From: Sam Lai (sam@ccnpro.net)
Date: Fri Oct 06 2006 - 01:06:30 ART
If you look closer at the debug message:
ISAKMP (0:1): peer matches *none* of the profiles
which indicates a phase 1 problem.
The reminder message "crypto ipsec client ezvpn xauth" either does not show up, or even if it does, the symptom is that it will keep prompting you after you type the username/password (correctly).
HTH,
Sam
Sam Lai
CCIE#12812
CISSP#90903
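Added example, my own code and not part of this thread: a small Python analyser that walks the per-SA state transitions in the server-side "debug crypto isakmp" output quoted further down and reports whether phase 1 completed and whether the XAUTH request was ever answered. The sample input is a de-wrapped copy of a few of Kal's debug lines; the regexes assume the message formats seen in that output.

```python
import re
from collections import defaultdict

# Constructed sample: condensed, de-wrapped server-side "debug crypto isakmp" lines from Kal's mail.
SAMPLE_DEBUG = """\
*Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
*Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
*Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
*Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
*Mar 1 14:30:53.508: ISAKMP (0:1): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
*Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
*Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
*Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R) CONF_XAUTH (peer 195.1.123.3) input queue 0
*Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
"""
SA = r"ISAKMP \((?P<sa>\d+:\d+)\): "
PATTERNS = {  # one regex per kind of debug line the analysis cares about (formats as seen in the quoted output)
    "state": re.compile(SA + r"Old State = (?P<old>\S+) New State = (?P<new>\S+)"),
    "need_xauth": re.compile(SA + r"Need XAUTH"),
    "retransmit": re.compile(SA + r"retransmitting phase 2 CONF_XAUTH"),
    "deleted": re.compile(SA + r"deleting SA reason"),
    "no_profile": re.compile(SA + r"peer matches \*none\* of the profiles"),
}

def analyze_isakmp_debug(text):
    sas = defaultdict(lambda: {"states": [], "need_xauth": False, "deleted": False,
                               "no_profile": False, "xauth_retransmits": 0})
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            if m := rx.search(line):
                sa = sas[m["sa"]]
                if kind == "state":
                    if not sa["states"]:  # seed the walk with the first "Old State"
                        sa["states"].append(m["old"])
                    sa["states"].append(m["new"])
                elif kind == "retransmit":
                    sa["xauth_retransmits"] += 1
                else:  # need_xauth / deleted / no_profile are plain flags
                    sa[kind] = True
                break
    for sa in sas.values():  # verdict: where did this SA's negotiation stop?
        sa["phase1_complete"] = "IKE_P1_COMPLETE" in sa["states"]
        if not sa["phase1_complete"]:
            sa["verdict"] = "phase 1 never completed: check ISAKMP policy, pre-shared key and profile match"
        elif sa["need_xauth"] and sa["deleted"] and "IKE_XAUTH_REQ_SENT" in sa["states"]:
            sa["verdict"] = (f"phase 1 done; XAUTH request retransmitted {sa['xauth_retransmits']}x "
                             "unanswered before the SA was deleted: client never supplied credentials")
        else:
            sa["verdict"] = "no known failure pattern; final state " + sa["states"][-1]
    return dict(sas)
```

Feeding it the full debug from the thread gives the same verdict: the SA reaches IKE_P1_COMPLETE, the CONF_XAUTH request is retransmitted, and the SA is torn down from IKE_XAUTH_REQ_SENT.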
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Edouard Zorrilla
Sent: Thursday, October 05, 2006 10:38 PM
To: Kal Han; Cisco certification; ccielab@groupstudy.com
Subject: Re: easy vpn - XAUTH issue
Sir,
For HW xauth you have to enter the user and password manually as soon as you
get:
EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
Besides, you are using "crypto isakmp key cciesec address 0.0.0.0 0.0.0.0"
and also "crypto isakmp client configuration group ezvpn"; if this is an EZVPN
the first one is not necessary. Take a look at this:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftezvpcm.htm#1116046,
for a sample config.
Regarding the pool, it has no relation with any interface; remember that
this net is being routed through the network. As a matter of fact you can put
it inside a routing protocol so that it can be learned by someone else.
Finally, in your debug you are not using "debug crypto ipsec client ezvpn";
try this one, it can help a lot.
HTH,
Regards
----- Original Message -----
From: "Kal Han" <calikali2006@gmail.com>
To: "Cisco certification" <security@groupstudy.com>;
<ccielab@groupstudy.com>
Sent: Thursday, October 05, 2006 2:09 PM
Subject: easy vpn - XAUTH issue
>I am trying to configure router - to - router easy vpn.
> One router is the client and the other is the server.
> Things are working fine without XAUTH.
> When I enable XAUTH, it's not working.
> The same config on the server is working fine with a software client.
> (without any change, I get the username/password dialog and after I enter,
> I get connected)
> BUT NOT FOR hardware clients. What is the difference, in terms of config?
> There shouldn't be anything on the server.. is that right?
> What are the common reasons for XAUTH failures?
> Is there any requirement for the ip local pool? (like should it be part of
> any directly connected subnets to the server?)
>
> Server is getting stuck here:
> R1#sh cry isa sa
> dst src state conn-id slot
> 195.1.123.1 195.1.123.3 CONF_XAUTH 1 0
>
> Client is getting stuck here:
> R3#sh cry isa sa
> dst src state conn-id slot
> 195.1.123.1 195.1.123.3 CONF_ADDR 1 0
>
> Related Server Config:
> ---------------------------------
> username admin priv 15 pass admin
> ip local pool ippool 195.145.1.200 195.145.1.250
>
> aaa new-model
> !
> !
> aaa authentication login hw local
> aaa authorization network hw local
> aaa session-id common
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local ippool
> crypto isakmp xauth timeout 90
>
> !
> crypto isakmp client configuration group ezvpn
> key cciesec
> dns 1.1.1.10
> wins 1.1.1.11
> pool ippool
> !
> !
> crypto ipsec transform-set ts esp-3des esp-md5-hmac
> !
> crypto dynamic-map dmap 10
> set transform-set ts
> reverse-route
> !
> !
> crypto map cm client authentication list hw
> crypto map cm isakmp authorization list hw
> crypto map cm client configuration address respond
> crypto map cm 10 ipsec-isakmp dynamic dmap
>
> Client Config:
> -------------------
>
> crypto ipsec client ezvpn easyvpn
> connect manual
> group ezvpn key cciesec
> mode client
> peer 195.1.123.1
>
> Debug Output On Server (after "crypto ipsec client ezvpn connect easyvpn"
> on client)
> ----------------------------------------------------------------------
>
> *Mar 1 14:30:52.660: ISAKMP (0:0): received packet from 195.1.123.3 dport
> 500 sport 500 Global (N) NEW SA
> *Mar 1 14:30:52.660: ISAKMP: Created a peer struct for 195.1.123.3, peer
> port 500
> *Mar 1 14:30:52.664: ISAKMP: Locking peer struct 0x8256E600, IKE refcount
> 1
> for crypto_ikmp_config_initialize_sa
> *Mar 1 14:30:52.664: ISAKMP (0:0): Setting client config settings
> 82E58AC4
> *Mar 1 14:30:52.664: ISAKMP (0:0): (Re)Setting client xauth list and
> state
> *Mar 1 14:30:52.664: ISAKMP: local port 500, remote port 500
> *Mar 1 14:30:52.668: ISAKMP: insert sa successfully sa = 82BE1684
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing SA payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing ID payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 157
> mismatch
> *Mar 1 14:30:52.668: ISAKMP
> R1#(0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 123
> mismatch
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.672: ISAKMP (0:1) Authentication by xauth preshared
> *Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against
> priority 10 policy
> *Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
> *Mar 1 14:30:52.672: ISAKMP: hash MD5
> *Mar 1 14:30:52.672: ISAKMP: default group 2
> *Mar 1 14:30:52.672: ISAKMP: auth pre-share
> *Mar 1 14:30:52.672: ISAKMP: life type in seconds
> *Mar 1 14:30:52.672: ISAKMP: life duration (VPI) of 0x0 0x1 0x51
> 0x80
>
> *Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
> *Mar 1 14:30:52.892: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 157
> mismatch
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID seems Unity/DPD but major
> 123
> mismatch
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing KE payload. message ID = 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing NONCE payload. message ID =
> 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.172: ISAKMP (0:1): vendor ID is DPD
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID seems Unity/DPD but major 36
> mismatch
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is XAUTH
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): claimed IOS but failed authentication
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is Unity
> *Mar 1 14:30:53.180: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_AM_EXCH
> *Mar 1 14:30:53.180: ISAKMP (0:1): Old State = IKE_READY New State =
> IKE_R_AM_AAA_AWAIT
>
> *Mar 1 14:30:53.184: ISAKMP: got callback 1
> *Mar 1 14:30:53.188: ISAKMP (0:1): SKEYID state generated
> *Mar 1 14:30:53.188: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> *Mar 1 14:30:53.188: ISAKMP (0:1): SA is doing pre-shared key
> authentication using id type ID_IPV4_ADDR
> *Mar 1 14:30:53.188: ISAKMP (1): ID payload
> next-payload : 10
> type : 1
> addr : 195.1.123.1
> protocol : 17
> port : 0
> length : 8
> *Mar 1 14:30:53.192: ISAKMP (1): Total payload length: 12
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed HIS NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed MINE NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) AG_INIT_EXCH
> *Mar 1 14:30:53.192: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
> PRESHARED_KEY_REPLY
> *Mar 1 14:30:53.192: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New
> State = IKE_R_AM2
>
> *Mar 1 14:30:53.480: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) AG_INIT_EXCH
> *Mar 1 14:30:53.484: ISAKMP (0:1): processing HASH payload. message ID =
> 0
> *Mar 1 14:30:53.484: ISAKMP:received payload type 17
> *Mar 1 14:30:53.484: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.484: ISAKMP (0:1): recalc my hash for NAT-D
> *Mar 1 14:30:53.484: ISAKMP (0:1): NAT match MINE hash
> *Mar 1 14:30:53.488: ISAKMP:received payload type 17
> *Mar 1 14:30:53.488: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.488: ISAKMP (0:1): recalc his hash for NAT-D
> *Mar 1 14:30:53.488: ISAKMP (0:1): NAT match HIS hash
> *Mar 1 14:30:53.488: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT
> protocol 1
> spi 0, message ID = 0, sa = 82BE1684
> *Mar 1 14:30:53.488: ISAKMP (0:1): Process initial contact,
> bring down existing phase 1 and 2 SA's with local 195.1.123.1 remote
> 195.1.123.3 remote port 500
> *Mar 1 14:30:53.488: ISAKMP (0:1): returning IP addr to the address pool
> *Mar 1 14:30:53.492: ISAKMP (0:1): SA has been authenticated with
> 195.1.123.3
> *Mar 1 14:30:53.492: ISAKMP: Trying to insert a peer 195.1.123.3/500/,
> and
> inserted successfully.
> *Mar 1 14:30:53.492: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:53.492: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_AM_EXCH
> *Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State =
> IKE_P1_COMPLETE
>
> *Mar 1 14:30:53.492: IPSEC(key_engine): got a queue event...
> *Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
> *Mar 1 14:30:53.496: ISAKMP (0:1): Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_COMPLETE
> *Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State
> =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT
>
> *Mar 1 14:30:53.496: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP: set new node 1695602336 to CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP (0:1): processing transaction payload from
> 195.1.123.3. message ID = 1695602336
> *Mar 1 14:30:53.500: ISAKMP: Config payload REQUEST
> *Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER,
> IKE_CFG_REQUEST
>
> *Mar 1 14:30:53.504: ISAKMP: got callback 1
> *Mar 1 14:30:53.504: ISAKMP: set new node -1928528013 to CONF_XAUTH
> *Mar 1 14:30:53.504: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
> *Mar 1 14:30:53.508: ISAKMP/xauth: request attribute
> XAUTH_USER_PASSWORD_V2
> *Mar 1 14:30:53.508: ISAKMP (0:1): initiating peer config to 195.1.123.3.
> ID = -1928528013
> *Mar 1 14:30:53.508: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) CONF_XAUTH
> *Mar 1 14:30:53.508: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA,
> IKE_AAA_START_LOGIN
> *Mar 1 14:30:53.508: ISAKMP (0:1): Old State =
> IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
>
> *Mar 1 14:30:58.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:58.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> R1#
> *Mar 1 14:31:03.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:03.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> R1#
> *Mar 1 14:31:03.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:08.484: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:08.484: ISAKMP (0:1): phase 2 packet is a duplicate of a
> previous packet.
> *Mar 1 14:31:08.484: ISAKMP (0:1): retransmitting due to retransmit phase
> 2
> *Mar 1 14:31:08.488: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH
> 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 2
> R1#
> *Mar 1 14:31:08.988: ISAKMP (0:1): no outgoing phase 2 packet to
> retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:13.488: ISAKMP (0:1): received packet from 195.1.123.3 dport
> 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:13.488: ISAKMP: set new node 813951137 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R)
> CONF_XAUTH (peer 195.1.123.3) input queue 0
> *Mar 1 14:31:13.492: ISAKMP: set new node 236968093 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): sending packet to 195.1.123.3 my_port
> 500 peer_port 500 (R) MM_NO_STATE
> *Mar 1 14:31:13.492: ISAKMP (0:1): purging node 236968093
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 1695602336 error FALSE
> reason ""
> R1#
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node -1928528013 error FALSE
> reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 813951137 error FALSE
> reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER,
> IKE_INFO_DELETE
> *Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New
> State = IKE_DEST_SA
>
> Thanks
> Kal
>
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART