From: Sam Lai (sam@ccnpro.net)
Date: Fri Oct 06 2006 - 09:32:33 ART
I hear ya, Kal. As I said, I have the exact same issue. XAUTH works with the Cisco software client to a router, VPN3K or PIX acting as EzVPN server. But XAUTH wouldn't work with the Cisco router as EzVPN client. When you take out XAUTH, it works.
The reason I am so sure about the IOS version is that I spent a good few days troubleshooting it, and by looking closely into the debug crypto isakmp messages I found that the EzVPN client DOES NOT use whatever ISAKMP policies (phase 1 proposals) you configured when it acts as an EzVPN client. When your routers are on IOS 12.2Yx or later, or 12.3, it is called the EzVPN Phase II feature. It fixed a lot of compatibility problems for routers; at least the ISAKMP policies #655xx are lined up compatibly on both ends. So if you wanna keep trying, you can try matching the ISAKMP policies from the EzVPN server side only. I think I got it to work using des/md5/group1/pre-share or aes/group2/pre-share. Just keep trying and don't give up if you choose this path.
Btw, I chose to upgrade from 12.2T to 12.3 on all my routers (2600/3600) in my lab not only because of these EzVPN issues, but also for stability. 12.2T and the 12.3 major release are very close feature-wise, because the "T" train is what is coming next for the next major release.
HTH,
Sam
Sam Lai
CCIE#12812
CISSP#90903
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
Sent: Friday, October 06, 2006 1:05 AM
To: Sam Lai
Cc: Cisco certification; ccielab@groupstudy.com
Subject: Re: easy vpn - XAUTH issue
Hi Sam -
I tried it, but it didn't work!
The weird thing here is:
VPN Server Router to software client "with xauth" is working good.
VPN Client to PIX or VPN3K "with xauth" is working good.
VPN Server Router to VPN Client Router "WITHOUT xauth" is also good.
Only router - router + xauth is not working,
all this with the same IKE phase 1 policy.
I tried rebooting, but it didn't work! Maybe if I upgrade to 12.3 it will work,
but my router models don't have any 12.3 crypto image available.
Thanks
Kal
On 10/5/06, Sam Lai <sam@ccnpro.net> wrote:
>
> Hi Kal -
>
> I think you have an IKE proposal mismatch issue between the ezvpn server
> and client routers. I had the exact same problem. The conclusion is that the
> IOS versions of the ezvpn server and client do not match.
>
> Why does it matter? Because ezvpn (especially router as ezvpn client) phase 1
> communication is based on a set of isakmp policies #655xx, and these proposals are
> preset and cannot be modified.
>
> This problem happens, for example, when the ezvpn server supports
> pre-share/md5/group2 (12.3) while the ezvpn client supports only
> pre-share/md5/group1.
>
> This symptom is similar to the Cisco VPN software client prior to 3.x vs. 4.x; that's why you have to create two different vpngroups (aka their
> compatible isakmp proposals).
>
> I would suggest you try changing the hash to SHA or the DH to group 1; it
> "might" work sometimes, from my experience. The long-term fix is to
> standardize your routers' IOS version. It worked for me like a charm when I
> upgraded both ends to 12.3.
>
> HTH,
>
> Sam
>
> Sam Lai
> CCIE#12812
> CISSP#90903
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kal Han
> Sent: Thursday, October 05, 2006 3:09 PM
> To: Cisco certification; ccielab@groupstudy.com
> Subject: easy vpn - XAUTH issue
>
> I am trying to configure router-to-router Easy VPN.
> One router is the client and the other is the server.
> Things are working fine without XAUTH.
> When I enable XAUTH, it's not working.
> The same config on the server is working fine with a software client
> (without any change, I get the username/password dialog, and after I enter
> it, I get connected),
> BUT NOT FOR hardware clients. What is the difference, in terms of config?
> There shouldn't be anything on the server.. is that right?
> What are the common reasons for XAUTH failures?
> Is there any requirement for the ip local pool? (like, should it be part
> of any directly connected subnet on the server?)
>
> Server is getting stuck here:
> R1#sh cry isa sa
> dst             src             state           conn-id   slot
> 195.1.123.1     195.1.123.3     CONF_XAUTH      1         0
>
> Client is getting stuck here:
> R3#sh cry isa sa
> dst             src             state           conn-id   slot
> 195.1.123.1     195.1.123.3     CONF_ADDR       1         0
>
> Related Server Config:
> ---------------------------------
> username admin priv 15 pass admin
> ip local pool ippool 195.145.1.200 195.145.1.250
> !
> aaa new-model
> aaa authentication login hw local
> aaa authorization network hw local
> aaa session-id common
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
>  group 2
> crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
> crypto isakmp client configuration address-pool local ippool
> crypto isakmp xauth timeout 90
> !
> crypto isakmp client configuration group ezvpn
>  key cciesec
>  dns 1.1.1.10
>  wins 1.1.1.11
>  pool ippool
> !
