13 Replies Latest reply: Sep 29, 2015 10:03 AM by suman

    Cisco easy VPN

    suman

      Hi

       

      Can anyone tell what's wrong in the configuration?

      ISAKMP is not coming up and no tunnel is getting created.

      Please find the attachment

        • 1. Re: Cisco easy VPN
          Pavol Toman

          Hi, configuration looks good. Is the ISAKMP (UDP/500) and ESP (IP prot. 50) allowed?

          • 2. Re: Cisco easy VPN
            Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

            Hi Suman,

             

            The issue is the client connect mode: you specify it as manual, but it should be auto. Please try to apply the following configuration and let us know if it works:

             

            On R3:

             

            crypto ipsec client ezvpn VPNCLIENT
             connect auto

             

            Regards | Aref.

            • 3. Re: Cisco easy VPN
              Pavol Toman

              Most likely, there is no matching ISAKMP policy on the client side. There are only like 10 default ISAKMP policies, so I recommend adding this on the client as well, and then trying again:

               

              crypto isakmp policy 10
               encr 3des
               hash md5
               authentication pre-share
               group 2

              • 4. Re: Cisco easy VPN
                Pavol Toman

                Hi Aref, just want to add that a manual connection is fine as long as you initiate the connection manually using 'crypto ipsec client ezvpn connect' and afterwards authenticate the user with 'crypto ipsec client ezvpn xauth'.

                • 5. Re: Cisco easy VPN
                  Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                  Hi Pavol,

                   

                  In order to accomplish the original poster's task, the ping from R3 to R1's loopback interface, as he stated ("PING FROM R3 LAN TO R1 LAN - ping 1.1.1.1 source 3.3.3.3 ISAKMP IS NOT ON , TUNNEL IS NOT GETTING CREATED"), automatically, I would replace the manual connect mode with auto, as I already mentioned.

                   

                  Regards | Aref.

                  • 6. Re: Cisco easy VPN
                    suman

                    Hi guys

                     

                    Thanks for the answers, but I have tried all of these and nothing worked.

                     

                    Can anyone please try it at your end on routers and tell me?

                    • 7. Re: Cisco easy VPN
                      Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                      Hi Suman,

                       

                      5 minutes ago I started setting up your scenario in my lab; I will get back to you soon.

                       

                      Regards | Aref.

                      • 8. Re: Cisco easy VPN
                        Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                        Suman,

                         

                        First lab result:

                         

                        I applied the same configuration as yours; the only thing I changed is on R3, as I mentioned in my earlier post: I changed the connect mode to auto instead of manual. After that I issued the command ping 1.1.1.1 sou 3.3.3.3 on R3, and finally I applied the command crypto ipsec client ezvpn xauth in privileged mode, as requested by the router itself, and typed the username cisco and password cisco. After that the tunnel was brought up correctly.

                         

                        R1#sh crypto isakmp sa
                        IPv4 Crypto ISAKMP SA
                        dst            src            state          conn-id status
                        10.1.1.3        20.1.1.3        QM_IDLE          1002 ACTIVE

                        IPv6 Crypto ISAKMP SA

                         

                        R3#sh crypto isakmp sa
                        dst            src            state          conn-id slot status
                        10.1.1.3        20.1.1.3        QM_IDLE              1    0 ACTIVE

                         

                        R3#ping 1.1.1.1 sou 3.3.3.3

                        Type escape sequence to abort.
                        Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
                        Packet sent with a source address of 3.3.3.3
                        !!!!!
                        Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

                         

                        Btw, you don't need the two static routes towards the loopback interfaces on R2, I removed those as well.

                         

                        Now I'm going to try the lab with connect manual and will get back to you soon. In the meantime, please try to do what I just did and let me know if it works.

                         

                        Regards | Aref.

                        • 9. Re: Cisco easy VPN
                          Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                          It worked also with connect manual, here I issued the command crypto ipsec client ezvpn connect (as it has been already mentioned by Pavol) to connect manually in advance.

                           

                          R3#crypto ipsec client ezvpn connect
                          EZVPN(VPNCLIENT): Pending XAuth Request, Please enter the following command:
                          EZVPN: crypto ipsec client ezvpn xauth

                           

                          R3#crypto ipsec client ezvpn xauth
                          Username: cisco
                          Password:

                           

                          R3#ping 1.1.1.1 sou 3.3.3.3

                          Type escape sequence to abort.
                          Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
                          Packet sent with a source address of 3.3.3.3
                          !!!!!
                          Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

                           

                          R3#sh crypto isakmp sa
                          dst            src            state          conn-id slot status
                          10.1.1.3        20.1.1.3        QM_IDLE              1    0 ACTIVE


                          R1#sh crypto isakmp s
                          IPv4 Crypto ISAKMP SA
                          dst            src            state          conn-id status
                          10.1.1.3        20.1.1.3        QM_IDLE          1003 ACTIVE

                           

                          I'm going to post the configs I used on the three routers in a few minutes.

                           

                          Regards | Aref

                          • 10. Re: Cisco easy VPN
                            Aref - CCIE #62163 (Security) / CCNPx2 (R&S - Security) / Network+ / Security+

                            Here are the configs I used:

                             

                            --------------------------------------------------------------

                            R1#sh run
                            !
                            hostname R1
                            !
                            aaa authentication login abc local
                            aaa authorization network wert local
                            !
                            username cisco password 0 cisco
                            !
                            crypto isakmp policy 10
                              encr 3des
                              hash md5
                              authentication pre-share
                              group 2
                            !
                            crypto isakmp client configuration group hr
                              key cisco
                              pool hwpool
                              acl 101
                            !
                            crypto ipsec transform-set ts esp-3des esp-sha-hmac
                            !
                            crypto dynamic-map dm 10
                              set transform-set ts
                              reverse-route
                            !
                            crypto map smap client authentication list abc
                            crypto map smap isakmp authorization list wert
                            crypto map smap client configuration address respond
                            crypto map smap 10 ipsec-isakmp dynamic dm
                            !
                            interface Loopback0
                              ip address 1.1.1.1 255.255.255.0
                            !
                            interface FastEthernet0/0
                              ip address 10.1.1.3 255.255.255.0
                              crypto map smap
                            !
                            ip route 0.0.0.0 0.0.0.0 10.1.1.1
                            !
                            access-list 101 permit ip 1.1.1.0 0.0.0.255 any

                             

                            --------------------------------------------------------------

                             

                            R2#sh run
                            Building configuration...
                            !
                            hostname R2
                            !
                            interface FastEthernet0/0
                              ip address 20.1.1.1 255.255.255.0
                            !
                            interface FastEthernet0/1
                              ip address 10.1.1.1 255.255.255.0

                             

                            --------------------------------------------------------------

                             

                            R3#sh run
                            Building configuration...
                            !
                            hostname R3
                            !
                            crypto ipsec client ezvpn VPNCLIENT
                              connect manual
                              group hr key cisco
                              mode client
                              peer 10.1.1.3
                              xauth userid mode interactive
                            !
                            interface Loopback0
                              ip address 3.3.3.3 255.255.255.0
                              crypto ipsec client ezvpn VPNCLIENT inside
                            !
                            interface FastEthernet0/0
                              ip address 20.1.1.3 255.255.255.0
                              crypto ipsec client ezvpn VPNCLIENT
                            !
                            ip route 0.0.0.0 0.0.0.0 20.1.1.1

                             

                            --------------------------------------------------------------

                             

                            Regards | Aref.
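The mismatches that most often keep an Easy VPN ISAKMP negotiation from completing can be checked mechanically against the configs above. The Python script below is an added example, written for this page; it is not something anyone in the thread posted. It embeds the crypto-relevant excerpts of the R1 (server) and R3 (client) configs from the post above (lines the script does not inspect, such as the split-tunnel ACL, are left out), parses them the way IOS prints them (top-level command plus indented sub-commands), and reports a client group or key that does not match the server's client configuration group, a peer address that is not on a server interface carrying the crypto map, the absence of an ISAKMP policy with pre-shared authentication, and AAA lists or a dynamic map referenced by the crypto map but never defined. It also reads the client's connect mode, since with connect manual the tunnel only comes up after 'crypto ipsec client ezvpn connect' and 'xauth'. The helper names and the wording of the problem strings are my own. It does not test reachability (Pavol's point about UDP/500 and ESP) or the client-side ISAKMP policy, which does not appear in the posted configs.

```python
import re
# Crypto-relevant excerpt of the R1 (server) config posted above.
R1 = """\
aaa authentication login abc local
aaa authorization network wert local
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group hr
 key cisco
 pool hwpool
crypto ipsec transform-set ts esp-3des esp-sha-hmac
crypto dynamic-map dm 10
 set transform-set ts
 reverse-route
crypto map smap client authentication list abc
crypto map smap isakmp authorization list wert
crypto map smap 10 ipsec-isakmp dynamic dm
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.255.0
 crypto map smap
"""

# Excerpt of the R3 (client) config from the same post.
R3 = """\
crypto ipsec client ezvpn VPNCLIENT
 connect manual
 group hr key cisco
 mode client
 peer 10.1.1.3
 xauth userid mode interactive
interface FastEthernet0/0
 ip address 20.1.1.3 255.255.255.0
 crypto ipsec client ezvpn VPNCLIENT
"""

def parse_ios(text):
    """Map each top-level command to its indented sub-commands, skipping '!' separators."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def has_header(blocks, prefix):
    return any(h.startswith(prefix) for h in blocks)

def keyvals(body):
    """Map the first word of each sub-command to the rest of that line."""
    return {line.split(" ", 1)[0]: (line.split(" ", 1) + [""])[1] for line in body}

def ezvpn_body(client_blocks):
    return next((c for h, c in client_blocks.items() if h.startswith("crypto ipsec client ezvpn ")), [])

def check_ezvpn(server_cfg, client_cfg):
    """List the mismatches that keep ISAKMP from completing; [] means consistent."""
    srv = parse_ios(server_cfg)
    cli = keyvals(ezvpn_body(parse_ios(client_cfg)))
    problems = []
    # Group name and pre-shared key must match a server client-configuration group.
    m = re.fullmatch(r"(\S+) key (\S+)", cli.get("group", ""))
    grp = srv.get(f"crypto isakmp client configuration group {m.group(1)}") if m else None
    if grp is None:
        problems.append("client group has no matching 'crypto isakmp client configuration group' on server")
    elif f"key {m.group(2)}" not in grp:
        problems.append(f"group '{m.group(1)}' key differs between client and server")

    # The peer must be an address on a server interface that carries the crypto map.
    peer = cli.get("peer", "<none>")
    if not any(f"ip address {peer} " in " ".join(c) and any(x.startswith("crypto map ") for x in c)
               for h, c in srv.items() if h.startswith("interface ")):
        problems.append(f"peer {peer} is not an address on a server interface with a crypto map")

    # Authenticating with a group key needs an ISAKMP policy that uses pre-shared keys.
    if not any("authentication pre-share" in c for h, c in srv.items() if h.startswith("crypto isakmp policy ")):
        problems.append("no server ISAKMP policy uses 'authentication pre-share'")

    # The crypto map's AAA lists and dynamic map must actually exist.
    for h in srv:
        if m := re.match(r"crypto map \S+ client authentication list (\S+)", h):
            if not has_header(srv, f"aaa authentication login {m.group(1)} "):
                problems.append(f"authentication list '{m.group(1)}' is not defined")
        elif m := re.match(r"crypto map \S+ isakmp authorization list (\S+)", h):
            if not has_header(srv, f"aaa authorization network {m.group(1)} "):
                problems.append(f"authorization list '{m.group(1)}' is not defined")
        elif m := re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", h):
            if not has_header(srv, f"crypto dynamic-map {m.group(1)} "):
                problems.append(f"dynamic map '{m.group(1)}' is not defined")
    return problems

def connect_mode(client_cfg):
    """'manual' means the tunnel waits for 'crypto ipsec client ezvpn connect' and then 'xauth'."""
    return keyvals(ezvpn_body(parse_ios(client_cfg))).get("connect", "auto")
```

Run against the posted excerpts, check_ezvpn(R1, R3) returns an empty list and connect_mode(R3) returns 'manual', which is consistent with Aref's result that the tunnel came up once the connection was initiated (or connect auto was set) and xauth was answered. Editing the embedded R3 to use a different group key or peer address makes the corresponding check fire, which is the kind of typo this catches before anyone reaches for debug crypto isakmp.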

                            • 11. Re: Cisco easy VPN
                              suman

                              Hi

                               

                              I will try and let you know

                              Thanks

                              Suman

                              • 12. Re: Cisco easy VPN
                                suman

                                Hi

                                 

                                I tried with your configuration and it's working. I removed the ip route on R2 and it's working.

                                 

                                Thank you

                                Suman

                                • 13. Re: Cisco easy VPN
                                  suman

                                  Hi thank you for your answers