From: dip (diptanshu.singh@gmail.com)
Date: Wed Jul 11 2007 - 16:40:51 ART
Hi folks, I was trying to configure IOS Easy VPN with a VPN
concentrator. I am using an external group which is configured on the ACS
server. The configuration for IOS Easy VPN is:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec client ezvpn ezvpn_cfg
 connect manual
 group ezvpn key ezvpn
 mode network-extension
 peer x.x.x.x
interface FastEthernet0/0
 ip address x.x.x.x x.x.x.x
 crypto ipsec client ezvpn ezvpn_cfg inside
interface Serial0/0
 no ip address
 encapsulation frame-relay
interface Serial0/0.1 point-to-point
 ip address x.x.x.x x.x.x.x
 frame-relay interface-dlci 100
 crypto ipsec client ezvpn ezvpn_cfg
I had configured the VPN concentrator with an external group eazyvpn.
I had configured the ACS server with a user eazyvpn, password
eazyvpn. The RADIUS attributes configured for this user are:
[3076\012] CVPN3000-IPSec-Sec-Association          ESP-3DES-MD5
[3076\013] CVPN3000-IPSec-Authentication           RADIUS
[3076\016] CVPN3000-IPSec-Allow-Passwd-Store       Allow
[3076\027] CVPN3000-IPSec-Split-Tunnel-List        split_tunnel_list
[3076\030] CVPN3000-IPSec-Tunnel-Type              Remote-Access
[3076\031] CVPN3000-IPSec-Mode-Config              On
[3076\034] CVPN3000-IPSec-Over-UDP                 On
[3076\055] CVPN3000-IPSec-Split-Tunneling-Policy   Only tunnel networks in the list
[3076\064] CVPN3000-Allow-Network-Extension-Mode   Yes
Now whenever I try to connect it says phase 2 failed. My quick mode is
unsuccessful.
The error which comes on the router is below:
12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.31.9.2
ezvpn-router#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 2
Tunnel name : ezvpn_cfg
Inside interface list: FastEthernet0/0,
Outside interface: Serial0/0.1
Current State: SS_OPEN
Last Event: SOCKET_READY
Split Tunnel List: 1
Address : 10.1.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
The logs for the VPN concentrator are as follows:
Group [ezvpn] User [cisco]
PHASE 1 COMPLETED
324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
Group [ezvpn] User [cisco]
Received remote IP Proxy Subnet data in ID Payload:
Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
Group [ezvpn] User [cisco]
IKE Remote Peer configured for SA: ESP-3DES-MD5
331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
NOTE: The configuration works fine when I use CLIENT mode. It fails
when I change to NEM.
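
An added example, not part of the original post: a small Python parser for the concentrator log layout quoted above, which folds each event's lines into one record and reports how long after the previous event an error was logged. The function names and the embedded sample (trimmed from the quoted log) are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the concentrator log quoted in the post.
SAMPLE = """\
Group [ezvpn] User [cisco]
PHASE 1 COMPLETED
331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
Group [ezvpn] User [cisco]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
"""

HEADER = re.compile(r"^(\d+) (\d\d/\d\d/\d{4} [\d:.]+) SEV=(\d+) (\w+/\d+) RPT=\d+ (\S+)$")
WHO = re.compile(r"^Group \[(.*?)\] User \[(.*?)\]$")

def parse_events(text):
    """Fold each header line and its continuation lines into one dict. Lines seen
    before any header (a log cut mid-event) become an event with seq None."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m or not events:
            seq, ts, sev, event, peer = m.groups() if m else (None,) * 5
            events.append({"seq": seq and int(seq), "sev": sev and int(sev),
                           "time": ts and datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f"),
                           "event": event, "peer": peer, "group": None, "user": None, "msg": []})
            if m:
                continue
        who = WHO.match(line)
        if who and events[-1]["group"] is None:
            events[-1]["group"], events[-1]["user"] = who.groups()
        else:
            events[-1]["msg"].append(line)
    return events

def find_errors(events, pattern=r"\berror\b"):
    """Return (seq, event id, message, seconds since previous timestamped event) per match."""
    hits, prev = [], None
    for ev in (e for e in events if e["time"]):
        text = " ".join(ev["msg"])
        if re.search(pattern, text, re.I):
            gap = (ev["time"] - prev).total_seconds() if prev else None
            hits.append((ev["seq"], ev["event"], text, gap))
        prev = ev["time"]
    return hits

print(find_errors(parse_events(SAMPLE)))
```
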