software client.
> ( with out any change, I get the username/password dialog and after I
> enter,
> I get connected )
> BUT NOT FOR hardware clients. What is the difference, in terms of config.
> There shouldnt be anything on the server.. is that right ?
> What are the commong reasons for XAUTH failures ?
> Is there any requirement for the ip local pool ? ( like should it be part
> of
> any directly connected
> subnets to the server ? )
>
> Server is getting stuck here:
> *R1#sh cry isa sa
> dst src state conn-id slot
> 195.1.123.1 195.1.123.3 CONF_XAUTH 1 0*
> **
> Client is getting stuck here:
> *R3#sh cry isa sa
> dst src state conn-id slot
> 195.1.123.1 195.1.123.3 CONF_ADDR 1 0*
>
> *Related Server Config:*
> ---------------------------------
> username admin priv 15 pass admin
> ip local pool ippool 195.145.1.200 195.145.1.250
>
> aaa new-model
> !
> !
> aaa authentication login hw local
> aaa authorization network hw local
> aaa session-id common
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local ippool
> crypto isakmp xauth timeout 90
>
> !
> crypto isakmp client configuration group ezvpn
> key cciesec
> dns 1.1.1.10
> wins 1.1.1.11
> pool ippool
> !
> !
> crypto ipsec transform-set ts esp-3des esp-md5-hmac
> !
> crypto dynamic-map dmap 10
> set transform-set ts
> reverse-route
> !
> !
> crypto map cm client authentication list hw
> crypto map cm isakmp authorization list hw
> crypto map cm client configuration address respond
> crypto map cm 10 ipsec-isakmp dynamic dmap
>
> *Client Config:
> *-------------------
>
> crypto ipsec client ezvpn easyvpn
> connect manual
> group ezvpn key cciesec
> mode client
> peer 195.1.123.1
>
> *Debug Output On Server ( after "crypto ipsec client ezvpn connect
> easyvpn"
> on client )
> *
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> *Mar 1 14:30:52.660: ISAKMP (0:0): received packet from 195.1.123.3 dport
> 500 sport 500 Global (N) NEW SA
> *Mar 1 14:30:52.660: ISAKMP: Created a peer struct for 195.1.123.3, peer
> port 500
> *Mar 1 14:30:52.664: ISAKMP: Locking peer struct 0x8256E600, IKE refcount
> 1
> for crypto_ikmp_config_initialize_sa
> *Mar 1 14:30:52.664: ISAKMP (0:0): Setting client config settings
> 82E58AC4
> *Mar 1 14:30:52.664: ISAKMP (0:0): (Re)Setting client xauth list and
> state
> *Mar 1 14:30:52.664: ISAKMP: local port 500, remote port 500
> *Mar 1 14:30:52.668: ISAKMP: insert sa successfully sa = 82BE1684
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing SA payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing ID payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 157
> mismatch
> *Mar 1 14:30:52.668: ISAKMP
> R1#(0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 123
> mismatch
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.672: ISAKMP (0:1) Authentication by xauth preshared
> *Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against
> priority 10 policy
> *Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
> *Mar 1 14:30:52.672: ISAKMP: hash MD5
> *Mar 1 14:30:52.672: ISAKMP: default group 2
> *Mar 1 14:30:52.672: ISAKMP: auth pre-share
> *Mar 1 14:30:52.672: ISAKMP: life type in seconds
> *Mar 1 14:30:52.672: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
> 0x80
>
> *Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
> *Mar 1 14:30:52.892: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 157
> mismatch
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 123
> mismatch
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing KE payload. message ID = 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing NONCE payload. message ID =
> 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.172: ISAKMP (0:1): vendor ID is DPD
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID seems Unity/DPD but major 36
> mismatch
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is XAUTH
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): claimed IOS but failed authentication
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is Unity
> *Mar 1 14:30:53.180: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_AM_EXCH
> *Mar 1 14:30:53.180: ISAKMP (0:1): Old State = IKE_READY New State =
> IKE_R_AM_AAA_AWAIT
>
> *Mar 1 14:30:53.184: ISAKMP: got callback 1
> *Mar 1 14:30:53.188: ISAKMP (0:1): SKEYID state generated
> *Mar 1 14:30:53.188: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> *Mar 1 14:30:53.188: ISAKMP (0:1): SA is doing pre-shared key
> authentication using id type ID_IPV4_ADDR
> *Mar 1 14:30:53.188: ISAKMP (1): ID payload
> next-payload : 10
> type : 1
> addr : 195.1.123.1
> protocol : 17
> port : 0
> length : 8
