CCIE Security - VPN Study Guide - EasyVPN Server and Remote

 

Initial Configuration

R2 Configuration:

en
conf t
hostname R2
no ip domain-lookup
interface F0/0
 description Fa0/0 – SW1 Fa0/2
 ip address 44.44.2.2 255.255.255.0
 no shut
 exit
interface Loopback2
 ip address 2.2.2.2 255.255.255.0
 exit
interface Loopback22
 ip address 22.22.22.22 255.255.255.0
 exit
ip route 0.0.0.0 0.0.0.0 44.44.2.10
end
wr mem


ASA1 Configuration:

en
conf t
hostname asa1
interface Ethernet0/0
 no shutdown
 nameif inside
 ip address 44.44.2.10 255.255.255.0
 exit
interface Ethernet0/2
 no shutdown
 nameif outside
 ip address 44.44.3.10 255.255.255.0
 exit
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
router ospf 2
 network 44.44.2.0 255.255.255.0 area 0
 network 44.44.3.0 255.255.255.0 area 0
 log-adj-changes
 exit
logging on
logging timestamp
logging buffered debugging
logging buffer-size 10000
end
wr mem

 

R5 Configuration:

en
conf t
hostname R5
no ip domain-lookup
interface F0/0
 description SW1 Fa0/5
 ip address 44.44.3.5 255.255.255.0
 no shut
 exit
interface F0/1
 description SW2 Fa0/5
 ip address 44.44.4.5 255.255.255.0
 no shut
 exit
interface Loopback5
 ip address 5.5.5.5 255.255.255.0
 exit
interface Loopback55
 ip address 55.55.55.55 255.255.255.0
 exit
router ospf 2
 network 44.44.3.0 0.0.0.255 area 0
 network 44.44.4.0 0.0.0.255 area 0
 exit
end
wr mem

 

R3 Configuration:


en
conf t
hostname R3
no ip domain-lookup
interface F0/0
 description SW1 Fa0/3
 ip address 44.44.4.3 255.255.255.0
 no shut
 exit
interface F0/1
 description SW2 Fa0/3
 ip address 44.44.5.3 255.255.255.0
 no shut
 exit
interface Loopback3
 ip address 3.3.3.3 255.255.255.0
 exit
interface Loopback33
 ip address 33.33.33.33 255.255.255.0
 exit
router ospf 2
 network 44.44.5.0 0.0.0.255 area 0
 network 44.44.4.0 0.0.0.255 area 0
 exit
end
wr mem


R4 Configuration:

en
conf t
hostname R4
no ip domain-lookup
interface F0/0
 description SW1 Fa0/4
 ip address 44.44.4.4 255.255.255.0
 no shut
 exit
interface Loopback4
 ip address 4.4.4.4 255.255.255.0
 exit
interface Loopback44
 ip address 44.44.44.44 255.255.255.0
 exit
router ospf 2
 network 44.44.4.0 0.0.0.255 area 0
 exit
end
wr mem

 

SW1 Configuration:

en
conf t
hostname SW1
no ip domain-lookup
vtp mode transparent
vlan 2
vlan 3
vlan 4
vlan 5
exit
int Fa0/2
 switchport host
 switchport access vlan 2
 exit
int Fa0/5
 switchport host
 switchport access vlan 3
 exit
int Fa0/4
 switchport host
 switchport access vlan 4
 exit
int Fa0/3
 switchport host
 switchport access vlan 4
 exit
end
wr mem

 

SW2 Configuration:

en
conf t
hostname SW2
no ip domain-lookup
vtp mode transparent
vlan 2
vlan 3
vlan 4
vlan 5
exit
int Fa0/12
 switchport host
 switchport access vlan 2
 exit
int Fa0/13
 switchport host
 switchport access vlan 3
 exit
int Fa0/5
 switchport host
 switchport access vlan 4
 exit
int Fa0/3
 switchport host
 switchport access vlan 5
 exit
int Fa0/20
 switchport host
 switchport access vlan 5
 exit
end
wr mem

 

Configuration Tasks:

  • Configure EasyVPN Server on R2. Keep the following in mind:
  • Cisco EasyVPN can function in two modes: client and network-extension.
  • Client mode lets you specify which interfaces are the EzVPN "inside" interfaces; traffic from those "inside" interfaces is translated to the IP address received from the server pool.
  • Use client mode when your central site does not need to access resources at the remote sites.
  • Use network-extension mode when you need bi-directional access, meaning the remote site can access the central site and the central site can access the remote networks.


Configuration Solution:

R2#
username example password 0 example

aaa new-model
aaa authentication login AUTH-NONE none
aaa authentication login AUTH-LOCAL local
aaa authorization network AUTHZ-NONE none
aaa authorization network AUTHZ-LOCAL local

crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 exit

crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list AUTHZ-LOCAL
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
 exit

crypto ipsec transform-set set esp-3des esp-sha-hmac
 exit

crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
 exit

interface Virtual-Template1 type tunnel
 ip unnumbered F0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
 exit

line vty 0 4
 login authentication AUTH-NONE
 exit


R4#
conf t
crypto ipsec client ezvpn easy_vpn_remote
 connect auto
 group PerUserAAA key cisco
 mode client
 peer 44.44.2.2
 exit

interface f0/0
 crypto ipsec client ezvpn easy_vpn_remote
 exit
interface Lo44
 crypto ipsec client ezvpn easy_vpn_remote inside
 exit


We pasted our configuration, but the VPN client shows "AG_INIT_EXCH".


R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       AG_INIT_EXCH         0    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#
R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback4
     44.0.0.0/24 is subnetted, 5 subnets
O       44.44.2.0 [110/12] via 44.44.4.5, 00:07:24, FastEthernet0/0
O       44.44.3.0 [110/2] via 44.44.4.5, 00:07:34, FastEthernet0/0
C       44.44.4.0 is directly connected, FastEthernet0/0
O       44.44.5.0 [110/2] via 44.44.4.3, 00:08:01, FastEthernet0/0
C       44.44.44.0 is directly connected, Loopback44
R4#

 

We will enable debug on both R2 and R4.

conf t
logging on
logging buffered debugging
logging buffered 16000
service timestamps
end
debug crypto isakmp


R2#show logging
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level notifications, 31 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 1 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 58 message lines logged
          
Log Buffer (16000 bytes):

Mar 28 09:50:33.514: %SYS-5-CONFIG_I: Configured from console by console
R2#

 

We will enable debugging on R4 and force a connection to R2.


R4#debug crypto isakmp   
Crypto ISAKMP debugging is on
R4#
R4#crypto ipsec client ezvpn connect


Let's review our logs:

R4#show logging                      
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level notifications, 37 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 54 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled
    Trap logging: level informational, 78 message lines logged
          
Log Buffer (16000 bytes):

Mar 28 09:49:31.387: %SYS-5-CONFIG_I: Configured from console by console
Mar 28 09:49:44.886: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=PerUserAAA  Client_public_addr=44.44.4.4  Server_public_addr=44.44.2.2  
Mar 28 09:50:46.166: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=PerUserAAA  Client_public_addr=44.44.4.4  Server_public_addr=44.44.2.2  
01:09:07: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
01:09:07: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
01:09:07: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
01:09:07: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
01:09:07: ISAKMP:(0):Sending an IKE IPv4 Packet.
01:09:15: ISAKMP:(0):purging SA., sa=836BC1EC, delme=836BC1EC
01:09:17: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
01:09:17: ISAKMP:(0):peer does not do paranoid keepalives.

01:09:17: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 44.44.2.2)
Mar 28 09:51:47.723: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=PerUserAAA  Client_public_addr=44.44.4.4  Server_public_addr=44.44.2.2  
01:09:17: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 44.44.2.2)
01:09:17: ISAKMP: Unlocking peer struct 0x8428234C for isadb_mark_sa_deleted(), count 0
01:09:17: ISAKMP: Deleting peer node by peer_reap for 44.44.2.2: 8428234C
01:09:17: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:09:17: ISAKMP:(0):Old State = IKE_I_AM1  New State = IKE_DEST_SA

01:09:18: del_node src 44.44.4.4:500 dst 44.44.2.2:500 fvrf 0x0, ivrf 0x0
01:09:18: ISAKMP:(0):peer does not do paranoid keepalives.

01:09:18: ISAKMP:(0): SA request profile is (NULL)
01:09:18: ISAKMP: Created a peer struct for 44.44.2.2, peer port 500
01:09:18: ISAKMP: New peer created peer = 0x836BB998 peer_handle = 0x8000000D
01:09:18: ISAKMP: Locking peer struct 0x836BB998, refcount 1 for isakmp_initiator
01:09:18: ISAKMP:(0):Setting client config settings 8428234C
01:09:18: ISAKMP: local port 500, remote port 500
01:09:18: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 83E26FE4
01:09:18: ISAKMP:(0): client mode configured.
01:09:18: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
01:09:18: ISAKMP:(0): constructed NAT-T vendor-07 ID
01:09:18: ISAKMP:(0): constructed NAT-T vendor-03 ID
01:09:18: ISAKMP:(0): constructed NAT-T vendor-02 ID
01:09:18: ISKAMP: growing send buffer from 1024 to 3072
01:09:18: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
01:09:18: ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : PerUserAAA
        protocol     : 17
        port         : 0
        length       : 18
01:09:18: ISAKMP:(0):Total payload length: 18
01:09:18: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
01:09:18: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_AM1

01:09:18: ISAKMP:(0): beginning Aggressive Mode exchange
01:09:18: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
01:09:18: ISAKMP:(0):Sending an IKE IPv4 Packet.
01:09:28: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
01:09:28: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
01:09:28: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
01:09:28: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
01:09:28: ISAKMP:(0):Sending an IKE IPv4 Packet.
01:09:38: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
01:09:38: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
01:09:38: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
01:09:38: ISAKMP:(0): sending packet to 44.44.2.2 my_port 500 peer_port 500 (I) AG_INIT_EXCH
01:09:38: ISAKMP:(0):Sending an IKE IPv4 Packet.
R4#

 

The problem here is that the ASA is blocking ISAKMP traffic. Let's fix it.

asa1# show run | include access
access-list OUTSIDE_IN extended permit icmp any any
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
threat-detection statistics access-list
asa1#
asa1# conf t
asa1(config)# access-list OUTSIDE_IN permit udp any host 44.44.2.2 eq 500
asa1(config)# access-list OUTSIDE_IN permit esp any host 44.44.2.2       
asa1(config)#

R2#show logging
01:18:17: ISAKMP (0:0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) MM_NO_STATE
01:18:27: ISAKMP (0:0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) MM_NO_STATE
01:18:37: ISAKMP (0:0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) MM_NO_STATE
R2#  

In the ISAKMP debug output we see "Phase1 SA policy proposal not accepted". This means that there is a problem with the crypto isakmp policy.

Mar 28 10:05:16.834: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 44.44.4.4
01:22:55: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 44.44.4.4)
01:22:55: ISAKMP: Unlocking peer struct 0x84131C1C for isadb_mark_sa_deleted(), count 0
01:22:55: ISAKMP: Deleting peer node by peer_reap for 44.44.4.4: 84131C1C
01:22:55: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
01:22:55: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 
R4#
R4#
Mar 28 10:14:26.655: %CRYPTO-4-EZVPN_FAILED_TO_CONNECT: EZVPN(easy_vpn_remote) Ezvpn is in state READY, previous state was CONNECT_REQUIRED and event is CONNECT. Session is not up after 180 seconds of initiating session, resetting the connection
R4#
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       CONF_ADDR         1002    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#

R2#
01:35:11: ISAKMP/author: Author request for group PerUserAAAsuccessfully sent to AAA
01:35:11: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
01:35:11: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

01:35:11: ISAKMP:(1003):attributes sent in message:
01:35:11:         Address: 0.2.0.0
01:35:11: ISAKMP:(1003):Could not get address from pool!
01:35:11: ISAKMP:(1003):peer does not do paranoid keepalives.

01:35:11: ISAKMP:(1003):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 44.44.4.4)
01:35:11: ISAKMP: Sending save password reply value 0
R2#


We forgot to specify the dynamic pool of IP addresses, and that is why it is failing. We will add 44.44.115.0/24 as the dynamic pool on R2.

R2# ip local pool dpool 44.44.115.1 44.44.115.254

R4#
Mar 28 10:26:36.896: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
Mar 28 10:26:37.100: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R4#
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       QM_IDLE           1006    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#

R4#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            44.44.4.4       YES manual up                    up      
Serial0/0                  unassigned      YES TFTP   administratively down down    
FastEthernet0/1            unassigned      YES manual administratively down down    
Serial0/1                  unassigned      YES manual administratively down down    
NVI0                       44.44.4.4       YES unset  up                    up      
Loopback4                  4.4.4.4         YES manual up                    up      
Loopback44                 44.44.44.44     YES manual up                    up      
Loopback10000              44.44.115.1     YES manual up                    up      
R4#

R4#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     4.0.0.0/24 is subnetted, 1 subnets
C       4.4.4.0 is directly connected, Loopback4
     44.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O       44.44.2.0/24 [110/12] via 44.44.4.5, 00:53:44, FastEthernet0/0
O       44.44.3.0/24 [110/2] via 44.44.4.5, 00:53:54, FastEthernet0/0
C       44.44.4.0/24 is directly connected, FastEthernet0/0
O       44.44.5.0/24 [110/2] via 44.44.4.3, 00:54:21, FastEthernet0/0
C       44.44.44.0/24 is directly connected, Loopback44
C       44.44.115.1/32 is directly connected, Loopback10000
R4#


R2#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            44.44.2.2       YES manual up                    up      
Serial0/0                  unassigned      YES TFTP   administratively down down    
Serial0/1                  unassigned      YES manual administratively down down    
Virtual-Access1            unassigned      YES unset  down                  down    
Virtual-Template1          44.44.2.2       YES TFTP   down                  down    
Virtual-Access2            44.44.2.2       YES TFTP   up                    up      
Loopback2                  2.2.2.2         YES manual up                    up      
Loopback22                 22.22.22.22     YES manual up                    up      
R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     44.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       44.44.2.0/24 is directly connected, FastEthernet0/0
S       44.44.115.1/32 [1/0] via 0.0.0.0, Virtual-Access2
S*   0.0.0.0/0 [1/0] via 44.44.2.10
R2#


R2#
crypto ipsec profile vi
 set reverse-route tag 10
 
R4#ping 44.44.2.2 source Lo10000

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.2.2, timeout is 2 seconds:
Packet sent with a source address of 44.44.115.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
R4#show crypto ipsec sa         

interface: FastEthernet0/0
    Crypto map tag: FastEthernet0/0-head-0, local addr 44.44.4.4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (44.44.115.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 44.44.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 44.44.4.4, remote crypto endpt.: 44.44.2.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xB53FDC9C(3040861340)

     inbound esp sas:
      spi: 0x1DDF3B29(501168937)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 9, flow_id: 9, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4406476/3504)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB53FDC9C(3040861340)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 10, flow_id: 10, crypto map: FastEthernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4406476/3504)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R4#show run

 

The bottom line is that I can only ping that network from the Lo10000 interface.

R4(config)# ip route 22.22.22.22 255.255.255.255 44.44.4.5  
R4(config)#end
R4#ping 22.22.22.22 source Lo10000
Mar 28 12:38:19.242: %SYS-5-CONFIG_I: Configured from console by console
R4#ping 22.22.22.22 source Lo10000

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.115.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
R4#

R4#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : easy_vpn_remote
Inside interface list: Loopback44
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 44.44.115.8 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 22.22.22.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 2.2.2.2
       Mask       : 255.255.255.255
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 44.44.2.2

R4#

R4#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip route 2.2.2.2 255.255.255.255 44.44.4.5     
R4(config)#end
R4#ping 2.2.2.2 source Lo10000    
Mar 28 12:42:17.192: %SYS-5-CONFIG_I: Configured from console by console
R4#ping 2.2.2.2 source Lo10000

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 44.44.115.8
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
R4#

 

Let's make the EzVPN client go through XAUTH, because in the example above only the group username and password were needed to connect.

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#user
R2(config)#username r4@PerUserAAA pass
R2(config)#username r4@PerUserAAA password 0 cisco
R2(config)#username testpc@PerUserAAA password 0 cisco
R2(config)#

R2(conf-isa-prof)#client ?
  authentication  Use Extended Authentication
  configuration   Specify client configuration settings
  pki             Use username in the crypto certificate for authorization

R2(conf-isa-prof)#client authentication list AUTH-LOCAL
R2(conf-isa-prof)#


Unfortunately, the R4 log tells us that we must authenticate manually.
R4#show logging       
04:13:31: EZVPN(easy_vpn_remote): Pending XAuth Request, Please enter the following command:
04:13:31: EZVPN: crypto ipsec client ezvpn xauth
R4#


R4#crypto ipsec client ezvpn xauth
Username: r4@PerUserAAA
Password:
R4#
Mar 28 12:57:07.103: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
Mar 28 12:57:08.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up



Let's make sure that we are allowed to use a saved password on the R4 remote EzVPN client.



R2(config)#crypto isakmp client configuration group PerUserAAA
R2(config-isakmp-group)#?
ISAKMP group policy config commands:
  save-password      Allows remote client to save XAUTH password

R2(config-isakmp-group)#save-password

R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       CONF_XAUTH        1044    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#

R4#crypto ipsec client ezvpn xaut
Username: r4@PerUserAAA
Password: cisco
R4#                
Mar 28 13:27:17.346: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
Mar 28 13:27:18.348: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
R4#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
44.44.2.2       44.44.4.4       QM_IDLE           1047    0 ACTIVE

IPv6 Crypto ISAKMP SA

R4#


Once we have authenticated successfully, this password will be stored.

R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/21 ms
R4#ping 22.22.22.22 source Lo44

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
Packet sent with a source address of 44.44.44.44
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms
R4#


R2#show logging
Mar 28 13:41:07.560: %SEC-6-IPACCESSLOGDP: list 188 permitted icmp 44.44.115.19 -> 22.22.22.22 (0/0), 1 packet
R2#

Configure EasyVPN such that network 44.44.44.44 will be accessible from 22.22.22.22.

R4(config)#crypto ipsec client ezvpn easy_vpn_remote 
R4(config-crypto-ezvpn)#mode network-extension
R4(config-crypto-ezvpn)#
EZVPN: User connect request ignored,tunnel easy_vpn_remote endpoint not ready for request   
R4(config-crypto-ezvpn)#
Mar 28 13:51:46.406: %LINK-5-CHANGED: Interface Loopback10000, changed state to administratively down
Mar 28 13:51:47.424: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to down

R2#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 44.44.2.10 to network 0.0.0.0

     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     22.0.0.0/24 is subnetted, 1 subnets
C       22.22.22.0 is directly connected, Loopback22
     44.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       44.44.2.0/24 is directly connected, FastEthernet0/0
S       44.44.44.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S       44.44.115.19/32 [1/0] via 0.0.0.0, Virtual-Access2
S       44.44.115.20/32 [1/0] via 0.0.0.0, Virtual-Access3
S       44.44.115.15/32 [1/0] via 0.0.0.0, Virtual-Access2
S*   0.0.0.0/0 [1/0] via 44.44.2.10
R2#
R2#

As you can see, "44.44.44.0/24" is now in the routing table of R2, and it is reachable from R2.

 

R2#ping 44.44.44.44 source Lo22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms
R2#

 

For some reason "ping 44.44.44.44 source Lo2" does not work, and the Virtual-Access interface flaps. Let's see if the command below helps.



R2(config)#crypto isakmp keepalive 10 10 periodic

R4#
conf t
access-list 117 permit ip 44.44.44.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 44.44.44.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
crypto ipsec client ezvpn easy_vpn_remote
 acl 117
 end

 

Why???????



R2# ping 4.4.4.4 source Lo22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/24 ms
R2# ping 44.44.44.44 source Lo22

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 22.22.22.22
.....
Success rate is 0 percent (0/5)
R2# ping 44.44.44.44 source Lo2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 44.44.44.44, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
R2# ping 4.4.4.4 source Lo2    

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.....
Success rate is 0 percent (0/5)
R2#

R2#
05:40:49: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= 44.44.2.2, remote= 44.44.4.4,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 4.4.4.0/255.255.255.0/0/0 (type=4),
    protocol= PCP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
05:40:49: map_db_find_best did not find matching map
05:40:49: IPSEC(ipsec_process_proposal): proxy identities not supported
05:40:49: ISAKMP:(1092): IPSec policy invalidated proposal with error 32
05:40:49: ISAKMP:(1092):Checking IPSec proposal 20
R2#

R4#ping 2.2.2.2 source Lo4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4
.....
Success rate is 0 percent (0/5)
R4#


1d00h: IPSec(validate_transform_proposal): proxy identities not supported

 

The access lists on each peer need to mirror each other (all entries need to be reversible). This example illustrates this point.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
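As an added example (not part of the original guide), the following Python script pulls the "deleting SA reason" strings out of the IOS debug output quoted on this page and maps each one to the misconfiguration that produced it in this lab. The reason-to-cause table is this example's own summary of the walkthrough, not a Cisco reference, and the sample lines are copied from the debug output above.

```python
import re

# Assumed mapping (this example's own summary of the walkthrough, not a Cisco
# reference table) from the reason string IOS prints when it tears down an SA
# to the misconfiguration that produced it in this lab.
REASON_HINTS = {
    "Death by retransmission P1":
        "no IKE reply: UDP/500 (UDP/4500 with NAT-T) or ESP is filtered on the "
        "path; here the ASA OUTSIDE_IN ACL only permitted ICMP",
    "Phase1 SA policy proposal not accepted":
        "ISAKMP policy mismatch: compare 'crypto isakmp policy' encryption, hash, "
        "authentication and DH group on both peers",
    "Fail to allocate ip address":
        "client-mode address pool missing or exhausted: 'ip local pool' must "
        "exist with the name given by 'pool' in the client configuration group",
    "proxy identities not supported":
        "phase 2 proxy identity mismatch: the EzVPN 'acl' on the remote must "
        "mirror the crypto ACL on the server",
}

# 'deleting SA reason "<reason>" state (<I|R>) <STATE> (peer <ip>)'
DELETE_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state '
    r'\((?P<role>[IR])\) (?P<state>\S+)\s+\(peer (?P<peer>[\d.]+)\)')
# one line per phase 1 retransmit; the bare repeat without '...' is ignored
RETRANS_RE = re.compile(r"retransmitting phase 1 \S+\.\.\.$")
PROXY_RE = re.compile(r"proxy identities not supported")


def triage(log_text):
    """Walk 'debug crypto isakmp' / 'debug crypto ipsec' output and return the
    phase 1 retransmit count plus one finding per SA teardown reason."""
    findings = []
    retransmits = 0
    for line in log_text.splitlines():
        if RETRANS_RE.search(line):
            retransmits += 1
            continue
        m = DELETE_RE.search(line)
        if m:
            reason = m.group("reason")
            findings.append({
                "peer": m.group("peer"),
                "role": "initiator" if m.group("role") == "I" else "responder",
                "state": m.group("state"),
                "reason": reason,
                "hint": REASON_HINTS.get(reason, "unmapped reason; read the surrounding debug"),
            })
        elif PROXY_RE.search(line):
            # printed by the IPsec process, not ISAKMP, so no role/state/peer is given
            findings.append({
                "peer": None, "role": None, "state": "phase 2",
                "reason": "proxy identities not supported",
                "hint": REASON_HINTS["proxy identities not supported"],
            })
    return {"retransmits": retransmits, "findings": findings}


# Constructed sample: the debug lines quoted in the walkthrough above, in order.
SAMPLE_LOG = """\
01:09:17: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
01:09:17: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 44.44.2.2)
01:22:55: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) AG_NO_STATE (peer 44.44.4.4)
01:35:11: ISAKMP:(1003):Could not get address from pool!
01:35:11: ISAKMP:(1003):deleting SA reason "Fail to allocate ip address" state (R) CONF_ADDR     (peer 44.44.4.4)
05:40:49: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"phase 1 retransmits: {result['retransmits']}")
    for f in result["findings"]:
        print(f"[{f['role']}] {f['state']} peer={f['peer']}: {f['reason']} -> {f['hint']}")
```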

 

R4#
conf t
access-list 117 permit ip 44.44.44.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 44.44.44.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
crypto ipsec client ezvpn easy_vpn_remote
 acl 117
 end


R2#
conf t
access-list 117 permit ip 22.22.22.0 0.0.0.255 44.44.44.0 0.0.0.255
access-list 117 permit ip  2.2.2.0 0.0.0.255 44.44.44.0 0.0.0.255
access-list 117 permit ip 22.22.22.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 117 permit ip 2.2.2.0 0.0.0.255  4.4.4.0 0.0.0.255
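As an added example (not part of the original guide), a Python checker that parses the two numbered ACLs above and reports every entry whose mirror image (source and destination swapped) is missing on the other peer, which is the condition behind "proxy identities not supported". It accepts the any/host/wildcard forms of IOS extended ACL entries, so it goes beyond the four "permit ip" lines used here; the R2_ACL_PARTIAL input is constructed for the example.

```python
import ipaddress


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network. The wildcard
    is inverted to a netmask by hand because ipaddress would read the wildcard
    0.0.0.0 (a single host) as the /0 netmask. Discontiguous wildcards raise."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _take_net(tokens):
    """Consume one address spec from the front of tokens: any | host A | A WILDCARD."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(text):
    """Return the permit entries of a numbered extended ACL as a set of
    (protocol, source network, destination network). Port qualifiers after the
    destination are ignored; the proxy identities here are plain 'permit ip'."""
    entries = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        if action == "permit":
            entries.add((proto, src, dst))
    return entries


def mirror_gaps(local_acl, remote_acl):
    """Report entries that lack a mirror image on the other peer. Two empty
    lists mean every proxy identity one side proposes is accepted by the other."""
    local = parse_acl(local_acl)
    remote = parse_acl(remote_acl)
    mirrored_remote = {(p, d, s) for (p, s, d) in remote}
    mirrored_local = {(p, d, s) for (p, s, d) in local}
    return {
        "missing_on_remote": sorted(local - mirrored_remote, key=str),
        "missing_on_local": sorted(remote - mirrored_local, key=str),
    }


# Constructed input: the R4 and R2 ACL 117 entries from the walkthrough above.
R4_ACL = """\
access-list 117 permit ip 44.44.44.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 44.44.44.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 22.22.22.0 0.0.0.255
access-list 117 permit ip 4.4.4.0 0.0.0.255 2.2.2.0 0.0.0.255
"""
R2_ACL = """\
access-list 117 permit ip 22.22.22.0 0.0.0.255 44.44.44.0 0.0.0.255
access-list 117 permit ip  2.2.2.0 0.0.0.255 44.44.44.0 0.0.0.255
access-list 117 permit ip 22.22.22.0 0.0.0.255 4.4.4.0 0.0.0.255
access-list 117 permit ip 2.2.2.0 0.0.0.255  4.4.4.0 0.0.0.255
"""
# Constructed server ACL missing the two 4.4.4.0/24 mirror entries: R4 still
# proposes them and the server rejects them as unsupported proxy identities.
R2_ACL_PARTIAL = "\n".join(R2_ACL.splitlines()[:2]) + "\n"

if __name__ == "__main__":
    for label, server_acl in (("mirrored", R2_ACL), ("partial", R2_ACL_PARTIAL)):
        gaps = mirror_gaps(R4_ACL, server_acl)
        print(label, "missing on server:",
              [f"{s} -> {d}" for _, s, d in gaps["missing_on_remote"]])
```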
 

Additional Information:

Example 4-9. Per-Group EzVPN Policy Attributes Configured Locally on an EzVPN Server
crypto isakmp client configuration group vpngroup
 key ciscoezvpn
 dns 10.1.1.10
 wins 10.1.1.11
 domain cisco.com
 pool vpnpool
 group-lock
 save-password
 include-local-lan
 pfs
 backup-gateway 9.1.1.36
 max-users 100
 max-logins 2
 access-restrict fastEthernet 0/0


Example 4-8. Per-Group–based Policy Configuration on a AAA Server
vpngroup Password = "cisco", Service-Type = Outbound                                  
cisco-avpair = "ipsec:tunnel-type=ESP"
cisco-avpair = "ipsec:key-exchange=ike"
cisco-avpair = "ipsec:tunnel-password=ciscoezvpn"
cisco-avpair = "ipsec:addr-pool=vpnpool"
cisco-avpair = "ipsec:default-domain=cisco"
cisco-avpair = "ipsec:inacl=101"
cisco-avpair = "ipsec:access-restrict=fastethernet 0/0"
cisco-avpair = "ipsec:group-lock=1"
cisco-avpair = "ipsec:backup-server=9.1.1.36"
cisco-avpair = "ipsec:dns-servers=10.1.1.10"
cisco-avpair = "ipsec:firewall=1"
cisco-avpair = "ipsec:include-local-lan=1"
cisco-avpair = "ipsec:save-password=1"
cisco-avpair = "ipsec:wins-servers=10.1.1.11"
cisco-avpair = "ipsec:max-users = 100"
cisco-avpair = "ipsec:max-logins = 2"


Example 4-10. User-Based Policy Control Using AAA
ezvpn1@vpngroup Password = "ezvpn1east"                                               
framed-Ip-Address=10.0.68.1
ipsec:user-save-password=1
ipsec:user-include-local-lan=1
ipsec:user-vpn-group=cisco