> crypto ipsec transform-set ts esp-3des esp-md5-hmac
> !
> crypto dynamic-map dmap 10
>  set transform-set ts
>  reverse-route
> !
> crypto map cm client authentication list hw
> crypto map cm isakmp authorization list hw
> crypto map cm client configuration address respond
> crypto map cm 10 ipsec-isakmp dynamic dmap
>
> Client Config:
> -------------------
>
> crypto ipsec client ezvpn easyvpn
>  connect manual
>  group ezvpn key cciesec
>  mode client
>  peer 195.1.123.1
>
> Debug Output On Server (after "crypto ipsec client ezvpn connect easyvpn"
> on client):
>
> ----------------------------------------------------------------------------
>
> *Mar 1 14:30:52.660: ISAKMP (0:0): received packet from 195.1.123.3 dport 500 sport 500 Global (N) NEW SA
> *Mar 1 14:30:52.660: ISAKMP: Created a peer struct for 195.1.123.3, peer port 500
> *Mar 1 14:30:52.664: ISAKMP: Locking peer struct 0x8256E600, IKE refcount 1 for crypto_ikmp_config_initialize_sa
> *Mar 1 14:30:52.664: ISAKMP (0:0): Setting client config settings 82E58AC4
> *Mar 1 14:30:52.664: ISAKMP (0:0): (Re)Setting client xauth list and state
> *Mar 1 14:30:52.664: ISAKMP: local port 500, remote port 500
> *Mar 1 14:30:52.668: ISAKMP: insert sa successfully sa = 82BE1684
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing SA payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing ID payload. message ID = 0
> *Mar 1 14:30:52.668: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
> *Mar 1 14:30:52.668: ISAKMP (0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.668: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
> *Mar 1 14:30:52.672: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.672: ISAKMP (0:1) Authentication by xauth preshared
> *Mar 1 14:30:52.672: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
> *Mar 1 14:30:52.672: ISAKMP: encryption DES-CBC
> *Mar 1 14:30:52.672: ISAKMP: hash MD5
> *Mar 1 14:30:52.672: ISAKMP: default group 2
> *Mar 1 14:30:52.672: ISAKMP: auth pre-share
> *Mar 1 14:30:52.672: ISAKMP: life type in seconds
> *Mar 1 14:30:52.672: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
>
> *Mar 1 14:30:52.676: ISAKMP (0:1): atts are acceptable. Next payload is 3
> *Mar 1 14:30:52.892: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID seems Unity/DPD but major 157 mismatch
> *Mar 1 14:30:52.892: ISAKMP (0:1): vendor ID is NAT-T v3
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
> *Mar 1 14:30:52.896: ISAKMP (0:1): vendor ID is NAT-T v2
> *Mar 1 14:30:52.896: ISAKMP (0:1): processing KE payload. message ID = 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing NONCE payload. message ID = 0
> *Mar 1 14:30:53.172: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.172: ISAKMP (0:1): vendor ID is DPD
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID seems Unity/DPD but major 36 mismatch
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is XAUTH
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): claimed IOS but failed authentication
> *Mar 1 14:30:53.176: ISAKMP (0:1): processing vendor id payload
> *Mar 1 14:30:53.176: ISAKMP (0:1): vendor ID is Unity
> *Mar 1 14:30:53.180: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> *Mar 1 14:30:53.180: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_AM_AAA_AWAIT
>
> *Mar 1 14:30:53.184: ISAKMP: got callback 1
> *Mar 1 14:30:53.188: ISAKMP (0:1): SKEYID state generated
> *Mar 1 14:30:53.188: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> *Mar 1 14:30:53.188: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
> *Mar 1 14:30:53.188: ISAKMP (1): ID payload
>  next-payload : 10
>  type : 1
>  addr : 195.1.123.1
>  protocol : 17
>  port : 0
>  length : 8
> *Mar 1 14:30:53.192: ISAKMP (1): Total payload length: 12
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed HIS NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): constructed MINE NAT-D
> *Mar 1 14:30:53.192: ISAKMP (0:1): sending packet to 195.1.123.3 my_port 500 peer_port 500 (R) AG_INIT_EXCH
> *Mar 1 14:30:53.192: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
> *Mar 1 14:30:53.192: ISAKMP (0:1): Old State = IKE_R_AM_AAA_AWAIT New State = IKE_R_AM2
>
> *Mar 1 14:30:53.480: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) AG_INIT_EXCH
> *Mar 1 14:30:53.484: ISAKMP (0:1): processing HASH payload. message ID = 0
> *Mar 1 14:30:53.484: ISAKMP:received payload type 17
> *Mar 1 14:30:53.484: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.484: ISAKMP (0:1): recalc my hash for NAT-D
> *Mar 1 14:30:53.484: ISAKMP (0:1): NAT match MINE hash
> *Mar 1 14:30:53.488: ISAKMP:received payload type 17
> *Mar 1 14:30:53.488: ISAKMP (0:1): Detected NAT-D payload
> *Mar 1 14:30:53.488: ISAKMP (0:1): recalc his hash for NAT-D
> *Mar 1 14:30:53.488: ISAKMP (0:1): NAT match HIS hash
> *Mar 1 14:30:53.488: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 82BE1684
> *Mar 1 14:30:53.488: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's with local 195.1.123.1 remote 195.1.123.3 remote port 500
> *Mar 1 14:30:53.488: ISAKMP (0:1): returning IP addr to the address pool
> *Mar 1 14:30:53.492: ISAKMP (0:1): SA has been authenticated with 195.1.123.3
> *Mar 1 14:30:53.492: ISAKMP: Trying to insert a peer 195.1.123.3/500/, and inserted successfully.