> *Mar 1 14:30:53.192: ISAKMP (1): Total payload length: 12
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed HIS NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed MINE NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) AG_INIT_EXCH
> *Mar 1 14:30:53.192: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
> PRESHARED_KEY_REPLY
> *Mar 1 14:30:53.192: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New
> State = IKE_R_AM2
>
> *Mar 1 14:30:53.480: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) AG_INIT_EXCH
> *Mar 1 14:30:53.484: ISAKMP (0:1): processing HASH payload. message ID =
> 0
> *Mar 1 14:30:53.484: ISAKMP:received payload type 17
> *Mar 1 14:30:53.484: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.484: ISAKMP (0:1): recalc my hash for NAT-D
> *Mar 1 14:30:53.484: ISAKMP (0:1): NAT match MINE hash
> *Mar 1 14:30:53.488: ISAKMP:received payload type 17
> *Mar 1 14:30:53.488: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.488: ISAKMP (0:1): recalc his hash for NAT-D
> *Mar 1 14:30:53.488: ISAKMP (0:1): NAT match HIS hash
> *Mar 1 14:30:53.488: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT
> protocol 1
> spi 0, message ID = 0, sa = 82BE1684
> *Mar 1 14:30:53.488: ISAKMP (0:1): Process initial contact,
> bring down existing phase 1 and 2 SA's with local 195.1.123.1 remote
> 195.1.123.3 remote port 500
> *Mar 1 14:30:53.488: ISAKMP (0:1): returning IP addr to the address pool
> *Mar 1 14:30:53.492: ISAKMP (0:1): SA has been authenticated with
> 195.1.123.3
> *Mar 1 14:30:53.492: ISAKMP: Trying to insert a peer 195.1.123.3/500/,
> and
> inserted successfully.
> *Mar 1 14:30:53.492: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:53.492: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_AM_EXCH
> *Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
> IKE_P1_COMPLETE
>
> *Mar 1 14:30:53.492: IPSEC(key_engine): got a queue event...
> *Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
> *Mar 1 14:30:53.496: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_COMPLETE
> *Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State
> =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT
>
> *Mar 1 14:30:53.496: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP: set new node 1695602336 to CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP (0:1): processing transaction payload from
> 195.1.123.3. message ID = 1695602336
> *Mar 1 14:30:53.500: ISAKMP: Config payload REQUEST
> *Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
> IKE_CFG_REQUEST
>
> *Mar 1 14:30:53.504: ISAKMP: got callback 1
> *Mar 1 14:30:53.504: ISAKMP: set new node -1928528013 to CONF_XAUTH
> *Mar 1 14:30:53.504: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
> *Mar 1 14:30:53.508: ISAKMP/xauth: request attribute
> XAUTH_USER_PASSWORD_V2
> *Mar 1 14:30:53.508: ISAKMP (0:1): initiating peer config to 195.1.123.3.
> ID = -1928528013
> *Mar 1 14:30:53.508: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) CONF_XAUTH
> *Mar 1 14:30:53.508: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
> IKE_AAA_START_LOGIN
> *Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
>
> *Mar 1 14:30:58.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:58.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> R1#
> *Mar 1 14:31:03.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:03.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> R1#
> *Mar 1 14:31:03.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:08.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:08.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:31:08.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:31:08.488: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> R1#
> *Mar 1 14:31:08.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:13.488: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:13.488: ISAKMP: set new node 813951137 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R)
> CONF_XAUTH (peer 195.1.123.3) input queue 0
> *Mar 1 14:31:13.492: ISAKMP: set new node 236968093 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) MM_NO_STATE
> *Mar 1 14:31:13.492: ISAKMP (0:1): purging node 236968093
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 1695602336 error FALSE
> reason ""
> R1#
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node -1928528013 error FALSE
> reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 813951137 error FALSE
> reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_INFO_DELETE
> *Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
> State = IKE_DEST_SA
>
> Thanks
> Kal
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART