From: Sam Lai (sam@ccnpro.net)
Date: Fri Oct 06 2006 - 00:55:09 ART
Hi Kal -
I think you have the IKE proposal mismatch issue between the ezvpn server and client routers. I had the exact same problem. The conclusion is that the IOS versions of the ezvpn server and client do not match.
Why does it matter? Because ezvpn (especially with a router as ezvpn client) phase I communication is based on a set of isakmp policies #655xx, and these proposals are preset and cannot be modified.
This problem happens, for example, when the ezvpn server supports pre-share/md5/group2 (12.3) while the ezvpn client supports only pre-share/md5/group1.
This symptom is similar to the cisco vpn software client prior to 3.x vs. 4.x - that's why you have to create two different vpngroups (aka their compatible isakmp proposals).
I would suggest you try changing the hash to sha or the dh to group1 - it "might" work sometimes, from my experience. The long term fix is to standardize your routers' IOS version. It worked like a charm for me when I upgraded both ends to 12.3.
HTH,
Sam
Sam Lai
CCIE#12812
CISSP#90903
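The responder-side matching Sam describes, as an added example (not code from this thread or from Cisco): the server walks its isakmp policies in priority order and accepts the first whose encryption/hash/authentication/DH group equals one of the attribute sets the initiator offers. The client proposal lists below are constructed stand-ins for the preset policies of an EzVPN hardware client (the thread says only that they depend on IOS version); the real lists and the priority 20 used for the workaround policy are assumptions.

```python
"""Responder-side IKE phase 1 proposal matching, in miniature.

Added example, not from the thread. Ignores lifetime comparison and AES key
lengths; only encryption/hash/auth/group are matched.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # "des", "3des", "aes"
    hash: str         # "md5" or "sha"
    auth: str         # "pre-share", "rsa-sig", ...
    group: int        # Diffie-Hellman group number


def negotiate(server_policies, client_proposals):
    """Return (priority, proposal) of the first match, else None.
    server_policies: {priority: Proposal}, checked in ascending priority,
    which is the order IOS walks `crypto isakmp policy <n>` entries."""
    for prio in sorted(server_policies):
        for prop in client_proposals:
            if prop == server_policies[prio]:
                return prio, prop
    return None


def diff_report(server_policies, client_proposals):
    """For every (policy, proposal) pair, list the attributes that differ.
    Tells you whether a single knob (hash or group) would close the gap."""
    out = []
    for prio, pol in sorted(server_policies.items()):
        for prop in client_proposals:
            differing = tuple(f for f in ("encryption", "hash", "auth", "group")
                              if getattr(pol, f) != getattr(prop, f))
            out.append((prio, prop, differing))
    return out


# Kal's server: policy 10 with no `encryption` line, so IOS default DES,
# MD5, pre-share, group 2 (matches the DES-CBC/MD5/group 2 in his debug).
SERVER = {10: Proposal("des", "md5", "pre-share", 2)}
# Constructed: an older client whose preset policies offer only group 1.
CLIENT_OLD = [Proposal("3des", "md5", "pre-share", 1),
              Proposal("des", "md5", "pre-share", 1)]
# Constructed: a newer client that also offers group 2.
CLIENT_NEW = CLIENT_OLD + [Proposal("des", "md5", "pre-share", 2)]
# Sam's short-term workaround: add a policy that adopts the client's group.
SERVER_WITH_GROUP1 = {**SERVER, 20: Proposal("des", "md5", "pre-share", 1)}

if __name__ == "__main__":
    print("old client vs server:", negotiate(SERVER, CLIENT_OLD))
    print("new client vs server:", negotiate(SERVER, CLIENT_NEW))
    print("old client vs server+group1:", negotiate(SERVER_WITH_GROUP1, CLIENT_OLD))
    for prio, prop, diff in diff_report(SERVER, CLIENT_OLD):
        print(f"policy {prio} vs {prop}: differs in {diff}")
```

With the constructed lists, the old client fails against policy 10 on the group alone, which is exactly the case where adding a group1 policy on the server makes phase 1 complete; if the report shows two or more attributes differing per proposal, a single-knob change will not help and the version alignment Sam recommends is the only fix.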
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
Sent: Thursday, October 05, 2006 3:09 PM
To: Cisco certification; ccielab@groupstudy.com
Subject: easy vpn - XAUTH issue
I am trying to configure router - to - router easy vpn.
One router is the client and other is the server.
Things are working fine without XAUTH.
When I enable XAUTH, it's not working.
The same config on the server is working fine with a software client.
( without any change, I get the username/password dialog and after I enter, I get connected )
BUT NOT FOR hardware clients. What is the difference, in terms of config?
There shouldn't be anything on the server.. is that right ?
What are the common reasons for XAUTH failures ?
Is there any requirement for the ip local pool ? ( like should it be part of any directly connected subnets to the server ? )
Server is getting stuck here:
R1#sh cry isa sa
dst src state conn-id slot
195.1.123.1 195.1.123.3 CONF_XAUTH 1 0
Client is getting stuck here:
R3#sh cry isa sa
dst src state conn-id slot
195.1.123.1 195.1.123.3 CONF_ADDR 1 0
Related Server Config:
---------------------------------
username admin priv 15 pass admin
ip local pool ippool 195.145.1.200 195.145.1.250
aaa new-model
!
!
aaa authentication login hw local
aaa authorization network hw local
aaa session-id common
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ippool
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group ezvpn
key cciesec
dns 1.1.1.10
wins 1.1.1.11
pool ippool
!
!
crypto ipsec transform-set ts esp-3des esp-md5-hmac
!
crypto dynamic-map dmap 10
set transform-set ts
reverse-route
!
!
crypto map cm client authentication list hw
crypto map cm isakmp authorization list hw
crypto map cm client configuration address respond
crypto map cm 10 ipsec-isakmp dynamic dmap
Client Config:
-------------------
crypto ipsec client ezvpn easyvpn
connect manual
group ezvpn key cciesec
mode client
peer 195.1.123.1
Debug Output On Server ( after "crypto ipsec client ezvpn connect easyvpn" on client )
----------------------------------------------------------------------------------------------------------------------------------------
*Mar 1 14:30:52.660: ISAKMP (0:0): received packet from 195.1.123.3 dport
500 sport 500 Global (N) NEW SA
*Mar 1 14:30:52.660: ISAKMP: Created a peer struct for 195.1.123.3, peer
port 500
*Mar 1 14:30:52.664: ISAKMP: Locking peer struct 0x8256E600, IKE refcount 1
for crypto_ikmp_config_initialize_sa
*Mar 1 14:30:52.664: ISAKMP (0:0): Setting client config settings 82E58AC4
*Mar 1 14:30:52.664: ISAKMP (0:0): (Re)Setting client xauth list and state
*Mar 1 14:30:52.664: ISAKMP: local port 500, remote port 500
*Mar 1 14:30:52.668: ISAKMP: insert sa successfully sa = 82BE1684
*Mar 1 14:30:52.668: ISAKMP (0:1): processing SA payload. message ID = 0
*Mar 1 14:30:52.668: ISAKMP (0:1): processing ID payload. message ID = 0
*Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157
mismatch
*Mar 1 14:30:52.668: ISAKMP
R1#(0:1): vendor ID is NAT-T v3
*Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123
mismatch
*Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID is NAT-T v2
*Mar 1 14:30:52.672: ISAKMP (0:1) Authentication by xauth preshared
*Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against
priority 10 policy
*Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
*Mar 1 14:30:52.672: ISAKMP: hash MD5
*Mar 1 14:30:52.672: ISAKMP: default group 2
*Mar 1 14:30:52.672: ISAKMP: auth pre-share
*Mar 1 14:30:52.672: ISAKMP: life type in seconds
*Mar 1 14:30:52.672: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
*Mar 1 14:30:52.892: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157
mismatch
*Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID is NAT-T v3
*Mar 1 14:30:52.896: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123
mismatch
*Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID is NAT-T v2
*Mar 1 14:30:52.896: ISAKMP (0:1): processing KE payload. message ID = 0
*Mar 1 14:30:53.172: ISAKMP (0:1): processing NONCE payload. message ID = 0
*Mar 1 14:30:53.172: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.172: ISAKMP (0:1): vendor ID is DPD
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID seems Unity/DPD but major 36
mismatch
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is XAUTH
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): claimed IOS but failed authentication
*Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
*Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is Unity
*Mar 1 14:30:53.180: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 14:30:53.180: ISAKMP (0:1): Old State = IKE_READY New State =
IKE_R_AM_AAA_AWAIT
*Mar 1 14:30:53.184: ISAKMP: got callback 1
*Mar 1 14:30:53.188: ISAKMP (0:1): SKEYID state generated
*Mar 1 14:30:53.188: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 14:30:53.188: ISAKMP (0:1): SA is doing pre-shared key
authentication using id type ID_IPV4_ADDR
*Mar 1 14:30:53.188: ISAKMP (1): ID payload
next-payload : 10
type : 1
addr : 195.1.123.1
protocol : 17
port : 0
length : 8
*Mar 1 14:30:53.192: ISAKMP (1): Total payload length: 12
*Mar 1 14:30:53.192: ISAKMP (0:1): constructed HIS NAT-D
*Mar 1 14:30:53.192: ISAKMP (0:1): constructed MINE NAT-D
*Mar 1 14:30:53.192: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) AG_INIT_EXCH
*Mar 1 14:30:53.192: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
PRESHARED_KEY_REPLY
*Mar 1 14:30:53.192: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New
State = IKE_R_AM2
*Mar 1 14:30:53.480: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) AG_INIT_EXCH
*Mar 1 14:30:53.484: ISAKMP (0:1): processing HASH payload. message ID = 0
*Mar 1 14:30:53.484: ISAKMP:received payload type 17
*Mar 1 14:30:53.484: ISAKMP (0:1): Detected NAT-D payload
*Mar 1 14:30:53.484: ISAKMP (0:1): recalc my hash for NAT-D
*Mar 1 14:30:53.484: ISAKMP (0:1): NAT match MINE hash
*Mar 1 14:30:53.488: ISAKMP:received payload type 17
*Mar 1 14:30:53.488: ISAKMP (0:1): Detected NAT-D payload
*Mar 1 14:30:53.488: ISAKMP (0:1): recalc his hash for NAT-D
*Mar 1 14:30:53.488: ISAKMP (0:1): NAT match HIS hash
*Mar 1 14:30:53.488: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT
protocol 1
spi 0, message ID = 0, sa = 82BE1684
*Mar 1 14:30:53.488: ISAKMP (0:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 195.1.123.1 remote
195.1.123.3 remote port 500
*Mar 1 14:30:53.488: ISAKMP (0:1): returning IP addr to the address pool
*Mar 1 14:30:53.492: ISAKMP (0:1): SA has been authenticated with
195.1.123.3
*Mar 1 14:30:53.492: ISAKMP: Trying to insert a peer 195.1.123.3/500/, and
inserted successfully.
*Mar 1 14:30:53.492: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 14:30:53.492: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
IKE_P1_COMPLETE
*Mar 1 14:30:53.492: IPSEC(key_engine): got a queue event...
*Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
*Mar 1 14:30:53.496: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT
*Mar 1 14:30:53.496: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:30:53.500: ISAKMP: set new node 1695602336 to CONF_XAUTH
*Mar 1 14:30:53.500: ISAKMP (0:1): processing transaction payload from
195.1.123.3. message ID = 1695602336
*Mar 1 14:30:53.500: ISAKMP: Config payload REQUEST
*Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
IKE_CFG_REQUEST
*Mar 1 14:30:53.504: ISAKMP: got callback 1
*Mar 1 14:30:53.504: ISAKMP: set new node -1928528013 to CONF_XAUTH
*Mar 1 14:30:53.504: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Mar 1 14:30:53.508: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Mar 1 14:30:53.508: ISAKMP (0:1): initiating peer config to 195.1.123.3.
ID = -1928528013
*Mar 1 14:30:53.508: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) CONF_XAUTH
*Mar 1 14:30:53.508: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
IKE_AAA_START_LOGIN
*Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 14:30:58.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:30:58.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:30:58.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
R1#
*Mar 1 14:31:03.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:03.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:03.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
R1#
*Mar 1 14:31:03.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
*Mar 1 14:31:08.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:08.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
previous packet.
*Mar 1 14:31:08.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
*Mar 1 14:31:08.488: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:08.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
*Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
retransmit phase 2
R1#
*Mar 1 14:31:08.988: ISAKMP (0:1): no outgoing phase 2 packet to
retransmit. 1695602336 CONF_XAUTH
R1#
*Mar 1 14:31:13.488: ISAKMP (0:1): received packet from 195.1.123.3 dport
500 sport 500 Global (R) CONF_XAUTH
*Mar 1 14:31:13.488: ISAKMP: set new node 813951137 to CONF_XAUTH
*Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R)
CONF_XAUTH (peer 195.1.123.3) input queue 0
*Mar 1 14:31:13.492: ISAKMP: set new node 236968093 to CONF_XAUTH
*Mar 1 14:31:13.492: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
500 peer_port 500 (R) MM_NO_STATE
*Mar 1 14:31:13.492: ISAKMP (0:1): purging node 236968093
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 1695602336 error FALSE
reason ""
R1#
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node -1928528013 error FALSE
reason ""
*Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 813951137 error FALSE
reason ""
*Mar 1 14:31:13.496: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
IKE_INFO_DELETE
*Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
State = IKE_DEST_SA
Thanks
Kal
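The debug Kal posted shows the pattern worth recognising: phase 1 attributes accepted, IKE_P1_COMPLETE, "Need XAUTH", a CONF_XAUTH request from the client arriving in state IKE_XAUTH_AAA_START_LOGIN_AWAIT ("Unknown Input"), then repeated "retransmitting phase 2 CONF_XAUTH" with the same message ID until the SA is deleted. The following triage script is an added example, not code from the thread or from Cisco: it re-joins the line-wrapped `debug crypto isakmp` output as it lands in mail, extracts those markers, and classifies the failure. The sample log is a constructed, condensed excerpt with the same wrapping and interleaved "R1#" prompts as the posted one; the verdict names and the stall threshold are assumptions.

```python
"""Triage helper for `debug crypto isakmp` output from an IOS EzVPN server.

Added example; not from the thread or Cisco. Assumed verdict names and a
retransmit threshold of 3 are choices made here, not IOS behaviour.
"""
import re
from collections import Counter

# Constructed sample: condensed excerpt, wrapped the way the mail archive
# wraps it, with bare "R1#" prompt lines mixed in.
SAMPLE_DEBUG = """\
*Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against
priority 10 policy
*Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
*Mar 1 14:30:52.672: ISAKMP: hash MD5
*Mar 1 14:30:52.672: ISAKMP: default group 2
*Mar 1 14:30:52.672: ISAKMP: auth pre-share
*Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
*Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
IKE_P1_COMPLETE
*Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
*Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
IKE_CFG_REQUEST
*Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
R1#
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
1695602336 ...
*Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R)
CONF_XAUTH (peer 195.1.123.3) input queue 0
*Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
State = IKE_DEST_SA
"""

TS_RE = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d\.\d+:\s+(.*)$")
PROMPT_RE = re.compile(r"^R\S*#(.*)$")   # "R1#" alone or glued to text
ATTR_RE = re.compile(r"ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
UNKNOWN_RE = re.compile(r"Unknown Input: state = ([A-Z0-9_]+), major, minor = "
                        r"([A-Z0-9_]+), ([A-Z0-9_]+)")
RETX_RE = re.compile(r"retransmitting phase 2 (\S+) (-?\d+)")


def join_wrapped(text):
    """Merge continuation lines back onto their timestamped record, drop the
    timestamp prefix and bare prompts, and detach a prompt glued to text."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        pm = PROMPT_RE.match(line)
        if pm:
            line = pm.group(1).strip()
        if not line:
            continue
        tm = TS_RE.match(line)
        if tm:
            records.append(tm.group(1))
        elif records:
            records[-1] += " " + line
    return records


def parse(text):
    """Extract the phase 1 attributes offered, the XAUTH markers and the
    per-exchange retransmit counts from one debug capture."""
    rep = {"offered": {}, "atts_acceptable": None, "phase1_complete": False,
           "xauth_needed": False, "unknown_inputs": [], "retransmits": Counter(),
           "sa_deleted": False, "final_state": None}
    for rec in join_wrapped(text):
        if (m := ATTR_RE.search(rec)):
            rep["offered"][m.group(1).replace("default ", "")] = m.group(2)
        elif "atts are not acceptable" in rec:
            rep["atts_acceptable"] = False
        elif "atts are acceptable" in rec:
            rep["atts_acceptable"] = True
        elif (m := STATE_RE.search(rec)):
            rep["final_state"] = m.group(2)
            rep["phase1_complete"] |= m.group(2) == "IKE_P1_COMPLETE"
        elif "Need XAUTH" in rec:
            rep["xauth_needed"] = True
        elif (m := UNKNOWN_RE.search(rec)):
            rep["unknown_inputs"].append((m.group(1), m.group(3)))
        elif (m := RETX_RE.search(rec)):
            rep["retransmits"][(m.group(1), m.group(2))] += 1
        elif "deleting SA" in rec:
            rep["sa_deleted"] = True
    return rep


def triage(rep, stall_threshold=3):
    """Map a parsed report to a verdict (names are this script's own)."""
    if rep["atts_acceptable"] is False:
        return "phase1-proposal-mismatch"     # Sam's IOS-version case
    if not rep["phase1_complete"]:
        return "phase1-incomplete"
    xauth_retx = sum(n for (exch, _), n in rep["retransmits"].items()
                     if exch == "CONF_XAUTH")
    if rep["xauth_needed"] and xauth_retx >= stall_threshold and rep["sa_deleted"]:
        return "xauth-stalled"                # Kal's capture
    return "no-fault-detected"


if __name__ == "__main__":
    report = parse(SAMPLE_DEBUG)
    print(report["offered"], report["unknown_inputs"], dict(report["retransmits"]))
    print(triage(report))
```

Run it over a saved capture (`parse(open(path).read())`) to separate the two failure classes discussed in this thread without reading every line: "phase1-proposal-mismatch" means the responder never accepted an offered transform, while "xauth-stalled" means phase 1 succeeded and the client kept re-sending its config request instead of answering the XAUTH challenge, which is what the CONF_XAUTH/CONF_ADDR pair in the two `sh cry isa sa` outputs also shows.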
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART