From: Israel Gonzalez (israelgq@gmail.com)
Date: Wed Jul 11 2007 - 19:03:32 ART
Hi Dip,
> NOTE: the configuration works fine when I use CLIENT mode. It fails
> when I change to NEM
Is the NEM enabled in the concentrator? You can do it by configuration |
users | group | HW Client | NEM
Cheers.
On 7/11/07, dip <diptanshu.singh@gmail.com> wrote:
>
> Hi folks, I was trying to configure IOS Easy VPN with a VPN
> concentrator. I am using an external group which is configured on the ACS
> server. The configuration for IOS Easy VPN is:
>
> crypto isakmp policy 10
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>
> crypto ipsec client ezvpn ezvpn_cfg
>  connect manual
>  group ezvpn key ezvpn
>  mode network-extension
>  peer x.x.x.x
>
> interface FastEthernet0/0
>  ip address x.x.x.x x.x.x.x
>  crypto ipsec client ezvpn ezvpn_cfg inside
>
> interface Serial0/0
>  no ip address
>  encapsulation frame-relay
>
> interface Serial0/0.1 point-to-point
>  ip address x.x.x.x x.x.x.x
>  frame-relay interface-dlci 100
>  crypto ipsec client ezvpn ezvpn_cfg
>
> I had configured the VPN concentrator with an external group eazyvpn.
> I had configured the ACS server with a user eazyvpn, password
> eazyvpn. The RADIUS attributes configured for this user are:
>
>
> [3076\012] CVPN3000-IPSec-Sec-Association          ESP-3DES-MD5
> [3076\013] CVPN3000-IPSec-Authentication           RADIUS
> [3076\016] CVPN3000-IPSec-Allow-Passwd-Store       Allow
> [3076\027] CVPN3000-IPSec-Split-Tunnel-List        split_tunnel_list
> [3076\030] CVPN3000-IPSec-Tunnel-Type              Remote-Access
> [3076\031] CVPN3000-IPSec-Mode-Config              On
> [3076\034] CVPN3000-IPSec-Over-UDP                 On
> [3076\055] CVPN3000-IPSec-Split-Tunneling-Policy   Only tunnel networks in the list
> [3076\064] CVPN3000-Allow-Network-Extension-Mode   Yes
>
> Now whenever I try to connect it says phase 2 failed. My quick mode is
> unsuccessful.
> The error which comes on the router is below:
>
> 12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 172.31.9.2
> ezvpn-router#show crypto ipsec client ezvpn
> Easy VPN Remote Phase: 2
>
> Tunnel name : ezvpn_cfg
> Inside interface list: FastEthernet0/0,
> Outside interface: Serial0/0.1
> Current State: SS_OPEN
> Last Event: SOCKET_READY
> Split Tunnel List: 1
> Address : 10.1.1.0
> Mask : 255.255.255.0
> Protocol : 0x0
> Source Port: 0
> Dest Port : 0
>
> Logs for the VPN concentrator are as follows:
>
> Group [ezvpn] User [cisco]
> PHASE 1 COMPLETED
>
> 324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
> Group [ezvpn] User [cisco]
> Received remote IP Proxy Subnet data in ID Payload:
> Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
>
> 327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
> Group [ezvpn] User [cisco]
> Received local IP Proxy Subnet data in ID Payload:
> Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
>
> 330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
> Group [ezvpn] User [cisco]
> IKE Remote Peer configured for SA: ESP-3DES-MD5
>
> 331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
> Group [ezvpn] User [cisco]
> Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
>
> 333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
> Group [ezvpn] User [cisco]
> QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
>
> NOTE: the configuration works fine when I use CLIENT mode. It fails
> when I change to NEM
This archive was generated by hypermail 2.1.4 : Sat Aug 18 2007 - 08:17:40 ART
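
Added example, not part of the original thread: a small Python parser for concentrator log excerpts in the format quoted above. It pairs each QM FSM error with the remote and local proxy subnets logged earlier for the same peer, group and user, so a client-mode attempt and a NEM attempt can be compared side by side. The function names and the sample log (documentation addresses) are constructed for illustration.

```python
import re

# Header in the post's log: <seq> <date> <time> SEV=<n> <class>/<id> RPT=<n> <peer>
HEADER = re.compile(r"^(?P<seq>\d+) \S+ (?P<time>\S+) SEV=(?P<sev>\d+) "
                    r"(?P<event>[A-Z]+/\d+) RPT=\d+ (?P<peer>\S+)$")
GROUP_USER = re.compile(r"Group \[(?P<group>[^\]]*)\] User \[(?P<user>[^\]]*)\]")
PROXY = re.compile(r"Received (remote|local) IP Proxy Subnet.*?Address ([^\s,]+), Mask ([^\s,]+)")

def parse_events(text):
    """Split a log excerpt into events; body lines attach to the preceding header."""
    events = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quoting
        m = HEADER.match(line)
        if m:
            events.append({**m.groupdict(), "group": None, "user": None, "text": ""})
        elif line and events:  # body lines before the first header are dropped
            gu = GROUP_USER.fullmatch(line)
            if gu:
                events[-1].update(gu.groupdict())
            else:
                events[-1]["text"] = (events[-1]["text"] + " " + line).strip()
    return events

def quick_mode_failures(events):
    """For each QM FSM error, report the proxy IDs logged earlier in that session."""
    findings, sessions = [], {}
    for ev in events:
        ctx = sessions.setdefault((ev["peer"], ev["group"], ev["user"]), {})
        proxy = PROXY.search(ev["text"])
        if proxy:
            ctx[proxy.group(1) + "_proxy"] = f"{proxy.group(2)}/{proxy.group(3)}"
        elif "QM FSM error" in ev["text"]:
            findings.append({"seq": int(ev["seq"]), "event": ev["event"], **ctx})
    return findings

# Constructed sample in the post's log format (documentation addresses, blank lines omitted).
SAMPLE_LOG = """\
324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 192.0.2.10
Group [ezvpn] User [cisco]
Received remote IP Proxy Subnet data in ID Payload:
Address 198.51.100.0, Mask 255.255.255.0, Protocol 0, Port 0
327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 192.0.2.10
Group [ezvpn] User [cisco]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 192.0.2.10
Group [ezvpn] User [cisco]
QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
"""
```

Calling quick_mode_failures(parse_events(SAMPLE_LOG)) returns one finding for event 333 carrying both proxy subnets; mail-quoted input with "> " prefixes parses the same way.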