RE: proxy identities not supported

From: amin <amin_at_axizo.com>
Date: Tue, 3 Jan 2012 14:10:20 +0200

server side

 

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname test

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

!

ip dhcp excluded-address 192.168.0.1 192.168.0.80

!

ip dhcp pool POOL

   network 192.168.0.0 255.255.255.128

   dns-server 192.168.0.20 8.8.8.8

   default-router 192.168.0.1

!

!

ip cef

!

multilink bundle-name authenticated

!

!

!

username test privilege 15 password test

username test privilege 15 user-maxlinks 255 test

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key test address 0.0.0.0 0.0.0.0

!

crypto isakmp client configuration group test

 key test

 pool SDM_POOL_1

 acl 101

 save-password

 max-users 5000

crypto isakmp profile sdm-ike-profile-1

   match identity group test

   client authentication list sdm_vpn_xauth_ml_1

   isakmp authorization list sdm_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

 mode transport

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

 set transform-set ESP-3DES-SHA

!

crypto ipsec profile SDM_Profile2

 set transform-set ESP-3DES-SHA1

 set isakmp-profile sdm-ike-profile-1

!

!

archive

 log config

  hidekeys

!

!

!

!

!

interface Tunnel1

 bandwidth 1000

 ip address 172.31.0.1 255.255.255.0

 no ip redirects

 ip mtu 1400

 no ip next-hop-self eigrp 1

 ip nat inside

 ip nhrp authentication DMVPN_NW

 ip nhrp map multicast dynamic

 ip nhrp network-id 100000

 ip nhrp holdtime 360

 ip virtual-reassembly

 ip tcp adjust-mss 1360

 no ip split-horizon eigrp 1

 delay 1000

 keepalive 3 3

 tunnel source FastEthernet0/0

 tunnel mode gre multipoint

 tunnel key 100000

 tunnel protection ipsec profile SDM_Profile1

!

interface FastEthernet0/0

 ip address 192.168.0.201 255.255.255.128

 ip nat inside

 ip virtual-reassembly

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 10.0.0.138 255.255.255.0 secondary

 ip address 192.168.0.1 255.255.255.128

 ip nat inside

 ip virtual-reassembly

 duplex auto

 speed auto

!

interface ATM0/0/0

 no ip address

 no atm ilmi-keepalive

 pvc 8/35

  pppoe-client dial-pool-number 1

 !

!

interface Virtual-Template1 type tunnel

 ip unnumbered Dialer1

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile SDM_Profile2

!

interface Dialer1

 bandwidth 1000

 ip address negotiated

 ip mtu 1452

 ip nat outside

 ip virtual-reassembly

 encapsulation ppp

 dialer pool 1

 ppp authentication pap callin

 ppp pap sent-username 022955051_at_hadara password 0 022955051

!

router eigrp 1

 redistribute static metric 1 1 1 1 1

 network 172.31.0.0 0.0.0.255

 network 192.168.0.0 0.0.0.127

 no auto-summary

!

ip local pool SDM_POOL_1 10.1.2.1 10.1.2.100

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1 2

ip route 192.168.1.128 255.255.255.128 192.168.0.200

ip route 192.168.2.128 255.255.255.128 192.168.0.200

ip route 192.168.3.128 255.255.255.128 192.168.0.200

ip route 192.168.4.128 255.255.255.128 192.168.0.200

ip route 192.168.5.128 255.255.255.128 192.168.0.200

ip route 192.168.6.128 255.255.255.128 192.168.0.200

ip route 192.168.7.128 255.255.255.128 192.168.0.200

ip route 192.168.8.128 255.255.255.128 192.168.0.200

ip http server

ip http authentication local

no ip http secure-server

!

!

ip nat inside source list 100 interface Dialer1 overload

!

access-list 100 permit ip 192.168.0.0 0.0.255.255 any

access-list 100 permit ip 10.0.0.0 0.0.255.255 any

access-list 101 remark SDM_ACL Category=4

access-list 101 permit ip 192.168.0.0 0.0.255.255 any

access-list 101 permit ip 10.0.0.0 0.255.255.255 any

!

!

!

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

!

scheduler allocate 20000 1000

end

 

 

Client side

 

service config

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Aanata

!

boot-start-marker

boot-end-marker

!

!

no logging buffered

no logging console

enable secret test

!

no aaa new-model

!

dot11 syslog

ip source-route

!

!

!

!

!

ip cef

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

!

!

license udi pid CISCO1841 sn FCZ113438W2

username test privilege 15 password test

!

redundancy

!

!

!

!

!

!

!

!

crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1

 connect auto

 group test key test

 mode network-extension

 peer 217.66.227.245

 username test password test

 xauth userid mode local

!

!

!

!

!

!

interface FastEthernet0/0

 ip address 172.17.50.50 255.255.0.0

 ip nat outside

 ip virtual-reassembly in

 duplex auto

 speed auto

 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1

!

interface FastEthernet0/1

 ip address 172.16.2.1 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

 duplex auto

 speed auto

 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside

!

interface Virtual-Template1 type tunnel

 no ip address

 tunnel mode ipsec ipv4

!

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

!

!

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 172.16.1.1

ip route 0.0.0.0 0.0.0.0 172.17.0.1

!

access-list 1 permit 172.16.2.0 0.0.0.255

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

 no login

 transport input all

!

scheduler allocate 20000 1000

end

 

From: Sadiq Yakasai [mailto:sadiqtanko_at_gmail.com]
Sent: Tuesday, January 03, 2012 12:46 PM
To: amin
Cc: ccielab_at_groupstudy.com
Subject: Re: proxy identities not supported

 

Hi Amin,

Can you please run a debug of the VPN connection attempt and attach the output?

The show running-config output from both ends would also be informative.

Thanks,
Sadiq

On Tue, Jan 3, 2012 at 10:34 AM, amin <amin_at_axizo.com> wrote:

Hi experts,

I am configuring Easy VPN between two Cisco routers. On the server I always
get this error message: "proxy identities not supported". The Cisco website says
that the two access lists need to mirror each other on each side, but in my case it is
Easy VPN, which means there is no access-list configuration on the client side.

Any hints about this issue?

Regards,

Amin