> *Mar 1 14:30:53.492: ISAKMP (0:1): peer matches *none* of the profiles
> *Mar 1 14:30:53.492: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
> *Mar 1 14:30:53.492: ISAKMP (0:1): Old State = IKE_R_AM2 New State = IKE_P1_COMPLETE
>
> *Mar 1 14:30:53.492: IPSEC(key_engine): got a queue event...
> *Mar 1 14:30:53.496: ISAKMP (0:1): Need XAUTH
> *Mar 1 14:30:53.496: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> *Mar 1 14:30:53.496: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_AAA_START_LOGIN_AWAIT
>
> *Mar 1 14:30:53.496: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP: set new node 1695602336 to CONF_XAUTH
> *Mar 1 14:30:53.500: ISAKMP (0:1): processing transaction payload from 195.1.123.3. message ID = 1695602336
> *Mar 1 14:30:53.500: ISAKMP: Config payload REQUEST
> *Mar 1 14:30:53.504: ISAKMP (0:1): Unknown Input: state = IKE_XAUTH_AAA_START_LOGIN_AWAIT, major, minor = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
>
> *Mar 1 14:30:53.504: ISAKMP: got callback 1
> *Mar 1 14:30:53.504: ISAKMP: set new node -1928528013 to CONF_XAUTH
> *Mar 1 14:30:53.504: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
> *Mar 1 14:30:53.508: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
> *Mar 1 14:30:53.508: ISAKMP (0:1): initiating peer config to 195.1.123.3. ID = -1928528013
> *Mar 1 14:30:53.508: ISAKMP (0:1): sending packet to 195.1.123.3 my_port 500 peer_port 500 (R) CONF_XAUTH
> *Mar 1 14:30:53.508: ISAKMP (0:1): Input = IKE_MESG_FROM_AAA, IKE_AAA_START_LOGIN
> *Mar 1 14:30:53.508: ISAKMP (0:1): Old State = IKE_XAUTH_AAA_START_LOGIN_AWAIT New State = IKE_XAUTH_REQ_SENT
>
> *Mar 1 14:30:58.484: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:30:58.484: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
> *Mar 1 14:30:58.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> *Mar 1 14:30:58.988: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. 1695602336 CONF_XAUTH
> R1#
> R1#
> *Mar 1 14:31:03.484: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:03.484: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
> *Mar 1 14:31:03.484: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> *Mar 1 14:31:03.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> R1#
> *Mar 1 14:31:03.988: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:08.484: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:08.484: ISAKMP (0:1): phase 2 packet is a duplicate of a previous packet.
> *Mar 1 14:31:08.484: ISAKMP (0:1): retransmitting due to retransmit phase 2
> *Mar 1 14:31:08.488: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): retransmitting phase 2 CONF_XAUTH 1695602336 ...
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> *Mar 1 14:31:08.988: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
> R1#
> *Mar 1 14:31:08.988: ISAKMP (0:1): no outgoing phase 2 packet to retransmit. 1695602336 CONF_XAUTH
> R1#
> *Mar 1 14:31:13.488: ISAKMP (0:1): received packet from 195.1.123.3 dport 500 sport 500 Global (R) CONF_XAUTH
> *Mar 1 14:31:13.488: ISAKMP: set new node 813951137 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): deleting SA reason "" state (R) CONF_XAUTH (peer 195.1.123.3) input queue 0
> *Mar 1 14:31:13.492: ISAKMP: set new node 236968093 to CONF_XAUTH
> *Mar 1 14:31:13.492: ISAKMP (0:1): sending packet to 195.1.123.3 my_port 500 peer_port 500 (R) MM_NO_STATE
> *Mar 1 14:31:13.492: ISAKMP (0:1): purging node 236968093
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 1695602336 error FALSE reason ""
> R1#
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node -1928528013 error FALSE reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): deleting node 813951137 error FALSE reason ""
> *Mar 1 14:31:13.496: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
> *Mar 1 14:31:13.496: ISAKMP (0:1): Old State = IKE_XAUTH_REQ_SENT New State = IKE_DEST_SA
>
> Thanks
> Kal
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.407 / Virus Database: 268.12.12/462 - Release Date: 10/3/2006
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART